Clojars Worklog - 2021

This worklog covers work performed on Clojars under a contract from the Clojurists Together Foundation. The contract covers security improvements and general maintenance.

Changelogs: clojars-server-config

This work this month was general maintenance, along with debugging issues with maven index creation.

Changelogs: clojars-web

The bulk of work this month was developing a plan to improve security by requiring groups to be verified and starting work on that plan.

Changelogs: clojars-web, clojars-server-config

The work this month moved us closer to verified groups, which included:

• auto-verifying GitHub-based groups
• login with GitLab
• auto-verifying GitLab-based groups

I verified 19 groups this month.

Changelogs: clojars-web, clojars-server-config

In April we released the verified groups feature. The work included:

• deploy audit logging
• disabling deploys of new projects to non-verified groups
• disabling creation of new groups outside of verification
• documentation updates
• updates to pomegranate and leiningen to fix display of status messages from Clojars deploys

I verified 25 groups this month.

Changelogs: clojars-web, clojars-server-config

Just a minor fix and some maintenance this month.

• fix to ensure domain names created based on vcs service username is lowercase

I verified 32 groups this month.

Changelogs: clojars-web, clojars-server-config

• Migrated to larger AWS RDS Postgres instance size to address connection timeouts
• Wrote a tool to ease group verification at the repl
• Rewrote the SYSADMIN guide to match current architecture

I verified 21 groups this month.

Vacation!

Changelogs: clojars-web, clojars-server-config

• Allowed creation of a deploy token scoped to a group before the group has any artifacts
• Limited password length to prevent potential denial of service
• Updated rate-limiting to be more aggressive on the forgot-password endpoint

I verified 14 groups this month.

Changelogs: clojars-web, clojars-server-config

• Updated git provider linking to support GitLab, and to link to the tree instead of the commit
• Removed verified badge when viewing groups not owned by you
• Relaxed over-aggressive forgot-password rate-limiting

I verified 14 groups this month.

Changelogs: clojars-web, clojars-server-config

• Added audit logging when group members are added or removed
• Removed 30-day limit on audit information (we will keep it all now)
• Added display of lib dependents to jar page

I verified 13 groups this month.

Changelogs: clojars-server-config

I verified 11 groups this month.

Changelogs: clojars-web, clojars-server-config

• Upgraded to Java 17
• Updated old dependencies to address several outstanding CVEs

I verified 12 groups this month.