ocicl 2.16.13 Release Notes

Release Date: April 2026

Summary

Bug fix release: GPG signing keys for RPM and DEB package repositories are now correctly published.

Bug Fixes

• Fixed GPG key deployment for package repositories: The RPM and DEB repository GPG public keys were not being uploaded during the release workflow, so RPM-GPG-KEY-ocicl and the DEB archive keyring were unavailable from the package repo URLs. Users configuring dnf/apt repos with GPG verification would fail to fetch the signing key.

New Features

• Full CI/release/packaging infrastructure in project templates: The cli and web1 templates created by ocicl new now include GitHub Actions workflows for CI testing, release builds (RPM, DEB, tarballs, Windows installers), SBOM generation, GPG signing, and GitHub Pages-hosted package repositories.

Breaking Changes

None. This release is fully backward compatible with 2.16.12.

Upgrade Notes

Drop-in replacement for 2.16.12.

Installation

Download the appropriate package for your system from the releases page:

Linux:

• Fedora/RHEL/CentOS: sudo dnf install ocicl (via repo) or download RPM
• Debian/Ubuntu: sudo apt install ocicl (via repo) or download DEB

Windows:

• Installer: ocicl-2.16.13-setup.exe (recommended)
• MSI: ocicl-2.16.13.msi
• Chocolatey: choco install ocicl
• ZIP: ocicl-2.16.13-windows-amd64.zip

macOS:

• Homebrew: brew install ocicl
• ARM64: ocicl-2.16.13-macos-arm64.tar.gz
• x64: ocicl-2.16.13-macos-x64.tar.gz

ocicl 2.16.12 Release Notes

Release Date: April 2026

Summary

Packaging improvements: SPDX SBOM included in RPM and DEB packages, DEB apt warning fixed.

New Features

SBOM in Linux packages

RPM and DEB packages now include an SPDX SBOM (Software Bill of Materials)
installed at /usr/share/sbom/ocicl-2.16.12.spdx.json. This enables
system-level SBOM aggregation and vulnerability correlation tooling.

Bug Fixes

• Fixed missing Date field in DEB repository Release file that caused
  apt update to emit a warning (#194).

Breaking Changes

None. This release is fully backward compatible with 2.16.11.

Upgrade Notes

Drop-in replacement for 2.16.11.

Installation

Download the appropriate package for your system from the releases page:

Linux:

• Fedora/RHEL/CentOS: sudo dnf install ocicl (via repo) or download RPM
• Debian/Ubuntu: sudo apt install ocicl (via repo) or download DEB

Windows:

• Installer: ocicl-2.16.12-setup.exe (recommended)
• MSI: ocicl-2.16.12.msi
• Chocolatey: choco install ocicl
• ZIP: ocicl-2.16.12-windows-amd64.zip

macOS:

• Homebrew: brew install ocicl
• ARM64: ocicl-2.16.12-macos-arm64.tar.gz
• x64: ocicl-2.16.12-macos-x64.tar.gz

ocicl 2.16.11 Release Notes

Release Date: April 2026

Summary

Security update: pure-tls 1.11.1 fixes three certificate verification and TLS post-handshake vulnerabilities.

Security

pure-tls 1.11.1 (updated from 1.11.0)

Three security issues fixed in certificate verification and post-handshake handling:

• Trust-anchor forgery — Trust-anchor matching now requires
  cryptographic signature verification, not just issuer-name equality,
  preventing forged intermediates from satisfying the anchor check.
• TLS 1.3 message fragmentation — Post-handshake messages now use
  the reassembly buffer to correctly handle TLS 1.3 message
  fragmentation and coalescing across records.
• Wildcard hostname bypass — Wildcard hostname validation now
  rejects known multi-label public suffixes (e.g., *.co.uk) that were
  previously accepted due to insufficient dot-counting.

Updated Dependencies

• drakma updated (new build)
• cl-selfupdate updated to 20260412-ee7dcdc
• 40ants-doc updated to 20260411-5b0d0ba

Breaking Changes

None. This release is fully backward compatible with 2.16.10.

Upgrade Notes

Drop-in replacement for 2.16.10.

