A small step in the right direction: https for quicklisp.org

I had a joke slide at ELS last week that explained why Quicklisp was so easy to install: just use curl install.quicklisp.net | sudo sh.  (Don't try this.) Although Quicklisp's installation isn't as risky as piping random code into a root shell, it does have its own problems. Several people at the conference asked me when I would add more security features to Quicklisp.

As of this week, www.quicklisp.org is available through an https connection. Any requests that come in over http are redirected to the equivalent https location. That means you can have some confidence that the information there is provided by me, rather than intercepted and replaced by a third party.

The main Quicklisp website is only part of the story. The software to install and use Quicklisp is hosted on another domain, beta.quicklisp.org. That domain now has optional https access, so that any URL may be accessed either through https or http.

That means the bootstrap file quicklisp.lisp is available via https, and so is the PGP key I use to sign client software and dist metadata. (That key is also available via various PGP keyservers.) If you have programs that fetch quicklisp.lisp or software archives directly from beta.quicklisp.org, I encourage you to update them to use https instead of http.

Why doesn't beta.quicklisp.org use https exclusively? Unfortunately, the Quicklisp client code itself does not know how to connect via https, so turning off http access would break Quicklisp completely. It will take more time to update the Quicklisp client code to use https.

Implementing https for quicklisp.org is a small, but important, first step toward making the use of Quicklisp safer. If you have any questions or concerns, please get in touch via zach@quicklisp.org.


  1. Font is blocked and not loaded. Remove "http:" in first line of style.css.

  2. Congratulations!

    Are you going to use ironclad for https? Or use run-program to invoke curl or wget or some such? Or link against libssl? Or just rely on the client, itself only available through https, possessing the initial PGP key from which to authenticate the rest, and use run-program or gpgme?