clojars

tony.kay 2023-04-11T19:03:55.681419Z

Hey. I’ve been deploying to clojars for years. This morning I’m getting:

```
Uploaded to clojars:  (146 kB at 65 kB/s)
Downloading from clojars: 
Downloaded from clojars:  (6.7 kB at 28 kB/s)
Uploading to clojars: 
Uploaded to clojars:  (1.1 kB at 610 B/s)
Uploading to clojars: 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  9.102 s
[INFO] Finished at: 2023-04-11T12:02:09-07:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:3.1.0:deploy (default-deploy) on project fulcro-rad: Failed to deploy metadata: Could not transfer metadata com.fulcrologic:fulcro-rad/maven-metadata.xml from/to clojars (): status code: 403, reason phrase: Forbidden - no checksums provided for fulcro-rad-1.4.9-20230411.190200-1.pom.asc (403) -> [Help 1]
```

tony.kay 2023-04-11T19:04:08.659709Z

it can write the files, but the checksums are failing…ideas?

tony.kay 2023-04-11T19:04:44.744599Z

ah…seems like others are having this issue..I’ll read earlier thread 🙂

tony.kay 2023-04-11T19:07:43.519459Z

seems like signing stopped working? I’ve been signing my artifacts forever (and yes my public key is published in the GPG ecosystem). It seems so odd to not sign artifacts to me, and this is a regression. I’ve uploaded signed stuff for literally my entire existence as an OSS developer.

tony.kay 2023-04-11T19:08:56.508759Z

it does work if I turn off signing 😞

2023-04-11T19:11:24.532469Z

Hi @tony.kay! Nothing has changed on the Clojars side in years, but based on the other thread, it sounds like maven/aether stopped providing checksum files for signatures in a recent release. There's a workaround in that thread for a sysprop to turn it back on, but if the maven folks don't care about checksums for signature files, maybe clojars shouldn't either?

tony.kay 2023-04-11T19:11:46.417749Z

Ah!

tony.kay 2023-04-11T19:11:55.715339Z

Yes, I did update maven last night, I forgot!

tony.kay 2023-04-11T19:12:53.201149Z

I don’t see why you’d ever care about a checksum on a signature…the signature is already a proof. If the checksum is wrong the proof will fail, and ppl will consider it a bad release (if they care to check)

tony.kay 2023-04-11T19:14:08.854839Z

could you point me to the thread?

tony.kay 2023-04-11T19:14:17.539339Z

this is going to affect all 16+ of my OSS projects 😕

2023-04-11T19:15:06.041539Z

That's a good point. When I implemented the validation, all tools sent checksums with the signatures (along with checksums for all files), so the validation was "if you send a checksum, you have to send a checksum for everything". But that no longer makes sense.

2023-04-11T19:15:31.797299Z

To enable them again, you have to set `aether.checksums.omitChecksumsForExtensions` explicitly to an empty string (`""`)

tony.kay 2023-04-11T19:15:49.898599Z

ok, thanks

2023-04-11T19:16:37.283849Z

Based on discussion here https://github.com/slipset/deps-deploy/pull/53, linked from this thread: https://clojurians.slack.com/archives/C0H28NMAS/p1679955780176239 (no need to read that thread, just linking for completeness)

2023-04-11T19:18:17.185379Z

I created https://github.com/clojars/clojars-web/issues/859 to fix this, but I'm not sure when I'll be able to get to it.

tony.kay 2023-04-11T19:25:22.454519Z

For those using raw maven, here is the fix: Edit your ~/.m2/settings.xml, and add this section:

```xml
<settings>
  ...

  <profiles>
    <profile>
      <id>checksums</id>
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <properties>
        <aether.checksums.omitChecksumsForExtensions></aether.checksums.omitChecksumsForExtensions>
      </properties>
    </profile>
  </profiles>

  <activeProfiles>
    <activeProfile>checksums</activeProfile>
  </activeProfiles>
</settings>
```

tony.kay 2023-04-11T19:25:57.672049Z

I just retried my deploy of a snapshot and it works again. Thanks @tcrawley

2023-04-11T19:51:56.683139Z

My pleasure!