Re: [ANN] Important upcoming changes to Clojars
17 views
Skip to first unread message
Toby Crawley
Apr 18, 2021, 3:16:08 PM4/18/21
to clo...@googlegroups.com, clojars-maintainers
These changes have now been completed - you will need to use a verified group when deploying a *new* project to Clojars. These changes will only impact folks deploying to Clojars; consumption of artifacts from Clojars is unchanged. A summary of the current state:
- *existing* projects can still deploy new versions even if the group isn't verified. This won't change.
- *new* projects can only be deployed to verified groups
- *new* groups can only be created via a group verification request and must meet the guidelines for reverse-domain-based groups[1]
- if you don't want to/aren't able to verify a group, there are several groups that are automatically verified for you[2]
Please file an issue[3] if you run in to any issues with deploying.
- Toby
[1]:https://github.com/clojars/clojars-web/wiki/Groups#creating-a-group
[2]:https://github.com/clojars/clojars-web/wiki/Groups#personal-groups
[3]:https://github.com/clojars/clojars-web/issues/new/choose
On Mon, Mar 1, 2021, at 08:46, Toby Crawley wrote:
> Howdy folks! We have two separate changes coming for the Clojars system
> that you need to be aware of.
>
> First, the tl;dr:
>
> - After 2021-04-15, versions of Java older than 7u25 will no longer be
> able to access the Clojars repository
> - After 2021-04-18, a Clojars group name must have verified ownership
> before a new library can be deployed to it
>
> Now, the details:
>
> # Dropping support for old Java versions
>
> The repository itself is hosted behind a Fastly CDN, and Fastly is
> forcing all accounts to switch to SNI[1] for TLS connections. Clojars
> will be migrated on or after 2021-04-15, so this will cause requests
> from older Java clients to fail (SNI support was added to Java in
> version 7u25 in 2011). So you will need to upgrade if you are still
> using an old Java for building or for running an artifact proxy. This
> change only affects connections to the repo.clojars.org hostname (and
> clojars.org/repo/, since it redirects to repo.clojars.org).
>
> [1]: https://en.wikipedia.org/wiki/Server_Name_Indication
>
> # Requiring verified group names
>
> In light of the recent announcement[2] of a method to inject libraries
> into internal builds by shadowing internal names (aka 'Dependency
> Confusion'), we have decided to take steps to make Clojars more secure.
> Clojars will soon require that all **new** libraries have a verified
> group name, and that group name needs to be reverse-domain-based. This
> will help protect against Clojars being used in the following attack
> vectors:
>
> - shadowing a company-internal library name, causing the version
> published on Clojars to be used instead in some situations
> - shadowing a library name that is also published to Maven Central or
> another public repository (Clojars already has checks in place to
> prevent shadowing anything on Maven Central, but they are brittle and
> could be removed once verification is in place)
> - "typo-squatting" - a library that is named very similarly to one
> published elsewhere; designed to capture cases where a developer makes
> a typo in the dependency specification
>
> The schedule for releasing this change should allow enough time for us
> to get the Clojars changes in place and to communicate the changes
> throughout the community:
>
> - Today:
> - net.clojars.<clojars-username>/org.clojars.<clojars-username>
> groups are already verified for all existing and future users (see
> below for details)
> - the Clojars admins can start processing any manual verification
> requests (see below for details)
> - **creating new non-verified groups and creating new libraries in
> non-verified groups is still allowed**
> - 2021-03-07:
> - com.github.<github-username> and io.github.<github-username> groups
> will be verified automatically when when you log in via GitHub
> - 2021-03-21:
> - login via GitLab will be released
> - com.gitlab.<gitlab-username> groups verified automatically when you
> login via GitLab
> - 2021-04-18:
> - **creating new non-verified groups and creating new libraries in
> non-verified groups will be disabled**
>
> [2]: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
>
> ## FAQ
>
> ### What is a reverse-domain-based group name?
>
> A reverse-domain-based group name is one that when reversed resolves to
> a DNS-resolvable domain, or a domain and a well known identifier within
> that domain. For example, com.github.clojars maps to
> https://github.com/clojars/, and org.clojars maps to
> https://clojars.org. This namespacing mechanism has a long history in
> Java for package names and libraries released to Maven Central[3].
> Clojars has historically been less stringent, and using verifiable
> group names brings us closer to the standards followed by much of the
> broader JVM community.
>
> [3]:
> https://blog.sonatype.com/why-namespacing-matters-in-public-open-source-repositories
>
> ### Do I have to have my own domain name to publish to Clojars?
