Hacker News

The post doesn't mention other package managers: Ultralisp is a Quicklisp distribution that ships every 5 minutes (but it doesn't check that all packages load correctly together), Qlot is used for project-local dependencies, where you pin each one precisely, CLPM is a new package manager that fixes some (all?) Quicklisp limitations (whose limitations you may not encounter after a few years of happy use: it is very slick).

- https://gitlab.common-lisp.net/clpm/clpm



Hello, vindarel. Thanks for your reply! I've actually been working through your Common Lisp course on Udemy. Thanks very much for that too! Sadly it has been slow because I have a lack of free time. I have been enjoying a bit of a programming Renaissance within the last year or two after writing in imperative languages for decades. I switched from Vim to Emacs (with evil), got into Emacs Lisp, then on down the rabbit hole with CL, Scheme, etc. Good times.

Anyway, clearly I have more to explore with the CL ecosystem, but the point of my comment was really that I am surprised that a language as old (or venerable) as Common Lisp doesn't seem to have already sorted out strong package versioning and cryptographically verifiable dependencies. The fact that using HTTPS is sort of new is concerning. Maybe the language just comes from more trustworthy days in general, but my paranoia has problems with that these days. I see CLPM has a "beta" warning, mostly one author, and 14 stars (for what that's worth). It seems there is still a lot of work to be done in this area.

Despite all that, I would recommend to anyone to try CL for all its other advantages. Other tools (such as my suggestion with Guix) might be leveraged to make up for any shortcomings until good "native" solutions are sorted out (assuming I'm not completely misunderstanding the state of affairs).



