Re: [PSA] Clojars scp disabled until further notice

2014-10-18 Thread tcrayford
Phil,

I've used scp uploads in the past. They're much easier when e.g. you wanna 
upload a java library you've forked. Without scp uploads (or an easy 
copy/paste curl alternative), you have to go through getting the project to 
build with lein by itself. It's not *too* difficult to get a maven based 
project uploaded to clojars 
(https://github.com/ato/clojars-web/wiki/Pushing has an easy to follow 
section), but getting ant or other projects up there is painful.

Other than that, I've happily converted over to `lein deploy` for my 
lein-based projects.

Tom

On Wednesday, 24 September 2014 17:57:49 UTC-5, Phil Hagelberg wrote:

 Greetings, Clojure hackers. 

 Due to the recent vulnerability in Bash[1], the scp-based deploy 
 services on clojars.org has been disabled for the time being. 

 If you have been using this (as opposed to the HTTPS deploy used by 
 `lein deploy clojars` and `maven deploy`), we'd be interested in hearing 
 from you. In particular we would like to know reasons why you haven't 
 upgraded, assuming it's not just "I started on scp and it worked well, 
 so I never saw the need to change anything." 

 If you haven't tried HTTPS-based deploys, now would be a great time to 
 do so and see if they work for you. If not, let us know why, either here 
 or on the Leiningen issue tracker[2]. The HTTPS-based deploys are 
 definitely a superior implementation that we encourage. We would like to 
 bring scp deploys back online in the near future, but as you know 
 Clojars is a volunteer-run service without many resources, and we have 
 no immediate timeline for this. 

 -Phil 

 [1] - http://seclists.org/oss-sec/2014/q3/650 
 [2] - https://github.com/technomancy/leiningen/issues/new 


-- 
You received this message because you are subscribed to the Google
Groups Clojure group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
--- 
You received this message because you are subscribed to the Google Groups 
Clojure group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to clojure+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [PSA] Clojars scp disabled until further notice

2014-10-17 Thread Carlos Fontes
I noticed 'lein deploy clojars' for SNAPSHOT is actually more convenient 
than the scp upload method because, besides not needing the signing stuff, 
there is no need to manually delete the .m2 cache when a new snapshot is 
uploaded.

As for signing, I finally had an opportunity to do it and it went smooth. I 
even got to promote the artifact!
It failed only the first time I used a passphrase. It told me to set up a 
gpg agent. Maybe it is a useful addition to 'lein help gpg'.

Carlos


Re: [PSA] Clojars scp disabled until further notice

2014-10-09 Thread Eric Normand
Hey Nelson,

I would love to help out with raising funds for Clojars. I've got a great 
idea that I need to talk to you about. I can provide execution and 
promotion.

Let's talk.

Eric

On Wednesday, October 8, 2014 7:49:38 PM UTC-5, Bridget wrote:



 On Friday, September 26, 2014 11:09:55 AM UTC-4, Nelson Morris wrote:

 Clojars has become a critical part of the clojure ecosystem. As a small 
 sample, it hosts artifacts for:

 * Web development - ring, compojure, hoplon, hiccup, enlive, friend, 
 immutant
 * Tooling - lein templates/plugins, cider-nrepl, clojure-complete, 
 gorilla-repl
 * Clojurescript - lein-cljsbuild, austin, om, reagent, sente
 * Misc - Clojurewerkz projects, storm, incanter, clj-time, cheshire, 
 clj-http, 
 * Company projects - pedestal, dommy, schema


 Just want to take this opportunity to say, yet again - because it can't be 
 said enough - THANK YOU to Nelson (and Phil, of course!) for all of the 
 hard - and unpaid - work that you put into Clojars. 

 I hope that some sponsors can step forward to say thank you in a more 
 concrete way.

 Bridget



Re: [PSA] Clojars scp disabled until further notice

2014-10-08 Thread Bridget


On Friday, September 26, 2014 11:09:55 AM UTC-4, Nelson Morris wrote:

 Clojars has become a critical part of the clojure ecosystem. As a small 
 sample, it hosts artifacts for:

 * Web development - ring, compojure, hoplon, hiccup, enlive, friend, 
 immutant
 * Tooling - lein templates/plugins, cider-nrepl, clojure-complete, 
 gorilla-repl
 * Clojurescript - lein-cljsbuild, austin, om, reagent, sente
 * Misc - Clojurewerkz projects, storm, incanter, clj-time, cheshire, 
 clj-http, 
 * Company projects - pedestal, dommy, schema


Just want to take this opportunity to say, yet again - because it can't be 
said enough - THANK YOU to Nelson (and Phil, of course!) for all of the 
hard - and unpaid - work that you put into Clojars. 

I hope that some sponsors can step forward to say thank you in a more 
concrete way.

Bridget


Re: [PSA] Clojars scp disabled until further notice

2014-09-29 Thread Michael Klishin
On 27 September 2014 at 09:32:13, Sean Corfield (s...@corfield.org) wrote:
 If Clojars' scp remains unavailable, will that pain be sufficient to
 switch library maintainers to https deploy? Or will those maintainers
 just stop making releases and abandon their libraries?

I've had to do a few releases last weekend and had to urgently do one today.

`lein clojars deploy` works for some projects but fails with others.
The docs cover deploying to private repos in a lot of detail but do not
mention Clojars-specific configuration (e.g. if I don't have the time to fight
GnuPG and want to just disable signing altogether with clojars).

In general, my experience as library maintainer has gone from "it's trivial to 
deploy a new release, I do it all the time" to "deploying libraries is a 
nightmare, I'd rather do it as late as possible."

I have no choice but to go through this whole GnuPG dance all the way — you can't 
maintain 30+ libraries otherwise — but I'm really unhappy about having to do 
that. 
--  
@michaelklishin, github.com/michaelklishin


Re: [PSA] Clojars scp disabled until further notice

2014-09-27 Thread Lee Spector

I just want to chime in to note that not everyone who works in Clojure, and for 
whom Clojars is the obvious (only?) reasonable way to share libraries, is a 
professional developer. Some of us are, for example, researchers or students in 
a range of fields for which reading complex security stuff is not actually 
part of our jobs.

I've scheduled some time next week to sit down with a student and work through 
lein help gpg (thanks for the pointer, Phil!) and try to get lein deploy 
working (again -- we did try once but gave up when we hit errors that we didn't 
understand), so that we can resume use of Clojars in our work. I'm hopeful that 
it will go smoothly and that we'll be back up and running soon.

But in any case I wanted to warn against making too many assumptions about the 
user base (or potential user base).

 -Lee


On Sep 27, 2014, at 1:32 AM, Sean Corfield s...@corfield.org wrote:

 I grumbled about the GPG stuff when it came up but after a chat with
 Phil I decided this was something I just needed to learn as a
 developer. Sure, it means you have to read complex security stuff
 but we have to read lots of complex stuff as developers - that's just
 part of our job.
 
 I switched to lein deploy clojars a long time ago and, frankly, after
 that initial hour or two for a one-off setup, I never had to worry
 about GPG again.
 
 Perhaps #shellshock is a good opportunity for a lot more developers to
 learn some better security health?
 
 If Clojars' scp remains unavailable, will that pain be sufficient to
 switch library maintainers to https deploy? Or will those maintainers
 just stop making releases and abandon their libraries?
 
 Sean


Re: [PSA] Clojars scp disabled until further notice

2014-09-27 Thread Phil Hagelberg
Lee Spector lspec...@hampshire.edu writes:

 I just want to chime in to note that not everyone who works in
 Clojure, and for whom Clojars is the obvious (only?) reasonable way to
 share libraries, is a professional developer. Some of us are, for
 example, researchers or students in a range of fields for which
 reading complex security stuff is not actually part of our jobs.

Makes sense.

For clarification; while GPG is used by default for Leiningen deploys,
it is not currently a requirement for either Leiningen or Clojars. You
can always set :sign-releases false in your :repositories entry if your
artifacts are intended for hobbyist or academic use rather than inside a
production environment.

-Phil


pgpUtD7BdWoOk.pgp
Description: PGP signature
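
As an added illustration, not part of Phil's message or of Leiningen's own documentation: a project.clj showing the two Clojars deploy configurations discussed in this thread, the signed default and the `:sign-releases false` opt-out. The project name, version and GPG key id are placeholders; `:deploy-repositories`, `:creds :gpg`, `:sign-releases` and `:signing` are Leiningen 2.x options, and the `:deploy-repositories` entry is used here rather than `:repositories` so that deploy-only settings stay out of dependency resolution.

```clojure
;; Added example, not from the original thread. Project name, version and
;; the GPG key id are placeholders.
(defproject example/mylib "0.1.0"
  :description "Illustrates `lein deploy clojars` over HTTPS, with and without GPG signing"

  ;; Recommended configuration: `lein deploy clojars` uploads over HTTPS and
  ;; signs each artifact with GPG before upload. Signing is Leiningen's
  ;; default, so :sign-releases true is shown only for contrast. With
  ;; :creds :gpg the username/password are read from the encrypted file
  ;; ~/.lein/credentials.clj.gpg (see `lein help gpg`), whose decrypted
  ;; content is a map such as
  ;;   {#"https://clojars.org/repo" {:username "me" :password "secret"}}
  ;; so the Clojars password never sits in plaintext in the project or on
  ;; the command line.
  :deploy-repositories [["clojars" {:url "https://clojars.org/repo"
                                    :creds :gpg
                                    :sign-releases true}]

                        ;; Opt-out described by Phil for hobbyist/academic
                        ;; artifacts: still HTTPS (credentials are prompted
                        ;; for when :creds is absent), but no .asc signature
                        ;; is produced, so consumers cannot verify who built
                        ;; the jar. Replace the entry above with this one to
                        ;; use it; a project.clj lists each repository name
                        ;; once.
                        #_["clojars" {:url "https://clojars.org/repo"
                                      :sign-releases false}]]

  ;; When more than one secret key is in the local keyring, pick the one
  ;; used for signing. Placeholder key id.
  :signing {:gpg-key "0x0123456789ABCDEF"})
```

The `#_` reader macro makes the second entry a comment for the Clojure reader, so the file above loads as-is with signing enabled; swapping which entry carries `#_` switches to unsigned deploys without changing anything else.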


Re: [PSA] Clojars scp disabled until further notice

2014-09-27 Thread Lee Spector

Thanks Phil. We'll definitely look into :sign-releases false when we try to 
get this working next week.

 -Lee

On Sep 27, 2014, at 7:52 PM, Phil Hagelberg p...@hagelb.org wrote:

 Lee Spector lspec...@hampshire.edu writes:
 
 I just want to chime in to note that not everyone who works in
 Clojure, and for whom Clojars is the obvious (only?) reasonable way to
 share libraries, is a professional developer. Some of us are, for
 example, researchers or students in a range of fields for which
 reading complex security stuff is not actually part of our jobs.
 
 Makes sense.
 
 For clarification; while GPG is used by default for Leiningen deploys,
 it is not currently a requirement for either Leiningen or Clojars. You
 can always set :sign-releases false in your :repositories entry if your
 artifacts are intended for hobbyist or academic use rather than inside a
 production environment.
 
 -Phil



Re: [PSA] Clojars scp disabled until further notice

2014-09-27 Thread Zach Oakes
I'd love to kick in a few bucks per week. Gratipay might work for you; it 
doesn't skim anything after credit card fees (full disclosure, I am friends 
with the person who runs it).

On Friday, September 26, 2014 3:30:29 PM UTC-4, Nelson Morris wrote:

 I have no expectations for anyone. Clojars has been free to use 
 (push/pull, individual/corp) since it started. I have no intentions of 
 changing that. My belief is there is value to maintenance/dev, and hope 
 that it can be financed in a sustainable way.  If it can be done by being 
 spread out among people deriving that value, then even better.

 I'll plan to set up something for individuals in the future, though that 
 will wait until after I talk to businesses. As for numbers, I don't have a 
 direct answer for you. It comes down to the value the company can get back. 
 I'm starting with conversations with businesses that are interested, and 
 will determine from there.

 On Fri, Sep 26, 2014 at 1:44 PM, Howard M. Lewis Ship hls...@gmail.com wrote:

 There's a number of options out there for collecting small recurring 
 payments.  I already make regular payments to Wikipedia and a couple of 
 others (including GitHub), and would be willing to kick in some money 
 towards Clojars.

 The question is: what is a reasonable amount?  This is tricky; I'm 
 comfortable, as a self-employed, individual developer, to kick in $3-$5 per 
 month. What kind of numbers are you looking at for the more corporate users 
 of Clojars?  What would you expect for an organization that simply pulls 
 from Clojars, vs. one that distributes code via Clojars?


 On Friday, 26 September 2014 08:09:55 UTC-7, Nelson Morris wrote:

 Clojars has become a critical part of the clojure ecosystem. As a small 
 sample, it hosts artifacts for:

 * Web development - ring, compojure, hoplon, hiccup, enlive, friend, 
 immutant
 * Tooling - lein templates/plugins, cider-nrepl, clojure-complete, 
 gorilla-repl
 * Clojurescript - lein-cljsbuild, austin, om, reagent, sente
 * Misc - Clojurewerkz projects, storm, incanter, clj-time, cheshire, 
 clj-http, 
 * Company projects - pedestal, dommy, schema

 Vulnerabilities like shellshock and heartbleed always require quick 
 response. An insecure clojars service could lead to compromised systems in 
 multiple companies, potentially any project that used an artifact from it. 
 A similar situation exists for maven central, rubygems, apt, and other 
 repositories.

 There are other administration tasks such as verifying backups, server 
 updates, better response time to deletion requests, and potentially the 
 need to handle unexpected downtime. Additionally, development time is 
 needed for the releases repo w/ signatures, CDN deployments, additional UI 
 work, and more.

 Currently clojars is maintained by a collaboration between 3 very spare 
 time people. Vulnerabilities get attention due to the damage potential. 
 However, being a spare time project many of the other tasks languish until 
 required, or wait behind the queue of life's requirements. I'd love to 
 change that.

 I've been a co-maintainer for clojars for two years. I implemented the 
 https deployment, better search, and download statistics for clojars. I've 
 handled most of the deletion requests over the past year. I've also got 
 work in leiningen including almost everything related to dependency 
 resolution and trees.

 I want your help.

 Do you work at a company that runs clojure in production?  Does it have 
 a financial interest in a well maintained and secure clojars service? Would 
 it be interested in sponsorships, business features, or another arrangement 
 that produces value? Then I request you email me. I want to create a 
 sustainable path for this critical piece of the clojure ecosystem.

 Thanks,
 Nelson Morris


Re: [PSA] Clojars scp disabled until further notice

2014-09-26 Thread Jony Hudson
FWIW, I followed the lein deploy clojars instructions (around March this 
year) and it did work for me. I recall being a bit confused by the GPG 
stuff, but following the notes on the wiki did do the trick.


Jony

On Friday, 26 September 2014 04:21:41 UTC+1, Phil Hagelberg wrote:

 Carlos Fontes ccfo...@gmail.com writes: 

  Some immemorial time ago I tried `lein deploy clojars` which led me to 
  read complex security stuff. I really tried to make it work, I did.. but it 
  didn't just work, it didn't work with some work and even with more 
  work, so now I just use `lein push`. 

 I see. Perhaps if you could use more detail than "it didn't work" we 
 might be able to help get this working. 

  Btw, is Clojars still down for SCP uploads? Still having trouble here: 
  com.jcraft.jsch.JSchException: Auth fail 

 Yes, the vulnerability has not been patched. 

 -Phil 



Re: [PSA] Clojars scp disabled until further notice

2014-09-26 Thread Nelson Morris
Clojars has become a critical part of the clojure ecosystem. As a small
sample, it hosts artifacts for:

* Web development - ring, compojure, hoplon, hiccup, enlive, friend,
immutant
* Tooling - lein templates/plugins, cider-nrepl, clojure-complete,
gorilla-repl
* Clojurescript - lein-cljsbuild, austin, om, reagent, sente
* Misc - Clojurewerkz projects, storm, incanter, clj-time, cheshire,
clj-http,
* Company projects - pedestal, dommy, schema

Vulnerabilities like shellshock and heartbleed always require quick
response. An insecure clojars service could lead to compromised systems in
multiple companies, potentially any project that used an artifact from it.
A similar situation exists for maven central, rubygems, apt, and other
repositories.

There are other administration tasks such as verifying backups, server
updates, better response time to deletion requests, and potentially the
need to handle unexpected downtime. Additionally, development time is
needed for the releases repo w/ signatures, CDN deployments, additional UI
work, and more.

Currently clojars is maintained by a collaboration between 3 very spare
time people. Vulnerabilities get attention due to the damage potential.
However, being a spare time project many of the other tasks languish until
required, or wait behind the queue of life's requirements. I'd love to
change that.

I've been a co-maintainer for clojars for two years. I implemented the
https deployment, better search, and download statistics for clojars. I've
handled most of the deletion requests over the past year. I've also got
work in leiningen including almost everything related to dependency
resolution and trees.

I want your help.

Do you work at a company that runs clojure in production?  Does it have a
financial interest in a well maintained and secure clojars service? Would
it be interested in sponsorships, business features, or another arrangement
that produces value? Then I request you email me. I want to create a
sustainable path for this critical piece of the clojure ecosystem.

Thanks,
Nelson Morris


Re: [PSA] Clojars scp disabled until further notice

2014-09-26 Thread Mark
I'm not very familiar with Clojars so please forgive the naive question: 
 Why not host jar files themselves on Maven central and Clojars becomes a 
catalog of Clojure related artifacts?

On Friday, September 26, 2014 8:09:55 AM UTC-7, Nelson Morris wrote:

 Clojars has become a critical part of the clojure ecosystem. As a small 
 sample, it hosts artifacts for:

 * Web development - ring, compojure, hoplon, hiccup, enlive, friend, 
 immutant
 * Tooling - lein templates/plugins, cider-nrepl, clojure-complete, 
 gorilla-repl
 * Clojurescript - lein-cljsbuild, austin, om, reagent, sente
 * Misc - Clojurewerkz projects, storm, incanter, clj-time, cheshire, 
 clj-http, 
 * Company projects - pedestal, dommy, schema

 Vulnerabilities like shellshock and heartbleed always require quick 
 response. An insecure clojars service could lead to compromised systems in 
 multiple companies, potentially any project that used an artifact from it. 
 A similar situation exists for maven central, rubygems, apt, and other 
 repositories.

 There are other administration tasks such as verifying backups, server 
 updates, better response time to deletion requests, and potentially the 
 need to handle unexpected downtime. Additionally, development time is 
 needed for the releases repo w/ signatures, CDN deployments, additional UI 
 work, and more.

 Currently clojars is maintained by a collaboration between 3 very spare 
 time people. Vulnerabilities get attention due to the damage potential. 
 However, being a spare time project many of the other tasks languish until 
 required, or wait behind the queue of life's requirements. I'd love to 
 change that.

 I've been a co-maintainer for clojars for two years. I implemented the 
 https deployment, better search, and download statistics for clojars. I've 
 handled most of the deletion requests over the past year. I've also got 
 work in leiningen including almost everything related to dependency 
 resolution and trees.

 I want your help.

 Do you work at a company that runs clojure in production?  Does it have a 
 financial interest in a well maintained and secure clojars service? Would 
 it be interested in sponsorships, business features, or another arrangement 
 that produces value? Then I request you email me. I want to create a 
 sustainable path for this critical piece of the clojure ecosystem.

 Thanks,
 Nelson Morris



Re: [PSA] Clojars scp disabled until further notice

2014-09-26 Thread Nelson Morris
Many of the projects already deployed are not compatible with central's
requirements, including group-ids and signatures. There are other reasons,
but that one already makes it impossible.
On Sep 26, 2014 10:18 AM, Mark markaddle...@gmail.com wrote:

 I'm not very familiar with Clojars so please forgive the naive question:
  Why not host jar files themselves on Maven central and Clojars becomes a
 catalog of Clojure related artifacts?

 On Friday, September 26, 2014 8:09:55 AM UTC-7, Nelson Morris wrote:

 Clojars has become a critical part of the clojure ecosystem. As a small
 sample, it hosts artifacts for:

 * Web development - ring, compojure, hoplon, hiccup, enlive, friend,
 immutant
 * Tooling - lein templates/plugins, cider-nrepl, clojure-complete,
 gorilla-repl
 * Clojurescript - lein-cljsbuild, austin, om, reagent, sente
 * Misc - Clojurewerkz projects, storm, incanter, clj-time, cheshire,
 clj-http,
 * Company projects - pedestal, dommy, schema

 Vulnerabilities like shellshock and heartbleed always require quick
 response. An insecure clojars service could lead to compromised systems in
 multiple companies, potentially any project that used an artifact from it.
 A similar situation exists for maven central, rubygems, apt, and other
 repositories.

 There are other administration tasks such as verifying backups, server
 updates, better response time to deletion requests, and potentially the
 need to handle unexpected downtime. Additionally, development time is
 needed for the releases repo w/ signatures, CDN deployments, additional UI
 work, and more.

 Currently clojars is maintained by a collaboration between 3 very spare
 time people. Vulnerabilities get attention due to the damage potential.
 However, being a spare time project many of the other tasks languish until
 required, or wait behind the queue of life's requirements. I'd love to
 change that.

 I've been a co-maintainer for clojars for two years. I implemented the
 https deployment, better search, and download statistics for clojars. I've
 handled most of the deletion requests over the past year. I've also got
 work in leiningen including almost everything related to dependency
 resolution and trees.

 I want your help.

 Do you work at a company that runs clojure in production?  Does it have a
 financial interest in a well maintained and secure clojars service? Would
 it be interested in sponsorships, business features, or another arrangement
 that produces value? Then I request you email me. I want to create a
 sustainable path for this critical piece of the clojure ecosystem.

 Thanks,
 Nelson Morris


Re: [PSA] Clojars scp disabled until further notice

2014-09-26 Thread Howard M. Lewis Ship
There's a number of options out there for collecting small recurring 
payments.  I already make regular payments to Wikipedia and a couple of 
others (including GitHub), and would be willing to kick in some money 
towards Clojars.

The question is: what is a reasonable amount?  This is tricky; I'm 
comfortable, as a self-employed, individual developer, to kick in $3-$5 per 
month. What kind of numbers are you looking at for the more corporate users 
of Clojars?  What would you expect for an organization that simply pulls 
from Clojars, vs. one that distributes code via Clojars?

On Friday, 26 September 2014 08:09:55 UTC-7, Nelson Morris wrote:

 Clojars has become a critical part of the clojure ecosystem. As a small 
 sample, it hosts artifacts for:

 * Web development - ring, compojure, hoplon, hiccup, enlive, friend, 
 immutant
 * Tooling - lein templates/plugins, cider-nrepl, clojure-complete, 
 gorilla-repl
 * Clojurescript - lein-cljsbuild, austin, om, reagent, sente
 * Misc - Clojurewerkz projects, storm, incanter, clj-time, cheshire, 
 clj-http
 * Company projects - pedestal, dommy, schema

 Vulnerabilities like shellshock and heartbleed always require quick 
 response. An insecure clojars service could lead to compromised systems in 
 multiple companies, potentially any project that used an artifact from it. 
 A similar situation exists for maven central, rubygems, apt, and other 
 repositories.

 There are other administration tasks such as verifying backups, server 
 updates, better response time to deletion requests, and potentially the 
 need to handle unexpected downtime. Additionally, development time is 
 needed for the releases repo w/ signatures, CDN deployments, additional UI 
 work, and more.

 Currently clojars is maintained by a collaboration between 3 very spare 
 time people. Vulnerabilities get attention due to the damage potential. 
 However, being a spare time project many of the other tasks languish until 
 required, or wait behind the queue of life's requirements. I'd love to 
 change that.

 I've been a co-maintainer for clojars for two years. I implemented the 
 https deployment, better search, and download statistics for clojars. I've 
 handled most of the deletion requests over the past year. I've also got 
 work in leiningen including almost everything related to dependency 
 resolution and trees.

 I want your help.

 Do you work at a company that runs clojure in production?  Does it have a 
 financial interest in a well maintained and secure clojars service? Would 
 it be interested in sponsorships, business features, or another arrangement 
 that produces value? Then I request you email me. I want to create a 
 sustainable path for this critical piece of the clojure ecosystem.

 Thanks,
 Nelson Morris




Re: [PSA] Clojars scp disabled until further notice

2014-09-26 Thread Nelson Morris
I have no expectations for anyone. Clojars has been free to use
(push/pull, individual/corp) since it started. I have no intentions of
changing that. My belief is there is value to maintenance/dev, and hope
that it can be financed in a sustainable way.  If it can be done by being
spread out among people deriving that value, then even better.

I'll plan to set up something for individuals in the future, though that
will wait until after I talk to businesses. As for numbers, I don't have a
direct answer for you. It comes down to the value the company can get back.
I'm starting with conversations with businesses that are interested, and
will determine from there.

On Fri, Sep 26, 2014 at 1:44 PM, Howard M. Lewis Ship hls...@gmail.com
wrote:

 There's a number of options out there for collecting small recurring
 payments.  I already make regular payments to Wikipedia and a couple of
 others (including GitHub), and would be willing to kick in some money
 towards Clojars.

 The question is: what is a reasonable amount?  This is tricky; I'm
 comfortable, as a self-employed, individual developer, to kick in $3-$5 per
 month. What kind of numbers are you looking at for the more corporate users
 of Clojars?  What would you expect for an organization that simply pulls
 from Clojars, vs. one that distributes code via Clojars?


 On Friday, 26 September 2014 08:09:55 UTC-7, Nelson Morris wrote:

 Clojars has become a critical part of the clojure ecosystem. As a small
 sample, it hosts artifacts for:

 * Web development - ring, compojure, hoplon, hiccup, enlive, friend,
 immutant
 * Tooling - lein templates/plugins, cider-nrepl, clojure-complete,
 gorilla-repl
 * Clojurescript - lein-cljsbuild, austin, om, reagent, sente
 * Misc - Clojurewerkz projects, storm, incanter, clj-time, cheshire,
 clj-http
 * Company projects - pedestal, dommy, schema

 Vulnerabilities like shellshock and heartbleed always require quick
 response. An insecure clojars service could lead to compromised systems in
 multiple companies, potentially any project that used an artifact from it.
 A similar situation exists for maven central, rubygems, apt, and other
 repositories.

 There are other administration tasks such as verifying backups, server
 updates, better response time to deletion requests, and potentially the
 need to handle unexpected downtime. Additionally, development time is
 needed for the releases repo w/ signatures, CDN deployments, additional UI
 work, and more.

 Currently clojars is maintained by a collaboration between 3 very spare
 time people. Vulnerabilities get attention due to the damage potential.
 However, being a spare time project many of the other tasks languish until
 required, or wait behind the queue of life's requirements. I'd love to
 change that.

 I've been a co-maintainer for clojars for two years. I implemented the
 https deployment, better search, and download statistics for clojars. I've
 handled most of the deletion requests over the past year. I've also got
 work in leiningen including almost everything related to dependency
 resolution and trees.

 I want your help.

 Do you work at a company that runs clojure in production?  Does it have a
 financial interest in a well maintained and secure clojars service? Would
 it be interested in sponsorships, business features, or another arrangement
 that produces value? Then I request you email me. I want to create a
 sustainable path for this critical piece of the clojure ecosystem.

 Thanks,
 Nelson Morris





Re: [PSA] Clojars scp disabled until further notice

2014-09-26 Thread David Pollak
Please count me in for $500 this month. Contact me off-list user d, domain 
athena dot com with info where I should send money.

I ran the scala-tools.org Scala JAR repo for many years with the help of a few 
other folks. I understand the challenges of running a repo... the expectation 
that everything is done perfectly *and* that folks shouldn't have to pay for 
any of it.

Happy to chat off-list about my experience and lend some insights that you may 
or may not find valuable.



Re: [PSA] Clojars scp disabled until further notice

2014-09-26 Thread Sean Corfield
I grumbled about the GPG stuff when it came up but after a chat with
Phil I decided this was something I just needed to learn as a
developer. Sure, it means you have to read complex security stuff
but we have to read lots of complex stuff as developers - that's just
part of our job.

I switched to lein deploy clojars a long time ago and, frankly, after
that initial hour or two for a one-off setup, I never had to worry
about GPG again.

Perhaps #shellshock is a good opportunity for a lot more developers to
learn some better security health?

If Clojars' scp remains unavailable, will that pain be sufficient to
switch library maintainers to https deploy? Or will those maintainers
just stop making releases and abandon their libraries?

Sean

On Thu, Sep 25, 2014 at 7:04 PM, Carlos Fontes ccfon...@gmail.com wrote:
 I second Michael Klishin.
 Some immemorial time ago I tried `lein deploy clojars` which led me to read
 complex security stuff. I really tried to make it work, I did.. but it
 didn't just work, it didn't work with some work and even with more
 work, so now I just use `lein push`.

 Btw, is Clojars still down for SCP uploads? Still having trouble here:
 com.jcraft.jsch.JSchException: Auth fail

 Carlos




-- 
Sean A Corfield -- (904) 302-SEAN
An Architect's View -- http://corfield.org/
World Singles, LLC. -- http://worldsingles.com/

Perfection is the enemy of the good.
-- Gustave Flaubert, French realist novelist (1821-1880)



Re: [PSA] Clojars scp disabled until further notice

2014-09-25 Thread Michael Klishin
On 25 September 2014 at 02:57:39, Phil Hagelberg (p...@hagelb.org) wrote:
 In particular we would like to know reasons why you haven't
 upgraded, assuming it's not just "I started on scp and it worked well,
 so I never saw the need to change anything."

FWIW, that's exactly the reason I and a few other folks who maintain libraries
use scp for deployment. It just works.
-- 
@michaelklishin, github.com/michaelklishin



Re: [PSA] Clojars scp disabled until further notice

2014-09-25 Thread Carlos Fontes
I second Michael Klishin.
Some immemorial time ago I tried `lein deploy clojars` which led me to 
read complex security stuff. I really tried to make it work, I did.. but it 
didn't just work, it didn't work with some work and even with more 
work, so now I just use `lein push`.

Btw, is Clojars still down for SCP uploads? Still having trouble here: 
com.jcraft.jsch.JSchException: Auth fail

Carlos



Re: [PSA] Clojars scp disabled until further notice

2014-09-25 Thread Phil Hagelberg
Carlos Fontes ccfon...@gmail.com writes:

 Some immemorial time ago I tried `lein deploy clojars` which led me to 
 read complex security stuff. I really tried to make it work, I did.. but it 
 didn't just work, it didn't work with some work and even with more 
 work, so now I just use `lein push`.

I see. Perhaps if you could use more detail than "it didn't work" we
might be able to help get this working.

 Btw, is Clojars still down for SCP uploads? Still having trouble here: 
 com.jcraft.jsch.JSchException: Auth fail

Yes, the vulnerability has not been patched.

-Phil




[PSA] Clojars scp disabled until further notice

2014-09-24 Thread Phil Hagelberg
Greetings, Clojure hackers.

Due to the recent vulnerability in Bash[1], the scp-based deploy
service on clojars.org has been disabled for the time being.

If you have been using this (as opposed to the HTTPS deploy used by
`lein deploy clojars` and `maven deploy`), we'd be interested in hearing
from you. In particular we would like to know reasons why you haven't
upgraded, assuming it's not just "I started on scp and it worked well,
so I never saw the need to change anything."

If you haven't tried HTTPS-based deploys, now would be a great time to
do so and see if they work for you. If not, let us know why, either here
or on the Leiningen issue tracker[2]. The HTTPS-based deploys are
definitely a superior implementation that we encourage. We would like to
bring scp deploys back online in the near future, but as you know
Clojars is a volunteer-run service without many resources, and we have
no immediate timeline for this.

-Phil

[1] - http://seclists.org/oss-sec/2014/q3/650
[2] - https://github.com/technomancy/leiningen/issues/new




Re: [PSA] Clojars scp disabled until further notice

2014-09-24 Thread Phil Hagelberg
Phil Hagelberg p...@hagelb.org writes:

 Due to the recent vulnerability in Bash[1], the scp-based deploy
 service on clojars.org has been disabled for the time being.

I neglected to mention here that Clojars's susceptibility to this
vulnerability was both discovered and fixed by Nelson Morris (aka xeqi)
who has been taking point on Clojars issues recently; my only role here
has been to raise awareness of the problem. So hats off to Nelson for
his continued vigilance on this matter and others.

-Phil

