These changes have now been completed - you will need to use a verified group
when deploying a *new* project to Clojars. These changes will only impact folks
deploying to Clojars; consumption of artifacts from Clojars is unchanged. A
summary of the current state:
- *existing* projects can still deploy new versions even if the group isn't
verified. This won't change.
- *new* projects can only be deployed to verified groups
- *new* groups can only be created via a group verification request and must
meet the guidelines for reverse-domain-based groups[1]
- if you don't want to/aren't able to verify a group, there are several groups
that are automatically verified for you[2]
Please file an issue[3] if you run in to any issues with deploying.
- Toby
[1]:https://github.com/clojars/clojars-web/wiki/Groups#creating-a-group
[2]:https://github.com/clojars/clojars-web/wiki/Groups#personal-groups
[3]:https://github.com/clojars/clojars-web/issues/new/choose
On Mon, Mar 1, 2021, at 08:46, Toby Crawley wrote:
> Howdy folks! We have two separate changes coming for the Clojars system
> that you need to be aware of.
>
> First, the tl;dr:
>
> - After 2021-04-15, versions of Java older than 7u25 will no longer be
> able to access the Clojars repository
> - After 2021-04-18, a Clojars group name must have verified ownership
> before a new library can be deployed to it
>
> Now, the details:
>
> # Dropping support for old Java versions
>
> The repository itself is hosted behind a Fastly CDN, and Fastly is
> forcing all accounts to switch to SNI[1] for TLS connections. Clojars
> will be migrated on or after 2021-04-15, so this will cause requests
> from older Java clients to fail (SNI support was added to Java in
> version 7u25 in 2011). So you will need to upgrade if you are still
> using an old Java for building or for running an artifact proxy. This
> change only affects connections to the repo.clojars.org hostname (and
> clojars.org/repo/, since it redirects to repo.clojars.org).
>
> [1]: https://en.wikipedia.org/wiki/Server_Name_Indication
>
> # Requiring verified group names
>
> In light of the recent announcement[2] of a method to inject libraries
> into internal builds by shadowing internal names (aka 'Dependency
> Confusion'), we have decided to take steps to make Clojars more secure.
> Clojars will soon require that all **new** libraries have a verified
> group name, and that group name needs to be reverse-domain-based. This
> will help protect against Clojars being used in the following attack
> vectors:
>
> - shadowing a company-internal library name, causing the version
> published on Clojars to be used instead in some situations
> - shadowing a library name that is also published to Maven Central or
> another public repository (Clojars already has checks in place to
> prevent shadowing anything on Maven Central, but they are brittle and
> could be removed once verification is in place)
> - "typo-squatting" - a library that is named very similarly to one
> published elsewhere; designed to capture cases where a developer makes
> a typo in the dependency specification
>
> The schedule for releasing this change should allow enough time for us
> to get the Clojars changes in place and to communicate the changes
> throughout the community:
>
> - Today:
> - net.clojars./org.clojars.
> groups are already verified for all existing and future users (see
> below for details)
> - the Clojars admins can start processing any manual verification
> requests (see below for details)
> - **creating new non-verified groups and creating new libraries in
> non-verified groups is still allowed**
> - 2021-03-07:
> - com.github. and io.github. groups
> will be verified automatically when when you log in via GitHub
> - 2021-03-21:
> - login via GitLab will be released
> - com.gitlab. groups verified automatically when you
> login via GitLab
> - 2021-04-18:
> - **creating new non-verified groups and creating new libraries in
> non-verified groups will be disabled**
>
> [2]: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
>
> ## FAQ
>
> ### What is a reverse-domain-based group name?
>
> A reverse-domain-based group name is one that when reversed resolves to
> a DNS-resolvable domain, or a domain and a well known identifier within
> that domain. For example, com.github.clojars maps to
> https://github.com/clojars/, and org.clojars maps to
> https://clojars.org. This namespacing mechanism has a long history in
> Java for package names and libraries released to Maven Central[3].
> Clojars has historically been less stringent, and using verifiable
> group names brings us closer to the standards followed by much of the
> broader JVM community.
>
> [3]:
> https://blog.sonatype.com/why-namespacing-matters-in-public-open-source-repositories
>
> ### Do I have to have my own domain name to publish to Clojars?
>
> No, you have quite a few automati
