subject:"\[ANN\] Deploy tokens for Clojars"

Re: [ANN] Deploy tokens for Clojars

2020-05-18 Thread Sean Corfield

This thread has illuminated something that wasn't at all clear from your
original post: namely that all tooling can continue exactly as-is, just
with user tokens swapped for passwords, and no code changes are required.

If all it takes is for users of Clojars to set CLOJARS_PASSWORD to a token
obtained from clojars.org instead of their original password, that's not
much of a burden at all.


On Mon, May 18, 2020 at 5:38 AM Toby Crawley  wrote:

> Thanks for the feedback Sean. In my experience, it doesn't matter if
> you give users a week, a month, or a year to switch - the majority
> won't until their first password-based deploy fails. And to be clear -
> all a user has to do is log in to Clojars, create a token, and use the
> token string in place of their Clojars password, which shouldn't be to
> onerous. Clojars will respond with a status message that briefly
> explains the issue and links to the wiki if a password is used after
> the switchover.
>
> That said, I have no strong attachment to switching over on June 27th
> - I would be open to discussing other dates. If someone does want to
> argue for a later date, please file an issue at
> https://github.com/clojars/clojars-web/issues/new?template=issue.md
> and we can chat there.
>
> It looks like Erik has already updated the deps-deploy documentation
> (thanks Erik!).
>
> - Toby
>
> On Mon, May 18, 2020 at 12:25 AM Sean Corfield  wrote:
> >
> > Here's a project that is documented to use the Clojars password and is
> fairly widely used: https://github.com/slipset/deps-deploy -- all
> projects created by clj-new rely on this and all of them will have the same
> documentation to use the Clojars password.
> >
> > Forcing everyone to change their deployment processes across the board
> within just over a month seems a bit... aggressive...
> >
> > On Sun, May 17, 2020 at 1:56 PM Toby Crawley  wrote:
> >>
> >> Howdy folks!
> >>
> >> Just letting you know that Clojars[1] now allows you to create and use
> >> deploy tokens[2] in place of passwords when deploying. If you don't
> >> deploy OSS projects to Clojars, feel free to stop reading now.
> >>
> >> The deploy tokens are to be used in place of a password when
> >> deploying, and can optionally be scoped to only allow deployment of a
> >> single artifact or any artifact within a group[2].
> >>
> >> We now consider deploying with your Clojars password deprecated, and
> >> will *disable deploying with a password on or after 2020-06-27*. So
> >> please switch to using deploy tokens as soon as you can, and please
> >> file an issue[3] or get in touch via the #clojars channel on the
> >> Clojurians slack if you encounter any problems.
> >>
> >> Also please file an issue[3] if you know of any public documentation
> >> that should be updated to mention deploy tokens.
> >>
> >> We are currently working with GitHub to enable secret scanning[4] for
> >> these tokens. Once that is in place, any token that GitHub discovers
> >> in source code will automatically be disabled and Clojars will email
> >> you about it.
> >>
> >> This work is being sponsored by Clojurists Together[5]. Please
> >> consider joining to sponsor this and other OSS work in the Clojure
> >> community if you aren't already a member. If you are already a member:
> >> thank you!
> >>
> >> - Toby
> >>
> >> [1]: https://clojars.org
> >> [2]: https://github.com/clojars/clojars-web/wiki/Deploy-Tokens
> >> [3]:
> https://github.com/clojars/clojars-web/issues/new?template=issue.md
> >> [4]: https://developer.github.com/partnerships/secret-scanning/
> >> [5]:
> https://www.clojuriststogether.org/news/clojurists-together-is-funding-clojars/
> >>
> >> --
> >> You received this message because you are subscribed to the Google
> >> Groups "Clojure" group.
> >> To post to this group, send email to clojure@googlegroups.com
> >> Note that posts from new members are moderated - please be patient with
> your first post.
> >> To unsubscribe from this group, send email to
> >> clojure+unsubscr...@googlegroups.com
> >> For more options, visit this group at
> >> http://groups.google.com/group/clojure?hl=en
> >> ---
> >> You received this message because you are subscribed to the Google
> Groups "Clojure" group.
> >> To unsubscribe from this group and stop receiving emails from it, send
> an email to clojure+unsubscr...@googlegroups.com.
> >> To view this discussion on the web visit
> https://groups.google.com/d/msgid/clojure/CAA3HuyZiAFk8Bb4gRjrKuO-fs4psK9TPvR0FZX00w-01ZGhhSQ%40mail.gmail.com
> .
> >
> >
> >
> > --
> > Sean A Corfield -- (904) 302-SEAN
> > An Architect's View -- https://corfield.org/
> > World Singles Networks, LLC. -- https://worldsinglesnetworks.com/
> >
> > "Perfection is the enemy of the good."
> > -- Gustave Flaubert, French realist novelist (1821-1880)
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "Clojure" group.
> > To post to this group, send email to clojure@googlegroups.com
> > Note that posts

