I noticed that :mvn/repos (as well as the builtin default) doesn't allow one to declare priority in any way. What happens when multiple configured repos contain the same Maven coordinate? Seems like the procurer would then choose an arbitrary one?
yes
I personally would love to have :mvn/repo key per dep that would allow to override this
it's also a security concern potentially
Right, that's my concern, too
I just resort to git/deps as much as I can. It's the only workaround currently
for the rest you just have to vet deps and hope maintainers do not let domains expire and claimed their group id in most relevant places
i.e. I have a private repo which contains a private artifact. Now somebody could shadow the same coordinate (knowingly or accidentally) and break my build or mount a supply chain attack
Pinning a dependency to a specific mvn repo would be nice to fix this, indeed
yes, the common case mentioned is with expiring domains, since claiming is done via DNS TXT entry
Or declaring the private repo to be of highest priority
it's fine if the account is already claimed, but for new accounts on servers where the group doesn't exist yet, there's potential for hijacking
Ah yes but that would even be the case if one were to use only Maven central, say
and vetting a deep deps tree ain't fun
yes
someone else can always claim on clojars later
if the domain has expired
(assuming it doesn't exist there yet)
right...
I would love to use a git dep but the library in question is pure Java
we talked about this in the past, I think the main issue currently is that the maven deps resolution is done via a lib that doesn't help with fixing this easily
IC
my current workaround is to put a deps.edn into the library with a prep task which invokes mvn compile
and then use that via git dep
but that doesn't work in all cases (for reasons I won't go into now :D)
yes, it's tricky. I personally think that should be a high priority. Often these things are not seen as important until it hurts
agreed
is there a question on https://ask.clojure.org/ already for this? A quick search didn't turn anything up
I don't think so. I talked about it some time back with a few folks here, including @alexmiller
and with folks from clj-together at a conference
this article came up: https://blog.sonatype.com/why-namespacing-matters-in-public-open-source-repositories
fyi: https://clojurians.slack.com/archives/C6QH853H8/p1705662316171519
I see, thanks! I'll file a question about it for good measure later so that people have something to upvote.
Another way to solve this would be to pin a dependency to a particular signing key
and have the signature be mandatory for it then
yeah, basically locking
but I can't seem to find any support for Maven dependency signatures in tools.deps
it's the other way to fix it
but mvn/deps on coords seems less intrusive for the end user
Hm no locking is a bit different
That would only protect you from an in-place modification of an already known version
right
But when bumping dependencies, you would have to check whether the new release was signed by the (trusted) key
How about this: https://ask.clojure.org/index.php/14198/ensure-private-coordinate-cannot-shadowed-public-repository
All of this is at odds with the design of Maven as a distributed repo - none of the APIs have this level of control. I understand the desires though and I do think there's probably more we can do