>
> No, you have quite a few automatically verified options if you don't
> have a domain name, don't want to use your own, or don't want to go
> through the manual verification process:
>
> - org.clojars.<clojars-username>: this group exists for each Clojars
> user, and is automatically verified. These groups have existed since
> the early days of Clojars, and have typically been used as
> sandboxes/for non-canonical forks. We recommend using
> net.clojars.<clojars-username> for "official" releases instead.
> - net.clojars.<clojars-username>: this group exists for each Clojars
> user, and is automatically verified
> - com.github.<github-username> / io.github.<github-username>: both of
> these groups will be verified automatically when you login via GitHub
> after 2021-03-07. See below if you want to verify
> (com|io).github.<github-organization-name>.
> - com.gitlab.<gitlab-username>: this group will be verified
> automatically when you login via GitLab after 2021-03-21. See below if
> you want to verify com.gitlab.<gitlab-organization-name>.
>
> ### How do I verify a group name?
>
> If you aren't using one of the auto-verified group names above, you
> will need to open a verification request[4] with the Clojars staff.
>
> If the group name matches a GitHub/GitLab organization name
> (com.github.<org>/com.gitlab.<org>/io.github.<org>), then we'll ask you
> to create a public repository with a specific name under that
> organization to prove ownership.
>
> If the group name is some other reverse-domain-based name, we'll ask
> you to create a TXT DNS record under that domain (or some alternate
> method) to prove ownership.
>
> If the group name isn't reverse-domain-based, it won't be verified.
>
> If this is a new group (no libraries have yet been released to it), you
> will need to verify it before deploying the library after 2021-04-18.
>
> [4]:
> https://github.com/clojars/administration/issues/new?template=group_verification.md
>
> ### How does this impact existing libraries published to Clojars?
>
> This won't have an impact on releasing new versions of existing
> libraries; the group does not need to be verified for new versions.
> These changes only impact new libraries.
>
> ### Do I have to rename my existing libraries that I publish to Clojars?
>
> Nope - existing libraries can continue to release new versions under
> their existing names and be referred to by their existing names.
>
> ### Does this impact how Clojure namespaces have to be named within libraries?
>
> Not at all - there is no relationship between the name of a library and
> the namespaces it provides (but zero correspondence between them might
> be confusing).
>
> ### Can I verify an existing group name?
>
> Yes, as long as the group name is reverse-domain-based and you are a
> member of the group. Otherwise, no.
>
> ### What does this mean for single-named libraries?
>
> Libraries with a "single name" (like hiccup, cheshire, clj-http) are
> implemented under the hood as a library where the group and artifact
> name are the same (hiccup/hiccup, cheshire/cheshire, etc). Existing
> libraries named in that fashion will continue to be releasable, but no
> new ones will be allowed to be created (that's not 100% accurate - you
> _could_ verify a domain-based-group, then use the group name as the
> artifact name as well, but that seems unlikely).
>
> ### I never publish libraries to Clojars, only use them. How does this
> impact me?
>
> This should have no impact on you other than the improved security.
>
> ### How can I help?
>
> Great question! You can help by:
>
> - bringing any community documentation that needs to be updated to our
> attention, or updating it yourself
> - sharing this information throughout the community. The bulk of this
> message is also available on the Clojars wiki at
> https://github.com/clojars/clojars-web/wiki/Verified-Group-Names
>
> ## Implementation
>
> The plan to implement these changes is being tracked in
> https://github.com/clojars/clojars-web/projects/1 if you are interested
> following along.
>
> ## Discussion/feedback
>
> If you have questions or concerns that aren't answered here, feel free
> to comment on the discussion at
> https://github.com/clojars/administration/discussions/2.
>
> # Sponsors
>
> Thanks for reading this far! I want to take this opportunity to thank
> the sponsors that make Clojars possible.
>
> - Clojurists Together (https://www.clojuriststogether.org/) (and all of
> its members): Clojurists Together funds my maintenance work on Clojars
> - Clubhouse Software (https://clubhouse.io/): Clubhouse covers our
> hosting costs, and is flexible enough as my employer to allow me to
> address any Clojars emergencies
> - Fastly (http://fastly.com/): Fastly provides the CDN that fronts
> `repo.clojars.org` at no cost
> - DNSimple (https://dnsimple.link/resolving-clojars): DNSimple provides
> free DNS services for Clojars
> - Deps (https://www.deps.co/): Deps covers Daniel Compton's time for
> Clojars Administration
> - Both Pingometer (https://pingometer.com/) and Sentry
> (http://sentry.io/) provide free service for monitoring
> - Statuspage (https://www.statuspage.io/) provides free hosting for
> http://status.clojars.org/
>
- *existing* projects can still deploy new versions even if the group isn't verified. This won't change.
