clojars

manas_marthi 2022-03-07T12:54:06.675289Z

Hi All, are all jars in clojars pushed to Maven repo? Our company artifactory does not allow connection to clojars as of now.

2022-03-07T12:56:12.901339Z

No, Clojars is not pushed to Maven Central.

manas_marthi 2022-03-07T13:14:17.097959Z

I guess it was something considered in the past and rejected?

2022-03-07T13:17:19.981889Z

I don't know if it was ever considered since Clojars supports group names that aren't compatible with Maven's rules. You can no longer create incompatible group names, but most projects on Clojars predate that change, so couldn't be synced.

manas_marthi 2022-03-07T13:32:20.623549Z

That looks like a solvable problem. Is there a committee I can reach to request the creation of an auto Maven sync process?

manas_marthi 2022-03-07T13:33:18.330579Z

A project owner can come up with a compatible group name and add it in their lein configuration. And the workflow can take care of pushing the jars to maven.

manas_marthi 2022-03-07T13:33:49.068489Z

The abandoned projects would still be left out. But we will have something future-proof.

manas_marthi 2022-03-07T13:35:22.545099Z

I just saw https://github.com/clojars/clojars-web/wiki/Contact and realized you are that committee. LOL

2022-03-07T13:38:59.083889Z

Indeed :) I'd be willing to look at what this would take, but I do think it would require a large community-wide effort to make happen, and it's not clear what the benefit would be other than "it's easier to use Clojure in places where dependency resolution is locked down". I don't think it is fair to consider stable projects on Clojars that haven't had releases as "abandoned" though.

manas_marthi 2022-03-07T14:35:14.701979Z

The case I would like to make is that it will make enterprise adoption easier.

manas_marthi 2022-03-07T14:35:20.538419Z

We have fewer people to convince.

manas_marthi 2022-03-07T14:36:09.233139Z

We have to seek approvals from Artifactory people, DevOps people, security folks, Black Duck license scan people, the open source governance body, etc.

manas_marthi 2022-03-07T14:36:29.508259Z

Making jars available in Maven makes it a much smaller problem.

manas_marthi 2022-03-07T14:38:46.904349Z

I have not seen many developers who have the persuasion skills needed to answer questions raised in opposition.

2022-03-07T16:33:56.469469Z

I think you may be overestimating the number of jars on Clojars that meet Central requirements (https://central.sonatype.org/publish/requirements/). I suspect it is < 0.1%. Any jar that we did want to push would need to:

• be gpg-signed (most jars likely meet this requirement)
• have accompanying javadocs & sources jars (few to none meet this requirement)
• have a verified reverse-domain group name (very few meet this requirement)

Getting folks to release new versions of jars to meet the above requirements would be a huge effort.

manas_marthi 2022-03-07T17:19:03.459919Z

Oh I didn't know about these rules

manas_marthi 2022-03-07T17:19:08.955429Z

Thank you

seancorfield 2022-03-07T18:38:26.813089Z

Given that only Leiningen "required" signing (and that could be disabled) and the default for Boot and the various CLI tools has been unsigned -- for years -- I'd be inclined to believe a "lot" of Clojars artifacts are not signed these days. I haven't signed any of my JARs for maybe 6-7 years now (since I stopped using Leiningen). Using GPG is a giant pain, especially on Windows.

➕ 1
seancorfield 2022-03-07T18:39:21.173299Z

Even before I switched away from Leiningen, GPG had broken on my Mac and I was never able to get it working again, so I'd had to disable signing in project.clj files to be able to continue pushing JARs to Clojars.

2022-03-07T18:49:55.677469Z

That's a good point Sean. I'll admit that I can't remember the last time I actually released a project on Clojars (other than test ones), so I don't know what most folks do these days.

seancorfield 2022-03-07T19:54:42.395989Z

deps-deploy is probably the most common CLI/`deps.edn` tool for deployment and its default is unsigned, but it has added support for signing because some folks requested that. So some folks are still signing their JARs 🙂

Alex Miller (Clojure team) 2022-03-07T21:57:20.596709Z

even if jars are signed, nothing about that is checked by either Maven Central or the vast majority of consumers of said jars

Alex Miller (Clojure team) 2022-03-07T22:00:05.914469Z

I have been (slowly) working towards signing most commits in the clojure repos, and signing commits and release tags for automated releases using the same gpg key that we use for maven jar signing (info about that key is published here for verification: https://clojure.org/releases/download_key)

Alex Miller (Clojure team) 2022-03-07T22:02:58.844929Z

also fyi, the javadoc and source requirements can be waived on request for non-Java artifacts in Maven central

👍🏽 1
manas_marthi 2022-03-07T22:25:52.999999Z

Thanks Alex

manas_marthi 2022-03-07T21:45:57.101589Z

[Starting new thread for follow-up questions (based on responses from sean and @tcrawley)]

1. Can I write a macro that generates malicious code on the fly? If so, does it pass Veracode scan?
2. There was an issue in the npm world a couple of years ago, where a malicious package was injected into npm. How difficult is it to inject malicious jars in place of genuine jars owned by someone else?
3. Did anyone pentest http://clojars.org?

Alex Miller (Clojure team) 2022-03-07T22:15:17.043299Z

1. Yes, and I don't think it's possible to prevent or detect that in the general case. This is probably not a different situation than many other languages though.
2. It's probably quite difficult to replace an existing jar. I think the real scenario here is whether you could release a new version of an existing jar and have users include that artifact without knowing it had malicious code. If the actual owner did this, probably very possible - many consumers automatically bump version deps. That's really on you as a consumer and the amount of diligence you have around deps (in general, I think we should have much higher awareness than we do now). A malicious user would require authentication access to be able to deploy a new jar version (what this is depends on the repository as it's a decentralized system), so you're back to "how secure are your passwords"/2FA kind of questions. http is by default not allowed, and there have been other changes in Maven recently to reduce the possibility of MITM.

manas_marthi 2022-03-07T22:26:18.880219Z

Noted. Thank you.

seancorfield 2022-03-07T22:39:17.192739Z

Given that Veracode only really understands Java/JavaScript, I don't know how it could scan Clojure source code. It can check artifact dependencies but it's pretty much only going to know about CVEs in Java libraries, not Clojure ones (we run clj-watson against our dependencies at work to highlight such CVEs and help us fix them).

manas_marthi 2022-03-07T22:42:07.859489Z

Vulnerability investigation in OSS Clojure code and pentesting of the http://clojars.org web site are needed. I do not know if it is already being done; if not, what sort of money is needed for it?

manas_marthi 2022-03-07T22:42:43.686629Z

"Thinking of log4j2"

seancorfield 2022-03-07T22:43:28.529169Z

Since Clojure libraries are nearly always deployed as source JARs, not bytecode, and are often small and focused, I suspect some people just read the source 🙂

seancorfield 2022-03-07T22:44:40.646039Z

But you're right: some enterprise-level companies are going to be much more concerned about that kind of thing and could mandate that sort of investigation -- and therefore make Clojure unusable for themselves.

2022-03-08T01:11:44.379319Z

There hasn't been any pentesting of http://clojars.org. I have no idea how much it would cost to do so. My current focus is improving security when I have time to work on it.