Re: [ANN] Deploy tokens for Clojars

2020-05-18 Thread Toby Crawley

Thanks for the feedback Sean. In my experience, it doesn't matter if
you give users a week, a month, or a year to switch - the majority
won't until their first password-based deploy fails. And to be clear -
all a user has to do is log in to Clojars, create a token, and use the
token string in place of their Clojars password, which shouldn't be to
onerous. Clojars will respond with a status message that briefly
explains the issue and links to the wiki if a password is used after
the switchover.

That said, I have no strong attachment to switching over on June 27th
- I would be open to discussing other dates. If someone does want to
argue for a later date, please file an issue at
https://github.com/clojars/clojars-web/issues/new?template=issue.md
and we can chat there.

It looks like Erik has already updated the deps-deploy documentation
(thanks Erik!).

- Toby

On Mon, May 18, 2020 at 12:25 AM Sean Corfield  wrote:
>
> Here's a project that is documented to use the Clojars password and is fairly 
> widely used: https://github.com/slipset/deps-deploy -- all projects created 
> by clj-new rely on this and all of them will have the same documentation to 
> use the Clojars password.
>
> Forcing everyone to change their deployment processes across the board within 
> just over a month seems a bit... aggressive...
>
> On Sun, May 17, 2020 at 1:56 PM Toby Crawley  wrote:
>>
>> Howdy folks!
>>
>> Just letting you know that Clojars[1] now allows you to create and use
>> deploy tokens[2] in place of passwords when deploying. If you don't
>> deploy OSS projects to Clojars, feel free to stop reading now.
>>
>> The deploy tokens are to be used in place of a password when
>> deploying, and can optionally be scoped to only allow deployment of a
>> single artifact or any artifact within a group[2].
>>
>> We now consider deploying with your Clojars password deprecated, and
>> will *disable deploying with a password on or after 2020-06-27*. So
>> please switch to using deploy tokens as soon as you can, and please
>> file an issue[3] or get in touch via the #clojars channel on the
>> Clojurians slack if you encounter any problems.
>>
>> Also please file an issue[3] if you know of any public documentation
>> that should be updated to mention deploy tokens.
>>
>> We are currently working with GitHub to enable secret scanning[4] for
>> these tokens. Once that is in place, any token that GitHub discovers
>> in source code will automatically be disabled and Clojars will email
>> you about it.
>>
>> This work is being sponsored by Clojurists Together[5]. Please
>> consider joining to sponsor this and other OSS work in the Clojure
>> community if you aren't already a member. If you are already a member:
>> thank you!
>>
>> - Toby
>>
>> [1]: https://clojars.org
>> [2]: https://github.com/clojars/clojars-web/wiki/Deploy-Tokens
>> [3]: https://github.com/clojars/clojars-web/issues/new?template=issue.md
>> [4]: https://developer.github.com/partnerships/secret-scanning/
>> [5]: 
>> https://www.clojuriststogether.org/news/clojurists-together-is-funding-clojars/
>>
>> --
>> You received this message because you are subscribed to the Google
>> Groups "Clojure" group.
>> To post to this group, send email to clojure@googlegroups.com
>> Note that posts from new members are moderated - please be patient with your 
>> first post.
>> To unsubscribe from this group, send email to
>> clojure+unsubscr...@googlegroups.com
>> For more options, visit this group at
>> http://groups.google.com/group/clojure?hl=en
>> ---
>> You received this message because you are subscribed to the Google Groups 
>> "Clojure" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to clojure+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/clojure/CAA3HuyZiAFk8Bb4gRjrKuO-fs4psK9TPvR0FZX00w-01ZGhhSQ%40mail.gmail.com.
>
>
>
> --
> Sean A Corfield -- (904) 302-SEAN
> An Architect's View -- https://corfield.org/
> World Singles Networks, LLC. -- https://worldsinglesnetworks.com/
>
> "Perfection is the enemy of the good."
> -- Gustave Flaubert, French realist novelist (1821-1880)
>
> --
> You received this message because you are subscribed to the Google
> Groups "Clojure" group.
> To post to this group, send email to clojure@googlegroups.com
> Note that posts from new members are moderated - please be patient with your 
> first post.
> To unsubscribe from this group, send email to
> clojure+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/clojure?hl=en
> ---
> You received this message because you are subscribed to the Google Groups 
> "Clojure" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to clojure+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
>

Re: [ANN] Deploy tokens for Clojars

2020-05-17 Thread Erik Assum

D’oh, please disregard. After reading the docs, I see that no changes would be 
needed, apart from updating the docs.

