I see that https://github.com/healthfinch/depstar/ and https://github.com/juxt/pack.alpha both are in the business of packaging your project where depstar seems a bit more focussed on uberjars. Any thoughts on this?

Reason I’m asking is that I’m pondering creating a deps-shipit which would generate/refresh the pom, update the versions in it, create your choice of (skinny/uber) jar and then upload it to Clojars.

Uberjars aren't really suitable for uploading to clojars

true enough

@slipset fwiw, I'd be interesting in a tool which only concerns itself with uploading jars to maven repos. Maybe with support for s3 wagons too.

Having a tool which starts a JVM to run this shell script isn't immediately on my list of problems I need solving:

#!/bin/sh

clojure -A:pack -m …
clojure -Spom

clojure -A:shipit output.jar pom.xml

oh, like https://github.com/slipset/deps-deploy ?

This is fantastic ❤️ 2 comments: 1. Can we look at getting gpg support for credentials, I think this is really important. Environment variables are far from secure. 2. I'd love to have this replace my current documentation in pack for using mvn:deploy-file 🙂

1) Yes. If I could ask you to file an issue/submit PR, that’d be fantastic

I asked for this to exist about a week ago, so I'm glad it now does. I'm going to have to try imagining more things. Pile of Gold. Pile of Gold.

2) I’m more than happy to improve it in any way 🙂

In fact, I was about to submit a PR against pack suggesting the use of deps-deploy this morning 🙂

@dominicm the gpg support for credentials, that would basically be supporting passing private-key-file to aether, right? https://github.com/cemerick/pomegranate/blob/master/src/main/clojure/cemerick/pomegranate/aether.clj#L325

@slipset I don't think so. I am not aware of that feature at all though 🙂

Ok, then if you could outline a solution in a ticket, I’d be very happy. I haven’t worked much with gpg.

I've put quickly jotted down some thoughts, I've tried to capture my overarching goal of "moar secure" and provide some options.

Thank you! I’ll have a closer look this evening.

Btw, concerning a potential deps-shipit, you’d actually end up just firing up one jvm, as the plan for deps-shipit would be to compose the three steps you are outlining into one.

I know 🙂 But it's similar to this also:

#!/usr/bin/env clojure

(require '[pack.onejar])
(require '[deploy])
(require '[t.d.a])

(pack.onejar/jar)
(t.d.a/generate-pom)
(deploy/deploy jar pom)

🙂

Supporting jar signing seems important too, trying to find some good references on it

Shouldn’t be too hard, lein already provides this. Just need to RTFS a bit.

yeah. Reading the source looks like the best option, given that maven + gpg signing isn't giving me anything useful.

In my experience gpg and lein has been a bit awkward to setup… and I’ve seen lots of people struggle to do it. Is there an option to use something like bouncy castle here ( https://www.bouncycastle.org/java.html )? Or perhaps something that ships with the JVM? I’m assuming the main thing gpg brings to the table (aside from the crypto) is being able to interact with the OS keychain.

Not sure if bouncy castle has any support for that

@rickmoynihan You've highlighted my concern with BouncyCastle immediately. It would be good to enumerate the exact issues people have. I would expect it's around gpg vs gpg2. But I'm potentially projecting the issue I personally have.

I would expect using Bouncy Castle with PGP brings in a new class of issues, like support smart cards.

One option is to search & present options. e.g. if only gpg/gpg2 are found, use those. If both, then ask the user.

Yeah; I suspect gpg/gpg2 are the best options… as lein and others have been through this before and everyone always seem to settle on gpg. It’s just frustrating that that choice often leaves to brittleness and installation/configuration issues… but I guess it’s always going to be a bit of a cross platform nightmare 😞

It doesn't have to be I think 🙂

Lein also doesn't prompt the user ever. There are other mistakes there.

I can’t really recall my issues with gpg… it could well have been gpg vs gpg2. IIRC mine might also have been due to config cruft from .bashrc which I ported from linux to mac years back. In my experience it’s just one of those areas which can be fiddly, where you really don’t want something fiddly.

If gpg is hard to use, I'd be inclined to not tackle the problem 🙂

But that's just me.

What I mean is, if gpg is easy to shoot yourself in the foot with, that's gpg's problem. I don't think it's a good use of time to handle the thousands of config combinations.

lein actually prompts me for my gpg thing (if I don’t turn off the signed artifacts thingy)

@slipset your gpg passphrase you mean?

yes, I guess that’s the correct term.

After some updates to software on my Mac I could never get gpg working again so I just told leiningen not to sign things. I mostly use boot to upload to clojars to avoid gpg anyway.

And I have my clojars credentials in my dot file unencyrpted - again so I can avoid trying to deal with gpg.

(And I was never able to get anything to work on windows in this area)

Phil was always the one pushing gpg. No one used to bother until he bugged everyone 🙃 and the boot crowd never pushed it.

@seancorfield do you mean exclusively with lein it broke, or it's broken altogether?

@slipset I was thinking more about prompting if both commands gpg and gpg2 are available. Things like that.

@dominicm I’ll look into https://github.com/slipset/deps-deploy/issues/2 later tonight.

No rush. I think it's good to think on & compare.

Hammock time 🙂

I’d be really happy if you could comment on my comment there so I have something to hammock on 🙂

Sorry, I've got my emails turned off 😄

Nothing to be sorry about, it’s actually very smart if you want to get things done 🙂

We have a large number of (non-)errors in a production environment at the moment, only way I can stay sane

FWIW on mac with GPG this is what I use and it seems to work: https://gpgtools.org/

Yeah, that's what I was using but it stopped working and uninstalling/reinstalling didn't fix it so I gave up. The whole thing seemed more hassle than it was worth -- given the only thing that seemed to care about it was Leiningen...

I consider gpg an important part of my security system, I think its a shame more people don't use it with jars. But I can't speak to how well the gnu toolchain works elsewhere.

@dominicm https://github.com/slipset/deps-deploy/pull/4 if you could have a look?

I used gpg --encrypt .clojars_creds.edn to encrypt my creds.

which may or may not be what you were asking for, as this is a symmetric encryption.

I'll see if I can get it working with my smart card. Looking at the code, I don't expect it will, as I don't have a gpg passphrase.

May I ask what kind of smart card you have?

Yubikey