[ANN] Clojars now requires a license in the POM for new projects or projects that already specify a license

Hi all!

Clojars (https://clojars.org - the community repository for open source Clojure
libraries) will now require a license to be specified in the POM file for:

• newly uploaded versions for new projects
• newly uploaded versions for existing projects where the prior version had a license

We will then start requiring a license for all newly uploaded versions on or
after 2024-01-01. Note that this will not impact any existing versions;
existing versions that don’t have a license in the POM file will remain
unchanged.

For more details, see this issue for discussion of the change, and the
Deploying wiki entry for how to add a license to your POM.

Why is Clojars making this change?

We are making this change:

• to better support auditing from java ecosystem tools that use the POM as the
  source of truth for the license
• enforce better hygiene; all open source projects should have a license

How does this change impact me?

If you only consume projects from Clojars and do not release libraries, you
don’t need to do anything.

If you publish projects to Clojars, you will need to:

• include a license with any new projects
• continue to include a license with new versions of projects where you already
  provide a license
• update any projects that don’t provide a license to provide one before the end
  of the year if you plan to release a new version

If Clojars rejects your deploy, you will see a message like:

Could not transfer metadata org.clojars.tcrawley:deploytest/maven-metadata.xml from/to clojars (https://repo.clojars.org/): authorization failed for https://repo.clojars.org/org/clojars/tcrawley/deploytest/maven-metadata.xml, status: 403 Forbidden - the POM file does not include a license. See https://bit.ly/3PQunZU

Most versions already have licenses in their POM files since Leiningen
includes one by default, and prints a warning when you try to deploy without
one. But newer tooling built on the Clojure CLI tools doesn’t have this
warning (however, deps-new will generate a pom.xml that does include a license
if you use it to template your project).

Thank you

Thanks to Peter Monks for suggesting this change, and Daniel Compton for
discussing a solution.

Supporting this work

This work was done as part of an ongoing maintenance contract from Clojurists
Together. You can also sponsor me directly on GitHub Sponsors if you would
like to directly fund my maintenance of Clojars.

Please reply here or on the issue if you have any concerns or questions.

• Toby

Ah! I didn’t know about deps-new , so it may give a nice entrypoint to deps.edn if I ever get off my WIP projects…

And if you want to see how to handle license and other important parts of the POM, check out the build.clj file for next.jdbc: next-jdbc/build.clj at develop · seancorfield/next-jdbc (github.com)

I just deployed a change that requires licenses for all releases (as promised above, though I did release it a few days early).

I also updated the wiki to cover this change, and linked to @seancorfield’s next-jdbc build.clj example to show tools.build usage.

Let me know if you see any issues when deploying!

The clojure-doc cookbook for tools.build covers this as well: Clojure Guides: Building Projects: tools.build and the Clojure CLI (clojure-doc.org) (under **The Generated pom.xml File).