Phil Hagelberg edited this page Dec 28, 2012 · 7 revisions

Clojars offers two repositories, Classic (http://clojars.org/repo/) and Releases (http://releases.clojars.org/repo/). Inclusion in the Classic repository has practically no restrictions—anyone may sign up for an account and publish their project's artifacts to it on a first-come, first-served basis. Releases is intended to be a middle ground between the anything-goes nature of the Classic repository and the bureaucracy of the Maven Central repository.

Releases enforces a few restrictions:

  • Snapshot versions are not allowed. Adding repositories containing snapshots can have adverse effects upon dependency resolution time and can introduce unexpected results in the context of version ranges. If you need snapshots, you can add the Classic repository explicitly, but it should not be included by default.

  • Projects must declare a description, license, and URL in their pom.xml or project.clj file.

  • All files must be signed by a PGP key listed as being owned by someone who has access to the project's group.

If you publish to Clojars using Leiningen 2, it will warn you when you haven't declared the necessary metadata and will also attempt to sign files as they are being deployed.
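
The three restrictions above can be checked locally before deploying. The following is an added example, not Clojars' or Leiningen's own code: the function name promotion_blockers, the sample POM and the file names are constructed, and it assumes signatures are detached .asc files next to each artifact. It checks only that a signature file is present, not that it verifies against a key on the profile.

```python
import xml.etree.ElementTree as ET

# Assumption: the POM uses the standard Maven 4.0.0 namespace.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def text(root, path):
    """Return stripped text of the first element at path, or '' if absent."""
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else ""

def promotion_blockers(pom_xml, files):
    """List reasons the artifact would fail the Releases restrictions.

    pom_xml: contents of pom.xml; files: names of all files in the deploy.
    """
    root = ET.fromstring(pom_xml)
    reasons = []
    version = text(root, "m:version")
    if not version:
        reasons.append("no version declared")
    elif version.upper().endswith("-SNAPSHOT"):
        reasons.append("snapshot version: " + version)
    if not text(root, "m:description"):
        reasons.append("missing description")
    if not text(root, "m:url"):
        reasons.append("missing url")
    if not text(root, "m:licenses/m:license/m:name"):
        reasons.append("missing license")
    # Every non-signature file needs a detached signature next to it.
    present = set(files)
    for name in sorted(present):
        if not name.endswith(".asc") and name + ".asc" not in present:
            reasons.append("unsigned file: " + name)
    return reasons

# Constructed sample: a snapshot POM with no license and an unsigned jar.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>0.1.0-SNAPSHOT</version>
  <description>Constructed demo project</description>
  <url>https://example.invalid/demo</url>
</project>"""
SAMPLE_FILES = ["demo-0.1.0-SNAPSHOT.jar", "demo-0.1.0-SNAPSHOT.pom",
                "demo-0.1.0-SNAPSHOT.pom.asc"]

if __name__ == "__main__":
    for reason in promotion_blockers(SAMPLE_POM, SAMPLE_FILES):
        print("not qualified:", reason)
```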

Promotion

There is no way to deploy directly to the releases repository; artifacts are promoted from the Classic repository. Once you've deployed to Classic using lein deploy clojars or another method, you can visit the project's page in a browser; for example the Slamhound project is at https://clojars.org/slamhound.

If you are logged in, you should see a "promotion" section. If the project is qualified for promotion, a Promote button will be visible. If not, it will show a list of reasons why it's not qualified.

Signing and keys

If you have a PGP key pair already, visit the profile page and include it in your profile so that the files you sign can be checked against it.

If you don't have a key yet, you may need to install GPG first. Use your package manager, or if you are on Mac OS X you can use the installer from gpgtools.org. Eventually you may want to configure gpg-agent to cache your passphrase if your OS doesn't set it up for you, but it's optional.

Once it's installed, generate a key pair with gpg --gen-key. The default settings are pretty good, though it's recommended to make it expire in a year or two. Be sure to pick a strong passphrase. Next, find your key ID. It's the 8-character part after the slash on the line beginning with "pub":

$ gpg --list-keys

            ↓↓↓↓↓↓↓↓
pub   2048R/77E77DDC 2011-07-17 [expires: 2014-07-16]
uid                  Phil Hagelberg <[email protected]>
sub   2048R/39EFEE7D 2011-07-17

Then you can show it with gpg --export -a $KEY_ID. Copy that (including the -----BEGIN PGP PUBLIC KEY BLOCK----- parts) and paste it into your Clojars profile.
