Discussion:
[PSA] Clojars scp disabled until further notice
Phil Hagelberg
2014-09-24 22:57:08 UTC
Greetings, Clojure hackers.

Due to the recent vulnerability in Bash[1], the scp-based deploy
service on clojars.org has been disabled for the time being.

If you have been using this (as opposed to the HTTPS deploy used by
`lein deploy clojars` and `maven deploy`), we'd be interested in hearing
from you. In particular we would like to know reasons why you haven't
upgraded, assuming it's not just "I started on scp and it worked well,
so I never saw the need to change anything."

If you haven't tried HTTPS-based deploys, now would be a great time to
do so and see if they work for you. If not, let us know why, either here
or on the Leiningen issue tracker[2]. The HTTPS-based deploys are
definitely a superior implementation that we encourage. We would like to
bring scp deploys back online in the near future, but as you know
Clojars is a volunteer-run service without many resources, and we have
no immediate timeline for this.

-Phil

[1] - http://seclists.org/oss-sec/2014/q3/650
[2] - https://github.com/technomancy/leiningen/issues/new
Phil Hagelberg
2014-09-25 00:47:59 UTC
Post by Phil Hagelberg
Due to the recent vulnerability in Bash[1], the scp-based deploy
service on clojars.org has been disabled for the time being.
I neglected to mention here that the Clojars's susceptibility to this
vulnerability was both discovered and fixed by Nelson Morris (aka xeqi)
who has been taking point on Clojars issues recently; my only role here
has been to raise awareness of the problem. So hats off to Nelson for
his continued vigilance on this matter and others.

-Phil
Michael Klishin
2014-09-25 06:09:23 UTC
Post by Phil Hagelberg
In particular we would like to know reasons why you haven't
upgraded, assuming it's not just "I started on scp and it worked well,
so I never saw the need to change anything."
FWIW, that's exactly the reason I and a few other folks who maintain libraries
use scp for deployment. It just works.
--
@michaelklishin, github.com/michaelklishin
--
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to ***@googlegroups.com
Note that posts from new members are moderated - please be patient with your first post.
To unsubscribe from this group, send email to
clojure+***@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
---
You received this message because you are subscribed to the Google Groups "Clojure" group.
To unsubscribe from this group and stop receiving emails from it, send an email to clojure+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Carlos Fontes
2014-09-26 02:04:06 UTC
I second Michael Klishin.
Some immemorial time ago I tried `lein deploy clojars`, which led me to
read complex security stuff. I really tried to make it work, I did... but it
didn't "just work", it didn't "work with some work" and even with "more
work", so now I just use `lein push`.

Btw, is Clojars still down for SCP uploads? Still having trouble here:
com.jcraft.jsch.JSchException: Auth fail

Carlos
Phil Hagelberg
2014-09-26 03:21:18 UTC
Post by Carlos Fontes
Some immemorial time ago I tried `lein deploy clojars`, which led me to
read complex security stuff. I really tried to make it work, I did... but it
didn't "just work", it didn't "work with some work" and even with "more
work", so now I just use `lein push`.
I see. Perhaps if you could use more detail than "it didn't work" we
might be able to help get this working.
Post by Carlos Fontes
com.jcraft.jsch.JSchException: Auth fail
Yes, the vulnerability has not been patched.

-Phil
Jony Hudson
2014-09-26 10:19:31 UTC
FWIW, I followed the "lein deploy clojars" instructions (around March this
year) and it did work for me. I recall being a bit confused by the GPG
stuff, but following the notes on the wiki did do the trick.

Jony
Sean Corfield
2014-09-27 05:32:07 UTC
I grumbled about the GPG stuff when it came up but after a chat with
Phil I decided this was something I just needed to learn as a
developer. Sure, it means you have to "read complex security stuff"
but we have to read lots of complex stuff as developers - that's just
part of our job.

I switched to lein deploy clojars a long time ago and, frankly, after
that initial hour or two for a one-off setup, I never had to worry
about GPG again.

