clojars / clojars-web Goto Github PK

Currently you just get a blank white screen and have to look at the response code to see it's an "Internal Server Error". We should show something better than that.

Ever since changing the ssh public key associated with my clojars account, I've been unable to push to clojars. In order to completely isolate anything particular about my setup that could be causing this, I created a new user account on my ubuntu VM, and generated a fresh 2048-bit RSA identity. Then, I created a new clojars account using the new public key. I then attempted to ssh [email protected] -v2, and got an error that my public key was rejected.

The public key, permissions on my .ssh folder and contents, and the very verbose output of the ssh command are all in this gist: https://gist.github.com/2020441.

It's pretty annoying. ;-)

technomancy/leiningen#519 would like to push signature files to the repo. Currently they are blocked by the extension whitelist.

Add a download counter for each library

https://clojars.org/search?q=compojure

That should list compojure over the rest. I think this used to work.

There's no indication on the website that the old salted SHA1 password hashes have been wiped. So users who don't rigorously read the Clojure mailing list, disclojure, twitter etc aren't aware of it. This is causing confusion: someone emailed me asking if logins to the site were broken globally.

When displaying "invalid password" we should link to an explanation like Phil's mailing list announcement and suggest using the "forgot password" feature.

https://groups.google.com/group/clojure/browse_thread/thread/5e0d48d2b82df39b

"The individual jar page should have a link to the git repository, or maybe even to the commit that the jar was built off." suggested by vdm on Hacker News. http://news.ycombinator.com/item?id=950693

Interesting idea, would need Leiningen to fill in the SCM details.

Could either shell out to git or just read from .git manually.

% git remote -v | grep github.com
origin [email protected]:ato/clojars-web.git
% git rev-list HEAD^..HEAD

Relevant bits for reading manually:

% cat .git/HEAD
ref: refs/heads/master
% cat .git/refs/heads/master
048734f
% cat .git/config
...
[remote "origin"]
url = [email protected]:ato/clojars-web.git
fetch = +refs/heads/:refs/remotes/origin/

Just spotted this page isn't working: https://clojars.org/reply

Here's the stack trace:

java.net.URISyntaxException: Illegal character in path at index 21: /lein-midje/versions/[1.0.0,)
        at java.net.URI$Parser.fail(URI.java:2825)
        at java.net.URI$Parser.checkChars(URI.java:2998)
        at java.net.URI$Parser.parseHierarchical(URI.java:3082)
        at java.net.URI$Parser.parse(URI.java:3040)
        at java.net.URI.<init>(URI.java:595)
        at hiccup.core$resolve_uri.invoke(core.clj:314)
        at hiccup.page_helpers$link_to.doInvoke(page_helpers.clj:93)
        at clojure.lang.RestFn.applyTo(RestFn.java:139)
        at clojure.core$apply.invoke(core.clj:601)
        at hiccup.core$add_optional_attrs$fn__2021.doInvoke(core.clj:293)
        at clojure.lang.RestFn.invoke(RestFn.java:421)
        at clojars.web.jar$show_jar$fn__2485$iter__2486__2490$fn__2491$fn__2492.invoke(jar.clj:53)
        at clojars.web.jar$show_jar$fn__2485$iter__2486__2490$fn__2491.invoke(jar.clj:50)

We could just link to the the base page like https://clojars.org/lein-midje when there's a version range.

Suggested by cldwalker in #71. See http://guides.rubygems.org/ for ideas.

The client tooling side is already covered well by the Leiningen guides (which maybe we should link to). But we could cover some more general topics:

• All a Clojure dev needs to know about jar files and how they aren't magic.
• Repository layout: so what's with maven-metadata.xml and friends?
• General principals about how to run/release a project (versioning, documentation practices, announcing your project, tools and services that might help)

Examples:

https://clojars.org/org.clojars.technomancy/heroku-http-apache/versions/0.1-SNAPSHOT
https://clojars.org/aleph/versions/0.2.1-alpha2-SNAPSHOT

http://clojars.org/amalloy/ works fine (renders "page not found"), but http://clojars.org/amalloy (note no trailing slash) causes the server to send an HTTP 500. I looked briefly through the source but didn't locate the cause of the problem, so I'm passively filing an issue.

