+2 votes
in tools.deps by

Given a deps.edn file with a :mvn/repos entry for a private Maven repository and a dependency on a Maven coordinate that lives in that repository, how can I mitigate the risk of that coordinate getting shadowed / hijacked in one of the default public repositories?

Possible solutions:

  • Allow pinning a Maven dependency to a particular repository
  • Allow declaring priority order of Maven repositories (in the example scenario, the private repository would then get the highest priority and always be checked before the other ones)
  • Allow pinning a Maven dependency to a particular signing key and require it be signed (but looks like tools.deps currently doesn't support verifying signed artifacts?)

1 Answer

0 votes

The main current answer is that the public repos are trying to prevent this.

There are two public repos included in the root deps.edn - Maven Central and Clojars. All other repos must be explicitly included in the top-level deps.edn in use (transitive deps.edn repos are ignored - this differs from pom.xml).

Maven Central has policies to encourage using reverse domain names and/or trademarked names that you control, with requirements for verification. Clojars is now doing similar things, but their naming policies are somewhat laxer and I don't know the current state of everything they are doing.

The signing key stuff is problematic for lots of reasons (Clojars doesn't require, keys must be registered - how do you know if the key you find is one you should trust, etc). This requires a lot of manual intervention. I have been following SLSA which I think is taking a smarter approach to provenance and verification. Would love to spend some time really working on how to integrate something like this into both our Clojure build systems and our dependency management tools to work together. Especially for open source libraries distributed as source, we should be able to hash+compare the actual source and relate it to a commit - Clojure's options are WAY BETTER than compile-to-class langs that make new artifacts different than the original source.

Hoping to spend some time on this kind of stuff next year.
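
An added example, not part of the question or the answer above and not tools.deps code: an after-the-fact check that flags artifacts in a private namespace that were fetched from any repository other than the one they are expected to come from. It assumes the Maven resolver used by tools.deps records each file's origin in `_remote.repositories` markers under `~/.m2/repository`; the private repo id `acme-private` and group `com.acme` are hypothetical, while `central` and `clojars` are the ids of the two public repos in the root deps.edn.

```python
from pathlib import Path, PurePosixPath

# Hypothetical policy: group-id prefix -> the only repo id allowed to serve it.
PINNED = {"com.acme": "acme-private"}

def parse_remote_repositories(text):
    """Map each file name to the set of repo ids recorded as its origin."""
    origins = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or ">" not in line:
            continue  # header comments and anything that is not "file>repo="
        filename, repo_id = line.split("=", 1)[0].rsplit(">", 1)
        origins.setdefault(filename, set()).add(repo_id)
    return origins

def group_of(marker_path):
    """<group dirs>/<artifact>/<version>/_remote.repositories -> group id."""
    return ".".join(PurePosixPath(marker_path).parts[:-3])

def audit(markers, pinned=PINNED):
    """markers: {path relative to local repo: text}. Empty repo id = local install."""
    violations = []
    for path, text in markers.items():
        group = group_of(path)
        expected = next((repo for prefix, repo in pinned.items()
                         if group == prefix or group.startswith(prefix + ".")), None)
        if expected is None:
            continue  # group is not pinned; any configured repo is acceptable
        for filename, repos in parse_remote_repositories(text).items():
            for repo in sorted(repos - {expected}):
                violations.append((group, filename, repo or "(local install)"))
    return sorted(violations)

def load_markers(root="~/.m2/repository"):
    root = Path(root).expanduser()  # for a real local repository; unused by SAMPLE
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("_remote.repositories")}

# Constructed sample: com.acme/auth was resolved from Clojars, not the private repo.
SAMPLE = {
    "com/acme/billing/1.4.2/_remote.repositories":
        "#NOTE: resolver internal file\nbilling-1.4.2.jar>acme-private=\n",
    "com/acme/auth/2.0.0/_remote.repositories":
        "auth-2.0.0.jar>clojars=\nauth-2.0.0.pom>clojars=\n",
    "org/clojure/clojure/1.11.1/_remote.repositories":
        "clojure-1.11.1.jar>central=\n",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run in CI against a freshly populated local repository with `audit(load_markers())`; a cached artifact keeps the origin recorded when it was first downloaded.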
