Hello everyone. In the aftermath of the recent Linode intrusion[1][2], we determined that Clojars' policy of allowing artifacts to be overwritten[3] makes it much more difficult to detect an attack than it would be if artifacts were immutable like they are in most other repositories.
While overwriting with redeploys has been known to cause all kinds of issues around local cached repositories, there have typically been three reasons for doing so anyway:

0) Replacing accidental deploys containing errors (missing file, typo, etc). This is essentially analogous to the argument for force-pushing in git; it saves you a bit of embarrassment but really isn't worth sacrificing the predictability of the repository in any case. Just cringe, push out your fixed version, and hope no one laughs at you when they're looking through the history.

1) Removing sensitive data which was deployed by accident. We've implemented a system of removal based on GitHub issues and a cont...@clojars.org address that should be used for this instead. Sometimes removal takes a while, but if you make it clear in your request that sensitive data is involved we can ensure it's deleted quickly.

2) Signing an already-deployed older version. This was the one thing that kept us from enforcing this earlier, but upon reviewing the situation there are various reasons this isn't desirable. We'd rather just force a minor version bump for freshly-signed artifacts. Some discussion of the rationale there can be found on the clojars-maintainers mailing list if you're interested in the background[4].

I've just deployed this change out. Happy to discuss either here or in the #leiningen channel on Freenode. Hopefully this will have minimal impact on users, but I felt it was important to mention.

-Phil

[1] - https://groups.google.com/group/clojure/msg/3bec929634bfbe12
[2] - http://straylig.ht/zines/HTP5/0x02_Linode.txt
[3] - Technically this has never been an explicitly documented policy, just an undocumented feature.
[4] - https://groups.google.com/group/clojars-maintainers/browse_thread/thread/cb9cfc9a366470d7
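The detection argument in the post (an immutable coordinate lets a checksum recorded once be re-verified forever, whereas under an overwrite policy a mismatch could be either a legitimate redeploy or tampering) can be shown with a small model. The following is an added example, not Clojars code: an in-memory repository that refuses any redeploy of an existing coordinate, plus a cache check that flags locally cached artifacts whose bytes no longer match the digest pinned at first download. The coordinate layout, the SHA-256 pinning and the sample artifact bytes are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(content: bytes) -> str:
    """Digest used to pin an artifact's bytes (constructed choice; any strong hash works)."""
    return hashlib.sha256(content).hexdigest()


def coordinate(group: str, artifact: str, version: str) -> str:
    """Build a Maven-style repository path, e.g. org/example/foo/1.0.0/foo-1.0.0.jar (hypothetical layout)."""
    return f"{group.replace('.', '/')}/{artifact}/{version}/{artifact}-{version}.jar"


@dataclass
class ImmutableRepo:
    """Model of a repository where a coordinate, once published, can never change.

    index maps coordinate -> sha256 hex of the bytes that were first deployed there.
    """
    index: dict = field(default_factory=dict)

    def deploy(self, coord: str, content: bytes) -> str:
        # The whole point of the policy: a second deploy to the same coordinate
        # is refused, even if the uploader claims it is "just a fix". The fix
        # goes out under a new version instead.
        if coord in self.index:
            raise PermissionError(f"{coord} is already deployed; bump the version instead")
        self.index[coord] = sha256_hex(content)
        return "deployed"

    def fetch_digest(self, coord: str) -> str:
        """What a client pins when it first downloads an artifact."""
        return self.index[coord]


def verify_cache(pinned: dict, cache: dict) -> list:
    """Return coordinates whose cached bytes differ from the pinned digest.

    pinned: coordinate -> sha256 hex recorded at first download.
    cache:  coordinate -> bytes currently sitting in the local repository.
    Because the server never overwrites a coordinate, any mismatch here is a
    real problem (tampered cache or tampered server), not an expected redeploy.
    """
    return sorted(
        coord for coord, content in cache.items()
        if coord in pinned and pinned[coord] != sha256_hex(content)
    )


if __name__ == "__main__":
    repo = ImmutableRepo()
    v1 = coordinate("org.example", "foo", "1.0.0")
    repo.deploy(v1, b"constructed jar bytes, version 1.0.0")
    try:
        repo.deploy(v1, b"constructed jar bytes, 'fixed' 1.0.0")
    except PermissionError as err:
        print("redeploy refused:", err)
    pins = {v1: repo.fetch_digest(v1)}
    local = {v1: b"constructed jar bytes, version 1.0.0, but altered"}
    print("drifted artifacts:", verify_cache(pins, local))
```

The same mismatch under an overwrite-friendly policy would have to be resolved by asking the publisher whether they redeployed, which is exactly the ambiguity the post is removing.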