clojars

2023-03-27T11:19:04.619429Z

@corasaurus-hex They are based on the Maven LATEST and RELEASE metaversions, described here: https://www.baeldung.com/maven-dependency-latest-version#1-deprecated-syntax So latest_version corresponds to LATEST, and is the most recent snapshot or non-snapshot. latest_release is always the latest non-snapshot, and corresponds to RELEASE.

Cora (she/her) 2023-03-27T12:25:38.745579Z

ooooh thanks!! do you mean latest_release in that last sentence?

2023-03-27T12:26:06.736009Z

Yes :) It was too early! I'll edit it.

😅 1
hlship 2023-03-27T22:23:00.176239Z

I'm having trouble deploying to Clojars:

Created: target/pretty-1.4.jar
Sending io/aviso/pretty/1.4/pretty-1.4.jar (25k)to 
Sending io/aviso/pretty/1.4/pretty-1.4.pom (1k)to 
Sending io/aviso/pretty/1.4/pretty-1.4.jar.asc (1k)
    to 
Sending io/aviso/pretty/1.4/pretty-1.4.pom.asc (1k)
    to 
Retrieving io/aviso/pretty/maven-metadata.xml (2k)from 
Sending io/aviso/pretty/maven-metadata.xml (2k)to 
Could not transfer metadata io.aviso:pretty/maven-metadata.xml from/to clojars (): Authorization failed for  403 Forbidden - no checksums provided for pretty-1.4.jar.asc
{:clojure.main/message
 "Execution error (AuthorizationException) at org.apache.maven.wagon.shared.http.AbstractHttpClientWagon/put (AbstractHttpClientWagon.java:806).\nAuthorization failed for  403 Forbidden - no checksums provided for pretty-1.4.jar.asc\n",
 :clojure.main/triage
 {:clojure.error/class
  org.apache.maven.wagon.authorization.AuthorizationException,
  :clojure.error/line 806,
  :clojure.error/cause
  "Authorization failed for  403 Forbidden - no checksums provided for pretty-1.4.jar.asc",
  :clojure.error/symbol
  org.apache.maven.wagon.shared.http.AbstractHttpClientWagon/put,
  :clojure.error/source "AbstractHttpClientWagon.java",
  :clojure.error/phase :execution},
 :clojure.main/trace
 {:via
I don't remember seeing this before, does this error ring any bells? My deploy scripts uses slipset/deps-deploy {:mvn/version "0.2.0"} to deploy, which appears to be upto date.

seancorfield 2023-03-27T22:31:53.549169Z

Do you have CLOJARS_PASSWORD env var set to a valid deploy token? (not a password)

seancorfield 2023-03-27T22:32:05.898869Z

(and CLOJARS_USERNAME)

hlship 2023-03-27T22:32:09.888289Z

It should be, let me double check.

hlship 2023-03-27T22:32:57.418379Z

Yes to both, not changed since last time I did some deploys.

seancorfield 2023-03-27T22:33:51.072439Z

Hmm, that's the only thing I can think of right now...

hlship 2023-03-27T22:34:48.836729Z

I've been using this token since Jun 2020 AFAIK.

hlship 2023-03-27T22:36:18.628169Z

And slipset did create .asc files for the pom and jar as normal.

hlship 2023-03-27T22:36:25.624499Z

So I wonder if something's changed recently at clojars?

seancorfield 2023-03-27T22:36:37.925789Z

https://github.com/slipset/deps-deploy/issues/11 seems similar...?

seancorfield 2023-03-27T22:37:36.765029Z

"Determined that the bug is only present when signing jars."

hlship 2023-03-27T22:43:29.458139Z

Odd, been using the same version of slipset, and the build tool does rename the pom.

hlship 2023-03-27T22:44:34.424329Z

`

hlship 2023-03-27T22:45:05.171179Z

Authorization failed for  403 Forbidden - no checksums provided for pretty-1.4.jar.asc"
That seems relevant but not enough details to see how.

2023-03-28T00:21:27.084789Z

This is the validation on the clojars side expecting every file uploaded to have either an md5 or sha1 checksum file uploaded for each file. It runs the validations when the maven-metadata.xml file is uploaded, and throws on the first failure. Looking at the output, I don't see any sha1 or md5 files being uploaded, so that would cause this. I've never used deps-deploy, so don't know how to configure it/what it is supposed to do. I would think that aether would handle that for you though. I'll check the logs to see if any checksum files were uploaded, but not reported in the output.

