[ANN] Important upcoming changes to Clojars

2021-03-01 Thread Toby Crawley
Howdy folks! We have two separate changes coming for the Clojars system that 
you need to be aware of. 

First, the tl;dr: 

- After 2021-04-15, versions of Java older than 7u25 will no longer be able to 
access the Clojars repository
- After 2021-04-18, a Clojars group name must have verified ownership before a 
new library can be deployed to it

Now, the details:

# Dropping support for old Java versions

The repository itself is hosted behind a Fastly CDN, and Fastly is forcing all 
accounts to switch to SNI[1] for TLS connections. Clojars will be migrated on 
or after 2021-04-15, so this will cause requests from older Java clients to 
fail (SNI support was added to Java in version 7u25 in 2011). So you will need 
to upgrade if you are still using an old Java for building or for running an 
artifact proxy. This change only affects connections to the repo.clojars.org 
hostname (and clojars.org/repo/, since it redirects to repo.clojars.org). 

[1]: https://en.wikipedia.org/wiki/Server_Name_Indication

# Requiring verified group names

In light of the recent announcement[2] of a method to inject libraries into 
internal builds by shadowing internal names (aka 'Dependency Confusion'), we 
have decided to take steps to make Clojars more secure. Clojars will soon 
require that all **new** libraries have a verified group name, and that group 
name needs to be reverse-domain-based. This will help protect against Clojars 
being used in the following attack vectors:

- shadowing a company-internal library name, causing the version published on 
Clojars to be used instead in some situations
- shadowing a library name that is also published to Maven Central or another 
public repository (Clojars already has checks in place to prevent shadowing 
anything on Maven Central, but they are brittle and could be removed once 
verification is in place)
- "typo-squatting" - a library that is named very similarly to one published 
elsewhere; designed to capture cases where a developer makes a typo in the 
dependency specification

The schedule for releasing this change should allow enough time for us to get 
the Clojars changes in place and to communicate the changes throughout the 
community:

- Today: 
  - net.clojars./org.clojars. groups are 
already verified for all existing and future users (see below for details)
  - the Clojars admins can start processing any manual verification requests 
(see below for details)
  - **creating new non-verified groups and creating new libraries in 
non-verified groups is still allowed**
- 2021-03-07:
  - com.github. and io.github. groups will be 
verified automatically when you log in via GitHub
- 2021-03-21: 
  - login via GitLab will be released
  - com.gitlab. groups verified automatically when you log in 
via GitLab
- 2021-04-18: 
  - **creating new non-verified groups and creating new libraries in 
non-verified groups will be disabled**

[2]: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

## FAQ 

### What is a reverse-domain-based group name?

A reverse-domain-based group name is one that when reversed resolves to a 
DNS-resolvable domain, or a domain and a well known identifier within that 
domain. For example, com.github.clojars maps to https://github.com/clojars/, 
and org.clojars maps to https://clojars.org. This namespacing mechanism has a 
long history in Java for package names and libraries released to Maven 
Central[3]. Clojars has historically been less stringent, and using verifiable 
group names brings us closer to the standards followed by much of the broader 
JVM community.

[3]: https://blog.sonatype.com/why-namespacing-matters-in-public-open-source-repositories

### Do I have to have my own domain name to publish to Clojars?

No, you have quite a few automatically verified options if you don't have a 
domain name, don't want to use your own, or don't want to go through the manual 
verification process:

- org.clojars.: this group exists for each Clojars user, and 
is automatically verified. These groups have existed since the early days of 
Clojars, and have typically been used as sandboxes/for non-canonical forks. We 
recommend using net.clojars. for "official" releases instead.
- net.clojars.: this group exists for each Clojars user, and 
is automatically verified
- com.github. / io.github.: both of these 
groups will be verified automatically when you log in via GitHub after 
2021-03-07. See below if you want to verify 
(com|io).github..
- com.gitlab.: this group will be verified automatically when 
you log in via GitLab after 2021-03-21. See below if you want to verify 
com.gitlab..

### How do I verify a group name?

If you aren't using one of the auto-verified group names above, you will need 
to open a verification request[4] with the Clojars staff. 

If the group name matches a GitHub/GitLab organization name 
(com.github./com.gitlab./io.github.), then we'll ask you to 
create a public repository with a specific name under that organiz

[JOB] backend clojure dev in Austin

2021-03-01 Thread Marc Limotte
Skipp.co is seeking a Clojure developer in Austin, TX.

We are an early-stage, VC-backed startup using AI and data-driven
development to make home renovation predictable. Think "Instant Kitchen" or
"Instant Bathroom" through a touchless, digital process. We're using
Clojure (of course), Clojurescript, Datomic, AWS, and more.

If you're interested and would like more information, see:
https://angel.co/company/skipp-3/jobs/1213491-clojure-developer


Marc Limotte
CTO and Co-founder, Skipp Technologies

-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
--- 
You received this message because you are subscribed to the Google Groups 
"Clojure" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to clojure+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/clojure/CAAQjde7QDToWqpKPmzTJUUXJDzsHG9psVpb6t9vdyV-DpBtX7g%40mail.gmail.com.


Re: [ANN] Important upcoming changes to Clojars

2021-03-01 Thread James Reeves
This is an interesting change, and essentially enforces a de-facto package 
naming scheme for Clojure. I don't see this as a bad thing, though.

Have you considered automatically validating domain name ownership by supplying 
a challenge token and then looking for it at a well-known location on the 
domain?

On Mon, 1 Mar 2021, at 1:46 PM, Toby Crawley wrote:

Re: [ANN] Important upcoming changes to Clojars

2021-03-01 Thread Toby Crawley
On Mon, Mar 1, 2021, at 11:08, James Reeves wrote:
> Have you considered automatically validating domain name ownership by 
> supplying a challenge token and then looking for it at a well-known location 
> on the domain?

That's a good suggestion - I have considered that as a verification option. The 
plan doesn't currently include automatic verification because I wanted to focus 
on getting all of the other pieces implemented first, and wanted to gain more 
knowledge about what methods would work for users as part of the manual 
verification process.

- Toby
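The challenge-token scheme James suggests, tied to the reverse-domain mapping from the FAQ (org.clojars maps to clojars.org), sketched as an added example; it is not Clojars code and not a mechanism the announcement commits to. It assumes a hypothetical well-known path and a one-hour token lifetime, maps a group to the full reversed domain, and takes the HTTP fetch as a function argument so it runs offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Assumptions for this example: the well-known path and the token lifetime are invented.
WELL_KNOWN_PATH = "/.well-known/clojars-group-verification"
TOKEN_TTL_SECONDS = 3600

def group_to_domain(group: str) -> str:
    """Reverse a reverse-domain group name into its DNS name (org.clojars -> clojars.org)."""
    labels = group.lower().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a reverse-domain group name: {group!r}")
    return ".".join(reversed(labels))

@dataclass(frozen=True)
class Challenge:
    group: str        # the token is bound to exactly one group name
    domain: str       # where the token must be published
    token: str
    issued_at: float

def issue_challenge(group: str, now: Optional[float] = None) -> Challenge:
    """Mint an unguessable token for the group; the requester publishes it at the well-known URL."""
    issued = time.time() if now is None else now
    return Challenge(group, group_to_domain(group), secrets.token_urlsafe(32), issued)

def challenge_url(challenge: Challenge) -> str:
    return f"https://{challenge.domain}{WELL_KNOWN_PATH}"

# Fetcher: takes a URL and returns the response body, or None if the fetch failed.
# A real fetcher should speak HTTPS only and refuse redirects to a different host,
# otherwise a redirect could point verification at a domain the requester does not own.
Fetcher = Callable[[str], Optional[str]]

def verify_challenge(group: str, challenge: Challenge, fetch: Fetcher,
                     now: Optional[float] = None) -> bool:
    """True only if the exact token is served on this group's domain before the challenge expires."""
    if challenge.group != group:
        return False                       # token was minted for a different group
    current = time.time() if now is None else now
    if current - challenge.issued_at > TOKEN_TTL_SECONDS:
        return False                       # stale challenge; issue a fresh one
    body = fetch(challenge_url(challenge))
    if body is None:
        return False
    # exact, constant-time comparison: no substring match, no timing leak
    return hmac.compare_digest(body.strip().encode(), challenge.token.encode())
```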

To view this discussion on the web visit 
https://groups.google.com/d/msgid/clojure/2de157aa-72c0-4b93-be32-77dcbade473c%40www.fastmail.com.