[ http://jira.codehaus.org/browse/MNG-553?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=162735#action_162735 ]
Oleg Gusakov commented on MNG-553:
----------------------------------
Joerg wrote:
{quote}
However, the main problem IMHO was that with effective:pom you were able to
display the password and the password was also written into the URLs of a
released POM. Does the change address those two problems also?
{quote}
*help:effective-settings* shows the encrypted password. I did not check the
released POM, but chances are good that it also gets stuffed with the encrypted password.
Please let me know if that's not the case.
> Secure Storage of Server Passwords
> ----------------------------------
>
> Key: MNG-553
> URL: http://jira.codehaus.org/browse/MNG-553
> Project: Maven 2
> Issue Type: Improvement
> Components: Settings
> Affects Versions: 2.0-alpha-3
> Environment: Although it may not be relevant since this is a general
> improvement issue, Windows XP, JDK 1.4.1.
> Reporter: J. Michael McGarr
> Assignee: Brett Porter
> Priority: Critical
> Fix For: 2.1.0-M2
>
> Attachments: MNG-553.patch
>
>
> This was a question posed to the Maven User's Group and it was suggested I add
> it here.
> It would be beneficial to provide a more secure means of storing passwords
> to the servers listed in the .m2/settings.xml. They are currently being
> stored as plain text and could definitely be considered a security breach.
> Numerous organizations would undoubtedly consider this an unacceptable
> security risk, and this could prevent widespread adoption of Maven2.
> I would suggest leaving an option to encrypt the password into the settings
> file (more secure, but not foolproof) or even requiring the password to be
> manually provided per build (would prevent automation of builds). I am sure
> that there is a secure solution to this problem and it should be part of the
> 2.0 release.