Mea culpa, sorry for the noise.

Erik.

> On 18 May 2020, at 07:38, Erik Assum  wrote:
> 
> I think I agree with Sean that the time frame is a bit short. One thing is 
> making deps-deploy
> (and also pomegranate) work with tokens (which I’m confident I can handle).
> Another thing is that I would imagine both leiningen and boot would need new
> releases and people would need to adopt those releases?
> 
> On a positive note, I think the deploy-token per artefact is super for 
> clj-commons, since we
> then have a way to publish artefacts under the original groupid/artefactid.
> 
> Erik.
> 
>> On 18 May 2020, at 06:25, Sean Corfield > > wrote:
>> 
>> Here's a project that is documented to use the Clojars password and is 
>> fairly widely used: https://github.com/slipset/deps-deploy 
>>  -- all projects created by clj-new 
>> rely on this and all of them will have the same documentation to use the 
>> Clojars password.
>> 
>> Forcing everyone to change their deployment processes across the board 
>> within just over a month seems a bit... aggressive...
>> 
>> On Sun, May 17, 2020 at 1:56 PM Toby Crawley > > wrote:
>> Howdy folks!
>> 
>> Just letting you know that Clojars[1] now allows you to create and use
>> deploy tokens[2] in place of passwords when deploying. If you don't
>> deploy OSS projects to Clojars, feel free to stop reading now.
>> 
>> The deploy tokens are to be used in place of a password when
>> deploying, and can optionally be scoped to only allow deployment of a
>> single artifact or any artifact within a group[2].
>> 
>> We now consider deploying with your Clojars password deprecated, and
>> will *disable deploying with a password on or after 2020-06-27*. So
>> please switch to using deploy tokens as soon as you can, and please
>> file an issue[3] or get in touch via the #clojars channel on the
>> Clojurians slack if you encounter any problems.
>> 
>> Also please file an issue[3] if you know of any public documentation
>> that should be updated to mention deploy tokens.
>> 
>> We are currently working with GitHub to enable secret scanning[4] for
>> these tokens. Once that is in place, any token that GitHub discovers
>> in source code will automatically be disabled and Clojars will email
>> you about it.
>> 
>> This work is being sponsored by Clojurists Together[5]. Please
>> consider joining to sponsor this and other OSS work in the Clojure
>> community if you aren't already a member. If you are already a member:
>> thank you!
>> 
>> - Toby
>> 
>> [1]: https://clojars.org 
>> [2]: https://github.com/clojars/clojars-web/wiki/Deploy-Tokens 
>> 
>> [3]: https://github.com/clojars/clojars-web/issues/new?template=issue.md 
>> 
>> [4]: https://developer.github.com/partnerships/secret-scanning/ 
>> 
>> [5]: 
>> https://www.clojuriststogether.org/news/clojurists-together-is-funding-clojars/
>>  
>> 
>> 
>> -- 
>> You received this message because you are subscribed to the Google
>> Groups "Clojure" group.
>> To post to this group, send email to clojure@googlegroups.com 
>> 
>> Note that posts from new members are moderated - please be patient with your 
>> first post.
>> To unsubscribe from this group, send email to
>> clojure+unsubscr...@googlegroups.com 
>> 
>> For more options, visit this group at
>> http://groups.google.com/group/clojure?hl=en 
>> 
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "Clojure" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to clojure+unsubscr...@googlegroups.com 
>> .
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/clojure/CAA3HuyZiAFk8Bb4gRjrKuO-fs4psK9TPvR0FZX00w-01ZGhhSQ%40mail.gmail.com
>>  
>> .
>> 
>> 
>> -- 
>> Sean A Corfield -- (904) 302-SEAN
>> An Architect's View -- https://corfield.org/ 
>> World Singles Networks, LLC. -- https://worldsinglesnetworks.com/ 
>> 
>> 
>> "Perfection is the enemy of the good."
>> -- Gustave Flaubert, French realist novelist (1821-1880)
>> 
>> -- 
>> You received this message because you are subscribed to the Google
>> Groups "Clojure" group.
>> To post to this group, send

Re: [ANN] Deploy tokens for Clojars

2020-05-17 Thread Erik Assum

I think I agree with Sean that the time frame is a bit short. One thing is 
making deps-deploy
(and also pomegranate) work with tokens (which I’m confident I can handle).
Another thing is that I would imagine both leiningen and boot would need new
releases and people would need to adopt those releases?