Installation

Download the appropriate package for your system from the releases page:

Linux:

• Fedora/RHEL/CentOS: sudo dnf install ocicl (via repo) or download RPM
• Debian/Ubuntu: sudo apt install ocicl (via repo) or download DEB

Windows:

• Installer: ocicl-2.16.11-setup.exe (recommended)
• MSI: ocicl-2.16.11.msi
• Chocolatey: choco install ocicl
• ZIP: ocicl-2.16.11-windows-amd64.zip

macOS:

• Homebrew: brew install ocicl
• ARM64: ocicl-2.16.11-macos-arm64.tar.gz
• x64: ocicl-2.16.11-macos-x64.tar.gz

ocicl 2.16.9 Release Notes

Summary

First release with GPG-signed RPM packages and sigstore build provenance attestations.

Improvements

• RPM packages are now GPG-signed for verification with dnf/rpm.
• RPM repository metadata (repomd.xml) is signed.
• Build provenance attestations via sigstore for all release artifacts.

Breaking Changes

None.

ocicl 2.16.8 Release Notes

Changes

Support for authenticated/private OCI registries

ocicl now supports authenticated and private OCI registries, enabling
use with registries that require credentials (e.g., private GitHub
Container Registry, AWS ECR, Azure ACR).

New OCICL_SYSTEMS_DIR environment variable

Added the OCICL_SYSTEMS_DIR environment variable to allow users to
customize where ocicl stores downloaded systems, instead of always
using the default location.

Fixed missing ocicl.csv in web1 template

The web1 project template was missing its ocicl.csv file, which
is now included.

CI improvements

Added a 30-minute timeout to CI jobs to prevent runaway builds.

Breaking Changes

None. This release is fully backward compatible with 2.16.7.

Installation

Download the appropriate package for your system from the releases page:

Linux:

• Fedora/RHEL/CentOS: ocicl-2.16.8-1.*.x86_64.rpm
• Debian/Ubuntu: ocicl_2.16.8-1_amd64.deb

Windows:

• Installer: ocicl-2.16.8-setup.exe (recommended)
• MSI: ocicl-2.16.8.msi
• Chocolatey: choco install ocicl (after community repo publication)
• ZIP: ocicl-2.16.8-windows-amd64.zip

macOS:

• Homebrew: brew install ocicl
• ARM64: ocicl-2.16.8-macos-arm64.tar.gz
• x64: ocicl-2.16.8-macos-x64.tar.gz

ocicl 2.16.7 Release Notes

Changes

Restored missing bundled systems

The v2.16.6 dependency update incorrectly removed transitive
dependencies still required for source builds (e.g., Homebrew). This
release restores all missing systems: babel, bordeaux-threads, cffi,
chipz, chunga, cl-base64, cl-cancel, cl-ppcre, closer-mop,
documentation-utils, flexi-streams, global-vars, idna,
mgl-pax-bootstrap, named-readtables, precise-time, puri,
split-sequence, trivial-features, trivial-garbage, trivial-gray-streams,
trivial-indent, usocket, and atomics.

Fixes #193.

Fixed Windows build failure

Guarded sb-posix:mkdtemp in cl-selfupdate with
#+(and sbcl (not windows)) since this function is not available on
Windows SBCL.

Breaking Changes

None. This release is fully backward compatible with 2.16.5.

Installation

Download the appropriate package for your system from the releases page:

Linux:

• Fedora/RHEL/CentOS: ocicl-2.16.7-1.*.x86_64.rpm
• Debian/Ubuntu: ocicl_2.16.7-1_amd64.deb

Windows:

• Installer: ocicl-2.16.7-setup.exe (recommended)
• MSI: ocicl-2.16.7.msi
• Chocolatey: choco install ocicl (after community repo publication)
• ZIP: ocicl-2.16.7-windows-amd64.zip

macOS:

• Homebrew: brew install ocicl
• ARM64: ocicl-2.16.7-macos-arm64.tar.gz
• x64: ocicl-2.16.7-macos-x64.tar.gz

ocicl 2.16.5 Release Notes

Bug Fixes

Fix libyear regression reporting 0.00 for all systems

The ocicl libyear command was silently reporting 0.00 libyears for all systems due to two regressions:

1. Wrong lookup key in project dedup hash

• do-libyear stored the OCI image repository name (e.g., ag-proto-cli) extracted from the image reference, then used it for both the *ocicl-systems* lookup and the registry tag query
• Since *ocicl-systems* is keyed by system name (e.g., ag-grpc), the lookup failed silently whenever the repo name differed from the system name
• Fixed by storing the system name directly, matching how do-changes works

