This is an interesting change, and essentially enforces a de-facto package naming scheme for Clojure. I don't see this as a bad thing, though.
Have you considered automatically validating domain name ownership by supplying a challenge token and then looking for it at a well-known location on the domain?

On Mon, 1 Mar 2021, at 1:46 PM, Toby Crawley wrote:
> Howdy folks! We have two separate changes coming for the Clojars system that
> you need to be aware of.
>
> First, the tl;dr:
>
> - After 2021-04-15, versions of Java older than 7u25 will no longer be able
>   to access the Clojars repository
> - After 2021-04-18, a Clojars group name must have verified ownership before
>   a new library can be deployed to it
>
> Now, the details:
>
> # Dropping support for old Java versions
>
> The repository itself is hosted behind a Fastly CDN, and Fastly is forcing
> all accounts to switch to SNI[1] for TLS connections. Clojars will be
> migrated on or after 2021-04-15, so this will cause requests from older Java
> clients to fail (SNI support was added to Java in version 7u25 in 2011). So
> you will need to upgrade if you are still using an old Java for building or
> for running an artifact proxy. This change only affects connections to the
> repo.clojars.org hostname (and clojars.org/repo/, since it redirects to
> repo.clojars.org).
>
> [1]: https://en.wikipedia.org/wiki/Server_Name_Indication
>
> # Requiring verified group names
>
> In light of the recent announcement[2] of a method to inject libraries into
> internal builds by shadowing internal names (aka 'Dependency Confusion'), we
> have decided to take steps to make Clojars more secure. Clojars will soon
> require that all **new** libraries have a verified group name, and that group
> name needs to be reverse-domain-based. This will help protect against Clojars
> being used in the following attack vectors:
>
> - shadowing a company-internal library name, causing the version published on
>   Clojars to be used instead in some situations
> - shadowing a library name that is also published to Maven Central or another
>   public repository (Clojars already has checks in place to prevent shadowing
>   anything on Maven Central, but they are brittle and could be removed once
>   verification is in place)
> - "typo-squatting" - a library that is named very similarly to one published
>   elsewhere; designed to capture cases where a developer makes a typo in the
>   dependency specification
>
> The schedule for releasing this change should allow enough time for us to get
> the Clojars changes in place and to communicate the changes throughout the
> community:
>
> - Today:
>   - net.clojars.<clojars-username>/org.clojars.<clojars-username> groups are
>     already verified for all existing and future users (see below for details)
>   - the Clojars admins can start processing any manual verification requests
>     (see below for details)
>   - **creating new non-verified groups and creating new libraries in
>     non-verified groups is still allowed**
> - 2021-03-07:
>   - com.github.<github-username> and io.github.<github-username> groups will
>     be verified automatically when you log in via GitHub
> - 2021-03-21:
>   - login via GitLab will be released
>   - com.gitlab.<gitlab-username> groups verified automatically when you log in
>     via GitLab
> - 2021-04-18:
>   - **creating new non-verified groups and creating new libraries in
>     non-verified groups will be disabled**
>
> [2]: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
>
> ## FAQ
>
> ### What is a reverse-domain-based group name?
>
> A reverse-domain-based group name is one that when reversed resolves to a
> DNS-resolvable domain, or a domain and a well known identifier within that
> domain. For example, com.github.clojars maps to https://github.com/clojars/,
> and org.clojars maps to https://clojars.org. This namespacing mechanism has a
> long history in Java for package names and libraries released to Maven
> Central[3]. Clojars has historically been less stringent, and using
> verifiable group names brings us closer to the standards followed by much of
> the broader JVM community.
>
> [3]: https://blog.sonatype.com/why-namespacing-matters-in-public-open-source-repositories
>
> ### Do I have to have my own domain name to publish to Clojars?
>
> No, you have quite a few automatically verified options if you don't have a
> domain name, don't want to use your own, or don't want to go through the
> manual verification process:
>
> - org.clojars.<clojars-username>: this group exists for each Clojars user,
>   and is automatically verified. These groups have existed since the early days
>   of Clojars, and have typically been used as sandboxes/for non-canonical
>   forks. We recommend using net.clojars.<clojars-username> for "official"
>   releases instead.
> - net.clojars.<clojars-username>: this group exists for each Clojars user,
>   and is automatically verified
> - com.github.<github-username> / io.github.<github-username>: both of these
>   groups will be verified automatically when you log in via GitHub after
>   2021-03-07. See below if you want to verify
>   (com|io).github.<github-organization-name>.
> - com.gitlab.<gitlab-username>: this group will be verified automatically
>   when you log in via GitLab after 2021-03-21. See below if you want to verify
>   com.gitlab.<gitlab-organization-name>.
>
> ### How do I verify a group name?
>
> If you aren't using one of the auto-verified group names above, you will need
> to open a verification request[4] with the Clojars staff.
>
> If the group name matches a GitHub/GitLab organization name
> (com.github.<org>/com.gitlab.<org>/io.github.<org>), then we'll ask you to
> create a public repository with a specific name under that organization to
> prove ownership.
>
> If the group name is some other reverse-domain-based name, we'll ask you to
> create a TXT DNS record under that domain (or some alternate method) to prove
> ownership.
>
> If the group name isn't reverse-domain-based, it won't be verified.
>
> If this is a new group (no libraries have yet been released to it), you will
> need to verify it before deploying the library after 2021-04-18.
>
> [4]: https://github.com/clojars/administration/issues/new?template=group_verification.md
>
> ### How does this impact existing libraries published to Clojars?
>
> This won't have an impact on releasing new versions of existing libraries;
> the group does not need to be verified for new versions. These changes only
> impact new libraries.
>
> ### Do I have to rename my existing libraries that I publish to Clojars?
>
> Nope - existing libraries can continue to release new versions under their
> existing names and be referred to by their existing names.
>
> ### Does this impact how Clojure namespaces have to be named within libraries?
>
> Not at all - there is no relationship between the name of a library and the
> namespaces it provides (but zero correspondence between them might be
> confusing).
>
> ### Can I verify an existing group name?
>
> Yes, as long as the group name is reverse-domain-based and you are a member
> of the group. Otherwise, no.
>
> ### What does this mean for single-named libraries?
>
> Libraries with a "single name" (like hiccup, cheshire, clj-http) are
> implemented under the hood as a library where the group and artifact name are
> the same (hiccup/hiccup, cheshire/cheshire, etc). Existing libraries named in
> that fashion will continue to be releasable, but no new ones will be allowed
> to be created (that's not 100% accurate - you _could_ verify a
> domain-based-group, then use the group name as the artifact name as well, but
> that seems unlikely).
>
> ### I never publish libraries to Clojars, only use them. How does this impact
> me?
>
> This should have no impact on you other than the improved security.
>
> ### How can I help?
>
> Great question! You can help by:
>
> - bringing any community documentation that needs to be updated to our
>   attention, or updating it yourself
> - sharing this information throughout the community. The bulk of this message
>   is also available on the Clojars wiki at
>   https://github.com/clojars/clojars-web/wiki/Verified-Group-Names
>
> ## Implementation
>
> The plan to implement these changes is being tracked in
> https://github.com/clojars/clojars-web/projects/1 if you are interested in
> following along.
>
> ## Discussion/feedback
>
> If you have questions or concerns that aren't answered here, feel free to
> comment on the discussion at
> https://github.com/clojars/administration/discussions/2.
>
> # Sponsors
>
> Thanks for reading this far! I want to take this opportunity to thank the
> sponsors that make Clojars possible.
>
> - Clojurists Together (https://www.clojuriststogether.org/) (and all of its
>   members): Clojurists Together funds my maintenance work on Clojars
> - Clubhouse Software (https://clubhouse.io/): Clubhouse covers our hosting
>   costs, and is flexible enough as my employer to allow me to address any
>   Clojars emergencies
> - Fastly (http://fastly.com/): Fastly provides the CDN that fronts
>   `repo.clojars.org` at no cost
> - DNSimple (https://dnsimple.link/resolving-clojars): DNSimple provides free
>   DNS services for Clojars
> - Deps (https://www.deps.co/): Deps covers Daniel Compton's time for Clojars
>   Administration
> - Both Pingometer (https://pingometer.com/) and Sentry (http://sentry.io/)
>   provide free service for monitoring
> - Statuspage (https://www.statuspage.io/) provides free hosting for
>   http://status.clojars.org/
>
> --
> You received this message because you are subscribed to the Google
> Groups "Clojure" group.
> To post to this group, send email to clojure@googlegroups.com
> Note that posts from new members are moderated - please be patient with your
> first post.
> To unsubscribe from this group, send email to
> clojure+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/clojure?hl=en
> ---
> You received this message because you are subscribed to the Google Groups
> "Clojure" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to clojure+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/clojure/4148ed43-a978-4c7f-b76f-0dc14ff7a581%40www.fastmail.com.

--
James Reeves
booleanknot.com

To view this discussion on the web visit https://groups.google.com/d/msgid/clojure/f012e559-ebe8-41fa-886d-b0b4ea173ec6%40www.fastmail.com.
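The verification flow discussed in this thread (reverse-domain group names, auto-verified personal groups, a TXT DNS challenge for other domains, and the well-known-URL challenge James suggests) as a worked example. This is added here and is not Clojars' own code; it implements the rules as the announcement describes them. Everything not on the page is an assumption: the `clojars-verify=<token>` TXT record format, the `/.well-known/clojars-verify` path, the label heuristic for "reverse-domain-based", and the `identities` mapping standing in for a user's Clojars/GitHub/GitLab logins. The DNS and HTTP lookups are injected so the example runs offline against constructed data; a real verifier would pass a resolver and an HTTP client in their place.

```python
import hmac
import re
import secrets
from typing import Callable, Iterable, Mapping, Optional

# Hostname-style label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

# Hosting prefixes named in the announcement, mapped to the login that auto-verifies them.
HOSTING_PREFIXES = {"com.github.": "github", "io.github.": "github", "com.gitlab.": "gitlab"}


def is_reverse_domain_based(group: str) -> bool:
    """Assumed heuristic, not Clojars' exact rule: two or more valid labels with an
    alphabetic top-level label. 'hiccup' and 'com' fail; 'org.clojars' passes."""
    labels = group.lower().split(".")
    return len(labels) >= 2 and labels[0].isalpha() and all(_LABEL.match(l) for l in labels)


def group_to_dns_name(group: str) -> str:
    """Reverse the labels into the DNS name a TXT challenge record goes under:
    com.example.tools -> tools.example.com."""
    return ".".join(reversed(group.lower().split(".")))


def group_to_location(group: str) -> str:
    """The URL a group name reverses to, as in the FAQ: com.github.clojars ->
    https://github.com/clojars/, org.clojars -> https://clojars.org/."""
    g = group.lower()
    for prefix in HOSTING_PREFIXES:
        if g.startswith(prefix):
            host = ".".join(reversed(prefix.rstrip(".").split(".")))
            return f"https://{host}/{g[len(prefix):]}/"
    return f"https://{group_to_dns_name(g)}/"


def classify(group: str, identities: Mapping[str, str]) -> str:
    """How the group can be verified for a user whose logins are in `identities`
    ({'clojars': ..., 'github': ..., 'gitlab': ...}, an assumed shape). Returns 'auto'
    (verified on login), 'hosting-org' (named public repo under the org), 'dns'
    (TXT record), or 'unverifiable' (not reverse-domain-based, or another user's
    personal group)."""
    g = group.lower()
    labels = g.split(".")
    if len(labels) == 3 and labels[:2] in (["org", "clojars"], ["net", "clojars"]):
        # Per-user sandbox/official groups: verified only for that Clojars user.
        return "auto" if labels[2] == identities.get("clojars") else "unverifiable"
    for prefix, service in HOSTING_PREFIXES.items():
        if g.startswith(prefix):
            owner = g[len(prefix):]
            if owner == identities.get(service):
                return "auto"
            return "hosting-org" if _LABEL.match(owner) else "unverifiable"
    return "dns" if is_reverse_domain_based(g) else "unverifiable"


def issue_challenge() -> str:
    """Fresh unguessable token. The admin side should store (group, requesting user,
    token) so a record found in the wild cannot be reused for a different group."""
    return secrets.token_urlsafe(24)


def txt_record_for(token: str) -> str:
    """Record text the owner publishes. The 'clojars-verify=' prefix is assumed."""
    return f"clojars-verify={token}"


def check_txt_challenge(group: str, token: str,
                        lookup_txt: Callable[[str], Iterable[str]]) -> bool:
    """True when a TXT record at the reversed group name carries the token.
    lookup_txt is injected (a real resolver in production, a dict here).
    Secrets are compared in constant time as a matter of habit."""
    expected = txt_record_for(token).encode()
    records = lookup_txt(group_to_dns_name(group))
    return any(hmac.compare_digest(rec.strip().encode(), expected) for rec in records)


def check_well_known_challenge(group: str, token: str,
                               fetch: Callable[[str], Optional[str]]) -> bool:
    """James Reeves's variant from the reply above: the token is served from a
    well-known URL on the domain. The path /.well-known/clojars-verify is assumed."""
    body = fetch(f"https://{group_to_dns_name(group)}/.well-known/clojars-verify")
    return body is not None and hmac.compare_digest(body.strip().encode(), token.encode())


def demo() -> dict:
    """Constructed sample data (not real DNS or web content) exercising each path."""
    alice = {"clojars": "alice", "github": "alice"}
    token = issue_challenge()
    fake_txt = {"tools.example.com": ["v=spf1 -all", txt_record_for(token)]}
    fake_web = {"https://tools.example.com/.well-known/clojars-verify": token + "\n"}
    return {
        "org.clojars.alice": classify("org.clojars.alice", alice),
        "com.github.alice": classify("com.github.alice", alice),
        "com.github.some-org": classify("com.github.some-org", alice),
        "com.example.tools": classify("com.example.tools", alice),
        "hiccup": classify("hiccup", alice),
        "txt_ok": check_txt_challenge("com.example.tools", token, lambda n: fake_txt.get(n, [])),
        "txt_wrong_group": check_txt_challenge("com.example.other", token, lambda n: fake_txt.get(n, [])),
        "well_known_ok": check_well_known_challenge("com.example.tools", token, fake_web.get),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

The classification mirrors the FAQ: `org.clojars.<you>` and `net.clojars.<you>` need nothing, your own `com.github.<you>` is settled by logging in, an organization name needs the out-of-band repository check, and any other reverse-domain name needs a DNS record, while a single-segment name like `hiccup` cannot be verified at all. The token must be random per request and tied to both the group and the requester; otherwise a TXT record left behind after one verification could be pointed at by a later request for an unrelated group.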