[ 
http://jira.codehaus.org/browse/MNG-4928?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=246852#action_246852
 ] 

Greg Wilkins commented on MNG-4928:
-----------------------------------

Also, a note should be made to anybody who is editing passwords in their 
settings.xml files that many editors keep histories of edits.

For example, I found several instances of my ssh passphrase in .viminfo because 
I had removed it from my settings with a search and replace.

> mvn --encrypt-master-password is insecure
> -----------------------------------------
>
>                 Key: MNG-4928
>                 URL: http://jira.codehaus.org/browse/MNG-4928
>             Project: Maven 2 & 3
>          Issue Type: Bug
>          Components: Command Line
>    Affects Versions: 2.2.1, 3.0, 3.0.1
>            Reporter: Greg Wilkins
>
> gr...@brick: ~
> [506] mvn --encrypt-master-password something-very-very-secret
> {zfC2klZItekHCPGwE+R0JZ2+RjyDlqxP343ThV0R3B5taWEHbI5t+QGfXOZ0mq9j}
> gr...@brick: ~
> [507] history 2
>   506  mvn --encrypt-master-password something-very-very-secret
>   507  history 2
> Commands that take passwords should not accept them from the command line, as 
> they are then visible in history and even in some PS output. They should 
> prompt for passwords with echo turned off.

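The prompting behaviour the issue asks for, plus a check for the leftover copies mentioned in the comment, as an added example in POSIX shell; it is not Maven code and not part of the original thread. The function names `read_secret` and `files_with_secret` are hypothetical.

```shell
#!/bin/sh
# Added example, not Maven code; function names are hypothetical.

# read_secret [PROMPT]: write one secret to stdout without taking it from argv.
# On a terminal it prompts with echo off; otherwise it reads one line of stdin.
read_secret() (
    if [ -t 0 ]; then
        saved=$(stty -g) || exit 1
        trap 'stty "$saved"; exit 130' INT TERM   # never leave echo disabled
        stty -echo
        printf '%s' "${1:-Password: }" >&2
        rc=0; IFS= read -r secret || rc=$?
        stty "$saved"
        printf '\n' >&2                           # the typed newline was not echoed
        [ "$rc" -eq 0 ] || exit 1
    else
        IFS= read -r secret || [ -n "$secret" ] || exit 1
    fi
    [ -n "$secret" ] || exit 1
    printf '%s' "$secret"
)

# files_with_secret FILE...: obtain the secret via read_secret, then print each
# FILE that still contains it (shell history, .viminfo, ...). Matching uses
# shell builtins only, so the secret is never an argument of grep or any other
# process. Exit status: 0 = found, 1 = not found, 2 = no secret given.
files_with_secret() (
    needle=$(read_secret 'Secret to search for: ') || exit 2
    found=1
    for f in "$@"; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                *"$needle"*) printf '%s\n' "$f"; found=0; break ;;
            esac
        done < "$f"
    done
    exit "$found"
)

# Typical call, typed interactively: files_with_secret ~/.viminfo
```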
