Remove/block org.clojure artifacts #4

Closed
puredanger opened this issue Feb 17, 2021 · 3 comments

@puredanger

There are some old versions of Clojure that were uploaded to Clojars in the deep past. https://clojars.org/org.clojure/clojure

These artifacts all exist on Maven Central and those are the canonical signed artifacts someone should be downloading, not the ones from Clojars. Ideally, I think these should be removed, but it's hard for me to argue that that's urgent given they've been out there for years and I'm not really sure how many caches that would break.

But perhaps more importantly, I think that no one should be allowed to upload any new artifacts in the org.clojure group. I don't know if that means the core team needs to "claim" something or if this is a special case, so tell me what is best.

@tobias
Member

tobias commented Feb 17, 2021

Hi @puredanger!

The org.clojure group is currently owned by richhickey and technomancy. IIRC, there was a discussion after those were uploaded to not do so any longer, and the group was given to Rich. So as it stands now, only Rich or Phil can upload to Clojars. But, since those uploads would shadow Maven Central (by group & artifact name), the uploads would be rejected.

Since these are all on Maven Central, I would be fine with deleting them, just let me know. I don't think it would cause any issues with caches.

I also noticed that there is a com.datomic group that Rich and others own. I believe ownership was transferred from the original uploaders for similar reasons.

@puredanger
Author

Well, there's no reason technomancy should be an owner for that group, so he should be removed. Maybe we could delete one of the jars and then wait a month to see if anyone complains, and if not go ahead with the others. :)

Thanks!

@tobias tobias transferred this issue from clojars/clojars-web Mar 1, 2021
@tobias
Member

tobias commented Apr 20, 2021

Hi @puredanger - I went ahead and deleted the org.clojure group completely (including all jars), and no one will be able to recreate it without DNS verification, so we should be good.

@tobias tobias closed this as completed Apr 20, 2021