[ http://jira.codehaus.org/browse/MNG-553?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=162735#action_162735 ]

Oleg Gusakov edited comment on MNG-553 at 1/27/09 11:40 AM:
------------------------------------------------------------

Joerg wrote:
{quote}
I did not have a real problem using a plain password in .m2/settings.xml
{quote}
This has the same security strength as the added solution, but many people misused settings.xml and kept the <servers> section in a public place. This can now be addressed by having a private ~/.m2/sec.xml which contains the encryption key - now the server section can be public, but only people with the appropriate key can use it. This is also enhanced with the "relocate" feature, which allows putting the encryption key on a removable drive, so that multiple people can use the same OS account, but only those with the USB disk can update repositories.

{quote}
However, the main problem IMHO was that with effective:pom you were able to display the password and the password was also written into the URLs of a released POM. Does the change address those two problems also?
{quote}
*help:effective-settings* shows the encrypted password. I did not check the released POM, but good chances are it also gets stuffed with the encrypted password. Please let me know if it's not the case.

> Secure Storage of Server Passwords
> ----------------------------------
>
>                 Key: MNG-553
>                 URL: http://jira.codehaus.org/browse/MNG-553
>             Project: Maven 2
>          Issue Type: Improvement
>          Components: Settings
>    Affects Versions: 2.0-alpha-3
>         Environment: Although it may not be relevant since this is a general
>                      improvement issue, Windows XP, JDK 1.4.1.
>            Reporter: J. Michael McGarr
>            Assignee: Brett Porter
>            Priority: Critical
>             Fix For: 2.1.0-M2
>
>         Attachments: MNG-553.patch
>
>
> This was a question posed to the Maven User's Group and it was suggested I add
> it here.
> It would be beneficial to provide a more secure means of storing passwords
> to the servers listed in the .m2/settings.xml. They are currently being
> stored as plain text and could definitely be considered a security breach.
> Numerous organizations would undoubtedly consider this an unacceptable
> security risk, and this could prevent widespread adoption of Maven2.
> I would suggest leaving an option to encrypt the password into the settings
> file (more secure, but not foolproof) or even requiring the password to be
> manually provided per build (would prevent automation of builds). I am sure
> that there is a secure solution to this problem and it should be part of the
> 2.0 release.
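Both the original report (plaintext passwords in ~/.m2/settings.xml) and Oleg's comment (encrypted values in the public <servers> section, decryption key in a separate private file) describe a state a practitioner would want to verify on a developer or build machine. The script below is an added example and is not part of MNG-553, the attached patch, or Maven itself. It assumes only what the comment states: an encrypted password is stored as a braced "{...}" token, and the key lives in a private file (the comment calls it ~/.m2/sec.xml; the path is a parameter here). The settings.xml content it scans is constructed sample data.

```python
"""Audit a Maven settings.xml for plaintext <server> passwords and check
that the private key file is present and owner-only readable.

Added example for MNG-553; not Maven's own code. Assumptions:
  * encrypted passwords are stored as a "{...}" token (as the comment says);
  * the key file path (~/.m2/sec.xml in the comment) is passed in by the caller.
"""
import os
import re
import stat
import xml.etree.ElementTree as ET

# Constructed sample: one server with an encrypted password, one still in plaintext.
# The braced value is a placeholder, not real ciphertext.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>internal-releases</id>
      <username>deployer</username>
      <password>{EXAMPLE_CIPHERTEXT_PLACEHOLDER=}</password>
    </server>
    <server>
      <id>legacy-snapshots</id>
      <username>deployer</username>
      <password>hunter2</password>
    </server>
  </servers>
</settings>
"""

# Assumed on-disk form of an encrypted value: the whole password is one "{...}" token.
_ENCRYPTED = re.compile(r"\{[^{}]+\}")


def is_encrypted(value: str) -> bool:
    """True if the value is stored in the braced encrypted form."""
    return bool(_ENCRYPTED.fullmatch(value.strip()))


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{uri}server' -> 'server'."""
    return tag.rsplit("}", 1)[-1]


def find_plaintext_passwords(settings_xml: str) -> list:
    """Return the ids of <server> entries whose <password> is not encrypted.

    Works with or without the Maven settings namespace on the root element.
    """
    root = ET.fromstring(settings_xml)
    offenders = []
    for server in root.iter():
        if _local(server.tag) != "server":
            continue
        server_id, password = None, None
        for child in server:
            name = _local(child.tag)
            if name == "id":
                server_id = (child.text or "").strip()
            elif name == "password":
                password = child.text or ""
        if password is not None and password.strip() and not is_encrypted(password):
            offenders.append(server_id or "<no id>")
    return offenders


def check_key_file(path: str) -> list:
    """Findings about the private key file: it must exist and be readable only by its owner."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing: %s (encrypted passwords cannot be decrypted)" % path]
    findings = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("permissions: %s is accessible by group or others (mode %o)"
                        % (path, stat.S_IMODE(st.st_mode)))
    return findings


def audit(settings_xml: str, key_path: str) -> dict:
    """Combine both checks into one report."""
    return {
        "plaintext_servers": find_plaintext_passwords(settings_xml),
        "key_file": check_key_file(key_path),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SETTINGS, os.path.expanduser("~/.m2/sec.xml"))
    for sid in report["plaintext_servers"]:
        print("plaintext password for server:", sid)
    for finding in report["key_file"]:
        print(finding)
```

Run against a real ~/.m2/settings.xml by reading the file into `audit()` instead of `SAMPLE_SETTINGS`; a non-empty `plaintext_servers` list is exactly the condition the original report complains about, and a group- or world-readable key file undoes the separation the comment relies on.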