Clojurians Log v2

Clojure programming

Channels

# 100-days-of-code # aatree # admin-announcements # adventofcode # ai # alda # aleph # all-the-channels # announcements # arachne # architecture # asami # atlanta-clojurians # atom-editor # autochrome-github # avi # aws # aws-lambda # babashka # babashka-sci-dev # bangalore-clj # beginners # berlin # biff # bigdata # bitcoin # boot # boot-dev # boulder-clojurians # braid-chat # braveandtrue # brevis # bristol-clojurians # business # calva # capetown # carry # cbus # cestmeetup # chestnut # chlorine-clover # cider # circleci # clara # clj-commons # cljdoc # cljfx # clj-http # clj-kondo # clj-on-windows # cljs-dev # cljs-experience # cljsfiddle # cljsjs # cljsrn # cljtogether # clojars # clojure # clojure-android # clojure-argentina # clojure-art # clojure-austin # clojure-australia # clojure-austria # clojure-bangladesh # clojure-bay-area # clojure-beijing # clojure-belgium # clojure-berlin # clojure-boston # clojure-brasil # clojurebridge # clojurebridge-ams # clojure-canada # clojure-chennai # clojure-chicago # clojure-china # clojure-colombia # clojure-conj # clojurecup # clojure-czech # clojured # clojure-denmark # clojure-denver # clojure-derby # clojuredesign-podcast # clojure-dev # clojure-dusseldorf # clojure-ecuador # clojure-egypt # clojure-estonia # clojure-europe # clojure-filipino # clojure-finland # clojure-france # clojure-gamedev # clojure-germany # clojure-greece # clojure-guangzhou # clojure-hamburg # clojure-hk # clojure-houston # clojure-hungary # clojure-india # clojureindia # clojure-indonesia # clojure-ireland # clojure-israel # clojure-italy # clojure-japan # clojure-kc # clojure-korea # clojure-losangeles # clojure-madison # clojure-mexico # clojure-miami # clojure-mk # clojure-mke # clojure-morsels # clojure-my # clojure-new-zealand # clojure-nl # clojure-nlp # clojure-norway # clojure-poland # clojure-portugal # clojure-provo # clojure-quebec # clojureremote # clojure-romania # clojure-russia # clojure-sanfrancisco # clojurescript # clojurescript-ios # clojure-sdn # clojure-seattle # clojure-serbia # clojure-sg # clojure-shanghai # clojure-spain # clojure-spec # clojuresque # clojure-survey # clojure-sweden # clojure-switzerland # clojure-taiwan # clojure-turkiye # clojure-uk # clojure-ukraine # clojureverse-ops # clojurewerkz # clojurewest # clojurex # clojure-za # clojurian-chat-app # clojutre # cloverage # cloxp # clr # code-art # code-reviews # community-development # component # conf-proposals # conjure # consulting # contributions-welcome # copenhagen-clojurians # core-async # core-logic # core-matrix # core-typed # cryogen # crypto # css # cursive # cz-clojure # d2q # datacrypt # datahike # datalevin # datalog # data-oriented-programming # data-science # datascript # datavis # dato # datomic # defnpodcast # deps-new # depstar # devcards # devops # dirac # docker # docs # domino-clj # duct # dunaj # eastwood # editors # emacs # error-message-catalog # etaoin # ethereum # euroclojure # events # exercism # expound # figwheel # figwheel-main # flambo # fulcro # funcool # functionalprogramming # funimage # garden # ghostwheel # girouette # gis # google-cloud # gorilla # graalvm # graalvm-mobile # graclj # graphql # gratitude # gsoc # hammock-driven-dev # helix # heroku # hispano # holy-lambda # honeysql # hoplon # hugsql # humor # hypercrud # hyperfiddle # immutant # improve-getting-started # incanter # indycljs # inf-clojure # instaparse # integrant # interceptors # interop # introduce-yourself # iot # iotivity # ipfs # jackdaw # jaunt # java # javascript # javelin # jobs # jobs-discuss # jobs-rus # joker # jukebox # juxt # jvm # kaocha # keechma # kekkonen # keyboards # klipse # kosmos # lambdaisland # ldnclj # ldnproclodo # lein-figwheel # leiningen # liberator # liquid # livestream # local-first-clojure # london-clojurians # lsp # luminus # lumo # mail # malli # mathematics # meander # melbourne # membrane # mental-health # microservices # mid-cities-meetup # midje # minecraft # minimallist # missionary # monads # mount # music # new-channels # new-clojure # nextjournal # nginx # nrepl # numerical-computing # nyc # observability # off-topic # om # om-next # onyx # other-languages # other-lisps # overtone # pamela # parinfer # pathom # pedestal # perun # philosophy # phzr # planck # plastic # play-clj # podcasts # polylith # portal # portkey # portland-or # powderkeg # practicalli # precept # prelude # programming-beginners # project-updates # proletarian # proton # protorepl # pulsar # pure-frame # qa # qlkit # quil # random # rdf # react # reactive # reading-clojure # reagent # reclojure # re-frame # reitit # releases # remote-jobs # respo # rethinkdb # reveal # rewrite-clj # ring # ring-swagger # robots # rum # schema # sci # sfcljs # shadow-cljs # _silence # sim-testing # sioux-falls # slack-help # sneer # sneer-br # spacemacs # specmonstah # specter # speculative # spirituality-ethics # sql # startup-in-a-month # sydney # test200 # test-check # testing # thejaloniki # timbre # tmp-json-parsing # tools-build # tools-deps # trading # tree-sitter # uncomplicate # unrepl # untangled # utah-clojurians # videos # vim # vrac # vscode # wasm # web-security # windows # xtdb # yada # yleinen

Apps

clojars

http://clojars.org discussion and “support”, see http://status.clojars.org for status.

