Hi,

I was reading about the recent enhancements to the management of server passwords in settings.xml at http://maven.apache.org/guides/mini/guide-encryption.html

A few questions arose around the actual security provided by these enhancements in the context of a build/CI server.

Agreed, this is an enhancement over passwords in clear text in settings.xml, where any developer can run the help:effective-settings goal in a custom build definition to gain access to the passwords configured there on the server. But can it be considered a safe protection in the context of a build server? For instance, what prevents a developer from running a build definition that runs a command through the exec or antrun plugin that outputs the content of the settings-security.xml, thereby compromising the encryption?

Unless I miss the obvious (or the less obvious), I am under the impression that this enhancement makes it harder to get to the passwords, but does not make it impossible (and maybe this was never the goal).

Thank you in advance for your insights/pointers.

-Olivier
