tools-deps

dergutemoritz 2024-10-16T10:36:58.643269Z

I noticed that :mvn/repos (as well as the builtin default) doesn't allow to declare priority in any way. What happens when multiple configured repos contain the same Maven coordinate? Seems like the procurer would then choose an arbitrary one?

mpenet 2024-10-16T10:37:32.902099Z

yes

mpenet 2024-10-16T10:38:07.881059Z

I personally would love to have :mvn/repo key per dep that would allow to override this

mpenet 2024-10-16T10:38:20.819739Z

it's also a security concern potentially

dergutemoritz 2024-10-16T10:38:27.955999Z

Right, that's my concern, too

mpenet 2024-10-16T10:38:49.346579Z

I just resort to git/deps as much as I can. It's the only workaround currently

mpenet 2024-10-16T10:39:24.033599Z

for the rest you just have to vet deps and hope maintainers do not let domains expire and claimed their group id in most relevant places

dergutemoritz 2024-10-16T10:39:26.587159Z

i.e. I have a private repo which contains a private artifact. Now somebody could shadow the same coordinate (knowingly or accidentally) and break my build or mount a supply chain attack πŸ€”

dergutemoritz 2024-10-16T10:40:05.501399Z

Pinning a dependency to a specific mvn repo would be nice to fix this, indeed

mpenet 2024-10-16T10:40:09.358669Z

yes, the common case mentioned is with expiring domains, since claiming is done via DNS TXT entry

dergutemoritz 2024-10-16T10:40:18.837119Z

Or declaring the private repo to be of highest priority

mpenet 2024-10-16T10:40:30.144799Z

it's fine if the account is already claimed, but for new account on servers where the group doesn't exist yet, there's potential for highjacking

dergutemoritz 2024-10-16T10:40:56.985439Z

Ah yes but that would even be the case if one were to use only Maven central, say

mpenet 2024-10-16T10:40:59.210939Z

and vetting deep deps tree aint fun

mpenet 2024-10-16T10:41:10.244699Z

yes

mpenet 2024-10-16T10:41:22.775399Z

someone else can always claim on clojars later

mpenet 2024-10-16T10:41:27.412209Z

if the domain has expired

mpenet 2024-10-16T10:41:39.446589Z

(assuming it doesn't exist there yet)

dergutemoritz 2024-10-16T10:41:55.585119Z

right...

dergutemoritz 2024-10-16T10:42:22.637529Z

I would love to use a git dep but the library in question is pure Java πŸ˜•

mpenet 2024-10-16T10:42:26.337849Z

we talked about this in the past, I think the main issue currently is that the maven deps resolution is done via a lib that doesn't help with fixing this easily

dergutemoritz 2024-10-16T10:42:36.280039Z

IC

dergutemoritz 2024-10-16T10:43:24.203469Z

my current workaround is to put a deps.edn into the library with a prep task which invokes mvn compile

dergutemoritz 2024-10-16T10:43:31.050359Z

and then use that via git dep

dergutemoritz 2024-10-16T10:43:53.781109Z

but that doesn't work in all cases (for reasons I won't go into now :D)

mpenet 2024-10-16T10:44:30.737199Z

yes, it's tricky. I personally think that should be a high priority. Often these things are not seen as important until it hurts

dergutemoritz 2024-10-16T10:44:43.966649Z

agreed

dergutemoritz 2024-10-16T10:45:02.342769Z

is there a question on https://ask.clojure.org/ already for this? A quick search didn't turn anything up

mpenet 2024-10-16T10:45:27.056499Z

I don't think so. I talked about it some time back with a few folks here, including @alexmiller

mpenet 2024-10-16T10:45:45.705439Z

and with folks from clj-together at a conference

mpenet 2024-10-16T10:47:19.088439Z

this article came up: https://blog.sonatype.com/why-namespacing-matters-in-public-open-source-repositories

dergutemoritz 2024-10-16T10:48:40.235659Z

I see, thanks! I'll file a question about it for good measure later so that people have something to upvote.

πŸ‘ 1
dergutemoritz 2024-10-16T10:58:02.180999Z

Another way to solve this would be to pin a dependency to a particular signing key

dergutemoritz 2024-10-16T10:58:15.814389Z

and have the signature be mandatory for it then

mpenet 2024-10-16T10:58:29.619989Z

yeah, basically locking

dergutemoritz 2024-10-16T10:58:32.941809Z

but I can't seem to find any support for Maven dependency signatures in tools.deps πŸ€”

mpenet 2024-10-16T10:58:35.986819Z

it's the other way to fix it

mpenet 2024-10-16T10:58:53.687829Z

but mvn/deps on coords seems less intrusive for the end user

dergutemoritz 2024-10-16T10:58:55.803549Z

Hm no locking is a bit different

dergutemoritz 2024-10-16T10:59:22.361739Z

That would only protect you from an in-place modification of an already known version

mpenet 2024-10-16T10:59:35.668539Z

right

dergutemoritz 2024-10-16T10:59:41.673939Z

But when bumping dependencies, you would have to check whether the new release was signed by the (trusted) key

dergutemoritz 2024-10-16T11:08:14.879539Z

How about this: https://ask.clojure.org/index.php/14198/ensure-private-coordinate-cannot-shadowed-public-repository

☝️ 1
Alex Miller (Clojure team) 2024-10-16T13:01:04.184969Z

All of this is at odds with the design of Maven as a distributed repo - none of the APIs have this level of control. I understand the desires though and I do think there’s probably more we can do

πŸ‘ 1