Discussion summary (as of July 2012): In most cases deletion should be avoided as people might be depending on your jars. If you need something hard deleted because of an accident or if it's causing problems open a issue here for it or contact the server caretakers.

If you'd like to mark something deprecated for now the way to do it is to push a new version which prefixes the description in project.clj with "DEPRECATED: ".

I'll leave this feature request open as I'd take (with review) a pull request that implemented a "yank" feature like rubygems.org has.

I have tried a number of times and every time I get a 500 error code with no further explanation in the body about what went wrong.

Right now the search functionality goes through sqlite instead of using the already-existing lucene indexes. Code could be adapted from lein-search for this: https://github.com/technomancy/lein-search/tree/lucene

Investigate whether it's feasible to collect jars from the repository and stream an uberjar on the fly. Could be a good way for distributing standalone applications.

Showing them amongst the regular dependencies is misleading.

Suggested by dakrone on #leiningen.

Right now, snapshots and releases all get dumped into a single repository. It would be good to have separate repos for each of these so users can skip the snapshots if they wish.

Of course, the combined "mosh-pit" repository would need to be kept for backwards-compatibility.

https://clojars.org/search?q=datomic

Does anyone who has access to the errors want to dump them here? I can take a look at the issue.

So the wiki is getting more important. It'd be nicer/clearer/terser to use something Clojars branded for documentation. I do like that it's not so formal to edit the wiki though.

Perhaps we could use gollum-site and a service hook to turn the wiki into a http://help.clojars.org/ similar in principle to http://guides.rubygems.org/ and http://help.github.com/. An "edit this page" link at the bottom would take you to the wiki edit form on the github project.

For example https://clojars.org/com.novemberain/monger shows this message:

Oops. We hit an error opening the metadata POM file for this jar so some details are not available.

Because it's trying to open:

java.io.FileNotFoundException: .../repo/com.novemberain/monger/1.2.0-alpha1/monger-1.2.0-alpha1.pom

It should instead be reading repo/com/novemberain/monger/1.2.0-alpha1/monger-1.2.0-alpha1.pom (/ not .).

Reported by @michaelklishin in #59.

SSH is great for unix people, but can be tricky for Windows users. It'd be nice to have some sort of web upload form they can use instead.

I saw there is suppose to be a [fnparse "3.α.4"] in clojars at https://github.com/joshua-choi/fnparse/wiki/News. Looking at the versions on https://clojars.org/fnparse shows 3.?.4, and http://clojars.org/repo/fnparse/fnparse/ has a 3.?.4 directory, but nginx shows an error for it.

I'm unsure if this is a unicode support issue somewhere in the ssh/clojars/sqlite/fs chain, or was bad ssh push.

Any page involving passwords should require SSL.

I think it would be helpful if an user could add more than one ssh-public-key to his profile, just like on Github.

Currently for the clojars.org deployment we're enforcing that the connection is secure using nginx (see #46 and #45). This could instead be done in the webapp itself which would allow for a couple of improvements.

• the ring-session cookies should be marked "secure" (SSL only). It would be good to mark them httpOnly too, there's no need to give JavaScript access.
• HTTP uploads (#46) should only be allowed over SSL. It would be good to return a 405 with custom status string explaining the problem. We can't return a custom status string in nginx so clients currently see a not so meaningful 405 Not Allowed if they attempt to deploy using HTTP.
• the secure enforcement should support the X-Forwarded-Proto header for when the app is behind a reverse proxy or load balancer and is not itself the SSL termination point.

would be useful to allow *-sources.jar artifacts to be uploaded into the repo

Querying for "compojure" on clojars.org gives the following results (currently):

org.clojars.dvgb/compojure 0.3.1
org.clojars.ato/compojure 0.3.1

However the following jar is omitted:

org.clojars.liebke/compojure 0.3.1

I suspect an outdated lucene index to be responsible for this glitch.