2. Version fallback only extracted git hash, not full tag

• When the _00_OCICL_VERSION file is absent (e.g., systems directory not present), get-project-version fell back to extracting the substring after the last - in the directory name
• For ag-gRPC-20260214-dd7b561, this gave dd7b561 instead of 20260214-dd7b561
• The truncated version never matched any registry tag, so get-versions-since always returned NIL
• The fallback now detects the -YYYYMMDD date pattern and extracts the full version (e.g., 20260214-dd7b561)

Lint: extend cond-vs-if fixer

• Extended fix-cond-vs-if to handle two-clause COND with (t ...) as the second clause, converting to IF with proper indentation
• Added coerce-to-node-formatted for indented IF/PROGN output in lint fixers

Breaking Changes

None. This release is fully backward compatible with 2.16.4.

Installation

Download the appropriate package for your system from the releases page:

Linux:

• Fedora/RHEL/CentOS: ocicl-2.16.5-1.*.x86_64.rpm
• Debian/Ubuntu: ocicl_2.16.5-1_amd64.deb

Windows:

• Installer: ocicl-2.16.5-setup.exe (recommended)
• MSI: ocicl-2.16.5.msi
• Chocolatey: choco install ocicl (after community repo publication)
• ZIP: ocicl-2.16.5-windows-amd64.zip

macOS:

• Homebrew: brew install ocicl
• ARM64: ocicl-2.16.5-macos-arm64.tar.gz
• x64: ocicl-2.16.5-macos-x64.tar.gz

ocicl 2.16.4 Release Notes

Bug Fixes

Linter Improvements

1. Issue #159: Improved defvar-without-value message

• Updated the defvar-without-value linter message to be more helpful
• Now suggests using (DECLAIM (SPECIAL ...)) for forward declarations
• Provides clearer guidance on when DEFVAR without a value is appropriate

Problem:
The previous message "DEFVAR without initial value" didn't explain why this might be an issue or what the alternatives are.

Solution:
New message: "DEFVAR without initial value - consider (DECLAIM (SPECIAL ...)) for forward declarations"

2. Issues #164 & #165: Disabled semantically incorrect rules

• Disabled the if-or rule that suggested replacing (if (or ...) t nil) with (or ...)
• Disabled the cond-or rule that suggested replacing (cond ((or ...) t)) with (or ...)
• Both transformations change semantics: T (always true) vs generalized boolean (implementation-dependent)

Problem:

(if (or condition1 condition2) t nil)  ; Always returns T or NIL
(or condition1 condition2)             ; Returns the true value, not T

The transformation changes the return value from boolean T to a generalized boolean (the actual true value), which can break code that depends on canonical T.

Solution:
Both rules have been disabled to prevent incorrect transformations. While context-sensitive analysis could detect safe cases, the complexity doesn't justify the benefit.

Breaking Changes

None. This release is fully backward compatible with 2.16.3.

Installation

Download the appropriate package for your system from the releases page:

Linux:

• Fedora/RHEL/CentOS: ocicl-2.16.4-1.*.x86_64.rpm
• Debian/Ubuntu: ocicl_2.16.4-1_amd64.deb

Windows:

• Installer: ocicl-2.16.4-setup.exe (recommended)
• MSI: ocicl-2.16.4.msi
• Chocolatey: choco install ocicl (after community repo publication)
• ZIP: ocicl-2.16.4-windows-amd64.zip

macOS:

• Homebrew: brew install ocicl
• ARM64: ocicl-2.16.4-macos-arm64.tar.gz
• x64: ocicl-2.16.4-macos-x64.tar.gz

ocicl 2.16.3 Release Notes

Bug Fixes

Linter False Positives and Auto-Fixer Issues

Fixed five linter bugs reported in GitHub issues #185-189:

1. Issue #185: malformed-let in backquoted macro definitions

• Added zip-in-backquote-p to detect macro template contexts
• Updated rule-let-validation to skip validation inside backquoted forms
• Fixed false positive where ,db-var in macro templates was incorrectly flagged as CONS

Problem:

(defmacro with-db ((db-var) &body body)
  `(bt:with-lock-held (*db-lock*)
     (let ((,db-var (or *db* (open-db))))  ; <-- false positive here
       ...)))

Solution:
The linter now recognizes backquoted expressions as macro template code and doesn't parse commas as part of binding variables.

