Would it make sense to allow mvn coords to include which repo they should check. Thinking about that in the context of possible supply chain attacks that could take place with folks registering expired domain that match a group-id and then creating a verified account in a mvn repo that doesn't know about this group yet
ex someone registering a domain matching a group-id that exists on clojars but not on maven central . registering/verifing it on maven central and then putting malicious artifacts with the same versions as the ones on clojars
then you're at the mercy of the repo checking ordering of the tool you're using
(I know you can check signatures, but I am intentionally ignoring this for now, or just use git deps :))
it would seem that allowing {:mvn/repo "..." :mvn/version "...") type coords could mitigate the issue
also related: https://blog.oversecured.com/Introducing-MavenGate-a-supply-chain-attack-method-for-Java-and-Android-applications
We piggyback on the Maven ecosystem and the Maven resolver libs so to some degree this is not a feature we can add over the top - Maven would have to add it first.
I suspected that
We do have a couple differences that mitigate some of the risk: 1. We always check Maven central, then clojars before other repos. You can’t usurp those with other repos. 2. We ignore repos declared in transitive deps — you have to declare all repos you are using across all deps in your deps.edn
There are still gaps if you can usurp the groupId (say in clojars over something in central) and push a newer version
1. it's possible to hijack clojars deps using maven central as well
especially if it's checked first
Yes
but there's no mitigation I can think of right now other than having per dep repo coords, or carefully vetting, then vendoring deps on an artifact repo you control
or use git deps 🙂
I guess some repo servers might allow you to specify where to mirror a group from
For Clojure, we’ve claimed control in both places, and only publish on central. Our key info for verification is at https://clojure.org/releases/download_key
I am aware of that. That's good. I am more worried about (potentially popular) libraries that do not have claimed on both sides
Many enterprises use a proxy like Nexus, not sure if there are additional features in that for additional verification on sourcing. Certainly there are possibilities to fix a problem if you detect it
This is for sure something I worry about too and I would love to be doing more about it at the ecosystem level (like SALSA).
SALSA?
oh right
Maven was not designed with this stuff in mind, I’m not expecting it to magically save us. We need to add a layer of info to our artifacts and a means to verify it, I think ideally leveraging info from git. Clojure is unique in that as a source based language it’s actually pretty easy to compare source in jar to source in git commit and get content checking
That doesn't work for everything tho. ex for artifacts that are binary "public" but without available sources (or repo)
ex datomic
it also wouldn't save you from an hijack that only tries to create new versions of something and wait for you to blindly upgrade after your tooling tells you some new version of foo is available (ex via antq or something)
Yes, this is a big problem with many things to solve. I’m hoping to work on it some day