These changes have now been completed - you will need to use a verified group when deploying a *new* project to Clojars. These changes will only impact folks deploying to Clojars; consumption of artifacts from Clojars is unchanged. A summary of the current state:
- *existing* projects can still deploy new versions even if the group isn't verified. This won't change. - *new* projects can only be deployed to verified groups - *new* groups can only be created via a group verification request and must meet the guidelines for reverse-domain-based groups[1] - if you don't want to/aren't able to verify a group, there are several groups that are automatically verified for you[2] Please file an issue[3] if you run in to any issues with deploying. - Toby [1]:https://github.com/clojars/clojars-web/wiki/Groups#creating-a-group [2]:https://github.com/clojars/clojars-web/wiki/Groups#personal-groups [3]:https://github.com/clojars/clojars-web/issues/new/choose On Mon, Mar 1, 2021, at 08:46, Toby Crawley wrote: > Howdy folks! We have two separate changes coming for the Clojars system > that you need to be aware of. > > First, the tl;dr: > > - After 2021-04-15, versions of Java older than 7u25 will no longer be > able to access the Clojars repository > - After 2021-04-18, a Clojars group name must have verified ownership > before a new library can be deployed to it > > Now, the details: > > # Dropping support for old Java versions > > The repository itself is hosted behind a Fastly CDN, and Fastly is > forcing all accounts to switch to SNI[1] for TLS connections. Clojars > will be migrated on or after 2021-04-15, so this will cause requests > from older Java clients to fail (SNI support was added to Java in > version 7u25 in 2011). So you will need to upgrade if you are still > using an old Java for building or for running an artifact proxy. This > change only affects connections to the repo.clojars.org hostname (and > clojars.org/repo/, since it redirects to repo.clojars.org). > > [1]: https://en.wikipedia.org/wiki/Server_Name_Indication > > # Requiring verified group names > > In light of the recent announcement[2] of a method to inject libraries > into internal builds by shadowing internal names (aka 'Dependency > Confusion'), we have decided to take steps to make Clojars more secure. > Clojars will soon require that all **new** libraries have a verified > group name, and that group name needs to be reverse-domain-based. This > will help protect against Clojars being used in the following attack > vectors: > > - shadowing a company-internal library name, causing the version > published on Clojars to be used instead in some situations > - shadowing a library name that is also published to Maven Central or > another public repository (Clojars already has checks in place to > prevent shadowing anything on Maven Central, but they are brittle and > could be removed once verification is in place) > - "typo-squatting" - a library that is named very similarly to one > published elsewhere; designed to capture cases where a developer makes > a typo in the dependency specification > > The schedule for releasing this change should allow enough time for us > to get the Clojars changes in place and to communicate the changes > throughout the community: > > - Today: > - net.clojars.<clojars-username>/org.clojars.<clojars-username> > groups are already verified for all existing and future users (see > below for details) > - the Clojars admins can start processing any manual verification > requests (see below for details) > - **creating new non-verified groups and creating new libraries in > non-verified groups is still allowed** > - 2021-03-07: > - com.github.<github-username> and io.github.<github-username> groups > will be verified automatically when when you log in via GitHub > - 2021-03-21: > - login via GitLab will be released > - com.gitlab.<gitlab-username> groups verified automatically when you > login via GitLab > - 2021-04-18: > - **creating new non-verified groups and creating new libraries in > non-verified groups will be disabled** > > [2]: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 > > ## FAQ > > ### What is a reverse-domain-based group name? > > A reverse-domain-based group name is one that when reversed resolves to > a DNS-resolvable domain, or a domain and a well known identifier within > that domain. For example, com.github.clojars maps to > https://github.com/clojars/, and org.clojars maps to > https://clojars.org. This namespacing mechanism has a long history in > Java for package names and libraries released to Maven Central[3]. > Clojars has historically been less stringent, and using verifiable > group names brings us closer to the standards followed by much of the > broader JVM community. > > [3]: > https://blog.sonatype.com/why-namespacing-matters-in-public-open-source-repositories > > ### Do I have to have my own domain name to publish to Clojars? > > No, you have quite a few automatically verified options if you don't > have a domain name, don't want to use your own, or don't want to go > through the manual verification process: > > - org.clojars.<clojars-username>: this group exists for each Clojars > user, and is automatically verified. These groups have existed since > the early days of Clojars, and have typically been used as > sandboxes/for non-canonical forks. We recommend using > net.clojars.