Hi everyone!
I've been agonising about this for quite some time now. However, I have
yet to find a solution for this.
Is there a way to prevent malicious users from obtaining server
passwords from your Maven settings?
If you use the Config File Provider plug in with the Credentials plug
in, you can add "help:effective-settings -DshowPasswords=true" and you
will see the passwords in clear text.
Even if you use Maven's security mechanism to encrypt passwords via the
settings-security.xml, you could e.g. add a build step that executes
"cat ~/.m2/settings-security.xml" (or hide something similar in your
build process). This way you'll have the crypted password and the
settings-security.xml and could still deploy unauthorized software to
your artifact repository.
Is there any way to prevent this?
Regards
Steffen
--
You received this message because you are subscribed to the Google Groups "Jenkins
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-users/567A72F4.9060303%401und1.de.
For more options, visit https://groups.google.com/d/optout.
