clj-commons

qerub 2020-10-23T18:37:13.009900Z

I'm thinking about configuring https://github.com/clj-commons/camel-snake-kebab/ to let GitHub handle deploy to Clojars to make it less dependent on myself, but I feel a bit uneasy about storing the GPG private key in "secrets" since so many people will have access to it. Has this been discussed before?

borkdude 2020-10-23T18:39:15.010200Z

@qerub I do store clojars tokens in CircleCI

borkdude 2020-10-23T18:39:18.010400Z

to deploy

borkdude 2020-10-23T18:39:30.010700Z

but I don't use the signing stuff

qerub 2020-10-23T18:42:20.011100Z

Interesting: "[CircleCI] environment variables let you add sensitive data (e.g. API keys) to your jobs rather than placing them in the repository. The value of the variables cannot be read or edited in the app once they are set."

qerub 2020-10-23T18:42:36.011500Z

That will make it hard to extract the secrets without leaving a trail.

borkdude 2020-10-23T18:42:59.011700Z

I think Github supports the same

borkdude 2020-10-23T18:43:28.012100Z

In fact, I'm also using that (as a backup for when CircleCI doesn't work)

qerub 2020-10-23T18:44:00.012500Z

I think you're right: "[GitHub] secrets are environment variables that are encrypted and only exposed to selected actions. Anyone with collaborator access to this repository can use these secrets in a workflow."

seancorfield 2020-10-23T18:51:23.013400Z

@qerub I'm curious as to why you bother signing stuff? Clojars no longer has the two-tier/promotion system and basically ignores the signed stuff.

qerub 2020-10-23T18:52:29.014Z

@seancorfield: Old habit, I guess. Thanks for bringing this to my attention.

seancorfield 2020-10-23T18:57:59.016100Z

Unless you have a widespread "web of trust" the signatures really don't provide any security anyway. Phil Hagelberg (technomancy) tried hard to get that going by doing in-person key exchanges at conferences etc but it never became widespread, and the Clojars' maintainers decided to abandon all of the two-tier promotion system because hardly anyone was using it, so it just wasn't worth maintaining the complexity of it...

slipset 2020-10-23T19:44:49.017900Z

I just sign because lein tells me to by default.

seancorfield 2020-10-23T19:49:16.018100Z

> cat ~/.lein/profiles.clj
{:socket
  {:jvm-opts ["-Dclojure.server.lein={:port 55555, :accept clojure.core.server/repl}"]}
 :clojars {:repositories {"clojars" {:url "" :sign-releases false}}}
}
🙂 🙂 🙂

seancorfield 2020-10-23T19:49:29.018400Z

lein with-profile clojars deploy clojars

seancorfield 2020-10-23T19:49:48.018900Z

(not that I've actually used lein to deploy anything for a very long time)

seancorfield 2020-10-23T19:53:15.019400Z

@slipset I'm surprised you, in particular, use Leiningen to deploy anything?

slipset 2020-10-23T19:56:40.021100Z

It’s quite ironic. Up until yesterday I was not able to sign releases with deps-deploy. And I thought that was somewhat a thing to do.