@keatondunsford I'm a digital currency consultant myself - I wrote the mining algorithm with Vitalik for Ethereum back in the day.
I honestly found the audacity of claiming the thing is "Web 3.0" rather pretentious, but yeah, Ethereum is in general pretty cool.
@xcthulhu That’s awesome! Hey, being pretentious is cool so long as you’re right. 😉 Which it’s starting to seem like y’all are. The progress has been amazing.
Hey folks, I’m a Clojars admin, along with Toby, just wanted to clear up a few things about Clojars
1. JAR deletions are an entirely manual process from Toby or me. Our policy is here https://github.com/clojars/clojars-web/wiki/About#how-do-i-delete-a-jar, but we have a different take on things from NPM. Deletions happen for three main reasons: 1. Someone pushed private info/private JAR, 2. Security issues with a JAR (e.g. a hacker pushed a JAR which takes over people’s computers), 3. People accidentally pushed a JAR and there have been few if any downloads.
2. There are some security mechanisms in place to detect modified JARs (say someone hacked the server and replaced a bunch of JARs with malicious code). Not sure how much I can say about this at the moment.
3. JAR signing is very much on our radar, would be super keen to have input from y’all on https://github.com/clojars/clojars-web/issues/560
the mechanics of signing jars can be paved over in boot/leiningen tasks pretty easily i think
the fundamental problem is given a jar that is verified to be signed with a specific key, how do i know whether to trust that key?
the only way i can imagine right now is to get a real certificate from a recognized certificate authority, like verisign or whatever
4. There used to be two repos on Clojars: a free for all, and a signed repo. You would promote JARs from free for all to signed, but as has been discussed before, there was no meaningful security benefit for signing the JARs without a web of trust
GPG signatures by themselves are of questionable value, totally agree, unless you can get a web of trust bootstrapped
how is this better than using a professional CA that is legally responsible in court for their security?
i don't know about how secure github and twitter are, and their security totally hinges on the security of their SSL certs
it might not be, could you describe what the mechanics would be for using a professional CA? All devs have to get a certificate from a CA which they sign JARs with?
It all hinges back down to bootstrapping trust. How would a CA verify a developer’s identity? It’s relatively simple to verify if someone controls a site, you can check the site. Not sure what it would mean to verify their identity.
That on its own doesn’t address WOT though, anyone can sign a JAR for anyone else’s code no?
i don't think so, you need to specify the organization info when you apply for a cert, no?
All of the pages I can see about getting a CA cert for JAR signing seem to talk about it in the context of a desktop app, where Java will pop up a window saying “This app is signed by Acme Corporation Ltd, do you want to trust it?”. I don’t see anywhere https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR185&actp=search&viewlocale=en_US about entering a package name or group ID for signing
this all sounds promising anyway, would you be able to write up your proposal on that GH issue?
(At Metosin currently the packages are signed by the one making the release, but that is a bad way, we will probably set up a CI which signs everything using one key)
yeah it seems to me that what you need is a way to match a crypto signature to a real human being who is responsible for that key
https://github.com/miikka/lein-pinkeys <- a tool to pin the keys of a package so that you notice if the key changes between versions, this helps a bit even without WoT
http://vapaus.org/varpushaukka/feed.xml <- a report from a list of packages about the status of their signatures
Doesn't matter, it is not used currently and people won't start using it "just for security"
It would be really hard to convince everyone to change package names (or namespaces)
I would hope it can be solved in a way that it is so easy to set up that nearly everyone would use it
seems pretty important to have an area for professionals as well as one for open source
it's pretty scary how much trust is put in software that nobody knows wtf it's really doing
And some Clojure libraries bring in a crazy amount (or crazy large) transitive dependencies
If a library includes 40MB (uncompressed) classfiles, there is no way to know what it does
Is there a separate channel for this yet? I only read the discussion from the point when Daniel joined here
Probably something like automated check that contact name is the same as domain whois info or something