This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
- # 100-days-of-code (1)
- # announcements (7)
- # beginners (84)
- # boot (1)
- # cider (22)
- # cljdoc (14)
- # cljs-dev (45)
- # cljsrn (6)
- # clojure (65)
- # clojure-conj (7)
- # clojure-finland (1)
- # clojure-italy (7)
- # clojure-nl (2)
- # clojure-serbia (1)
- # clojure-uk (111)
- # clojurescript (58)
- # cursive (8)
- # datomic (68)
- # duct (1)
- # emacs (33)
- # figwheel (3)
- # figwheel-main (9)
- # fulcro (33)
- # graphql (1)
- # juxt (30)
- # kaocha (4)
- # off-topic (22)
- # pathom (47)
- # pedestal (4)
- # planck (6)
- # re-frame (1)
- # reagent (1)
- # reitit (13)
- # shadow-cljs (49)
- # spacemacs (7)
- # sql (6)
- # tools-deps (60)
I see that https://github.com/healthfinch/depstar/ and https://github.com/juxt/pack.alpha both are in the business of packaging your project where
depstar seems a bit more focussed on uberjars. Any thoughts on this?
Reason I’m asking is that I’m pondering creating a
deps-shipit which would generate/refresh the pom, update the versions in it, create your choice of (skinny/uber) jar and then upload it to Clojars.
@slipset fwiw, I'd be interesting in a tool which only concerns itself with uploading jars to maven repos. Maybe with support for s3 wagons too.
Having a tool which starts a JVM to run this shell script isn't immediately on my list of problems I need solving:
#!/bin/sh clojure -A:pack -m … clojure -Spom clojure -A:shipit output.jar pom.xml
This is fantastic ❤️ 2 comments:
1. Can we look at getting gpg support for credentials, I think this is really important. Environment variables are far from secure.
2. I'd love to have this replace my current documentation in pack for using
I asked for this to exist about a week ago, so I'm glad it now does. I'm going to have to try imagining more things. Pile of Gold. Pile of Gold.
In fact, I was about to submit a PR against
pack suggesting the use of
deps-deploy this morning 🙂
@dominicm the gpg support for credentials, that would basically be supporting passing
aether, right? https://github.com/cemerick/pomegranate/blob/master/src/main/clojure/cemerick/pomegranate/aether.clj#L325
Ok, then if you could outline a solution in a ticket, I’d be very happy. I haven’t worked much with gpg.
I've put quickly jotted down some thoughts, I've tried to capture my overarching goal of "moar secure" and provide some options.
Btw, concerning a potential
deps-shipit, you’d actually end up just firing up one jvm, as the plan for
deps-shipit would be to compose the three steps you are outlining into one.
I know 🙂 But it's similar to this also:
Having said that, I'm usually happier to automate myself than others are 🙂
#!/usr/bin/env clojure (require '[pack.onejar]) (require '[deploy]) (require '[t.d.a]) (pack.onejar/jar) (t.d.a/generate-pom) (deploy/deploy jar pom)
Supporting jar signing seems important too, trying to find some good references on it
yeah. Reading the source looks like the best option, given that maven + gpg signing isn't giving me anything useful.
In my experience
lein has been a bit awkward to setup… and I’ve seen lots of people struggle to do it. Is there an option to use something like bouncy castle here ( https://www.bouncycastle.org/java.html )? Or perhaps something that ships with the JVM?
I’m assuming the main thing
gpg brings to the table (aside from the crypto) is being able to interact with the OS keychain.
@rickmoynihan You've highlighted my concern with BouncyCastle immediately. It would be good to enumerate the exact issues people have. I would expect it's around gpg vs gpg2. But I'm potentially projecting the issue I personally have.
I would expect using Bouncy Castle with PGP brings in a new class of issues, like support smart cards.
One option is to search & present options. e.g. if only gpg/gpg2 are found, use those. If both, then ask the user.
Yeah; I suspect gpg/gpg2 are the best options… as lein and others have been through this before and everyone always seem to settle on gpg. It’s just frustrating that that choice often leaves to brittleness and installation/configuration issues… but I guess it’s always going to be a bit of a cross platform nightmare 😞
I can’t really recall my issues with gpg… it could well have been gpg vs gpg2. IIRC mine might also have been due to config cruft from
.bashrc which I ported from linux to mac years back. In my experience it’s just one of those areas which can be fiddly, where you really don’t want something fiddly.
What I mean is, if gpg is easy to shoot yourself in the foot with, that's gpg's problem. I don't think it's a good use of time to handle the thousands of config combinations.
lein actually prompts me for my gpg thing (if I don’t turn off the signed artifacts thingy)
After some updates to software on my Mac I could never get gpg working again so I just told leiningen not to sign things. I mostly use boot to upload to clojars to avoid gpg anyway.
And I have my clojars credentials in my dot file unencyrpted - again so I can avoid trying to deal with gpg.
Phil was always the one pushing gpg. No one used to bother until he bugged everyone 🙃 and the boot crowd never pushed it.
@seancorfield do you mean exclusively with lein it broke, or it's broken altogether?
@slipset I was thinking more about prompting if both commands
gpg2 are available. Things like that.
I’d be really happy if you could comment on my comment there so I have something to hammock on 🙂
We have a large number of (non-)errors in a production environment at the moment, only way I can stay sane
FWIW on mac with GPG this is what I use and it seems to work: https://gpgtools.org/
Yeah, that's what I was using but it stopped working and uninstalling/reinstalling didn't fix it so I gave up. The whole thing seemed more hassle than it was worth -- given the only thing that seemed to care about it was Leiningen...
I consider gpg an important part of my security system, I think its a shame more people don't use it with jars. But I can't speak to how well the gnu toolchain works elsewhere.
I'll see if I can get it working with my smart card. Looking at the code, I don't expect it will, as I don't have a gpg passphrase.