This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2016-09-11
@keatondunsford I'm a digital currency consultant myself - I wrote the mining algorithm with Vitalik for Ethereum back in the day.
I honestly found the audacity of claiming the thing is "Web 3.0" rather pretentious, but yeah, Ethereum is in general pretty cool.
@xcthulhu That’s awesome! Hey, being pretentious is cool so long as you’re right. 😉 Which it’s starting to seem like y’all are. The progress has been amazing.
Hey folks, I’m a Clojars admin, along with Toby, just wanted to clear up a few things about Clojars
1. JAR deletions are an entirely manual process from Toby or me. Our policy is here https://github.com/clojars/clojars-web/wiki/About#how-do-i-delete-a-jar, but we have a different take on things than NPM. Deletions happen for three main reasons: 1. Someone pushed private info/private JAR, 2. Security issues with a JAR (e.g. a hacker pushed a JAR which takes over people’s computers), 3. People accidentally pushed a JAR and there have been few if any downloads.
We wouldn’t delete a ‘spam’ jar like FS
And we wouldn’t delete any JAR that had any significant number of downloads
“Don’t break the build” is the motto
You can see some of our reasoning played out on issues like https://github.com/clojars/clojars-web/issues/484 and https://github.com/clojars/clojars-web/issues/537
2. There are some security mechanisms in place to detect modified JARs (say someone hacked the server and replaced a bunch of JARs with malicious code). Not sure how much I can say about this at the moment
3. JAR signing is very much on our radar, would be super keen to have input from y’all on https://github.com/clojars/clojars-web/issues/560
the mechanics of signing jars can be paved over in boot/leiningen tasks pretty easily i think
the fundamental problem is given a jar that is verified to be signed with a specific key, how do i know whether to trust that key?
the only way i can imagine right now is to get a real certificate from a recognized certificate authority, like verisign or whatever
4. There used to be two repos on Clojars: a free for all, and a signed repo. You would promote JARs from free for all to signed, but as has been discussed before, there was no meaningful security benefit for signing the JARs without a web of trust
GPG signatures by themselves are of questionable value, totally agree, unless you can get a web of trust bootstrapped
So keybase seems like it may be able to help there
Don’t think so anymore? https://github.com/keybase/client
also have a read of https://keybase.io/docs/server_security if you haven't
what do you mean by ‘built on NPM’?
looks like they’ve switched over to Go anyway
Lets you tie your github account to your identity
how is this better than using a professional CA that is legally responsible in court for their security?
i don't know about how secure github and twitter are, and their security totally hinges on the security of their SSL certs
it might not be, could you describe what the mechanics would be for using a professional CA? All devs have to get a certificate from a CA which they sign JARs with?
and in that cert, they have all of the groupIDs that they can sign for?
It all hinges back down to bootstrapping trust. How would a CA verify a developers identity? It’s relatively simple to verify if someone controls a site, you can check the site. Not sure what it would mean to verify their identity
like send your ID in?
Can they do it for something that isn’t a website though?
That on its own doesn’t address WOT though, anyone can sign a JAR for anyone else's code no?
i don't think so, you need to specify the organization info when you apply for a cert, no?
All of the pages I can see about getting a CA cert for JAR signing seem to talk about it in the context of a desktop app, where Java will pop up a window saying “This app is signed by Acme Corporation Ltd, do you want to trust it?”. I don’t see anywhere https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR185&actp=search&viewlocale=en_US about entering a package name or group ID for signing
this all sounds promising anyway, would you be able to write up your proposal on that GH issue?
gotta go
thanks for the good discussion!
Btw. One problem with Keybase I think is that it deals with personal keys mostly
What about companies and other groups making software?
(At Metosin currently the packages are signed by the one making the release, but that is a bad way, we will probably set up a CI which signs everything using one key)
yeah it seems to me that what you need is a way to match a crypto signature to a real human being who is responsible for that key
My co-worker has done some work recently for checking signatures
(he's probably sleeping already :D)
https://github.com/miikka/lein-pinkeys <- a tool to pin the keys of package so that you notice if the key changes between versions, this helps a bit even without WoT
http://vapaus.org/varpushaukka/feed.xml <- a report from list of packages about status of signature
How can certs be validated if they don't correspond to a domain?
Hmm, the common name is the group id?
but what data would you use when you create the cert request?
Or group id?
Yeah but that is not something you use with Clojure
Doesn't matter, it is not used currently and people won't start using it "just for security"
Solution has to be something that works with current libs
It would be really hard to convince everyone to change package names (or namespaces)
Maybe I'm a pessimist
I would hope it can be solved in a way that it is so easy to setup that nearly everyone would use it
seems pretty important to have an area for professionals as well as one for open source
it's pretty scary how much trust is put in software that nobody knows wtf it's really doing
And some Clojure libraries bring in a crazy amount (or crazy large) transitive dependencies
If a library includes 40MB (uncompressed) classfiles, there is no way to know what it does
Is there a separate channel for this yet? I only read the discussion from point when Daniel joined here
Re: CAs, I don't think they do nearly any human check for basic level certs
Probably something like automated check that contact name is the same as domain whois info or something
Or hmm. CSR doesn't have any contact info, pretty much only CN
Hmm.. yeah. Been some time since I last renewed a cert.
Email address is required, it is not included in the final cert I think.
I'm quite sure Let's Encrypt is purely automated, no human checks
The only check is that you have control of the domain you request cert for
Discussion in #clojars would be good