How does ocicl compare to Quicklisp for Common Lisp development?

ocicl offers modern security features like OCI-based distribution and sigstore integration, along with built-in tooling for linting and SBOM generation, making it better for teams needing reproducible builds and audits. However, Quicklisp has a larger, more established library ecosystem and simpler setup for general use.

How to set up ocicl on a new system with SBCL?

Install ocicl via Linux packages, Homebrew, or from source using SBCL, then run 'ocicl setup' to configure the runtime. Add the provided Lisp snippet to your startup file (~/.sbclrc) to enable automatic dependency loading. Refer to the installation and setup sections in the README for platform-specific details.

Does ocicl work with Lisp implementations like ABCL or ECL?

Yes, the ocicl-runtime library is compatible with ABCL, ECL, SBCL, and Allegro Common Lisp for loading systems. However, the CLI tool itself must be built with SBCL, so runtime usage is broad while tool building is limited to SBCL on supported OSes.

What are the main security advantages of using ocicl?

ocicl uses TLS for all downloads, PGP signatures for package integrity, and sigstore transparency logs for auditing, providing verifiable and tamper-proof dependency chains. This contrasts with traditional methods that may rely on insecure HTTP or lack signature verification.

How to self-host a private ocicl registry for internal use?

Use OCI-compatible tools like skopeo to mirror artifacts from the default ghcr.io/ocicl registry, or run a local registry like Zot. Then configure ocicl with the '--registry' option during setup to point to your private registry, as explained in the self-hosting section.

How to fix TLS certificate errors when ocicl fails to download packages?

Enable TLS debugging with OCICL_TLS_DEBUG=1, specify custom CA bundles via OCICL_CA_FILE or OCICL_CA_DIR, or use the '-k' flag for insecure mode temporarily. If issues persist, rebuild ocicl with the OpenSSL backend using USE_LEGACY_OPENSSL=1, as detailed in the advanced TLS troubleshooting steps.

ocicl — OCI Package Manager for Lisp

What is ocicl?

ocicl is an OCI-based package manager and development toolchain for Common Lisp. It distributes ASDF systems as secure OCI artifacts, replacing traditional distribution methods with modern container registry infrastructure. It solves the problem of reproducible, verifiable dependency management while providing integrated linting, project templates, and security features.

Target Audience

Common Lisp developers seeking modern, secure package management and tooling, particularly those working in teams or environments requiring reproducible builds, dependency auditing, and supply chain security.

Value Proposition

Developers choose ocicl for its combination of OCI-based security (TLS, sigstore), integrated development tools (linter, templates), and reproducibility features. It offers a verifiable, self-hostable alternative to Quicklisp with stronger guarantees about code integrity and dependency locking.

An OCI-based ASDF system distribution and management tool for Common Lisp

Use Cases

Best For

Teams requiring reproducible Common Lisp builds with locked dependencies
Developers needing integrated linting and auto-fixing for Common Lisp code
Projects demanding supply chain security and SBOM generation
Environments where self-hosting a package registry is necessary
Bootstrapping new Common Lisp applications with templates
Auditing dependency freshness and license compliance

Not Ideal For

Projects deeply integrated with Quicklisp's extensive, non-OCI library ecosystem
Solo developers or rapid prototyping scenarios where minimal configuration and instant dependency access are priorities
Environments using Lisp implementations or platforms not supported by the ocicl CLI (e.g., non-SBCL builds or exotic OSes)
Internal or isolated networks where TLS/security overhead complicates simple dependency management

Pros & Cons

Pros

OCI-Based Security & Integrity

Packages are distributed as OCI artifacts with TLS encryption, PGP signatures, and sigstore transparency logs, ensuring verifiable and tamper-proof dependencies directly from the README's security section.

Integrated Linting & Auto-Fixing

The built-in linter includes 49 auto-fixable rules for Common Lisp code, covering style, errors, and best practices, with configurable options and git hook support as detailed in the code linting section.

Reproducible Builds with Version Locking

Dependency versions are locked in ocicl.csv files, enabling exact environment reproduction across systems, and local-only mode ensures isolation for CI/CD pipelines.

Advanced Development Tooling

Features like AI-generated change summaries, libyear freshness metrics, license collection, and SBOM generation provide comprehensive project insights and compliance aids.

Cons

Initial Setup and Configuration Burden

Users must manually install the CLI, run 'ocicl setup', edit Lisp startup files, and handle TLS configuration, with extensive troubleshooting steps noted for certificate issues.

Smaller Package Ecosystem

The ocicl registry requires systems to be specifically added and mirrored, resulting in a more limited selection compared to Quicklisp's established library base.

Platform-Specific CLI Build Requirements

The command-line tool must be built with SBCL on Linux, Windows, or macOS, limiting portability and requiring community contributions for other platforms.

Frequently Asked Questions

What is ocicl?

Target Audience

Value Proposition

Use Cases

Best For

Teams requiring reproducible Common Lisp builds with locked dependencies
Developers needing integrated linting and auto-fixing for Common Lisp code
Projects demanding supply chain security and SBOM generation
Environments where self-hosting a package registry is necessary
Bootstrapping new Common Lisp applications with templates
Auditing dependency freshness and license compliance

Not Ideal For

Projects deeply integrated with Quicklisp's extensive, non-OCI library ecosystem
Solo developers or rapid prototyping scenarios where minimal configuration and instant dependency access are priorities
Environments using Lisp implementations or platforms not supported by the ocicl CLI (e.g., non-SBCL builds or exotic OSes)
Internal or isolated networks where TLS/security overhead complicates simple dependency management

Pros & Cons

Pros

OCI-Based Security & Integrity

Integrated Linting & Auto-Fixing

Reproducible Builds with Version Locking

Dependency versions are locked in ocicl.csv files, enabling exact environment reproduction across systems, and local-only mode ensures isolation for CI/CD pipelines.

Advanced Development Tooling

Features like AI-generated change summaries, libyear freshness metrics, license collection, and SBOM generation provide comprehensive project insights and compliance aids.

Cons

Initial Setup and Configuration Burden

Users must manually install the CLI, run 'ocicl setup', edit Lisp startup files, and handle TLS configuration, with extensive troubleshooting steps noted for certificate issues.

Smaller Package Ecosystem

The ocicl registry requires systems to be specifically added and mirrored, resulting in a more limited selection compared to Quicklisp's established library base.

Platform-Specific CLI Build Requirements

The command-line tool must be built with SBCL on Linux, Windows, or macOS, limiting portability and requiring community contributions for other platforms.

Frequently Asked Questions

ocicl

What is ocicl?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Open Source Alternative To

Frequently Asked Questions

Found a gem we're missing?

ocicl

What is ocicl?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Open Source Alternative To

Frequently Asked Questions

Found a gem we're missing?