- *new* projects can only be deployed to verified groups
- *new* groups can only be created via a group verification request and must meet the guidelines for reverse-domain-based groups[1]
- if you don't want to/aren't able to verify a group, there are several groups that are automatically verified for you[2]
Please file an issue[3] if you run in to any issues with deploying.
- Toby
[1]:https://github.com/clojars/clojars-web/wiki/Groups#creating-a-group
[2]:https://github.com/clojars/clojars-web/wiki/Groups#personal-groups
[3]:https://github.com/clojars/clojars-web/issues/new/choose
On Mon, Mar 1, 2021, at 08:46, Toby Crawley wrote:
> Howdy folks! We have two separate changes coming for the Clojars system
> that you need to be aware of.
>
> First, the tl;dr:
>
> - After 2021-04-15, versions of Java older than 7u25 will no longer be
> able to access the Clojars repository
> - After 2021-04-18, a Clojars group name must have verified ownership
> before a new library can be deployed to it
>
> Now, the details:
>
> # Dropping support for old Java versions
>
> The repository itself is hosted behind a Fastly CDN, and Fastly is
> forcing all accounts to switch to SNI[1] for TLS connections. Clojars
> will be migrated on or after 2021-04-15, so this will cause requests
> from older Java clients to fail (SNI support was added to Java in
> version 7u25 in 2011). So you will need to upgrade if you are still
> using an old Java for building or for running an artifact proxy. This
> change only affects connections to the repo.clojars.org hostname (and
> clojars.org/repo/, since it redirects to repo.clojars.org).
>
> [1]: https://en.wikipedia.org/wiki/Server_Name_Indication
>
> # Requiring verified group names
>
> In light of the recent announcement[2] of a method to inject libraries
> into internal builds by shadowing internal names (aka 'Dependency
> Confusion'), we have decided to take steps to make Clojars more secure.
> Clojars will soon require that all **new** libraries have a verified
> group name, and that group name needs to be reverse-domain-based. This
> will help protect against Clojars being used in the following attack
> vectors:
>
> - shadowing a company-internal library name, causing the version
> published on Clojars to be used instead in some situations
> - shadowing a library name that is also published to Maven Central or
> another public repository (Clojars already has checks in place to
> prevent shadowing anything on Maven Central, but they are brittle and
> could be removed once verification is in place)
> - "typo-squatting" - a library that is named very similarly to one
> published elsewhere; designed to capture cases where a developer makes
> a typo in the dependency specification
>
> The schedule for releasing this change should allow enough time for us
> to get the Clojars changes in place and to communicate the changes
> throughout the community:
>
> - Today:
> - net.clojars.<clojars-username>/org.clojars.<clojars-username>
> groups are already verified for all existing and future users (see
> below for details)
> - the Clojars admins can start processing any manual verification
> requests (see below for details)
> - **creating new non-verified groups and creating new libraries in
> non-verified groups is still allowed**
> - 2021-03-07:
> - com.github.<github-username> and io.github.<github-username> groups
> will be verified automatically when when you log in via GitHub
> - 2021-03-21:
> - login via GitLab will be released
> - com.gitlab.<gitlab-username> groups verified automatically when you
> login via GitLab
> - 2021-04-18:
> - **creating new non-verified groups and creating new libraries in
> non-verified groups will be disabled**
>
> [2]: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
>
> ## FAQ
>
> ### What is a reverse-domain-based group name?
>
> A reverse-domain-based group name is one that when reversed resolves to
> a DNS-resolvable domain, or a domain and a well known identifier within
> that domain. For example, com.github.clojars maps to
> https://github.com/clojars/, and org.clojars maps to
> https://clojars.org. This namespacing mechanism has a long history in
> Java for package names and libraries released to Maven Central[3].
> Clojars has historically been less stringent, and using verifiable
> group names brings us closer to the standards followed by much of the
> broader JVM community.
>
> [3]:
> https://blog.sonatype.com/why-namespacing-matters-in-public-open-source-repositories
>
> ### Do I have to have my own domain name to publish to Clojars?
>
> No, you have quite a few automatically verified options if you don't
> have a domain name, don't want to use your own, or don't want to go
> through the manual verification process:
>
> - org.clojars.<clojars-username>: this group exists for each Clojars
> user, and is automatically verified. These groups have existed since
> the early days of Clojars, and have typically been used as
> sandboxes/for non-canonical forks. We recommend using
> net.clojars.<clojars-username> for "official" releases instead.
