Message ID | 87h79f32bm.fsf@reilysiegel.com |
---|---|
State | New |
Series | Remove limitations on clojure-tools |
Context | Check | Description |
---|---|---|
cbaines/comparison | success | View comparison |
cbaines/git branch | success | View Git branch |
cbaines/applying patch | success | View Laminar job |
cbaines/issue | success | View issue |
Reily Siegel schreef op do 03-02-2022 om 19:25 [-0500]:
> + ;; This JAR contains only uncompiled Clojure sources.
> + (uri (string-append "https://repo1.maven.org/maven2/"
> + "com/cognitect/http-client/"
> + version "/http-client-"
> + version ".jar"))

Where did you find this source code? How can I know whether it's authentic (i.e., whether it actually came from cognitect and not some imposter)?

Greetings,
Maxime.
Maxime Devos <maximedevos@telenet.be> writes:

> Reily Siegel schreef op do 03-02-2022 om 19:25 [-0500]:
>> + ;; This JAR contains only uncompiled Clojure sources.
>> + (uri (string-append "https://repo1.maven.org/maven2/"
>> + "com/cognitect/http-client/"
>> + version "/http-client-"
>> + version ".jar"))
>
> Where did you find this source code? How can I know whether it's
> authentic (i.e., whether it actually came from cognitect and not some
> imposter)?

This code is taken directly from Maven, as are many Java packages. This relies on whatever authentication Maven does to ensure packages are not forgeries.

--
Reily Siegel
Reily Siegel schreef op ma 07-02-2022 om 13:06 [-0500]:
> This code is taken directly from Maven, as are many Java packages. This
> relies on whatever authentication Maven does to ensure packages are not
> forgeries.

I took a look at <https://maven.apache.org> and AFAICT Maven does not have any process in place to prevent forgeries or malicious code; there does not appear to be any vetting process, though perhaps I haven't looked far enough.

A web page from cognitect telling ‘grab source code from Maven (com/cognitect/http-client)’, combined with going over the source code to sniff things like ‘Send ~/.gnupg to evil.com’ should be sufficient.

For the damage the absence of a vetting process can do, see e.g. <https://lwn.net/Articles/694830/>. The same issue appears to hold for PyPI, RubyGems and npm.

Greetings,
Maxime.
Maxime Devos <maximedevos@telenet.be> writes:

> A web page from cognitect telling ‘grab source code from Maven
> (com/cognitect/http-client)’

I am fairly certain that this code is not officially documented and released as a library; it is only used in internal cognitect projects. However, this is where other, officially supported cognitect libraries pull the source from. The dependency specification[1] for cognitect-aws-api uses:

com.cognitect/http-client {:mvn/version "1.0.110"}

as the location to pull this dependency. Given that the dependency resolution system uses https://repo1.maven.org/maven2/ by default (see the file /lib/clojure/deps.edn in clojure-tools), this results in the URL https://repo1.maven.org/maven2/com/cognitect/http-client/1.0.110. This is one revision older than the version I use (I just grabbed the most recent one), but if you would like me to submit a new version of the patch using this older version instead, I have no problem with that, and it should work just fine.

> Going over the source code to sniff things like ‘Send ~/.gnupg to
> evil.com’ should be sufficient.

I have read the entire source code of the project, and can verify that it doesn't obviously do anything like this. Not claiming that I can guarantee that the code is bug-free, but there is nothing obviously evil about it. The code is only ~300 lines long, and mostly wraps existing Java APIs.
Reily Siegel schreef op do 03-02-2022 om 19:25 [-0500]:
> +(define-public clojure-com-cognitect-http-client
> + (package
> + (name "clojure-com-cognitect-aws-api")
> + (version "1.0.111")
> + (source (origin
> + (method url-fetch)
> + ;; This JAR contains only uncompiled Clojure sources.
> + (uri (string-append "https://repo1.maven.org/maven2/"
> + "com/cognitect/http-client/"
> + version "/http-client-"
> + version ".jar"))
> + (sha256
> + (base32
> + "0n03vyr6i6n8ll8jn14b5zsba5pndb0ivdwizimz16gd8w3kf5xh"))))

I downloaded the JAR and verified the hash matches.

> + (license license:asl2.0)))

This time, the source code has a COPYING file and the headers of the source code state that it is Apache 2.0, which is good. There's still something weird though: even though the source files later state it's Apache 2.0, initially they state

;; Copyright (c) Cognitect, Inc.
;; All rights reserved.

This seems rather contradictory --- do they reserve all monopoly rights for themselves, or do they license it as Apache 2.0, giving people some rights? The intent seems clear here (Apache 2.0), so not a blocker for inclusion in Guix I think, but IANAL and this should ideally eventually be fixed upstream.

The files in the zip appear to be actual source code, not compiled something. There indeed doesn't appear to be anything malicious. I'll look into the authenticity later.

Greetings,
Maxime.
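The checks the two messages above describe (turning a deps.edn coordinate into the Maven Central URL, hashing the downloaded JAR the way `guix hash` does so the result can be compared with the base32 string in the package's sha256 field, and confirming the archive holds only Clojure sources that carry a licence header), as an added example. This is not code from the patch, from Guix or from Cognitect; it assumes only the Python standard library, and the two JARs it builds in memory are constructed, hypothetical samples rather than the real http-client artifact.

```python
"""Provenance checks for a Maven-hosted Clojure source JAR.

Added example, not part of the patch or of Cognitect's code. The sample JARs
below are constructed in memory and are hypothetical.
"""
import hashlib
import io
import zipfile

MAVEN_CENTRAL = "https://repo1.maven.org/maven2/"

# Alphabet used by Nix and `guix hash`: 0-9 and a-z without e, o, t, u.
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"


def maven_url(group, artifact, version, repo=MAVEN_CENTRAL):
    """Map a deps.edn coordinate such as com.cognitect/http-client
    {:mvn/version "1.0.111"} to the artifact URL: the group's dots become
    path components, followed by artifact/version/artifact-version.jar."""
    return f"{repo}{group.replace('.', '/')}/{artifact}/{version}/{artifact}-{version}.jar"


def nix_base32(digest):
    """Encode raw hash bytes the way Nix and Guix print them; this is the
    string that goes inside (base32 "...") in a package definition."""
    n = len(digest)
    length = (n * 8 - 1) // 5 + 1          # 52 characters for SHA-256
    out = []
    for k in range(length - 1, -1, -1):    # most significant character first
        byte, shift = divmod(k * 5, 8)
        c = digest[byte] >> shift
        if byte + 1 < n:
            c |= digest[byte + 1] << (8 - shift)
        out.append(NIX_BASE32[c & 0x1F])
    return "".join(out)


def guix_hash(data):
    """Equivalent of `guix hash FILE` for in-memory data."""
    return nix_base32(hashlib.sha256(data).digest())


def inspect_jar(data, licence_marker="Apache License"):
    """Classify every entry of a JAR (a zip file): compiled .class files,
    Clojure sources, and anything else; flag sources lacking the marker."""
    report = {"sources": [], "compiled": [], "missing_licence": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for entry in jar.infolist():
            if entry.is_dir():
                continue
            name = entry.filename
            if name.endswith(".class"):
                report["compiled"].append(name)
            elif name.endswith((".clj", ".cljc", ".cljs")):
                report["sources"].append(name)
                if licence_marker not in jar.read(name).decode("utf-8", "replace"):
                    report["missing_licence"].append(name)
            else:
                report["other"].append(name)
    return report


def check_source_jar(data, expected_hash):
    """Pinned hash matches, the JAR holds Clojure sources and no compiled
    classes, and every source file names the licence. Returns (ok, report)."""
    report = inspect_jar(data)
    report["hash_ok"] = guix_hash(data) == expected_hash
    ok = (report["hash_ok"] and report["sources"]
          and not report["compiled"] and not report["missing_licence"])
    return bool(ok), report


def build_jar(entries):
    """Construct a small JAR in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, content in entries.items():
            jar.writestr(name, content)
    return buf.getvalue()


# Constructed sample contents (hypothetical; not the real http-client files).
CLJ_HEADER = (";; Copyright (c) Cognitect, Inc.\n"
              ";; All rights reserved.\n"
              ";; Licensed under the Apache License, Version 2.0.\n")
SOURCE_JAR = build_jar({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
    "cognitect/http_client.clj": CLJ_HEADER + "(ns cognitect.http-client)\n",
})
COMPILED_JAR = build_jar({
    "cognitect/http_client.clj": "(ns cognitect.http-client)\n",  # no licence header
    "cognitect/http_client.class": b"\xca\xfe\xba\xbe",            # class-file magic
})

if __name__ == "__main__":
    print(maven_url("com.cognitect", "http-client", "1.0.111"))
    print(guix_hash(b""))          # same value `guix hash /dev/null` prints
    print(check_source_jar(SOURCE_JAR, guix_hash(SOURCE_JAR)))
    print(check_source_jar(COMPILED_JAR, guix_hash(COMPILED_JAR)))
```

For a real artifact, fetch the bytes from `maven_url(...)` and pass the base32 string from the package's sha256 field as `expected_hash`; `guix hash` remains the authoritative tool, `nix_base32` only reproduces its output so the comparison can be done without Guix installed. The hash pins the bytes, and the content check catches a future release that silently starts shipping compiled classes, which the `url-fetch` of a `.jar` would otherwise accept unnoticed.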
Reily Siegel schreef op do 03-02-2022 om 19:25 [-0500]:
> +(define-public clojure-com-cognitect-http-client
> + (package
> + (name "clojure-com-cognitect-aws-api")
> + (uri (string-append "https://repo1.maven.org/maven2/"
> + "com/cognitect/http-client/"

The variable name, package name and URI are inconsistent. They should all be http-client, not aws-api, I think?

Greetings,
Maxime
Reily Siegel schreef op do 03-02-2022 om 19:25 [-0500]:
> + (synopsis "HTTP Client for Clojure")

Why is ‘Client’ capitalised here?

> + (description "HTTP client for Clojure.")

This seems rather misleading, it is not its own HTTP client but rather a tiny wrapper around jetty's HTTP client that makes the API a bit less Java-y and more Clojure-y. I would mention something along the lines of

(description "This package is a Clojure wrapper around Jetty's HTTP client for Java. While Jetty is a Java package and hence its API follows Java conventions, this Clojure wrapper follows Clojure API conventions.")

Greetings,
Maxime.
Maxime Devos <maximedevos@telenet.be> writes:

> The variable name, package name and URI are inconsistent.
> They should all be http-client, not aws-api, I think?

Thanks for catching this, I will fix in v2 of the patch.
Reily Siegel schreef op ma 07-02-2022 om 14:50 [-0500]:
> I am fairly certain that this code is not officially documented and
> released as a library, it is only used in internal cognitect projects.
> However, this is where other, officially supported cognitect libraries
> pull the source from. [...]

Additionally, Clojure is developed at Cognitect (see https://clojure.org/dev/dev), the Maven artifacts are named com.cognitect.FOO and so far nothing malicious has been found. There does not appear to be any room for typosquatting here and everything appears to be authentic.

Greetings,
Maxime.
diff --git a/gnu/packages/clojure.scm b/gnu/packages/clojure.scm index 7bbab8b741..58adb8d080 100644 --- a/gnu/packages/clojure.scm +++ b/gnu/packages/clojure.scm @@ -25,6 +25,7 @@ (define-module (gnu packages clojure) #:use-module (gnu packages java) #:use-module (gnu packages maven) #:use-module (gnu packages readline) + #:use-module (gnu packages web) #:use-module ((guix licenses) #:prefix license:) #:use-module (guix packages) #:use-module (guix download) @@ -259,6 +260,35 @@ (define-public clojure-algo-monads (home-page "https://github.com/clojure/algo.monads") (license license:epl1.0))) +(define-public clojure-com-cognitect-http-client + (package + (name "clojure-com-cognitect-aws-api") + (version "1.0.111") + (source (origin + (method url-fetch) + ;; This JAR contains only uncompiled Clojure sources. + (uri (string-append "https://repo1.maven.org/maven2/" + "com/cognitect/http-client/" + version "/http-client-" + version ".jar")) + (sha256 + (base32 + "0n03vyr6i6n8ll8jn14b5zsba5pndb0ivdwizimz16gd8w3kf5xh")))) + (build-system clojure-build-system) + (propagated-inputs (list clojure-core-async + java-eclipse-jetty-client + java-eclipse-jetty-http + java-eclipse-jetty-util + java-eclipse-jetty-io)) + (arguments + '(#:source-dirs '("src") + #:test-dirs '() + #:doc-dirs '())) + (home-page "https://cognitect.com") + (synopsis "HTTP Client for Clojure") + (description "HTTP client for Clojure.") + (license license:asl2.0))) + (define-public clojure-core-async (package (name "clojure-core-async")
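Review bot: In the second hunk, (name "clojure-com-cognitect-aws-api") does not match the variable clojure-com-cognitect-http-client or the URI path com/cognitect/http-client/, so the package would be listed and built under the wrong name and would collide with any later cognitect-aws-api package; it should read (name "clojure-com-cognitect-http-client"). In the same hunk, (description "HTTP client for Clojure.") merely repeats the synopsis and hides that the java-eclipse-jetty-* propagated inputs are the actual HTTP client being wrapped, and (home-page "https://cognitect.com") is the company site rather than a page describing this artifact. The comment ;; This JAR contains only uncompiled Clojure sources. is the justification for fetching a .jar with url-fetch; the sha256 pins the exact bytes, but nothing in the build fails if a later version starts shipping .class files, so the commit message or the comment should say how that was checked (and, if Maven Central serves a detached signature for this artifact, which key signed it). Finally, #:test-dirs '() deserves a one-line comment noting that the artifact ships no tests.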