Hello folks!

In light of the recent break-in to the Node.js package hosting site
(https://gist.github.com/2001456), I've decided to bump the priority of
increasing the security on Clojars. I've deployed a fix that uses bcrypt
(http://codahale.com/how-to-safely-store-a-password/) for password
hashing. The first time you log in, it will re-hash your password using
bcrypt and wipe the old weak hash.

Note that Clojars has NOT had a security breach at this time. This is a
preventative measure to protect your password in the event of a future
breach. We are also looking into allowing signed jars (and possibly
requiring them for releases). If you're interested in helping out with
this effort (design or code), please join the clojars-maintainers
mailing list: http://groups.google.com/group/clojars-maintainers

Because we can't ensure that everyone will log in to re-hash their
password, at some point in the future (probably 2-3 weeks out) we will
WIPE all the old password hashes. Otherwise users who have stopped using
Clojars or missed the announcement could have their passwords exposed in
the event of a future break-in. I will be sure to send out a few more
warnings before this happens, but even if your password has been wiped
it's easy to reset it via the "forgot password" functionality.

If you have any applications storing passwords hashed with SHA1 (even if
you use a salt) I highly recommend you take the same steps; refer to
http://codahale.com/how-to-safely-store-a-password/ for details.

tl;dr: please log into Clojars to re-hash your password.

Thanks for your attention.

-Phil
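The migration Phil describes (verify the old salted-SHA1 hash on login, immediately re-hash with a slow algorithm, wipe the weak hash and its salt, and at the deadline wipe whatever is left so those users must go through "forgot password") is shown below as an added example. It is not Clojars' code and not part of the original message. Two assumptions: the legacy layout (hex SHA1 of salt+password) is made up for the example, since the message does not describe it; and because bcrypt is a third-party package in Python, PBKDF2-HMAC-SHA256 from the standard library stands in as the slow hash. Swapping in bcrypt changes only strong_hash and verify_strong (bcrypt.hashpw / bcrypt.checkpw); the migration logic is the same. The in-memory dict plays the role of the user table.

```python
import hashlib
import hmac
import os

# Tag that marks a record already migrated to the slow hash.
STRONG_ALGO = "pbkdf2-sha256"
PBKDF2_ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256


def legacy_hash(password: str, salt: bytes) -> str:
    """The weak scheme being retired: one fast SHA1 over salt+password.
    (This layout is an assumption for the example, not Clojars' real one.)"""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def strong_hash(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, salted hash in a self-describing "algo$iters$salt$dk" format.
    With the bcrypt package this would be bcrypt.hashpw(pw, bcrypt.gensalt())."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{STRONG_ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute from the parameters stored in the record; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != STRONG_ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def is_legacy(record: dict) -> bool:
    """True while the record still holds an un-migrated SHA1 hash."""
    pw = record["password"]
    return pw is not None and not pw.startswith(STRONG_ALGO + "$")


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate; a successful legacy login re-hashes and wipes the weak hash."""
    record = users.get(username)
    if record is None or record["password"] is None:
        # Unknown user, or hash already wiped at the deadline: reset is the only way in.
        return False
    if not is_legacy(record):
        return verify_strong(password, record["password"])
    expected = legacy_hash(password, record["salt"])
    if not hmac.compare_digest(expected, record["password"]):
        return False
    # The only moment the plaintext is in hand: upgrade now and drop SHA1 hash and salt.
    record["password"] = strong_hash(password)
    record["salt"] = None
    return True


def wipe_legacy_hashes(users: dict) -> int:
    """Deadline step: anyone who never logged in keeps no weak hash and must reset."""
    wiped = 0
    for record in users.values():
        if is_legacy(record):
            record["password"] = None
            record["salt"] = None
            wiped += 1
    return wiped


def reset_password(users: dict, username: str, new_password: str) -> None:
    """The "forgot password" path (token delivery omitted): only a strong hash is stored."""
    users[username]["password"] = strong_hash(new_password)
    users[username]["salt"] = None


def make_users() -> dict:
    """Constructed sample table: two accounts still on salted SHA1."""
    users = {}
    for name, pw in (("alice", "correct horse"), ("bob", "hunter2")):
        salt = os.urandom(8)
        users[name] = {"password": legacy_hash(pw, salt), "salt": salt}
    return users


if __name__ == "__main__":
    table = make_users()
    print("alice login:", login(table, "alice", "correct horse"))
    print("alice migrated:", not is_legacy(table["alice"]))
    print("wiped at deadline:", wipe_legacy_hashes(table))
```

Two points worth noting in the flow: the upgrade happens inside the login handler because that is the only time the server sees the plaintext, so there is no way to batch-convert SHA1 hashes offline; and the deadline wipe sets the hash to a sentinel rather than deleting the account, so the reset path can still find the user while a stolen dump yields nothing for them.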

-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