2. Issue #186: redundant-block doesn't account for RETURN statements

• Enhanced the redundant-block rule to walk the body and check for RETURN/RETURN-FROM statements
• A block is only flagged as redundant if it contains no return statements

Problem:

(block nil
  (let ((x 42))
    (when (> x 10)
      (return))  ; <-- block is needed for this
    (do-something x)))

Solution:
The linter now checks for RETURN/RETURN-FROM statements before flagging a block as redundant.

3. Issue #187: Auto-fixer generates invalid code for (progn ,@Body)

• Updated fix-redundant-progn to detect backquoted contexts and unquote-splicing forms
• Prevents attempting to fix (progn ,@body) in macro templates
• No longer generates invalid literal "unquote-splicing body" text

Problem:
The auto-fixer would transform (progn ,@body) to literal text (unquote-splicing body), causing runtime errors.

Solution:
The fixer now skips (progn ,@body) patterns in backquoted contexts, recognizing they're needed in macros.

4. Issue #188: redundant-progn in macros with &body

• Updated the redundant-progn rule to detect unquote-splicing forms
• Correctly recognizes that (progn ,@body) is needed in macros since &body can splice multiple forms

Problem:

(defmacro with-db ((db-var) &body body)
  `(unwind-protect
       (progn ,@body)  ; <-- not redundant, body can be multiple forms
     (cleanup)))

Solution:
The linter now skips the redundant-progn check for (progn ,@body) patterns.

5. Issue #189: Auto-fixer generates broken COND indentation

• Rewrote fix-bare-progn-in-if to use AST manipulation instead of manual string formatting
• Properly builds COND forms using rewrite-cl's AST nodes
• Eliminates indentation issues from manual string construction

Problem:
The fixer would generate COND forms with the (t ...) clause at incorrect indentation.

Solution:
Now uses proper AST building instead of string concatenation, producing correctly formatted code.

Pre-commit Hook Update

• Updated the pre-commit hook to exclude the systems/ directory
• Vendored third-party code is no longer linted during commits
• Only lints files in lint/, src/, and test/ directories

Breaking Changes

None. This release is fully backward compatible with 2.16.2.

Installation

Download the appropriate package for your system from the releases page:

Linux:

• Fedora/RHEL/CentOS: ocicl-2.16.3-1.*.x86_64.rpm
• Debian/Ubuntu: ocicl_2.16.3-1_amd64.deb

Windows:

• Installer: ocicl-2.16.3-setup.exe (recommended)
• MSI: ocicl-2.16.3.msi
• Chocolatey: choco install ocicl (after community repo publication)
• ZIP: ocicl-2.16.3-windows-amd64.zip

macOS:

• Homebrew: brew install ocicl
• ARM64: ocicl-2.16.3-macos-arm64.tar.gz
• x64: ocicl-2.16.3-macos-x64.tar.gz

ocicl 2.16.2 Release Notes

Bug Fixes

TLS Debug Output

Fixed OCICL_TLS_DEBUG environment variable showing "unknown" for TLS implementation:

Problem:

• Debug output always showed TLS implementation: unknown even when pure-tls was in use
• Used compile-time reader conditionals (#+pure-tls) but pure-tls doesn't set a feature flag

Solution:

• Changed to runtime package detection using (find-package :pure-tls)
• Now correctly identifies "pure-tls" or "cl+ssl" based on loaded packages

Now shows:

; TLS implementation: pure-tls
; TLS verify=T ca-file=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem ca-dir=NIL
; pure-tls: using CA bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
; pure-tls: trust store loaded with 151 certificate(s)

This makes troubleshooting TLS issues much clearer for users.

Breaking Changes

None. This release is fully backward compatible with 2.16.1.

Installation

Download the appropriate package for your system from the releases page:

Linux:

• Fedora/RHEL/CentOS: ocicl-2.16.2-1.*.x86_64.rpm
• Debian/Ubuntu: ocicl_2.16.2-1_amd64.deb

Windows:

• Installer: ocicl-2.16.2-setup.exe (recommended)
• MSI: ocicl-2.16.2.msi
• Chocolatey: choco install ocicl (after community repo publication)
• ZIP: ocicl-2.16.2-windows-amd64.zip

macOS:

• Homebrew: brew install ocicl
• ARM64: ocicl-2.16.2-macos-arm64.tar.gz
• x64: ocicl-2.16.2-macos-x64.tar.gz