Jon 2017-10-22T13:52:43.000035Z

Need help to setup Clojars on my new Macbook

Jon 2017-10-22T13:52:54.000004Z

any guide?

Jon 2017-10-22T13:53:13.000017Z

mostly on GPG part. I found some existing guide outdated.

gonewest818 2017-10-22T14:48:04.000031Z

@jiyinyiyong It seems to me (I can’t be sure, because I wasn’t using clojure back then) the clojars developers implemented gpg and ssh key verification, but due to whatever problems and confusion it created they backed that functionality out.

gonewest818 2017-10-22T14:48:13.000017Z

So where old documentation says stuff like “create a clojars account, and then go into your clojars profile and upload a ssh and a gpg public key” those screens are no longer in the clojars UI.

gonewest818 2017-10-22T14:51:29.000041Z

In the wiki documentation it now says, simply that it will check “if any signature is uploaded, then every artifact has a signature” but what that is NOT saying is “we confirm the signature belongs to the clojars account that is attempting to do the publishing” https://github.com/clojars/clojars-web/wiki/pushing#validations

gonewest818 2017-10-22T14:59:04.000075Z

If you do a lein deps :verify in an existing project, you’ll probably see a mixture of :signed and :unsigned jars in your projects. If you read the verbose gpg output that gets printed to your shell you’ll also probably see statements like

gpg: WARNING: This key has been revoked by its owner!
gpg:          This could mean that the signature is forged.

and

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

and

gpg: Note: This key has expired!

gonewest818 2017-10-22T15:05:30.000029Z

And clojars developers seem very aware of these issues and (I think correctly) diagnosed the root problem: “...not many people promoted their artifacts, and there were minimal security benefits from signing the JARs, as people didn’t have a web of trust to validate that the GPG signature actually chained to people they trusted.” See for example https://groups.google.com/forum/#!topic/clojure/-AIn1QlWyFs

Jon 2017-10-22T15:14:01.000003Z

slowly reading the words.... does it mean people barely sign their packages?

gonewest818 2017-10-22T15:16:01.000064Z

So the bottom line is, you can take the steps to generate a gpg keypair, sign and publish your public key to a keyserver, and make the necessary changes in profiles.clj to make sure artifacts are signed with the private key. You don’t need to submit your public key to clojars because clojars doesn’t verify signatures anymore. While leiningen can verify signatures, if you lift up that rock you may be disturbed by what you find underneath.

Jon 2017-10-22T15:17:55.000041Z

signed but not used(only for verifying)?

Jon 2017-10-22T15:18:30.000046Z

I'm still struggling to make uploading my package work..

gonewest818 2017-10-22T15:28:40.000002Z

Not sure I would say “people barely sign their jars” because I really don’t know what the statistics are. I suppose one could crawl the clojars repo and count the signed ones and find out. In my view the bigger issue is that even when people sign jars, the signatures aren’t meaningful unless the community makes the investment in building the necessary web of trust around the keys. The web of trust is necessary because it establishes the relationship between the keys and their owners. It’s not enough to have a signature on the file, you also need to know the signature is associated to the right person (the legitimate author of that library) and that you can trust that person.

Jon 2017-10-22T15:32:31.000057Z

good point though.

Jon 2017-10-22T15:33:08.000069Z

I think I'm still on the beginner problems, rather than design choices.

gonewest818 2017-10-22T15:33:26.000032Z

What specifically isn’t working for you?

Jon 2017-10-22T15:33:56.000017Z

the guides showed me GPG stuffs and I thought it was necessary.

Jon 2017-10-22T15:34:31.000014Z

well, I think configuring GPG is too much complexity and want to send unsigned packages to Clojars.

Jon 2017-10-22T15:34:59.000005Z

keep running into errors...

Jon 2017-10-22T15:36:36.000019Z

guides in Lein or Boot just assume the developers are experienced ones... but I actually come from JavaScript and think it in the way of npm. Never really understood we have so many steps to do to release.. packages.

Jon 2017-10-22T15:39:15.000032Z

Thanks. Since I confirmed that there are some people sending artifacts without signing... I can disable it in Boot now...

danielcompton 2017-10-22T20:14:48.000035Z

I think you've mostly got it all correct there. Just to recap, there used to be two repositories, the 'free for all' where anyone could deploy to, and a 'releases' repository which was stricter. You had to deploy to the free-for-all repo and could then promote it to the releases repo if it passed certain requirements including GPG signing. This was very confusing for people, I don't think a lot of people used it, and as you've identified, without a WOT the signatures don't mean a lot. Anyone who had access to a users account (username/password) could also replace the GPG key in their profile. So we pulled out the releases repo and now there is just one repo. You can follow https://github.com/clojars/clojars-web/issues/560 if you're interested for a possible future

1👏1🔑