quicklisp-client VS defstar

Yes, that's clear.

I'm not very familiar with how quicklisp works. I thought that “updates once a month” implies a separate update channel (distribution, ...).

Looking at the relevant issue, https://github.com/quicklisp/quicklisp-client/issues/167 , it's not clear that even hashes are in place.

I recently found out that most Nix fetchers use https, but do not actually do verification (`curl --insecure` or equivalent libcurl settings). Channel updates do verify and include hashes, so the overall chain is authenticated.

The latest comment I see about this here from Oct. 2022 says they're working on it. There's also comment by the developer in 2016 saying want to improve the security soon, so it doesn't really seem this will actually happen soon. I realise making signature verification work cross platform in pure lisp without external dependencies isn't easy but from latest comment it seems they have that working, in a branch written 4 years ago? The simplest no-code solution is just since quicklisp is published every month or so, on each new update publish a file with sha256 hash of every package contained in quicklisp signed with same developer's pgp key they are already using to sign download of the initial quicklisp.lisp, yes then users if they care about security would have to manually download the file and verify signature every month or so but it's at least some solution that can be done now.

> That's what regular devs do, they don't even bother writing articles or commenting on HN :-)

I'll take the bait, and roll up several of my comments into one.

First, the support contract costs from the commercial vendors can make sense. It's one of the most expensive parts of software. We joke about fixing relatives' printers, but its not false. Support costs introduce a counter-balance.

Second, a message to everyone looking into or using QuickLisp, it uses http instead of https: https://github.com/quicklisp/quicklisp-client/issues/167

You can patch your version to fix this. I'd also recommend adding firewall rules to deny in case your patches roll back. And any other mitigation. Or stricter policies, such as not using it, if it makes sense for your organization.

And the AI bots? I hope there aren't people herding them who don't want to, that's how you get unloving brats and a crappy world.

I found this github issue about it, open since 2018: https://github.com/quicklisp/quicklisp-client/issues/167

I agree 100% about needing to test and audit for security. But based on the information I've seen and public activity in repos, I assumed Xach was going for home-grown CL implementation. https://github.com/quicklisp/quicklisp-client/blob/pgp/quicklisp/openpgp.lisp

there is also https://github.com/lisp-maintainers/defstar for providing more ergonomic type declarations inline in definitions

And this is another thing I'm not sure how to explain, I thought CL is surely more verbose and ugly than python for small scripts, but maybe it's macros will make it cleaner for building large systems. But then when I started writing actual programs, even small programs without any of my own macros, I generally use about 30% less LoC than in python... I've thought about making sly/slime like support for python (built on ipython with autoreload extension) or ruby (with it's fairly new low-overhead debug gem). But at the end of the day support for these things will always be incomplete and a hack compared to CL where it was designed from the start to support it, they run 20-100x slower than CL, and imo their runtime metaprogramming is harder to reason about than CL which is mostly compile time metaprogramming. When I've had to dig into some CL library, which is a lot more often than in those languages because it has 10000x fewer users so of course I will be first to run into some issue, it has generally been easy to understand what is going on and fix it, compared to large codebases in other languages.

Regarding "modern type-safe language", languages with expressive type systems, rust, ocaml, haskell, typescript, etc, can give really confusing type errors, when you get into generics and traits and more expressive stuff. I'm not convinced it's a better development experience than a dynamically typed languages where values have simple types, and when you get a type error you see the actual contents of the variable that is the wrong type and state of the program, at least in the case of CL where the stack isn't unwound on error and runtime is kind of compile-time as you're running all code as you write it. But mostly this sort of interactive development is very hard to implement in static languages, I'm not aware of any that does it. For example even in static langs like ocaml that have a repl through a bytecode interpreter, simple things don't work like say you pass some function as an event handler, and then update the function. As you passed efectively a function pointer to the old definition, rather than a symbol name like lisp, it will be calling the original function not the new version. But the main issue is that efficient staticly typed languages the type system is all at compile time, type information doesn't exist at runtime, which is great for performance, but means you don't get the ability to introspect on your running program like you do in CL and elixir, which personally I value more than full compile-time type checking.

Would I like some new language or heavy modification of existing language runtime that provides the best of everything? of course, but I also realize that it's a huge amount of work and won't happen with 10 years, while I can have a nice experience hacking away in CL and emacs right now. And ultimately CL is an extremely flexible language and I think it'll be less work to build on CL than to provide a CL like runtime for some other language. For example projects really pushing the edge there is Coalton described above. While personally I prefer dynamicly typed for general application programming I think Coalton could be great for compilers, parsing some protocol, or writing some subparts of your program in. And vernacular (https://github.com/ruricolist/vernacular) which explores bringing racket's lang and macro system to CL. For more standard CL code, using extremely common and widely used libraries like alexandria, serapeum, trivia, etc, already makes CL into a fairly modern and ergonomic language to write.

> both are dynamic languages with types added later in?

Common Lisp has always had types and type declarations (e.g. `the` in the hyperspec[1]) as it's part of the specification. It was not added later as far as I know.

However, `declaim` and `declare` were left very underspecified so they tend to be very implementation-specific, though there are libraries that make types more portable[2][3].

[1] http://www.lispworks.com/documentation/HyperSpec/Body/s_the....

[2] https://github.com/lisp-maintainers/defstar

[3] https://github.com/ruricolist/serapeum/blob/master/REFERENCE...

Like defstar? https://github.com/lisp-maintainers/defstar Type declarations that you can place inside the defun. Also serapeum:-> (atop the defun). Or Coalton: https://github.com/coalton-lang/coalton/ But it's possible you'll feel much less a need for that in CL.

Hi, if you plan to work on enhancing the library (glad to here!): you can fork the repository to your github username, decide that you will be able to maintain for the foreseeable future and ask Quicklisp to point defstrar to your repository. You can create a defstar org on github, so you could easily give push access to future maintainers. Or, you could ask for write access here: https://github.com/lisp-maintainers/defstar it's an un-official org that I created in the hope to maintain orphan projects collectively. You can send PRs or ask for push access. There is no current maintainer for this project, it is not pointed to by QL, it is only a Github mirror. Best,

agreed^^ there are macros and libraries to bring a nicer syntax (of course). Exple: https://github.com/lisp-maintainers/defstar

   (defun\* (sum -> real) ((a real) (b real))