Howdy folks! We have two separate changes coming for the Clojars system that you need to be aware of.
First, the tl;dr:
- After 2021-04-15, versions of Java older than 7u25 will no longer be able to access the Clojars repository
- After 2021-04-18, a Clojars group name must have verified ownership before a new library can be deployed to it
Now, the details:
# Dropping support for old Java versions
The repository itself is hosted behind a Fastly CDN, and Fastly is forcing all accounts to switch to SNI[1] for TLS connections. Clojars will be migrated on or after 2021-04-15, so this will cause requests from older Java clients to fail (SNI support was added to Java in version 7u25 in 2011). So you will need to upgrade if you are still using an old Java for building or for running an artifact proxy. This change only affects connections to the
repo.clojars.org hostname (and
clojars.org/repo/, since it redirects to
repo.clojars.org).
[1]:
https://en.wikipedia.org/wiki/Server_Name_Indication
# Requiring verified group names
In light of the recent announcement[2] of a method to inject libraries into internal builds by shadowing internal names (aka 'Dependency Confusion'), we have decided to take steps to make Clojars more secure. Clojars will soon require that all **new** libraries have a verified group name, and that group name needs to be reverse-domain-based. This will help protect against Clojars being used in the following attack vectors:
- shadowing a company-internal library name, causing the version published on Clojars to be used instead in some situations
- shadowing a library name that is also published to Maven Central or another public repository (Clojars already has checks in place to prevent shadowing anything on Maven Central, but they are brittle and could be removed once verification is in place)
- "typo-squatting" - a library that is named very similarly to one published elsewhere; designed to capture cases where a developer makes a typo in the dependency specification
The schedule for releasing this change should allow enough time for us to get the Clojars changes in place and to communicate the changes throughout the community:
- Today:
- net.clojars.<clojars-username>/org.clojars.<clojars-username> groups are already verified for all existing and future users (see below for details)
- the Clojars admins can start processing any manual verification requests (see below for details)
- **creating new non-verified groups and creating new libraries in non-verified groups is still allowed**
- 2021-03-07:
- com.github.<github-username> and io.github.<github-username> groups will be verified automatically when when you log in via GitHub
- 2021-03-21:
- login via GitLab will be released
- com.gitlab.<gitlab-username> groups verified automatically when you login via GitLab
- 2021-04-18:
- **creating new non-verified groups and creating new libraries in non-verified groups will be disabled**
[2]:
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
## FAQ
### What is a reverse-domain-based group name?
A reverse-domain-based group name is one that when reversed resolves to a DNS-resolvable domain, or a domain and a well known identifier within that domain. For example, com.github.clojars maps to
https://github.com/clojars/, and org.clojars maps to
https://clojars.org. This namespacing mechanism has a long history in Java for package names and libraries released to Maven Central[3]. Clojars has historically been less stringent, and using verifiable group names brings us closer to the standards followed by much of the broader JVM community.
[3]:
https://blog.sonatype.com/why-namespacing-matters-in-public-open-source-repositories
### Do I have to have my own domain name to publish to Clojars?
No, you have quite a few automatically verified options if you don't have a domain name, don't want to use your own, or don't want to go through the manual verification process:
- org.clojars.<clojars-username>: this group exists for each Clojars user, and is automatically verified. These groups have existed since the early days of Clojars, and have typically been used as sandboxes/for non-canonical forks. We recommend using net.clojars.<clojars-username> for "official" releases instead.
- net.clojars.<clojars-username>: this group exists for each Clojars user, and is automatically verified
- com.github.<github-username> / io.github.<github-username>: both of these groups will be verified automatically when you login via GitHub after 2021-03-07. See below if you want to verify (com|io).github.<github-organization-name>.
- com.gitlab.<gitlab-username>: this group will be verified automatically when you login via GitLab after 2021-03-21. See below if you want to verify com.gitlab.<gitlab-organization-name>.
### How do I verify a group name?
If you aren't using one of the auto-verified group names above, you will need to open a verification request[4] with the Clojars staff.
If the group name matches a GitHub/GitLab organization name (com.github.<org>/com.gitlab.<org>/io.github.<org>), then we'll ask you to create a public repository with a specific name under that organization to prove ownership.
If the group name is some other reverse-domain-based name, we'll ask you to create a TXT DNS record under that domain (or some alternate method) to prove ownership.
If the group name isn't reverse-domain-based, it won't be verified.
If this is a new group (no libraries have yet been released to it), you will need to verify it before deploying the library after 2021-04-18.
[4]:
https://github.com/clojars/administration/issues/new?template=group_verification.md
### How does this impact existing libraries published to Clojars?
This won't have an impact on releasing new versions of existing libraries; the group does not need to be verified for new versions. These changes only impact new libraries.
### Do I have to rename my existing libraries that I publish to Clojars?
Nope - existing libraries can continue to release new versions under their existing names and be referred to by their existing names.
### Does this impact how Clojure namespaces have to be named within libraries?
Not at all - there is no relationship between the name of a library and the namespaces it provides (but zero correspondence between them might be confusing).
### Can I verify an existing group name?
Yes, as long as the group name is reverse-domain-based and you are a member of the group. Otherwise, no.
### What does this mean for single-named libraries?
Libraries with a "single name" (like hiccup, cheshire, clj-http) are implemented under the hood as a library where the group and artifact name are the same (hiccup/hiccup, cheshire/cheshire, etc). Existing libraries named in that fashion will continue to be releasable, but no new ones will be allowed to be created (that's not 100% accurate - you _could_ verify a domain-based-group, then use the group name as the artifact name as well, but that seems unlikely).
### I never publish libraries to Clojars, only use them. How does this impact me?
This should have no impact on you other than the improved security.
### How can I help?
Great question! You can help by:
- bringing any community documentation that needs to be updated to our attention, or updating it yourself
- sharing this information throughout the community. The bulk of this message is also available on the Clojars wiki at
https://github.com/clojars/clojars-web/wiki/Verified-Group-Names
## Implementation
The plan to implement these changes is being tracked in
https://github.com/clojars/clojars-web/projects/1 if you are interested following along.
## Discussion/feedback
If you have questions or concerns that aren't answered here, feel free to comment on the discussion at
https://github.com/clojars/administration/discussions/2.
# Sponsors
Thanks for reading this far! I want to take this opportunity to thank the sponsors that make Clojars possible.
- Clojurists Together (
https://www.clojuriststogether.org/) (and all of its members): Clojurists Together funds my maintenance work on Clojars
- Clubhouse Software (
https://clubhouse.io/): Clubhouse covers our hosting costs, and is flexible enough as my employer to allow me to address any Clojars emergencies
- Fastly (
http://fastly.com/): Fastly provides the CDN that fronts `
repo.clojars.org` at no cost
- DNSimple (
https://dnsimple.link/resolving-clojars): DNSimple provides free DNS services for Clojars
- Deps (
https://www.deps.co/): Deps covers Daniel Compton's time for Clojars Administration
- Both Pingometer (
https://pingometer.com/) and Sentry (
http://sentry.io/) provide free service for monitoring
- Statuspage (
https://www.statuspage.io/) provides free hosting for
http://status.clojars.org/