BDFProxy VS quicklisp-https

for same sort of thing but not lisp, see backdoor factory that will backdoor any .exe you download over connection that attacker is MITMing. attacker doesn't need to know what specific library you will download from quicklisp, they write a mitmproxy script like that so for any download from quicklisp.org, it opens the .tar.gz, adds some malicious lisp to it (probably that just executes shell command to download and execute their normal malware, password stealer or whatever as I don't think they going to write full malware in lisp), repack it as .tar.gz you were requesting and serve it to you. It's not the same issue as phishing where they email saying please open and run attachment.exe and you click through all the warnings that you are doing something dangerous and about to run untrusted code. You just use quicklisp as you normally do, if you install any package, when an attacker can MITM your connection they can run code on your computer. Yes that is sometimes also possible with browser exploit but browsers have multiple layers of sandbox and protections against it, and when someone finds a vulnerability that gets through it is treated as a serious vulnerability to fix. some of this thread seems people saying well nothing is perfectly secure a sufficiently pacient, skilled, well-funded attacker can always get through somehow, so it doesn't matter raising the bar off the floor by not using http unverified to download code we run on people's computer

Have you seen this mitmproxy plugin: https://github.com/secretsquirrel/BDFProxy They use mitmproxy to capture and replace software auto-updates.

Other options are:

- Quicklisp -really slick, libraries in there are curated. (with https support here: https://github.com/rudolfochrist/ql-https and here: https://github.com/snmsts/quicklisp-https.git)

- for project-local dependencies like virtualenv: https://github.com/fukamachi/qlot

- a new, more traditional one: https://www.clpm.dev (CLPM comes as a pre-built binary, supports HTTPS by default, supports installing multiple package versions, supports versioned systems, and more)

For recent Quicklisp upgrades: http://ultralisp.org/

Ocicl is very new (5 days) and tries a new approach, building "on tools from the world of containers".

I use this on a system that has curl to safely bootstrap https://github.com/snmsts/quicklisp-https.git which then uses openssl via dexador so that I can drop the curl dependency. A bit of a dance to get everything up and running, but once it is done for a given system you are good to go.

https://github.com/snmsts/quicklisp-https/blob/master/quicklisp-https.asd#L7 ?