<clojars-username> for "official" releases instead. > - net.clojars.<clojars-username>: this group exists for each Clojars > user, and is automatically verified > - com.github.<github-username> / io.github.<github-username>: both of > these groups will be verified automatically when you login via GitHub > after 2021-03-07. See below if you want to verify > (com|io).github.<github-organization-name>. > - com.gitlab.<gitlab-username>: this group will be verified > automatically when you login via GitLab after 2021-03-21. See below if > you want to verify com.gitlab.<gitlab-organization-name>. > > ### How do I verify a group name? > > If you aren't using one of the auto-verified group names above, you > will need to open a verification request[4] with the Clojars staff. > > If the group name matches a GitHub/GitLab organization name > (com.github.<org>/com.gitlab.<org>/io.github.<org>), then we'll ask you > to create a public repository with a specific name under that > organization to prove ownership. > > If the group name is some other reverse-domain-based name, we'll ask > you to create a TXT DNS record under that domain (or some alternate > method) to prove ownership. > > If the group name isn't reverse-domain-based, it won't be verified. > > If this is a new group (no libraries have yet been released to it), you > will need to verify it before deploying the library after 2021-04-18. > > [4]: > https://github.com/clojars/administration/issues/new?template=group_verification.md > > ### How does this impact existing libraries published to Clojars? > > This won't have an impact on releasing new versions of existing > libraries; the group does not need to be verified for new versions. > These changes only impact new libraries. > > ### Do I have to rename my existing libraries that I publish to Clojars? > > Nope - existing libraries can continue to release new versions under > their existing names and be referred to by their existing names. > > ### Does this impact how Clojure namespaces have to be named within libraries? > > Not at all - there is no relationship between the name of a library and > the namespaces it provides (but zero correspondence between them might > be confusing). > > ### Can I verify an existing group name? > > Yes, as long as the group name is reverse-domain-based and you are a > member of the group. Otherwise, no. > > ### What does this mean for single-named libraries? > > Libraries with a "single name" (like hiccup, cheshire, clj-http) are > implemented under the hood as a library where the group and artifact > name are the same (hiccup/hiccup, cheshire/cheshire, etc). Existing > libraries named in that fashion will continue to be releasable, but no > new ones will be allowed to be created (that's not 100% accurate - you > _could_ verify a domain-based-group, then use the group name as the > artifact name as well, but that seems unlikely). > > ### I never publish libraries to Clojars, only use them. How does this > impact me? > > This should have no impact on you other than the improved security. > > ### How can I help? > > Great question! You can help by: > > - bringing any community documentation that needs to be updated to our > attention, or updating it yourself > - sharing this information throughout the community. The bulk of this > message is also available on the Clojars wiki at > https://github.com/clojars/clojars-web/wiki/Verified-Group-Names > > ## Implementation > > The plan to implement these changes is being tracked in > https://github.com/clojars/clojars-web/projects/1 if you are interested > following along. > > ## Discussion/feedback > > If you have questions or concerns that aren't answered here, feel free > to comment on the discussion at > https://github.com/clojars/administration/discussions/2. > > # Sponsors > > Thanks for reading this far! I want to take this opportunity to thank > the sponsors that make Clojars possible. > > - Clojurists Together (https://www.clojuriststogether.org/) (and all of > its members): Clojurists Together funds my maintenance work on Clojars > - Clubhouse Software (https://clubhouse.io/): Clubhouse covers our > hosting costs, and is flexible enough as my employer to allow me to > address any Clojars emergencies > - Fastly (http://fastly.com/): Fastly provides the CDN that fronts > `repo.clojars.org` at no cost > - DNSimple (https://dnsimple.link/resolving-clojars): DNSimple provides > free DNS services for Clojars > - Deps (https://www.deps.co/): Deps covers Daniel Compton's time for > Clojars Administration > - Both Pingometer (https://pingometer.com/) and Sentry > (http://sentry.io/) provide free service for monitoring > - Statuspage (https://www.statuspage.io/) provides free hosting for > http://status.clojars.org/ > -- You received this message because you are subscribed to the Google Groups "Clojure" group. To post to this group, send email to clojure@googlegroups.com Note that posts from new members are moderated - please be patient with your first post. To unsubscribe from this group, send email to clojure+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/clojure?hl=en --- You received this message because you are subscribed to the Google Groups "Clojure" group. To unsubscribe from this group and stop receiving emails from it, send an email to clojure+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/clojure/c8f143d1-ad68-48b0-b909-fc49920d72c3%40www.fastmail.com.
