-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello folks.
I'm happy to announce that the new Clojars releases repository is open
for business.
With the releases repository we are aiming for a middle ground in
between the anything-goes nature of the current repository and the
bureaucracy of the Central repository. There are a few different things
motivating this:
* You should be able to pull in stable versions of Clojure repositories
without adding a snapshots repo to your configuration since this has
adverse affects upon dependency resolution time and can introduce
unexpected results in the context of version ranges.
* We want to ensure that the new repository doesn't contain anything
that's missing crucial metadata such as the project's URL,
description, or license.
* It needs to be possible to verify that your dependencies were
published by a trusted source, so the releases repository only
accepts artifacts that have been properly signed.
What does this mean for you? If you have been deploying your libraries
with a Leiningen 2 preview, there isn't much to do--Leiningen will warn
you if you are missing the necessary metadata, and it will sign releases
before sending them to Clojars. All that's necessary is for you to log
into clojars.org and paste your public key in the "PGP Public Key" field
in your profile.
If you don't have a key yet, generate one with `gpg --gen-key`. The
default settings are pretty good, though I'd recommend making it expire
in a year or two. Next find your key ID. It's the 8-character part after
the slash on the line beginning with "pub":
$ gpg --list-keys
↓↓↓↓↓↓↓↓
pub 2048R/77E77DDC 2011-07-17 [expires: 2014-07-16]
uid Phil Hagelberg <technoma...@gmail.com>
sub 2048R/39EFEE7D 2011-07-17
Then you can show it with `gpg --export -a $KEY_ID`. Grab that
(including the "-----BEGIN PGP PUBLIC KEY BLOCK-----" parts) and paste
it into your Clojars profile.
Once you have done this you can redeploy to trigger promotion to the
releases repo if your jar is qualified, or you can visit the jar page in
the Clojars web UI (while logged in) to see if there are reasons it's
not qualified. Note that deployments actually go to the classic
repository originally, so `lein deploy clojars` should do the trick. If
something is amiss here please let us know either on this thread or in
the #leiningen channel on freenode; it hasn't been tested widely yet and
is still fairly new code.
The Releases repository is the final missing piece of the puzzle for a
final release of Leiningen 2. But the time isn't yet right because
version 2 will only check Central and the Clojars Releases repo by
default. So since the new Releases repo only has a handful of jars, it
would be a jarring transition to switch at this point. That's why we're
hoping library maintainers can do what's necessary to ensure their
libraries make it into the new repository.
Thanks!
- -Phil
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQEcBAEBAgAGBQJQqOjnAAoJEK9We5d3533cUEoH/2UC4n+RlbMCgP5J/Aj9JwXN
Z7yWHP/tHqcqCUoawY0B8cdYtMjgCLzjZ0pLkQ+TnAiWHucS5O3D2MHuPLxxZ1L/
DWDppR4iHkDUp81KQWxd57FWo7dseYkMmfOyLiuO3Ma2KvklP1Ue2wUdMvFo8UN1
b3fPF+1SnQNCIQA9k8rof4NFD1FlyhEvRflFgj0vDyy9Of80OUcEYPXVseNosV5Y
oZ1ELTkkCPSVabf/NwEZdN77xxA89uU5k2HkX5uA+/2yGlN7NHgcpud5AyHexUta
iRgC1taRcp+LEtRzY2ACMyIx4Tt1j6es1byIVbj7kMkjEPIyRXon/Synpe8LgkY=
=GMbM
-----END PGP SIGNATURE-----
--
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
