[ANN] Important upcoming changes to Clojars

467 views
Skip to first unread message

Toby Crawley

unread,
Mar 1, 2021, 8:47:05 AM3/1/21
to clo...@googlegroups.com
Howdy folks! We have two separate changes coming for the Clojars system that you need to be aware of.

First, the tl;dr:

- After 2021-04-15, versions of Java older than 7u25 will no longer be able to access the Clojars repository
- After 2021-04-18, a Clojars group name must have verified ownership before a new library can be deployed to it

Now, the details:

# Dropping support for old Java versions

The repository itself is hosted behind a Fastly CDN, and Fastly is forcing all accounts to switch to SNI[1] for TLS connections. Clojars will be migrated on or after 2021-04-15, so this will cause requests from older Java clients to fail (SNI support was added to Java in version 7u25 in 2011). So you will need to upgrade if you are still using an old Java for building or for running an artifact proxy. This change only affects connections to the repo.clojars.org hostname (and clojars.org/repo/, since it redirects to repo.clojars.org).

[1]: https://en.wikipedia.org/wiki/Server_Name_Indication

# Requiring verified group names

In light of the recent announcement[2] of a method to inject libraries into internal builds by shadowing internal names (aka 'Dependency Confusion'), we have decided to take steps to make Clojars more secure. Clojars will soon require that all **new** libraries have a verified group name, and that group name needs to be reverse-domain-based. This will help protect against Clojars being used in the following attack vectors:

- shadowing a company-internal library name, causing the version published on Clojars to be used instead in some situations
- shadowing a library name that is also published to Maven Central or another public repository (Clojars already has checks in place to prevent shadowing anything on Maven Central, but they are brittle and could be removed once verification is in place)
- "typo-squatting" - a library that is named very similarly to one published elsewhere; designed to capture cases where a developer makes a typo in the dependency specification

The schedule for releasing this change should allow enough time for us to get the Clojars changes in place and to communicate the changes throughout the community:

- Today:
- net.clojars.<clojars-username>/org.clojars.<clojars-username> groups are already verified for all existing and future users (see below for details)
- the Clojars admins can start processing any manual verification requests (see below for details)
- **creating new non-verified groups and creating new libraries in non-verified groups is still allowed**
- 2021-03-07:
- com.github.<github-username> and io.github.<github-username> groups will be verified automatically when when you log in via GitHub
- 2021-03-21:
- login via GitLab will be released
- com.gitlab.<gitlab-username> groups verified automatically when you login via GitLab
- 2021-04-18:
- **creating new non-verified groups and creating new libraries in non-verified groups will be disabled**

[2]: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

## FAQ

### What is a reverse-domain-based group name?

A reverse-domain-based group name is one that when reversed resolves to a DNS-resolvable domain, or a domain and a well known identifier within that domain. For example, com.github.clojars maps to https://github.com/clojars/, and org.clojars maps to https://clojars.org. This namespacing mechanism has a long history in Java for package names and libraries released to Maven Central[3]. Clojars has historically been less stringent, and using verifiable group names brings us closer to the standards followed by much of the broader JVM community.

[3]: https://blog.sonatype.com/why-namespacing-matters-in-public-open-source-repositories

### Do I have to have my own domain name to publish to Clojars?

No, you have quite a few automatically verified options if you don't have a domain name, don't want to use your own, or don't want to go through the manual verification process:

- org.clojars.<clojars-username>: this group exists for each Clojars user, and is automatically verified. These groups have existed since the early days of Clojars, and have typically been used as sandboxes/for non-canonical forks. We recommend using net.clojars.<clojars-username> for "official" releases instead.
- net.clojars.<clojars-username>: this group exists for each Clojars user, and is automatically verified
- com.github.<github-username> / io.github.<github-username>: both of these groups will be verified automatically when you login via GitHub after 2021-03-07. See below if you want to verify (com|io).github.<github-organization-name>.
- com.gitlab.<gitlab-username>: this group will be verified automatically when you login via GitLab after 2021-03-21. See below if you want to verify com.gitlab.<gitlab-organization-name>.

### How do I verify a group name?

If you aren't using one of the auto-verified group names above, you will need to open a verification request[4] with the Clojars staff.

If the group name matches a GitHub/GitLab organization name (com.github.<org>/com.gitlab.<org>/io.github.<org>), then we'll ask you to create a public repository with a specific name under that organization to prove ownership.

If the group name is some other reverse-domain-based name, we'll ask you to create a TXT DNS record under that domain (or some alternate method) to prove ownership.

If the group name isn't reverse-domain-based, it won't be verified.

If this is a new group (no libraries have yet been released to it), you will need to verify it before deploying the library after 2021-04-18.

[4]: https://github.com/clojars/administration/issues/new?template=group_verification.md

### How does this impact existing libraries published to Clojars?

This won't have an impact on releasing new versions of existing libraries; the group does not need to be verified for new versions. These changes only impact new libraries.

### Do I have to rename my existing libraries that I publish to Clojars?

Nope - existing libraries can continue to release new versions under their existing names and be referred to by their existing names.

### Does this impact how Clojure namespaces have to be named within libraries?

Not at all - there is no relationship between the name of a library and the namespaces it provides (but zero correspondence between them might be confusing).

### Can I verify an existing group name?

Yes, as long as the group name is reverse-domain-based and you are a member of the group. Otherwise, no.

