[ 
https://issues.apache.org/jira/browse/MRELEASE-1063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17533319#comment-17533319
 ] 

Hans Aikema commented on MRELEASE-1063:
---------------------------------------

[~michael-o] While I agree that the directly presented scenario does not add a 
security benefit I do see cases where
* ci builder user home cannot be influenced (so a settings-security.xml with a 
master password, or redirection to build-server-admin-writable 
settings-security can not be stored)
* some other secured location can be used to store a settings-security.xml with 
the master-password

in that case still it is a massive nuisance to have to:
1) explicitly specify the location of the settings-security.xml 3 times for a 
maven release command-line
2) having to specify the explicit goals for the release prepare and release 
perform, breaking maven's convention-over-configuration paradigm, as the only 
way to provide maven with the property for the settings-security file is by 
explicitly setting the full goal as maven's release:prepare / release:perform 
invocations do not propagate the properties of the main maven invocation they 
originate from.

As the maven release plugin is responsible for the invocations of the maven 
execution for prepare and perform of the release it should in my view ensure 
that any properties given to the main command are propagated to the (forked?) 
execution for release preparation and release perform.

> Maven release plugin should retain settings.security environment variable for 
> its forked executions of release:prepare and release:perform
> ------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MRELEASE-1063
>                 URL: https://issues.apache.org/jira/browse/MRELEASE-1063
>             Project: Maven Release Plugin
>          Issue Type: Improvement
>    Affects Versions: 2.5.2
>            Reporter: Hans Aikema
>            Priority: Major
>              Labels: up-for-grabs
>             Fix For: waiting-for-feedback, wontfix-candidate
>
>
> While trying to create a build with on-demand local provisioning of the 
> secrets for the technical build-user on the build-slave (removing them 
> directly after their use) I found out the hard way that the Maven-release 
> plugin does not support a custom location for settings-security in the way 
> that is documented at MNG-4853.
> When running
> {{mvn --settings myGeneratedSettings.xml 
> -Dsettings.security=myGeneratedSettings-security.xml -B release:prepare 
> release:perform}}
> The user settings.xml flag is honored (by the fix of MRELEASE-577), but the 
> custom settings-security from the environment variable is lost causing 
> password decryption failures and therefor in the end a release failure when 
> running against a repository that requires authentication.
>  As a workaround one has to change the invocation to
>  either
> {{mvn --settings myGeneratedSettings.xml 
> -Dsettings.security=myGeneratedSettings-security.xml -B release:prepare 
> release:perform -DpreparationGoals="clean verify 
> -Dsettings.security=myGeneratedSettings-security.xml" -Dgoals="deploy 
> site-deploy -Dsettings.security=../../myGeneratedSettings-security.xml"}}
>  or
>  {{mvn --settings myGeneratedSettings.xml 
> -Dsettings.security=myGeneratedSettings-security.xml -B release:prepare 
> release:perform -DpreparationGoals="clean verify 
> -Dsettings.security=myGeneratedSettings-security.xml" -Dgoals="deploy 
> -Dsettings.security=../../myGeneratedSettings-security.xml"}}
> depending on whether there is a site distribution configuration or not.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

Reply via email to