Audit dependencies for unsigned artifacts #1608

Closed
3 of 6 tasks
technomancy opened this issue Jul 21, 2014 · 5 comments
Comments

@technomancy (Owner)

technomancy commented Jul 21, 2014

It's kind of crappy that we have dependencies for which we can't verify the provenance.

We should open bug reports with each unsigned library encouraging them to publish signed versions.

  • scgilardi/slingshot
  • cgrand/regex
  • cgrand/parsley
  • cemerick/drawbridge
  • amalloy/useful
  • ninjudd/classloajure
@technomancy (Owner, Author)

There's one unsigned dependency from Central, presumably from the bad old days when they let all kinds of crap in: [jakarta-regexp "1.4"]. However, the good news is this appears to be an optional dependency for the Maven indexer-core lib; adding it to :exclusions has no effect on the search task.

The rest of the deps are from Clojars; mostly from Leiningen contributors:

dsantiago: [stencil "0.3.3"] [quoin "0.1.0"] [scout "0.1.0"]
ninjudd: [classlojure "0.6.6"] [useful "0.8.3-alpha8"]
cemerick: [com.cemerick/drawbridge "0.0.6"]
scgilardi: [slingshot "0.10.3"]
cgrand: [net.cgrand/regex "1.1.0"] [net.cgrand/parsley "0.9.1"]

The first three libs there are simply there to support templates. I'm considering swapping out stencil for another moustache lib since this would also solve #1563 which I have no idea how else to solve.

technomancy added a commit that referenced this issue Jul 21, 2014
@technomancy (Owner, Author)

Wow, total crickets on all seven issues. Disappointing.

@glts (Collaborator)

glts commented Jan 12, 2020

The dependency landscape has naturally shifted over the years, and I’m sad to report the situation has not improved. (I kind of expected that the passing of time would have taken care of this, but no.)

It may be legitimate to question whether this issue is still actionable given the culture. No further action from me.

:no-key [net.cgrand/parsley "0.9.3" :exclusions [[org.clojure/clojure]]]
:no-key [stencil "0.5.0" :exclusions [[org.clojure/core.cache]]]
:signed [clojure-complete "0.2.5" :exclusions [[org.clojure/clojure]]]
:signed [com.hypirion/io "0.3.1"]
:signed [commons-codec "1.11"]
:signed [commons-io "2.6"]
:signed [commons-lang "2.6"]
:signed [commons-logging "1.2"]
:signed [org.apache.commons/commons-lang3 "3.8.1"]
:signed [org.apache.httpcomponents/httpclient "4.5.8"]
:signed [org.apache.httpcomponents/httpcore "4.4.11"]
:signed [org.apache.maven.resolver/maven-resolver-api "1.3.3"]
:signed [org.apache.maven.resolver/maven-resolver-connector-basic "1.3.3"]
:signed [org.apache.maven.resolver/maven-resolver-impl "1.3.3"]
:signed [org.apache.maven.resolver/maven-resolver-spi "1.3.3"]
:signed [org.apache.maven.resolver/maven-resolver-transport-file "1.3.3"]
:signed [org.apache.maven.resolver/maven-resolver-transport-http "1.3.3"]
:signed [org.apache.maven.resolver/maven-resolver-transport-wagon "1.3.3"]
:signed [org.apache.maven.resolver/maven-resolver-util "1.3.3"]
:signed [org.apache.maven.wagon/wagon-http "3.3.2"]
:signed [org.apache.maven.wagon/wagon-http-shared "3.3.2"]
:signed [org.apache.maven.wagon/wagon-provider-api "3.3.2"]
:signed [org.apache.maven/maven-artifact "3.6.1"]
:signed [org.apache.maven/maven-builder-support "3.6.1"]
:signed [org.apache.maven/maven-model "3.6.1"]
:signed [org.apache.maven/maven-model-builder "3.6.1"]
:signed [org.apache.maven/maven-repository-metadata "3.6.1"]
:signed [org.apache.maven/maven-resolver-provider "3.6.1"]
:signed [org.clojure/clojure "1.10.0"]
:signed [org.clojure/core.specs.alpha "0.2.44"]
:signed [org.clojure/data.codec "0.1.0"]
:signed [org.clojure/data.xml "0.2.0-alpha5"]
:signed [org.clojure/spec.alpha "0.2.176"]
:signed [org.clojure/tools.macro "0.1.5"]
:signed [org.codehaus.plexus/plexus-component-annotations "1.7.1" :exclusions [[junit]]]
:signed [org.codehaus.plexus/plexus-interpolation "1.25"]
:signed [org.codehaus.plexus/plexus-utils "3.2.0"]
:signed [org.flatland/classlojure "0.7.1"]
:signed [org.jsoup/jsoup "1.11.3"]
:signed [org.slf4j/slf4j-api "1.7.25"]
:signed [org.slf4j/slf4j-nop "1.7.25"]
:signed [org.tcrawley/dynapath "1.0.0"]
:signed [robert/hooke "1.3.0"]
:signed [timofreiberg/bultitude "0.3.0" :exclusions [[org.clojure/clojure]]]
:unsigned [clj-commons/pomegranate "1.2.0" :exclusions [[org.slf4j/jcl-over-slf4j]]]
:unsigned [javax.inject "1"]
:unsigned [net.cgrand/regex "1.1.0"]
:unsigned [net.cgrand/sjacket "0.1.1" :exclusions [[org.clojure/clojure]]]
:unsigned [nrepl "0.6.0"]
:unsigned [quoin "0.1.2"]
:unsigned [scout "0.1.1"]

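The status list above is useful only if something acts on it. The following is an added example, not code from the Leiningen project or from anyone in this thread: it parses status lines in the `:status [coordinate "version" ...]` shape shown above (assumed to be the output of `lein deps :verify`), groups dependencies by verification status, and fails unless every dependency is `:signed` or appears on a reviewed allowlist pinned to an exact coordinate and version. The `:bad-signature` status and the `example/placeholder` coordinate in the sample are assumptions for illustration.

```python
import re
from collections import defaultdict

# Assumed line format of `lein deps :verify` output:
#   :signed [group/artifact "version" :exclusions [...]]
# i.e. a leading keyword status followed by a Leiningen dependency vector.
STATUS_RE = re.compile(r'^:(?P<status>[\w-]+)\s+\[(?P<coord>\S+)\s+"(?P<version>[^"]+)"')

# Constructed sample: a few statuses quoted in this issue plus one assumed
# :bad-signature line with a placeholder coordinate (not a real artifact).
SAMPLE_OUTPUT = """\
:no-key [net.cgrand/parsley "0.9.3" :exclusions [[org.clojure/clojure]]]
:signed [org.clojure/clojure "1.10.0"]
:signed [robert/hooke "1.3.0"]
:unsigned [nrepl "0.6.0"]
:unsigned [quoin "0.1.2"]
:bad-signature [example/placeholder "0.0.1"]
"""

def parse_verify_output(text):
    """Group dependencies by status: {status: [(coordinate, version), ...]}."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            groups[m["status"]].append((m["coord"], m["version"]))
    return dict(groups)

def audit(text, accepted_unsigned=frozenset()):
    """Return (ok, findings). Only :signed passes on its own; :unsigned and
    :no-key pass only if the exact (coordinate, version) pair was reviewed and
    allowlisted. A :bad-signature never passes: a signature that is present but
    does not verify is a stronger warning than a missing one."""
    findings = []
    for status, deps in parse_verify_output(text).items():
        if status == "signed":
            continue
        for coord, version in deps:
            if status != "bad-signature" and (coord, version) in accepted_unsigned:
                continue
            findings.append((status, coord, version))
    return (not findings, sorted(findings))

if __name__ == "__main__":
    ok, findings = audit(SAMPLE_OUTPUT, accepted_unsigned={("nrepl", "0.6.0")})
    for status, coord, version in findings:
        print(f"{status}: {coord} {version}")
    raise SystemExit(0 if ok else 1)
```

Pinning the allowlist to exact versions means a bump of an unsigned dependency re-triggers review rather than inheriting the earlier exception.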
@technomancy (Owner, Author)

Yeah, I don't think there's much we can do about this if authors are unresponsive.