2023-03-28T00:22:25.670339Z

There haven't been any recent changes to clojars that would effect this

2023-03-28T00:24:44.264009Z

It is sending md5 sums for the jar & pom, but not for the asc files;

50.220.102.134 - hlship [27/Mar/2023:22:15:37 +0000] "PUT /repo/io/aviso/pretty/1.4/pretty-1.4.jar.md5 HTTP/1.1" 201 5 "-" "Aether"
50.220.102.134 - hlship [27/Mar/2023:22:15:39 +0000] "PUT /repo/io/aviso/pretty/1.4/pretty-1.4.pom.md5 HTTP/1.1" 201 5 "-" "Aether"
50.220.102.134 - hlship [27/Mar/2023:22:17:38 +0000] "PUT /repo/io/aviso/pretty/1.4/pretty-1.4.jar.md5 HTTP/1.1" 201 5 "-" "Aether"
50.220.102.134 - hlship [27/Mar/2023:22:17:40 +0000] "PUT /repo/io/aviso/pretty/1.4/pretty-1.4.pom.md5 HTTP/1.1" 201 5 "-" "Aether"
50.220.102.134 - hlship [27/Mar/2023:22:44:01 +0000] "PUT /repo/io/aviso/pretty/1.4/pretty-1.4.jar.md5 HTTP/1.1" 201 5 "-" "Aether"
50.220.102.134 - hlship [27/Mar/2023:22:44:03 +0000] "PUT /repo/io/aviso/pretty/1.4/pretty-1.4.pom.md5 HTTP/1.1" 201 5 "-" "Aether"

2023-03-28T00:25:11.167589Z

Do you normally sign pretty releases @hlship?

2023-03-28T00:57:45.423869Z

https://github.com/slipset/deps-deploy/commit/fd8ff2de9c4bda82a1c69c387d56217473b394be appears to be the fix for this (found via https://github.com/slipset/deps-deploy/pull/53), but it doesn't look like it is released.

seancorfield 2023-03-28T01:26:47.493139Z

Good detective work @tcrawley! Maybe this will encourage @slipset to cut a release? But I guess you could depend on it via git coords to get past this @hlship?

hlship 2023-03-28T03:19:41.877189Z

Great advice; I can tackle this tomorrow.

hlship 2023-03-28T03:20:55.133099Z

And, yes I GPG sign my uploads to all projects. I don’t get why I haven’t hit this before though.

hlship 2023-03-28T23:55:04.872959Z

Even using latest deps-deploy, I had to turn artifact signing off to deploy.

slipset 2023-03-29T06:11:51.285599Z

I’ll try to find some time to look into this. Out of curiosity, where do you publish your public signing key @hlship ? Reason I’m asking is that I’m also signing stuff, but haven’t published my key anywhere, so it’s basically useless. Likewise, I would have no idea how to go about verifying any of your things if I were so inclined. Basically what I’m saying is that I find that there are some missing pieces of infrastructure which would make the signing of artifacts so more useful if it existed.

slipset 2023-03-29T06:46:20.539899Z

FWIW, I just published deps-deploy 0.2.1, signed:

erik@keep deps-deploy % env CLOJARS_USERNAME=erik CLOJARS_PASSWORD=CLOJARS_<redacted> clj -X:deploy
gpg passphrase:
gpg passphrase:
Deploying slipset/deps-deploy-0.2.1 to repository clojars as erik
Sending slipset/deps-deploy/0.2.1/deps-deploy-0.2.1.pom (2k)
    to 
Sending slipset/deps-deploy/0.2.1/deps-deploy-0.2.1.jar (8k)
    to 
Sending slipset/deps-deploy/0.2.1/deps-deploy-0.2.1.pom.asc (1k)
    to 
Sending slipset/deps-deploy/0.2.1/deps-deploy-0.2.1.jar.asc (1k)
    to 
Retrieving slipset/deps-deploy/maven-metadata.xml (1k)
    from 
Sending slipset/deps-deploy/maven-metadata.xml (1k)
    to 
done.

erik@keep deps-deploy %

hlship 2023-03-30T01:36:39.282409Z

I think I did a signing exchange at Apachecon once, maybe 20 years ago. I think I'm still using the same GPG key.

hlship 2023-03-30T01:36:53.261489Z

Good point about uploading the key somewhere so that the signing is actually useful.

hlship 2023-03-30T01:38:48.317359Z

I'm using deps-deploy-0.2.1 but still getting the error, but probably because of how I'm using it. To hack around the prompt for the GPG passphrase, I sign the file before calling aether/deploy. https://github.com/hlship/build-tools/blob/main/src/net/lewisship/build/jar.clj#L103

hlship 2023-03-30T01:40:07.916829Z

Hm. Maybe I can use some combination of these instead:

:username - username to log in with
      :password - password to log in with
      :passphrase - passphrase to log in wth
      :private-key-file - private key file to log in with

seancorfield 2023-03-30T01:43:10.534129Z

@hlship I remember Phil (technomancy) encouraging folks to do key signing exchanges in person at Clojure/conj events many years ago, when he was trying to get artifact-signing on Clojars more widespread...