
0 votes
in tools.deps by

clojure-tools artifacts are published unauthenticated, which is a security risk, especially for the Linux install.

One simple approach would be to output a checksum file and sign the checksum file. I recommend not signing with openssl or pgp, and deferring to a simple tool like signify.
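The verification step an installer would need for the scheme proposed above, as an added example that is not part of the original post or of clojure-tools: a fail-closed check of a downloaded artifact against a sha256sum-style checksum file. It assumes the signify signature on the checksum file has already been verified, and the artifact name and bytes are constructed samples.

```python
"""Verify a downloaded release artifact against a published checksum file.

Assumed flow: the release script publishes <checksums> (sha256sum format) and
a signify signature over it; the installer verifies the signature first, then
runs this check before touching the artifact. Constructed example, not
clojure-tools code.
"""
import hashlib
import hmac
import re

# One entry per artifact in sha256sum's output format:
#   <64 hex chars><two spaces, or space+asterisk for binary mode><filename>
_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_checksums(text: str) -> dict:
    """Parse a sha256sum-style file into {filename: hex_digest}.

    Malformed lines raise instead of being skipped, so a truncated or
    tampered file cannot silently drop an entry."""
    digests = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            raise ValueError(f"malformed checksum line {lineno}: {line!r}")
        digests[match.group(2)] = match.group(1).lower()
    return digests


def verify_artifact(name: str, data: bytes, checksum_text: str) -> bool:
    """Return True only if `name` is listed and its digest matches.

    An artifact absent from the list is a failure, not a pass."""
    expected = parse_checksums(checksum_text).get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample: stand-in tarball bytes and the checksum file a release
# script would publish alongside them (the hypothetical filename is a placeholder).
SAMPLE_TARBALL = b"not really a tarball, just sample bytes\n"
SAMPLE_CHECKSUMS = hashlib.sha256(SAMPLE_TARBALL).hexdigest() + "  clojure-tools-EXAMPLE.tar.gz\n"

if __name__ == "__main__":
    ok = verify_artifact("clojure-tools-EXAMPLE.tar.gz", SAMPLE_TARBALL, SAMPLE_CHECKSUMS)
    print("checksum OK" if ok else "checksum mismatch, refusing to install")
```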

2 Answers

0 votes
by

Comment made by: jwhitlark

I agree. It would be especially useful to publish it on https://clojure.org/guides/getting_started

The tarball that's downloaded as the base for the script also does not authenticate its source.

0 votes
by
Reference: https://clojure.atlassian.net/browse/TDEPS-69 (reported by gshayban)
...