clojars

timo 2026-01-13T10:23:43.526429Z

Hi, I wonder how big the problem is when a domain is lost after verifying it on clojars and releasing libs that are used by others. Any comments? I guess it is a problem in terms that on other public registries the new owner of the domain would be able to release malicious libs under the same name, right?

2026-01-13T11:25:23.725189Z

Once a group is verified (or just used for a deploy in the pre-verification days), it can only be used by users assigned to that group in Clojars. So even if someone else gets the domain, that doesn't give them the right to deploy. But if a user in that group has an email address that uses that domain, then the new owner could reset their password, as they now control that email.

borkdude 2026-01-13T11:26:55.137119Z

so, it should be safe to continue as is then. nice.

timo 2026-01-13T11:35:13.141519Z

ok cool, but if the new owner of the domain publishes a package with the same name under this domain on e.g. maven then maybe this package gets pulled in by lein/clj and maybe has malicious behaviour?!

šŸ˜“ 1
mpenet 2026-01-13T11:43:52.169799Z

the risk is if the new owner claims the domain on another repo folks depend on (ex maven central)

mpenet 2026-01-13T11:44:20.953329Z

then you're at the mercy of what your build tool decides to hit first

mpenet 2026-01-13T11:45:16.893649Z

for me that'd make that dependency dangerous under the old group-id

borkdude 2026-01-13T11:46:46.101619Z

what domain / lib is it @timok - just out of curiosity

mpenet 2026-01-13T11:46:49.785399Z

and you can be sure malicious actors monitor these kind of occurences

šŸ’Æ 1
mpenet 2026-01-13T11:47:04.448479Z

it's nothing new

mpenet 2026-01-13T11:56:53.748849Z

It would be handy to be able to specify :mvn/repo at coord level... but last time it was discussed it was mentioned it's not something doable with the lib that's used internally by t.deps

2026-01-13T12:05:49.690109Z

Yes, someone could verify the domain with maven central, then deploy a shadow release there. And build tooling generally checks maven central first by default. Clojars does not allow you to deploy a group/project that exists on central, but central has no reciprocal check that I know of. There are two types of domains that are safer here: • net|org.clojars.<username>, as those domains will always belong to clojars • com.github.<gh-org-or-username>, as long as the owner doesn't give the org or username up/away

šŸ‘ 1
Alex Miller (Clojure team) 2026-01-13T14:08:08.540589Z

Maven itself by its design is a decentralized system and libs are not scoped to a repo. As a user, you choose the repos to check and their order (for all libs). In 25 year hindsight, this has some issues.

Alex Miller (Clojure team) 2026-01-13T14:10:06.736669Z

Maven / lein can also pick up new repos to check via transitive deps, which is particularly dangerous for shadowing (clj does not)

mpenet 2026-01-13T14:12:38.374159Z

> As a user, you choose the repos to check and their order Is that really true? At least with tools.deps ordering/priority is not controllable afaik

mpenet 2026-01-13T14:12:48.609989Z

Given it's a map

Alex Miller (Clojure team) 2026-01-13T14:13:10.049449Z

Yes, I was talking about Maven there

mpenet 2026-01-13T14:13:16.530589Z

ah

Alex Miller (Clojure team) 2026-01-13T14:13:40.739459Z

tools.deps checks Maven central, then clojars, then (unordered) your repos

Alex Miller (Clojure team) 2026-01-13T14:14:04.724669Z

Future room for improvements

2026-01-13T14:14:32.396509Z

Is it truly unordered, or ordered for small maps (as they are array-maps) but only as an impl detail?

mpenet 2026-01-13T14:15:00.000339Z

if we could pass a vec of pairs (which is somewhat backward compatible with a map) that could be already an improvement

mpenet 2026-01-13T14:16:21.094579Z

Anyway, I suppose there are probably more concerns that could influence a potential solution.

Alex Miller (Clojure team) 2026-01-13T14:20:45.706189Z

Not something I’m trying to fix today, few people ever use more than one external repo