[ https://jira.codehaus.org/browse/MNG-4626?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Benedict updated MNG-4626:
-------------------------------

    Fix Version/s:     (was: Issues to be reviewed for 3.x)

> Password encryption escaped mechanism doesn't work as advertised
> ----------------------------------------------------------------
>
>                 Key: MNG-4626
>                 URL: https://jira.codehaus.org/browse/MNG-4626
>             Project: Maven
>          Issue Type: Improvement
>          Components: General
>    Affects Versions: 3.0-alpha-7
>            Reporter: Brendan Lawlor
>
> The current encryption scheme implemented by Maven avoids the use of 
> cleartext passwords on local files by allowing them to be encrypted locally 
> and decrypted just before the Maven client requests from or deploys to a 
> central artifact repository.
> I would like to suggest that the Maven team replicate the idea adopted by 
> Artifactory, where passwords are _transmitted_ encrypted, and only decrypted 
> on the server side by the repository. Requests and deployments are made over 
> http and transmitted in the clear. Where the passwords are system passwords 
> integrated to Active Directory or similar using LDAP, this is not an option 
> even within a company's LAN. I like the idea of where Nexus and the Maven 
> development stack in general is going (I listened to Jason's seminar recently 
> and I'm keen on much of where you are going). But passwords in the clear over 
> http is a showstopper and I'm surprised you haven't already borrowed this 
> idea from the competition.
> Another irritating side effect of Maven's insistence on using cleartext 
> passwords has been mentioned by a colleague of mine in MNG-4611. We currently 
> use Artifactory for EXACTLY this reason (the password encryption) and Maven 
> logs loudly about the fact that the passwords are encrypted.



--
This message was sent by Atlassian JIRA
(v6.1.6#6162)
