From: Jason Kantz
Subject: asdf-install patch
Date: 
Message-ID: <1138123538.324968.199220@o13g2000cwo.googlegroups.com>

A patch to asdf-install is available for testing at
http://kantz.com/jason/programs/asdf-install/installer.lisp.patch

The patch applies to installer.lisp 1.13 (the most recent from CCLAN's
cvs).

The main change has to do with the case where asdf-install:install is
called with a package name.  In this case asdf-install goes to
cliki.net to figure out the installation source.  Since the
installation source from cliki can be changed to point to something
malicious, those who are apt to skip verification of gpg signatures can
get themselves into trouble.

So the patch implements the following changes:

 - The special *trusted-installation-sources* that defaults to
   (list *cclan-mirror* "http://common-lisp.net") has been added.

 - download-files-for-package has been changed so that when installing
   by package name, gpg signature verification _cannot_ be skipped unless
   the installation source is one of *trusted-installation-sources*.

 - A try-again restart has been added to download-files-for-package so
   that when a key is not found one can switch to a shell, receive the
   key, and switch back to cl and try again.

 - Turned off *print-circle* for key-not-found condition's :report
   message so that the suggested shell command doesn't get polluted with
   #1#.

 - Fixed asdf-install::install-package to handle logical pathnames for
   *locations*.
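
The trusted-source gate from the second change above, as an added example that is not code from the patch or from installer.lisp. It assumes a source counts as trusted when its host equals the host of an entry in *trusted-installation-sources* (the post does not say how the patch matches); url-host, trusted-source-p, signature-check-policy and the *cclan-mirror* value are hypothetical.

```lisp
;;; Added illustration; not code from installer.lisp or the patch.
;;; Every name except *trusted-installation-sources* is hypothetical.

(defparameter *cclan-mirror* "http://cclan-mirror.example/pub/cclan/"
  "Constructed placeholder, not the real mirror URL.")

(defparameter *trusted-installation-sources*
  (list *cclan-mirror* "http://common-lisp.net"))

(defun url-host (url)
  "Lower-cased host of an http:// URL, or NIL for anything else (fail closed)."
  (let ((scheme "http://"))
    (when (and (> (length url) (length scheme))
               (string-equal scheme url :end2 (length scheme)))
      (let* ((auth-end (or (position-if (lambda (c) (find c "/?#")) url
                                        :start (length scheme))
                           (length url)))
             (authority (subseq url (length scheme) auth-end))
             ;; Drop any "user@" part so it cannot pose as the host.
             (at (position #\@ authority :from-end t))
             (hostport (if at (subseq authority (1+ at)) authority)))
        (string-downcase (subseq hostport 0 (position #\: hostport)))))))

(defun trusted-source-p (url)
  "True when URL's host equals the host of a trusted source."
  (let ((host (url-host url)))
    (and host
         (plusp (length host))
         (some (lambda (trusted) (equal host (url-host trusted)))
               *trusted-installation-sources*))))

(defun signature-check-policy (url &key by-package-name)
  "Return :REQUIRED when the GPG check must not be skipped, else :SKIPPABLE."
  (if (and by-package-name (not (trusted-source-p url)))
      :required
      :skippable))

;; Constructed sample URLs, as a cliki.net lookup might return them.
(dolist (url '("http://common-lisp.net/project/foo/foo.tar.gz"
               "http://COMMON-LISP.NET:80/project/foo/foo.tar.gz"
               "http://common-lisp.net.lookalike.example/foo.tar.gz"
               "http://common-lisp.net@lookalike.example/foo.tar.gz"
               "ftp://common-lisp.net/foo.tar.gz"))
  (format t "~&~A~%  => ~S~%" url
          (signature-check-policy url :by-package-name t)))
```

Comparing parsed hosts rather than string prefixes keeps a URL that merely begins with a trusted string from being treated as trusted.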