On a positive note, I think the deploy-token per artefact is super for 
clj-commons, since we
then have a way to publish artefacts under the original groupid/artefactid.

Erik.

> On 18 May 2020, at 06:25, Sean Corfield  wrote:
> 
> Here's a project that is documented to use the Clojars password and is fairly 
> widely used: https://github.com/slipset/deps-deploy 
>  -- all projects created by clj-new 
> rely on this and all of them will have the same documentation to use the 
> Clojars password.
> 
> Forcing everyone to change their deployment processes across the board within 
> just over a month seems a bit... aggressive...
> 
> On Sun, May 17, 2020 at 1:56 PM Toby Crawley  > wrote:
> Howdy folks!
> 
> Just letting you know that Clojars[1] now allows you to create and use
> deploy tokens[2] in place of passwords when deploying. If you don't
> deploy OSS projects to Clojars, feel free to stop reading now.
> 
> The deploy tokens are to be used in place of a password when
> deploying, and can optionally be scoped to only allow deployment of a
> single artifact or any artifact within a group[2].
> 
> We now consider deploying with your Clojars password deprecated, and
> will *disable deploying with a password on or after 2020-06-27*. So
> please switch to using deploy tokens as soon as you can, and please
> file an issue[3] or get in touch via the #clojars channel on the
> Clojurians slack if you encounter any problems.
> 
> Also please file an issue[3] if you know of any public documentation
> that should be updated to mention deploy tokens.
> 
> We are currently working with GitHub to enable secret scanning[4] for
> these tokens. Once that is in place, any token that GitHub discovers
> in source code will automatically be disabled and Clojars will email
> you about it.
> 
> This work is being sponsored by Clojurists Together[5]. Please
> consider joining to sponsor this and other OSS work in the Clojure
> community if you aren't already a member. If you are already a member:
> thank you!
> 
> - Toby
> 
> [1]: https://clojars.org 
> [2]: https://github.com/clojars/clojars-web/wiki/Deploy-Tokens 
> 
> [3]: https://github.com/clojars/clojars-web/issues/new?template=issue.md 
> 
> [4]: https://developer.github.com/partnerships/secret-scanning/ 
> 
> [5]: 
> https://www.clojuriststogether.org/news/clojurists-together-is-funding-clojars/
>  
> 
> 
> -- 
> You received this message because you are subscribed to the Google
> Groups "Clojure" group.
> To post to this group, send email to clojure@googlegroups.com 
> 
> Note that posts from new members are moderated - please be patient with your 
> first post.
> To unsubscribe from this group, send email to
> clojure+unsubscr...@googlegroups.com 
> 
> For more options, visit this group at
> http://groups.google.com/group/clojure?hl=en 
> 
> --- 
> You received this message because you are subscribed to the Google Groups 
> "Clojure" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to clojure+unsubscr...@googlegroups.com 
> .
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/clojure/CAA3HuyZiAFk8Bb4gRjrKuO-fs4psK9TPvR0FZX00w-01ZGhhSQ%40mail.gmail.com
>  
> .
> 
> 
> -- 
> Sean A Corfield -- (904) 302-SEAN
> An Architect's View -- https://corfield.org/ 
> World Singles Networks, LLC. -- https://worldsinglesnetworks.com/ 
> 
> 
> "Perfection is the enemy of the good."
> -- Gustave Flaubert, French realist novelist (1821-1880)
> 
> -- 
> You received this message because you are subscribed to the Google
> Groups "Clojure" group.
> To post to this group, send email to clojure@googlegroups.com
> Note that posts from new members are moderated - please be patient with your 
> first post.
> To unsubscribe from this group, send email to
> clojure+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/clojure?hl=en 
> 
> --- 
>

Re: [ANN] Deploy tokens for Clojars

2020-05-17 Thread Sean Corfield

Here's a project that is documented to use the Clojars password and is
fairly widely used: https://github.com/slipset/deps-deploy -- all projects
created by clj-new rely on this and all of them will have the same
documentation to use the Clojars password.

Forcing everyone to change their deployment processes across the board
within just over a month seems a bit... aggressive...