Perhaps #shellshock is a good opportunity for a lot more developers to
learn some better "security health"?

If Clojars' scp remains unavailable, will that pain be sufficient to
switch library maintainers to https deploy? Or will those maintainers
just stop making releases and abandon their libraries?

Sean
--
Sean A Corfield -- (904) 302-SEAN
An Architect's View -- http://corfield.org/
World Singles, LLC. -- http://worldsingles.com/

"Perfection is the enemy of the good."
-- Gustave Flaubert, French realist novelist (1821-1880)
Lee Spector
2014-09-27 14:06:53 UTC
I just want to chime in to note that not everyone who works in Clojure, and for whom Clojars is the obvious (only?) reasonable way to share libraries, is a professional developer. Some of us are, for example, researchers or students in a range of fields for which reading "complex security stuff" is not actually part of our jobs.

I've scheduled some time next week to sit down with a student and work through "lein help gpg" (thanks for the pointer, Phil!) and try to get lein deploy working (again -- we did try once but gave up when we hit errors that we didn't understand), so that we can resume use of Clojars in our work. I'm hopeful that it will go smoothly and that we'll be back up and running soon.

But in any case I wanted to warn against making too many assumptions about the user base (or potential user base).

-Lee
Phil Hagelberg
2014-09-27 23:52:35 UTC
Post by Lee Spector
I just want to chime in to note that not everyone who works in
Clojure, and for whom Clojars is the obvious (only?) reasonable way to
share libraries, is a professional developer. Some of us are, for
example, researchers or students in a range of fields for which
reading "complex security stuff" is not actually part of our jobs.
Makes sense.

For clarification; while GPG is used by default for Leiningen deploys,
it is not currently a requirement for either Leiningen or Clojars. You
can always set :sign-releases false in your :repositories entry if your
artifacts are intended for hobbyist or academic use rather than inside a
production environment.

-Phil
Lee Spector
2014-09-28 03:05:04 UTC
Thanks Phil. We'll definitely look into ":sign-releases false" when we try to get this working next week.

-Lee
Michael Klishin
2014-09-29 10:49:23 UTC
Post by Sean Corfield
If Clojars' scp remains unavailable, will that pain be sufficient to
switch library maintainers to https deploy? Or will those maintainers
just stop making releases and abandon their libraries?
I had to do a few releases last weekend and had to urgently do one today.

`lein clojars deploy` works for some projects but fails with others.
The docs cover deploying to private repos in a lot of detail but do not
mention Clojars-specific configuration (e.g. if I don't have the time to fight
GnuPG and want to just disable signing altogether with clojars).

In general, my experience as a library maintainer has gone from "it's trivial to
deploy a new release, I do it all the time" to "deploying libraries is a nightmare,
I'd rather do it as late as possible".

I have no choice but to go through this whole GnuPG dance all the way — you can't maintain 30+ libraries otherwise — but I'm really unhappy about having to do that.
--
@michaelklishin, github.com/michaelklishin
Carlos Fontes
2014-10-18 00:22:17 UTC
I noticed 'lein deploy clojars' for SNAPSHOT is actually more convenient
than the scp upload method because, besides not needing the signing stuff,
there is no need to manually delete the .m2 cache when a new snapshot is
uploaded.

As for signing, I finally had an opportunity to do it and it went smoothly. I
even got to promote the artifact!
It failed only the first time I used a passphrase. It told me to set up a
gpg agent. Maybe it is a useful addition to 'lein help gpg'.

Carlos
tcrayford
2014-10-18 19:50:55 UTC
Phil,

I've used scp uploads in the past. They're much easier when e.g. you wanna
upload a java library you've forked. Without scp uploads (or an easy
copy/paste curl alternative), you have to go through getting the project to
build with lein by itself. It's not *too* difficult to get a maven based
project uploaded to clojars
(https://github.com/ato/clojars-web/wiki/Pushing has an easy to follow
section), but getting ant or other projects up there is painful.

Other than that, I've happily converted over to `lein deploy` for my
lein-based projects.

Tom