Howdy folks! We have two separate changes coming for the Clojars system that 
you need to be aware of. 

First, the tl;dr: 

- After 2021-04-15, versions of Java older than 7u25 will no longer be able to 
access the Clojars repository
- After 2021-04-18, a Clojars group name must have verified ownership before a 
new library can be deployed to it

Now, the details:

# Dropping support for old Java versions

The repository itself is hosted behind a Fastly CDN, and Fastly is forcing all 
accounts to switch to SNI[1] for TLS connections. Clojars will be migrated on 
or after 2021-04-15, so this will cause requests from older Java clients to 
fail (SNI support was added to Java in version 7u25 in 2011). So you will need 
to upgrade if you are still using an old Java for building or for running an 
artifact proxy. This change only affects connections to the repo.clojars.org 
hostname (and clojars.org/repo/, since it redirects to repo.clojars.org). 

[1]: https://en.wikipedia.org/wiki/Server_Name_Indication

# Requiring verified group names

In light of the recent announcement[2] of a method to inject libraries into 
internal builds by shadowing internal names (aka 'Dependency Confusion'), we 
have decided to take steps to make Clojars more secure. Clojars will soon 
require that all **new** libraries have a verified group name, and that group 
name needs to be reverse-domain-based. This will help protect against Clojars 
being used in the following attack vectors:

- shadowing a company-internal library name, causing the version published on 
Clojars to be used instead in some situations
- shadowing a library name that is also published to Maven Central or another 
public repository (Clojars already has checks in place to prevent shadowing 
anything on Maven Central, but they are brittle and could be removed once 
verification is in place)
- "typo-squatting" - a library that is named very similarly to one published 
elsewhere; designed to capture cases where a developer makes a typo in the 
dependency specification

The schedule for releasing this change should allow enough time for us to get 
the Clojars changes in place and to communicate the changes throughout the 
community:

- Today: 
  - net.clojars.<clojars-username>/org.clojars.<clojars-username> groups are 
already verified for all existing and future users (see below for details)
  - the Clojars admins can start processing any manual verification requests 
(see below for details)
  - **creating new non-verified groups and creating new libraries in 
non-verified groups is still allowed**
- 2021-03-07:
  - com.github.<github-username> and io.github.<github-username> groups will be 
verified automatically when when you log in via GitHub
- 2021-03-21: 
  - login via GitLab will be released
  - com.gitlab.<gitlab-username> groups verified automatically when you login 
via GitLab
- 2021-04-18: 
  - **creating new non-verified groups and creating new libraries in 
non-verified groups will be disabled**

[2]: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

## FAQ 

### What is a reverse-domain-based group name?

A reverse-domain-based group name is one that when reversed resolves to a 
DNS-resolvable domain, or a domain and a well known identifier within that 
domain. For example, com.github.clojars maps to https://github.com/clojars/, 
and org.clojars maps to https://clojars.org. This namespacing mechanism has a 
long history in Java for package names and libraries released to Maven 
Central[3]. Clojars has historically been less stringent, and using verifiable 
group names brings us closer to the standards followed by much of the broader 
JVM community.

[3]: 
https://blog.sonatype.com/why-namespacing-matters-in-public-open-source-repositories

### Do I have to have my own domain name to publish to Clojars?

No, you have quite a few automatically verified options if you don't have a 
domain name, don't want to use your own, or don't want to go through the manual 
verification process:

- org.clojars.<clojars-username>: this group exists for each Clojars user, and 
is automatically verified. These groups have existed since the early days of 
Clojars, and have typically been used as sandboxes/for non-canonical forks. We 
recommend using net.clojars.<clojars-username> for "official" releases instead.
- net.clojars.<clojars-username>: this group exists for each Clojars user, and 
is automatically verified
- com.github.<github-username> / io.github.<github-username>: both of these 
groups will be verified automatically when you login via GitHub after 
2021-03-07. See below if you want to verify 
(com|io).github.<github-organization-name>.
- com.gitlab.<gitlab-username>: this group will be verified automatically when 
you login via GitLab after 2021-03-21. See below if you want to verify 
com.gitlab.<gitlab-organization-name>.

