tools-deps

mpenet 2024-01-19T11:05:16.171519Z

Would it make sense to allow mvn coords to include which repo they should check. Thinking about that in the context of possible supply chain attacks that could take place with folks registering expired domain that match a group-id and then creating a verified account in a mvn repo that doesn't know about this group yet

mpenet 2024-01-19T11:06:34.493439Z

ex someone registering a domain matching a group-id that exists on clojars but not on maven central . registering/verifing it on maven central and then putting malicious artifacts with the same versions as the ones on clojars

mpenet 2024-01-19T11:07:24.761739Z

then you're at the mercy of the repo checking ordering of the tool you're using

mpenet 2024-01-19T11:09:08.500369Z

(I know you can check signatures, but I am intentionally ignoring this for now, or just use git deps :))

mpenet 2024-01-19T11:12:05.326919Z

it would seem that allowing {:mvn/repo "..." :mvn/version "...") type coords could mitigate the issue

Alex Miller (Clojure team) 2024-01-19T12:54:32.286209Z

We piggyback on the Maven ecosystem and the Maven resolver libs so to some degree this is not a feature we can add over the top - Maven would have to add it first.

mpenet 2024-01-19T12:55:10.610589Z

I suspected that

Alex Miller (Clojure team) 2024-01-19T12:56:33.095569Z

We do have a couple differences that mitigate some of the risk: 1. We always check Maven central, then clojars before other repos. You can’t usurp those with other repos. 2. We ignore repos declared in transitive deps — you have to declare all repos you are using across all deps in your deps.edn

Alex Miller (Clojure team) 2024-01-19T12:57:57.443499Z

There are still gaps if you can usurp the groupId (say in clojars over something in central) and push a newer version

mpenet 2024-01-19T12:58:05.546829Z

1. it's possible to hijack clojars deps using maven central as well

mpenet 2024-01-19T12:58:21.429549Z

especially if it's checked first

Alex Miller (Clojure team) 2024-01-19T12:58:44.110739Z

Yes

mpenet 2024-01-19T12:59:12.423779Z

but there's no mitigation I can think of right now other than having per dep repo coords, or carefully vetting, then vendoring deps on an artifact repo you control

mpenet 2024-01-19T12:59:23.581319Z

or use git deps 🙂

mpenet 2024-01-19T13:00:47.199929Z

I guess some repo servers might allow you to specify where to mirror a group from

Alex Miller (Clojure team) 2024-01-19T13:00:49.272649Z

For Clojure, we’ve claimed control in both places, and only publish on central. Our key info for verification is at https://clojure.org/releases/download_key

mpenet 2024-01-19T13:01:59.464329Z

I am aware of that. That's good. I am more worried about (potentially popular) libraries that do not have claimed on both sides

Alex Miller (Clojure team) 2024-01-19T13:02:56.398769Z

Many enterprises use a proxy like Nexus, not sure if there are additional features in that for additional verification on sourcing. Certainly there are possibilities to fix a problem if you detect it

Alex Miller (Clojure team) 2024-01-19T13:04:13.653359Z

This is for sure something I worry about too and I would love to be doing more about it at the ecosystem level (like SALSA).

mpenet 2024-01-19T13:04:44.652709Z

SALSA?

Alex Miller (Clojure team) 2024-01-19T13:07:41.849109Z

https://slsa.dev

mpenet 2024-01-19T13:09:17.007649Z

oh right

Alex Miller (Clojure team) 2024-01-19T13:14:08.008039Z

Maven was not designed with this stuff in mind, I’m not expecting it to magically save us. We need to add a layer of info to our artifacts and a means to verify it, I think ideally leveraging info from git. Clojure is unique in that as a source based language it’s actually pretty easy to compare source in jar to source in git commit and get content checking

mpenet 2024-01-19T13:15:53.313569Z

That doesn't work for everything tho. ex for artifacts that are binary "public" but without available sources (or repo)

mpenet 2024-01-19T13:15:58.729069Z

ex datomic

mpenet 2024-01-19T13:17:17.809929Z

it also wouldn't save you from an hijack that only tries to create new versions of something and wait for you to blindly upgrade after your tooling tells you some new version of foo is available (ex via antq or something)

Alex Miller (Clojure team) 2024-01-19T13:23:42.722949Z

Yes, this is a big problem with many things to solve. I’m hoping to work on it some day

👍 1