On Sun, May 17, 2020 at 1:56 PM Toby Crawley  wrote:

> Howdy folks!
>
> Just letting you know that Clojars[1] now allows you to create and use
> deploy tokens[2] in place of passwords when deploying. If you don't
> deploy OSS projects to Clojars, feel free to stop reading now.
>
> The deploy tokens are to be used in place of a password when
> deploying, and can optionally be scoped to only allow deployment of a
> single artifact or any artifact within a group[2].
>
> We now consider deploying with your Clojars password deprecated, and
> will *disable deploying with a password on or after 2020-06-27*. So
> please switch to using deploy tokens as soon as you can, and please
> file an issue[3] or get in touch via the #clojars channel on the
> Clojurians slack if you encounter any problems.
>
> Also please file an issue[3] if you know of any public documentation
> that should be updated to mention deploy tokens.
>
> We are currently working with GitHub to enable secret scanning[4] for
> these tokens. Once that is in place, any token that GitHub discovers
> in source code will automatically be disabled and Clojars will email
> you about it.
>
> This work is being sponsored by Clojurists Together[5]. Please
> consider joining to sponsor this and other OSS work in the Clojure
> community if you aren't already a member. If you are already a member:
> thank you!
>
> - Toby
>
> [1]: https://clojars.org
> [2]: https://github.com/clojars/clojars-web/wiki/Deploy-Tokens
> [3]: https://github.com/clojars/clojars-web/issues/new?template=issue.md
> [4]: https://developer.github.com/partnerships/secret-scanning/
> [5]:
> https://www.clojuriststogether.org/news/clojurists-together-is-funding-clojars/
>
> --
> You received this message because you are subscribed to the Google
> Groups "Clojure" group.
> To post to this group, send email to clojure@googlegroups.com
> Note that posts from new members are moderated - please be patient with
> your first post.
> To unsubscribe from this group, send email to
> clojure+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/clojure?hl=en
> ---
> You received this message because you are subscribed to the Google Groups
> "Clojure" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to clojure+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/clojure/CAA3HuyZiAFk8Bb4gRjrKuO-fs4psK9TPvR0FZX00w-01ZGhhSQ%40mail.gmail.com
> .
>


-- 
Sean A Corfield -- (904) 302-SEAN
An Architect's View -- https://corfield.org/
World Singles Networks, LLC. -- https://worldsinglesnetworks.com/

"Perfection is the enemy of the good."
-- Gustave Flaubert, French realist novelist (1821-1880)

-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
--- 
You received this message because you are subscribed to the Google Groups 
"Clojure" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to clojure+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/clojure/CAD4thx-VRp3NbVjLrZ5-iihxeO9r66WD%3DqpAhNwj_HQ7Vuq-cg%40mail.gmail.com.

[ANN] Deploy tokens for Clojars

2020-05-17 Thread Toby Crawley

Howdy folks!

Just letting you know that Clojars[1] now allows you to create and use
deploy tokens[2] in place of passwords when deploying. If you don't
deploy OSS projects to Clojars, feel free to stop reading now.

The deploy tokens are to be used in place of a password when
deploying, and can optionally be scoped to only allow deployment of a
single artifact or any artifact within a group[2].

We now consider deploying with your Clojars password deprecated, and
will *disable deploying with a password on or after 2020-06-27*. So
please switch to using deploy tokens as soon as you can, and please
file an issue[3] or get in touch via the #clojars channel on the
Clojurians slack if you encounter any problems.

Also please file an issue[3] if you know of any public documentation
that should be updated to mention deploy tokens.

We are currently working with GitHub to enable secret scanning[4] for
these tokens. Once that is in place, any token that GitHub discovers
in source code will automatically be disabled and Clojars will email
you about it.

This work is being sponsored by Clojurists Together[5]. Please
consider joining to sponsor this and other OSS work in the Clojure
community if you aren't already a member. If you are already a member:
thank you!

- Toby

[1]: https://clojars.org
[2]: https://github.com/clojars/clojars-web/wiki/Deploy-Tokens
[3]: https://github.com/clojars/clojars-web/issues/new?template=issue.md
[4]: https://developer.github.com/partnerships/secret-scanning/
[5]: 
https://www.clojuriststogether.org/news/clojurists-together-is-funding-clojars/

-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
--- 
You received this message because you are subscribed to the Google Groups 
"Clojure" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to clojure+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/clojure/CAA3HuyZiAFk8Bb4gRjrKuO-fs4psK9TPvR0FZX00w-01ZGhhSQ%40mail.gmail.com.

Re: [ANN] Deploy tokens for Clojars

Re: [ANN] Deploy tokens for Clojars

Re: [ANN] Deploy tokens for Clojars

Re: [ANN] Deploy tokens for Clojars

Re: [ANN] Deploy tokens for Clojars

[ANN] Deploy tokens for Clojars

6 matches

Site Navigation

Mail list logo

Footer information