Hi, I wonder how big the problem is when a domain is lost after verifying it on clojars and releasing libs that are used by others. Any comments? I guess it is a problem in terms that on other public registries the new owner of the domain would be able to release malicious libs under the same name, right?
Once a group is verified (or just used for a deploy in the pre-verification days), it can only be used by users assigned to that group in Clojars. So even if someone else gets the domain, that doesn't give them the right to deploy. But if a user in that group has an email address that uses that domain, then the new owner could reset their password, as they now control that email.
so, it should be safe to continue as is then. nice.
ok cool, but if the new owner of the domain publishes a package with the same name under this domain on e.g. maven then maybe this package gets pulled in by lein/clj and maybe has malicious behaviour?!
the risk is if the new owner claims the domain on another repo folks depend on (ex maven central)
then you're at the mercy of what your build tool decides to hit first
for me that'd make that dependency dangerous under the old group-id
what domain / lib is it @timok - just out of curiosity
and you can be sure malicious actors monitor these kind of occurences
it's nothing new
It would be handy to be able to specify :mvn/repo at coord level... but last time it was discussed it was mentioned it's not something doable with the lib that's used internally by t.deps
Yes, someone could verify the domain with maven central, then deploy a shadow release there. And build tooling generally checks maven central first by default.
Clojars does not allow you to deploy a group/project that exists on central, but central has no reciprocal check that I know of.
There are two types of domains that are safer here:
⢠net|org.clojars.<username>, as those domains will always belong to clojars
⢠com.github.<gh-org-or-username>, as long as the owner doesn't give the org or username up/away
Maven itself by its design is a decentralized system and libs are not scoped to a repo. As a user, you choose the repos to check and their order (for all libs). In 25 year hindsight, this has some issues.
Maven / lein can also pick up new repos to check via transitive deps, which is particularly dangerous for shadowing (clj does not)
> As a user, you choose the repos to check and their order Is that really true? At least with tools.deps ordering/priority is not controllable afaik
Given it's a map
Yes, I was talking about Maven there
ah
tools.deps checks Maven central, then clojars, then (unordered) your repos
Future room for improvements
-> that bit I suppose https://github.com/clojure/tools.deps/blob/master/src/main/clojure/clojure/tools/deps/util/maven.clj#L163
Is it truly unordered, or ordered for small maps (as they are array-maps) but only as an impl detail?
if we could pass a vec of pairs (which is somewhat backward compatible with a map) that could be already an improvement
Anyway, I suppose there are probably more concerns that could influence a potential solution.
Not something Iām trying to fix today, few people ever use more than one external repo