### How do I verify a group name?

If you aren't using one of the auto-verified group names above, you will need 
to open a verification request[4] with the Clojars staff. 

If the group name matches a GitHub/GitLab organization name 
(com.github.<org>/com.gitlab.<org>/io.github.<org>), then we'll ask you to 
create a public repository with a specific name under that organization to 
prove ownership.

If the group name is some other reverse-domain-based name, we'll ask you to 
create a TXT DNS record under that domain (or some alternate method) to prove 
ownership.

If the group name isn't reverse-domain-based, it won't be verified.

If this is a new group (no libraries have yet been released to it), you will 
need to verify it before deploying the library after 2021-04-18.

[4]: 
https://github.com/clojars/administration/issues/new?template=group_verification.md

### How does this impact existing libraries published to Clojars?

This won't have an impact on releasing new versions of existing libraries; the 
group does not need to be verified for new versions. These changes only impact 
new libraries.

### Do I have to rename my existing libraries that I publish to Clojars?

Nope - existing libraries can continue to release new versions under their 
existing names and be referred to by their existing names. 

### Does this impact how Clojure namespaces have to be named within libraries?

Not at all - there is no relationship between the name of a library and the 
namespaces it provides (but zero correspondence between them might be 
confusing).

### Can I verify an existing group name?

Yes, as long as the group name is reverse-domain-based and you are a member of 
the group. Otherwise, no.

### What does this mean for single-named libraries?

Libraries with a "single name" (like hiccup, cheshire, clj-http) are 
implemented under the hood as a library where the group and artifact name are 
the same (hiccup/hiccup, cheshire/cheshire, etc). Existing libraries named in 
that fashion will continue to be releasable, but no new ones will be allowed to 
be created (that's not 100% accurate - you _could_ verify a domain-based-group, 
then use the group name as the artifact name as well, but that seems unlikely).

### I never publish libraries to Clojars, only use them. How does this impact 
me?

This should have no impact on you other than the improved security.

### How can I help?

Great question! You can help by:

- bringing any community documentation that needs to be updated to our 
attention, or updating it yourself
- sharing this information throughout the community. The bulk of this message 
is also available on the Clojars wiki at 
https://github.com/clojars/clojars-web/wiki/Verified-Group-Names

## Implementation

The plan to implement these changes is being tracked in 
https://github.com/clojars/clojars-web/projects/1 if you are interested 
following along.

## Discussion/feedback

If you have questions or concerns that aren't answered here, feel free to 
comment on the discussion at 
https://github.com/clojars/administration/discussions/2.

# Sponsors

Thanks for reading this far! I want to take this opportunity to thank the 
sponsors that make Clojars possible.

- Clojurists Together (https://www.clojuriststogether.org/) (and all of its 
members): Clojurists Together funds my maintenance work on Clojars
- Clubhouse Software (https://clubhouse.io/): Clubhouse covers our hosting 
costs, and is flexible enough as my employer to allow me to address any Clojars 
emergencies
- Fastly (http://fastly.com/): Fastly provides the CDN that fronts 
`repo.clojars.org` at no cost
- DNSimple (https://dnsimple.link/resolving-clojars): DNSimple provides free 
DNS services for Clojars
- Deps (https://www.deps.co/): Deps covers Daniel Compton's time for Clojars 
Administration
- Both Pingometer (https://pingometer.com/) and Sentry (http://sentry.io/) 
provide free service for monitoring
- Statuspage (https://www.statuspage.io/) provides free hosting for 
http://status.clojars.org/

-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
--- 
You received this message because you are subscribed to the Google Groups 
"Clojure" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to clojure+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/clojure/4148ed43-a978-4c7f-b76f-0dc14ff7a581%40www.fastmail.com.

Reply via email to