#clojars
2023-03-29
slipset 06:03:20

Hey, I’ve been grappling with the issue of verifying signed artifacts for a while. It would be really nice if Clojars in one way or another could show that a given signed artifact was in fact signed by some verified key. First thought that came to mind was that one could publish the public signing key in the repo that contains the code under a known file name and that Clojars then would have enough information to actually verify. What’s wrong with an approach like that?

tcrawley 11:03:28

Clojars used to support you storing your GPG key in your account, and did some verification based on that. We got rid of it since there was no straightforward way at the time to verify key ownership. Technomancy has done some work/thinking on using ssh keys instead, so there may be opportunity there as well: https://groups.google.com/u/1/g/clojars-maintainers/c/D5x44EIIV1w There is a discussion here as well to work on improving this: https://github.com/clojars/clojars-web/discussions/834 I think it would be worthwhile to add your suggestion there to restart that conversation and track it in one place.

slipset 11:03:09

Comment added with some more flavor.

Mark Wardle 10:03:59

Hi all. I have removed a dependency from deps.edn as it is optional. It would therefore be :scope provided using older tooling... (although I never used lein myself). However, this now means clojars can't build documentation, as one of my namespaces requires that third-party dependency. I've read https://github.com/cljdoc/cljdoc/blob/master/doc/fixing-builds.md but I'm unsure how to fix it. Is there a way of providing an alias, or set of aliases, to use in the cljdoc build? I don't think deps.edn supports listing optional dependencies except through aliases. I'd be grateful for any pointers.

tcrawley 11:03:08

I'm not familiar with the cljdoc build process - you may have more luck in #C8V0BQ0M6

👍 2
Mark Wardle 11:03:44

Hi. Thanks @U06SGCEHJ - I will ask there.

tcrawley 11:03:52

My pleasure!