[ANN] Deploy tokens for Clojars


Toby Crawley

May 17, 2020, 4:56:25 PM
to clo...@googlegroups.com
Howdy folks!

Just letting you know that Clojars[1] now allows you to create and use
deploy tokens[2] in place of passwords when deploying. If you don't
deploy OSS projects to Clojars, feel free to stop reading now.

The deploy tokens are to be used in place of a password when
deploying, and can optionally be scoped to only allow deployment of a
single artifact or any artifact within a group[2].

We now consider deploying with your Clojars password deprecated, and
will *disable deploying with a password on or after 2020-06-27*. So
please switch to using deploy tokens as soon as you can, and please
file an issue[3] or get in touch via the #clojars channel on the
Clojurians slack if you encounter any problems.

Also please file an issue[3] if you know of any public documentation
that should be updated to mention deploy tokens.

We are currently working with GitHub to enable secret scanning[4] for
these tokens. Once that is in place, any token that GitHub discovers
in source code will automatically be disabled and Clojars will email
you about it.

This work is being sponsored by Clojurists Together[5]. Please
consider joining to sponsor this and other OSS work in the Clojure
community if you aren't already a member. If you are already a member:
thank you!

- Toby

[1]: https://clojars.org
[2]: https://github.com/clojars/clojars-web/wiki/Deploy-Tokens
[3]: https://github.com/clojars/clojars-web/issues/new?template=issue.md
[4]: https://developer.github.com/partnerships/secret-scanning/
[5]: https://www.clojuriststogether.org/news/clojurists-together-is-funding-clojars/

Sean Corfield

May 18, 2020, 12:25:41 AM
to Clojure Mailing List
Here's a project that is documented to use the Clojars password and is fairly widely used: https://github.com/slipset/deps-deploy -- all projects created by clj-new rely on this and all of them will have the same documentation to use the Clojars password.

Forcing everyone to change their deployment processes across the board within just over a month seems a bit... aggressive...

--
Sean A Corfield -- (904) 302-SEAN
An Architect's View -- https://corfield.org/
World Singles Networks, LLC. -- https://worldsinglesnetworks.com/

"Perfection is the enemy of the good."
-- Gustave Flaubert, French realist novelist (1821-1880)

Erik Assum

May 18, 2020, 1:38:40 AM
to clo...@googlegroups.com
I think I agree with Sean that the time frame is a bit short. One thing is making deps-deploy
(and also pomegranate) work with tokens (which I’m confident I can handle).
Another thing is that I would imagine both leiningen and boot would need new
releases and people would need to adopt those releases?

On a positive note, I think the deploy-token per artefact is super for clj-commons, since we
then have a way to publish artefacts under the original groupid/artefactid.

Erik.

Erik Assum

May 18, 2020, 1:41:37 AM
to clo...@googlegroups.com
D’oh, please disregard. After reading the docs, I see that no changes would be needed, apart from updating the docs.

Mea culpa, sorry for the noise.

Erik.

Toby Crawley

May 18, 2020, 8:38:34 AM
to clo...@googlegroups.com
Thanks for the feedback Sean. In my experience, it doesn't matter if
you give users a week, a month, or a year to switch - the majority
won't until their first password-based deploy fails. And to be clear -
all a user has to do is log in to Clojars, create a token, and use the
token string in place of their Clojars password, which shouldn't be too
onerous. Clojars will respond with a status message that briefly
explains the issue and links to the wiki if a password is used after
the switchover.

That said, I have no strong attachment to switching over on June 27th
- I would be open to discussing other dates. If someone does want to
argue for a later date, please file an issue at
https://github.com/clojars/clojars-web/issues/new?template=issue.md
and we can chat there.

It looks like Erik has already updated the deps-deploy documentation
(thanks Erik!).

- Toby

Sean Corfield

May 19, 2020, 12:42:23 AM
to Clojure Mailing List
This thread has illuminated something that wasn't at all clear from your original post: namely that all tooling can continue exactly as-is, just with user tokens swapped for passwords, and no code changes are required.

If all it takes is for users of Clojars to set CLOJARS_PASSWORD to a token obtained from clojars.org instead of their original password, that's not much of a burden at all.

