I understand the issue in MNG-5265 as it relates to Maven repos but don't see
how it relates to <scm>. Foreign <scm> sections don't just pop into your POM by
accident. <scm> sections cannot be inherited from dependency resolution, as is
the case with Maven repos. Have I misunderstood?

Peter 

On Thursday, June 9, 2016 12:11 AM, Robert Scholte <[email protected]> wrote:

Hi Peter,

There are several issues related to this; just filter in JIRA on the
component Settings[1].
One of the issues I like is MNG-5265[2], which explains that id is not
secure enough: a simple typo might lead to leaking your credentials to the
wrong party.
So the solution is probably not in the pom.xml; I expect it to be in the
settings.xml.

thanks,
Robert

[1] https://issues.apache.org/jira/browse/MNG-5265?jql=project%20%3D%20MNG%20AND%20component%20%3D%20Settings%20AND%20status%20%3D%20Open%20ORDER%20BY%20priority%20DESC
[2] https://issues.apache.org/jira/browse/MNG-5265


On Thu, 09 Jun 2016 00:01:54 +0200, Peter Hansson  
<[email protected]> wrote:

>
> Hello
> I've been looking at improving the way certain plugins (scm, release,
> etc.) look up credentials from a <server> in settings.xml in order to find
> the credentials to use for a given endpoint.
> The current method - largely undocumented - is that the hostname from the
> endpoint's URL must match the server id from settings.xml. There's
> optional support for the port number as well, for the case where e.g. multiple
> SCMs are running on the same endpoint. The actual code to do the
> matching between the server id and the URL is scattered - and worse -
> replicated in several projects. For example it exists in the scm plugin
> but also in the release plugin.
> There are a number of use cases that are currently unsupported:
> 1. Running several *different* flavours of SCM on the same host. Say
> you have a host called "repohost" which is both an SVN and a Git host.
> OK, not very likely, but alas not something possible today.
> 2. Using different credentials *within* the same SCM endpoint. Now this
> is much worse. Just think of sites like GitHub and Bitbucket. It is
> certainly not uncommon for the same developer to have several identities
> on those sites.
>
> There are probably more cases out there that won't work today.
> I was about to contribute some code that could fix the problem by
> allowing matching to a server id on many more elements of the URL than
> just hostname and port, but it would require changes to all SCM providers as
> they would have to implement at least one new method.
>
> However, it now dawns on me that by far the best solution would be to
> allow a new optional element in the <scm> section of the POM, namely
> <serverId>. If present, this will then be used to match a server id from
> settings.xml. If not present, the existing matching method (based on
> hostname and optionally the port) would prevail. This would be a much
> cleaner approach than allowing matching on elements of the URL ... and
> also a lot easier to explain to the Maven user. I can see from source
> code comments that this thought certainly existed in the mind of
> some developer years ago but for some reason was never carried out.
> Any comments on this? Would you support the idea of a new optional
> element, <serverId>, within the <scm> section?
>
> Cheers
> Peter
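The lookup Peter describes, as an added example that is not part of the thread and not Maven's own code: a settings.xml with three <server> entries (constructed here), a helper that strips the `scm:<provider>:` prefix and matches the server id against `host:port` and then `host`, the way the mail says the scm and release plugins do today, and the proposed `<serverId>` override as an explicit parameter. The `<serverId>` element is Peter's proposal, not an existing POM element, and the two GitHub identities and the `repohost:8443` entry are assumptions made for the demo. The second use case from the mail shows up directly: with only host matching, both GitHub URLs resolve to the same credentials, and a mistyped server id silently yields none.

```python
"""Credential lookup for SCM URLs against settings.xml <server> entries.

Added example, not Maven's own code. It mimics the host (and optional
host:port) matching described in the mail and adds the proposed
<serverId> override as a parameter. The settings content is constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed settings.xml: two GitHub identities and a port-qualified SVN host.
SETTINGS_XML = """
<settings>
  <servers>
    <server><id>github.com</id><username>alice</username><password>a-token</password></server>
    <server><id>github-work</id><username>alice-corp</username><password>w-token</password></server>
    <server><id>repohost:8443</id><username>build</username><password>svn-pw</password></server>
  </servers>
</settings>
"""


def load_servers(settings_xml):
    """Map each <server> id to its (username, password) pair."""
    root = ET.fromstring(settings_xml)
    servers = {}
    for server in root.iter("server"):
        servers[server.findtext("id")] = (
            server.findtext("username"),
            server.findtext("password"),
        )
    return servers


def scm_endpoint(scm_url):
    """Return (hostname, port-or-None) from an 'scm:<provider>:<url>' string.

    Only URL-style provider parts (https://, svn://, ...) are handled here;
    scp-style 'git@host:path' syntax is left to the provider, as an assumption.
    """
    parts = scm_url.split(":", 2)
    if len(parts) != 3 or parts[0] != "scm":
        raise ValueError("not an scm URL: " + scm_url)
    parsed = urlsplit(parts[2])
    if not parsed.hostname:
        raise ValueError("no hostname in provider URL: " + parts[2])
    return parsed.hostname, parsed.port


def lookup_credentials(scm_url, servers, server_id=None):
    """Return (username, password) or None.

    server_id is the proposed <scm><serverId> override: when given it wins.
    Otherwise try 'host:port' (if the URL carries a port) and then 'host',
    which is the matching the mail describes for the scm/release plugins.
    """
    if server_id is not None:
        return servers.get(server_id)
    host, port = scm_endpoint(scm_url)
    if port is not None and f"{host}:{port}" in servers:
        return servers[f"{host}:{port}"]
    return servers.get(host)


def demo():
    """Run the lookups for the cases discussed in the mail."""
    servers = load_servers(SETTINGS_XML)
    return {
        # Plain host match: works today.
        "personal": lookup_credentials(
            "scm:git:https://github.com/alice/app.git", servers),
        # Use case 2: a second identity on the same host cannot be picked
        # from the URL alone, so the personal token is used for the work repo.
        "work_today": lookup_credentials(
            "scm:git:https://github.com/acme/app.git", servers),
        # Same URL with the proposed <serverId> override selects the right entry.
        "work_proposed": lookup_credentials(
            "scm:git:https://github.com/acme/app.git", servers,
            server_id="github-work"),
        # Port-qualified id, the optional matching the mail mentions.
        "svn": lookup_credentials(
            "scm:svn:https://repohost:8443/svn/trunk", servers),
        # A typo in the id finds nothing; nothing warns about it.
        "typo": lookup_credentials(
            "scm:git:https://github.com/acme/app.git", servers,
            server_id="github-wrok"),
    }


if __name__ == "__main__":
    for name, creds in demo().items():
        print(f"{name:14} -> {creds}")
```

Note that a lookup miss returns `None` rather than raising: that is the quiet failure mode behind the typo concern, and a real implementation would want to log which id it tried.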