Oddly enough if i scp up, scp returns [INFO] style messages to my console

And if I watch the console of the running clojars server, I get the user Success! messages.

This seems backwards.

Hi,

When I try to update my public key (generated using putty-gen on windows) on clojars website. I get "Blistering barnacles! Something's not shipshape:
Invalid SSH public key" error.

The public key I copied to the text box looks like this. Any idea what I may be missing? Any help is much appreciated.
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "clojars-rsa-key-20120730"
AAAAB3NzaC1yc2EAAAABJQAAAIBsu82khxh/JuN/kkX1ETUfdM/hsMN2xLIyqFV/
ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKL
/BKlbJdBokdxRtUlfPw9WG8x06OTZv9o8OZcYlIgGgfpYpzeQ5qJTxc+++fSf8S1
5kxmeQ==
---- END SSH2 PUBLIC KEY ----

cheers

In the tutorial wiki, lines like these:

are not inserting the specified file as expected.

There's a few different approaches that have been taken:

• Clojure Toolbox by @weavejester
• ClojureSphere by @jkk
• Clojure Dining Car by @uvtc

Clojars really punted on the issue of discovery as it wasn't the itch I was trying to scratch early on but I think there's a general expectation that it should at least act as a gateway to some of these resources.

Anyone have any ideas about how we should go about doing this? We could start just by linking to all of them (and probably ClojureDocs.org as well) from a header or footer or something.

visit http://clojars.org/search?q=reddit

click on the "reddit.clj" link .. and it 404es.

https://clojars.org/congomongo/versions/0.1.11-SNAPSHOT

This page is missing the dependency listing, but the pom is in the repo. I believe this is from the #"\d\.\d\.\d" in clojars.maven/snapshot-pom-file. I think those need to be \d+.

Example, a project.clj could look something like this:

(defproject org.clojars.thnetos/cbench "1.0.0"
:description "Run benchmarks of code, kinda like Ruby's benchmark function. See http://github.com/dakrone/cbench for full info."
:dependencies [[org.clojure/clojure "1.1.0-alpha-SNAPSHOT"]
             [org.clojure/clojure-contrib "1.0-SNAPSHOT"]]
:dev-dependencies [[lein-clojars "0.5.0-SNAPSHOT"]]
:doc-file README.txt)

So clojars.org would display the README.txt file (which leinigen should include in the .jar) on the page.

I've found i need to add
[org.apache.maven.wagon/wagon-provider-api "1.0-beta-6"]

to project.clj

otherwise I get

Error: Unable to lookup component 'org.apache.maven.artifact.deployer.ArtifactDeployer', it could not be started

Hi--I've read the documentation at http://github.com/ato/clojars-web/wiki/Pushing quite carefully, and I'm pretty sure that I followed the directions correctly. Still I get the following error:

[C:\tech\cljprojects\piccolo2dcore-to-clojars]pscp pom.xml piccolo2dcore-1.3.jar
[email protected]:
Fatal: Disconnected: No supported authentication methods available (server sent:

publickey)

BTW, pscp is a scp command that is part of PuTTY on Windows.

Here is what's in the pom.xml file:

Any ideas on where the error is? I've spent about two hours on this.

Thanks for your help.

--Gregg Williams, gregg AT innerpaths DOT net

For example: https://clojars.org/repo/trello/trello/0.1.1-SNAPSHOT/trello-0.1.1-20120424.083814-1.pom

<url>boxuk.com owainlewis.com</url>

Causes this exception at https://clojars.org/trello

java.net.URISyntaxException: Illegal character in path at index 9: boxuk.com owainlewis.com

Reported by Owain Lewis.

Maybe change the colour / reduce the font size in search results. Perhaps link to the canonical project (if it exists) on the jar page. The idea is to try to make it clear they're not the official project that the user should be preferencing. See @technomancy's comment on #71.

