[ http://jira.codehaus.org/browse/MNG-553?page=comments#action_45269 ] 

Steve Loughran commented on MNG-553:
------------------------------------

It is effectively impossible to secure passwords *and* have a fully automated 
build, because, even if encrypted, the key to decrypt will still be needed.

Prompted input suffers from (a) the need to have a human in the build and (b) 
the fact there is no way to turn off echoed chars from the command line.

If you do want to keep keys and stuff safe:
 - put them in a directory with locked down permissions
 - consider an encrypted filesystem
 - consider an external storage (USB filesys)
 - use the TPM of the laptop to secure a bit of your hdd

I use the latter and have to deal with the relevant device drivers asking for a 
password whenever I first try and access the data after a boot/resume. 

Trying to secure passwords in java is a very hard and unreliable process 
(think: where is your app swapped out to; what if the system hibernated during 
a run...). At least having blatantly insecure passwords stops people getting 
overconfident...

> Secure Storage of Server Passwords
> ----------------------------------
>
>          Key: MNG-553
>          URL: http://jira.codehaus.org/browse/MNG-553
>      Project: Maven 2
>         Type: Improvement
>     Versions: 2.0-alpha-3
>  Environment: Although it may not be relevant since this is a general 
> improvement issue, Windows XP, JDK 1.4.1.
>     Reporter: J. Michael McGarr
>     Priority: Critical
>      Fix For: 2.0-beta-2
>
> This was a question posed to the Maven User's Group and it was suggested I add 
> it here.  
> It would be beneficial to provide a more secure means of storing passwords 
> to the servers listed in the .m2/settings.xml.  They are currently being 
> stored as plain text and could definitely be considered a security breach.  
> Numerous organizations would undoubtedly consider this an unacceptable 
> security risk, and this could prevent widespread adoption of Maven2.
> I would suggest leaving an option to encrypt the password into the settings 
> file (more secure, but not foolproof) or even requiring the password to be 
> manually provided per build (would prevent automation of builds).  I am sure 
> that there is a secure solution to this problem and it should be part of the 
> 2.0 release.
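As an added example (not code from the thread or from Maven itself), a small audit that finds which `<server>` entries in a settings.xml still carry a literal password, plus a check that the file follows the "locked down permissions" advice above. It assumes that a value of the form `${...}` is a property reference resolved at build time rather than a secret stored in the file; the sample settings.xml is constructed.

```python
import os
import re
import stat
import xml.etree.ElementTree as ET

# Constructed sample settings.xml for demonstration; not taken from the thread.
SAMPLE_SETTINGS = """<?xml version="1.0"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>corp-releases</id><username>deploy</username><password>hunter2</password></server>
    <server><id>corp-snapshots</id><username>deploy</username><password>${env.DEPLOY_PASSWORD}</password></server>
    <server><id>mirror</id><username>ro</username><password></password></server>
    <server><id>no-creds</id></server>
  </servers>
</settings>
"""

# Assumption: ${...} values are interpolated at build time, so the secret is not in the file.
PROPERTY_REF = re.compile(r"\$\{[^}]+\}")


def _local(tag):
    """Strip an XML namespace prefix: '{ns}server' -> 'server'."""
    return tag.rsplit("}", 1)[-1]


def find_plaintext_passwords(settings_xml):
    """Return the ids of <server> entries whose <password> is a literal secret.

    Works with and without the Maven settings namespace; empty passwords and
    property references are not reported.
    """
    root = ET.fromstring(settings_xml)
    flagged = []
    for server in root.iter():
        if _local(server.tag) != "server":
            continue
        server_id, password = None, None
        for child in server:
            if _local(child.tag) == "id":
                server_id = (child.text or "").strip()
            elif _local(child.tag) == "password":
                password = (child.text or "").strip()
        if password and not PROPERTY_REF.fullmatch(password):
            flagged.append(server_id)
    return flagged


def file_is_locked_down(path):
    """True when only the owner has any permission bits on the file (no group/other)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0
```

Run it against `~/.m2/settings.xml` to list the servers whose credentials would be recoverable by anyone who can read the file.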