> - net.clojars.<clojars-username>: this group exists for each Clojars
> user, and is automatically verified
> - com.github.<github-username> / io.github.<github-username>: both of
> these groups will be verified automatically when you login via GitHub
> after 2021-03-07. See below if you want to verify
> (com|io).github.<github-organization-name>.
> - com.gitlab.<gitlab-username>: this group will be verified
> automatically when you login via GitLab after 2021-03-21. See below if
> you want to verify com.gitlab.<gitlab-organization-name>.
>
> ### How do I verify a group name?
>
> If you aren't using one of the auto-verified group names above, you
> will need to open a verification request[4] with the Clojars staff.
>
> If the group name matches a GitHub/GitLab organization name
> (com.github.<org>/com.gitlab.<org>/io.github.<org>), then we'll ask you
> to create a public repository with a specific name under that
> organization to prove ownership.
>
> If the group name is some other reverse-domain-based name, we'll ask
> you to create a TXT DNS record under that domain (or some alternate
> method) to prove ownership.
>
> If the group name isn't reverse-domain-based, it won't be verified.
>
> If this is a new group (no libraries have yet been released to it), you
> will need to verify it before deploying the library after 2021-04-18.
>
> [4]:
> https://github.com/clojars/administration/issues/new?template=group_verification.md
>
> ### How does this impact existing libraries published to Clojars?
>
> This won't have an impact on releasing new versions of existing
> libraries; the group does not need to be verified for new versions.
> These changes only impact new libraries.
>
> ### Do I have to rename my existing libraries that I publish to Clojars?
>
> Nope - existing libraries can continue to release new versions under
> their existing names and be referred to by their existing names.
>
> ### Does this impact how Clojure namespaces have to be named within libraries?
>
> Not at all - there is no relationship between the name of a library and
> the namespaces it provides (but zero correspondence between them might
> be confusing).
>
> ### Can I verify an existing group name?
>
> Yes, as long as the group name is reverse-domain-based and you are a
> member of the group. Otherwise, no.
>
> ### What does this mean for single-named libraries?
>
> Libraries with a "single name" (like hiccup, cheshire, clj-http) are
> implemented under the hood as a library where the group and artifact
> name are the same (hiccup/hiccup, cheshire/cheshire, etc). Existing
> libraries named in that fashion will continue to be releasable, but no
> new ones will be allowed to be created (that's not 100% accurate - you
> _could_ verify a domain-based-group, then use the group name as the
> artifact name as well, but that seems unlikely).
>
> ### I never publish libraries to Clojars, only use them. How does this
> impact me?
>
> This should have no impact on you other than the improved security.
>
> ### How can I help?
>
> Great question! You can help by:
>
> - bringing any community documentation that needs to be updated to our
> attention, or updating it yourself
> - sharing this information throughout the community. The bulk of this
> message is also available on the Clojars wiki at
> https://github.com/clojars/clojars-web/wiki/Verified-Group-Names
>
> ## Implementation
>
> The plan to implement these changes is being tracked in
> https://github.com/clojars/clojars-web/projects/1 if you are interested
> following along.
>
> ## Discussion/feedback
>
> If you have questions or concerns that aren't answered here, feel free
> to comment on the discussion at
> https://github.com/clojars/administration/discussions/2.
>
> # Sponsors
>
> Thanks for reading this far! I want to take this opportunity to thank
> the sponsors that make Clojars possible.
>
> - Clojurists Together (https://www.clojuriststogether.org/) (and all of
> its members): Clojurists Together funds my maintenance work on Clojars
> - Clubhouse Software (https://clubhouse.io/): Clubhouse covers our
> hosting costs, and is flexible enough as my employer to allow me to
> address any Clojars emergencies
> - Fastly (http://fastly.com/): Fastly provides the CDN that fronts
> `repo.clojars.org` at no cost
> - DNSimple (https://dnsimple.link/resolving-clojars): DNSimple provides
> free DNS services for Clojars
> - Deps (https://www.deps.co/): Deps covers Daniel Compton's time for
> Clojars Administration
> - Both Pingometer (https://pingometer.com/) and Sentry
> (http://sentry.io/) provide free service for monitoring
> - Statuspage (https://www.statuspage.io/) provides free hosting for
> http://status.clojars.org/
>
Reply all
Reply to author
Forward
0 new messages