Where an artifact is a particular version of a project.

See #2 for motivation and discussion about terminology.

I'm trying to change my ssh key, however every time I click on "Update" in the profile page, I get
* Password can't be blank
* Email can't be blank
Both of these field are filled when I click on "Update"

So that you can simply upload with:

scp foo.jar [email protected]:

Look into whether it'd be useful to automatically generate JWS urls for desktop apps.

I started releasing something and in the middle of it I realized I forgot to make a change. I C-c'd the process, killing it, but clojars took the files anyway and just complained they were corrupted. Shouldn't it throw them away? This is annoying, because now I have to release a fake version increment because of it.

I'm not sure if this is a clojars or lein deploy issue, but I assume clojars, so making this issue here.

for some reason the sqlite trigger does not insert the content value of concatenated elements.

ID was also -1 until i changed the line to read (adding the after keyword):
create trigger update_search after insert on jars

but a select * from search; always returns a null value for content.

sqlite3 -version
3.6.22

on ubuntu

wanted to confirm this sqlite version is known to work before attempting a manual build

Add a simple browse interface.

I get a timeout when attempting to deploy to clojars using Maven in Eclipse Juno, using the https: deploy feature.

Here is the Maven output:

[INFO]
[INFO] --- maven-jar-plugin:2.3.2:jar (default-jar) @ clisk ---
[INFO]
[INFO] --- maven-install-plugin:2.3.1:install (default-install) @ clisk ---
[INFO] Installing C:\Users\Mike\git\clisk\target\clisk-0.4.0-SNAPSHOT.jar to C:\Users\Mike.m2\repository\net\mikera\clisk\0.4.0-SNAPSHOT\clisk-0.4.0-SNAPSHOT.jar
[INFO] Installing C:\Users\Mike\git\clisk\pom.xml to C:\Users\Mike.m2\repository\net\mikera\clisk\0.4.0-SNAPSHOT\clisk-0.4.0-SNAPSHOT.pom
[INFO]
[INFO] --- maven-deploy-plugin:2.7:deploy (default-deploy) @ clisk ---
Downloading: https://clojars.org/repo/net/mikera/clisk/0.4.0-SNAPSHOT/maven-metadata.xml
Uploading: https://clojars.org/repo/net/mikera/clisk/0.4.0-SNAPSHOT/clisk-0.4.0-20120809.043801-1.jar
Uploading: https://clojars.org/repo/net/mikera/clisk/0.4.0-SNAPSHOT/clisk-0.4.0-20120809.043801-1.pom
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2:13.222s
[INFO] Finished at: Thu Aug 09 12:40:03 SGT 2012
[INFO] Final Memory: 21M/160M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.7:deploy (default-deploy) on project clisk: Failed to deploy artifacts: Could not transfer artifact net.mikera:clisk:jar:0.4.0-20120809.043801-1 from/to clojars (https://clojars.org/repo): No response received after 60000 -> [Help 1]

Impact:

• The jar and pom appear to get uploaded successfully
• The checksums don't get generated by clojars (unlike how they do if scp is used)

Extra info:

• Here is the project in question (complete with pom.xml): https://github.com/mikera/clisk
• Here is an SO question on the same issue (with workaround answer): http://stackoverflow.com/questions/11837961/maven-deployment-timeout-failure-to-generate-checksums

Several times, I've wanted to post new JAR versions for commonly used libraries (Stanford NLP, Lucene, etc.), but because I'm not the original uploader, I can't. I've tried to get in touch with the original uploaders of these libraries so that I can be added to the groups and update the JARs, but get no response.

IMO, group permissions should only be restricted for org.clojars.* groups. Users shouldn't be allowed to overrwrite JARs already uploaded by other users, but should be allowed to post new versions within the same group/artifact id. I think this would go a very long way to keeping Clojars as updated as possible.

Thoughts? If this seems like a good idea, I'd be willing to write a patch.