### What does this mean for single-named libraries?

Libraries with a "single name" (like hiccup, cheshire, clj-http) are implemented under the hood as a library where the group and artifact name are the same (hiccup/hiccup, cheshire/cheshire, etc). Existing libraries named in that fashion will continue to be releasable, but no new ones will be allowed to be created (that's not 100% accurate - you _could_ verify a domain-based-group, then use the group name as the artifact name as well, but that seems unlikely).

### I never publish libraries to Clojars, only use them. How does this impact me?

This should have no impact on you other than the improved security.

### How can I help?

Great question! You can help by:

- bringing any community documentation that needs to be updated to our attention, or updating it yourself
- sharing this information throughout the community. The bulk of this message is also available on the Clojars wiki at https://github.com/clojars/clojars-web/wiki/Verified-Group-Names

## Implementation

The plan to implement these changes is being tracked in https://github.com/clojars/clojars-web/projects/1 if you are interested following along.

## Discussion/feedback

If you have questions or concerns that aren't answered here, feel free to comment on the discussion at https://github.com/clojars/administration/discussions/2.

# Sponsors

Thanks for reading this far! I want to take this opportunity to thank the sponsors that make Clojars possible.

- Clojurists Together (https://www.clojuriststogether.org/) (and all of its members): Clojurists Together funds my maintenance work on Clojars
- Clubhouse Software (https://clubhouse.io/): Clubhouse covers our hosting costs, and is flexible enough as my employer to allow me to address any Clojars emergencies
- Fastly (http://fastly.com/): Fastly provides the CDN that fronts `repo.clojars.org` at no cost
- DNSimple (https://dnsimple.link/resolving-clojars): DNSimple provides free DNS services for Clojars
- Deps (https://www.deps.co/): Deps covers Daniel Compton's time for Clojars Administration
- Both Pingometer (https://pingometer.com/) and Sentry (http://sentry.io/) provide free service for monitoring
- Statuspage (https://www.statuspage.io/) provides free hosting for http://status.clojars.org/

James Reeves

unread,
Mar 1, 2021, 11:26:17 AM3/1/21
to 'EuAndreh' via Clojure
This is an interesting change, and essentially enforces a de-facto package naming scheme for Clojure. I don't see this as a bad thing, though.

Have you considered automatically validating domain name ownership by supplying a challenge token and then looking for it at a well-known location on the domain?
-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clo...@googlegroups.com
Note that posts from new members are moderated - please be patient with your first post.
To unsubscribe from this group, send email to
For more options, visit this group at
--- 
You received this message because you are subscribed to the Google Groups "Clojure" group.
To unsubscribe from this group and stop receiving emails from it, send an email to clojure+u...@googlegroups.com.


--
James Reeves


Toby Crawley

unread,
Mar 1, 2021, 6:32:10 PM3/1/21
to clo...@googlegroups.com
On Mon, Mar 1, 2021, at 11:08, James Reeves wrote:
Have you considered automatically validating domain name ownership by supplying a challenge token and then looking for it at a well-known location on the domain?

That's a good suggestion - I have considered that as a verification option. The plan doesn't currently include automatic verification because I wanted to focus on getting all of the other pieces implemented first, and wanted to gain more knowledge about what methods would work for users as part of the manual verification process.

- Toby

Toby Crawley

unread,
Mar 26, 2021, 3:56:04 PM3/26/21
to Clojure
A followup on:

On Monday, March 1, 2021 at 8:47:05 AM UTC-5 Toby Crawley wrote:
# Dropping support for old Java versions

The repository itself is hosted behind a Fastly CDN, and Fastly is forcing all accounts to switch to SNI[1] for TLS connections. Clojars will be migrated on or after 2021-04-15, so this will cause requests from older Java clients to fail (SNI support was added to Java in version 7u25 in 2011). So you will need to upgrade if you are still using an old Java for building or for running an artifact proxy. This change only affects connections to the repo.clojars.org hostname (and clojars.org/repo/, since it redirects to repo.clojars.org).

[1]: https://en.wikipedia.org/wiki/Server_Name_Indication
 

It looks like Fastly migrated us earlier than expected - the change went through earlier today.

Please file an issue at https://github.com/clojars/administration/issues/new/choose if you are having issues accessing the repo with a Java version of 7u25 or newer, or with a non-Java client.

- Toby

Toby Crawley

unread,
Apr 18, 2021, 3:16:19 PM4/18/21
to clo...@googlegroups.com, clojars-maintainers
These changes have now been completed - you will need to use a verified group when deploying a *new* project to Clojars. These changes will only impact folks deploying to Clojars; consumption of artifacts from Clojars is unchanged. A summary of the current state:

- *existing* projects can still deploy new versions even if the group isn't verified. This won't change.
- *new* projects can only be deployed to verified groups
- *new* groups can only be created via a group verification request and must meet the guidelines for reverse-domain-based groups[1]
- if you don't want to/aren't able to verify a group, there are several groups that are automatically verified for you[2]

Please file an issue[3] if you run in to any issues with deploying.

- Toby

[1]:https://github.com/clojars/clojars-web/wiki/Groups#creating-a-group
[2]:https://github.com/clojars/clojars-web/wiki/Groups#personal-groups
[3]:https://github.com/clojars/clojars-web/issues/new/choose
Reply all
Reply to author
Forward
0 new messages