Thanks for the comments. Part of my goal in developing builds is that they must be fully automatable. I'm opposed to pop-up dialogs or even interactive command-line for that reason. (The Microsoft signcode tool *really* bugs me for this reason - it pops up a dialog for passwords.) The environment variable solution you suggest is slightly better - but in an automated environment just moves the problem to a script file.
Perhaps we need a password storage utility similar to way cvs login handles things - encoding the passwords in a private file. These could be read by Ant using a standard mechanism - perhaps a new task to read a password and store it in a property, or maybe a method in Task to read a password, so tasks that need them can access them internally. Then the tag for a task would only need to include some sort of key for the password, rather than the password itself. I think I might just take a whack at this latter method after all. The property-based suggestion still suffers a flaw in that the property list might get dumped with passwords in it. Roger Vaughn Peter Donald wrote: > At 09:35 1/8/00 -0400, you wrote: > >I put together an ftpput task some weeks ago using NetComponents from > OROInc. I > >have attached it for your use. > > > >Use it like this: > > > > <ftpput localname="filename" remotename="filename" server="ftp.server" > >userid="me" password="mypass" binary="yes|no"/> > > > >"binary" is the only optional parameter and defaults to yes. I know the > >clear-text password is a huge security hole, but this was a quick job - and I > >only use restricted accounts in the context anyway. If anyone can suggest a > >simple, secure way to do this, I'm all ears. > > well there is already one in the project that has same properties (SignJar) > but another was knocked back for inclusion because it did just that > (GenerateKey). FWIW I have been keeping passwords in an environment > variable and then accessing that from build.xml. I forced people to set > variable through a script I generated and they have to do it every shell > they want toi use to do building. This means that the password doesn't > appear on commandline (and thus cmd line history and all other things this > entails) or in build.xml. Not perfect but a little better. I contemplated > popping up a GUI to grab it but thought the idea would annoy me too much > and the other option of using stdin to read it was unavailable as ant pumps > output/input of tasks that I was using. It also presents it in plain text > on terminal (feature of java stdin). > > Cheers, > > Pete > > *------------------------------------------------------* > | "Nearly all men can stand adversity, but if you want | > | to test a man's character, give him power." | > | -Abraham Lincoln | > *------------------------------------------------------*
