[ https://issues.apache.org/jira/browse/MGPG-105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17822989#comment-17822989 ]
ASF GitHub Bot commented on MGPG-105:
-------------------------------------

cstamas opened a new pull request, #71:
URL: https://github.com/apache/maven-gpg-plugin/pull/71

   Storing any kind of "secret" on disk is bad.

   This change makes passphrase possible to come in two ways:
   * if interactive, via gpg-agent (as before)
   * if non-interactive, via Env variable

   Plugin from now on FAILS, if there is any kind of "secret" attempted to be configured in any other way than those two above.

   ---

   https://issues.apache.org/jira/browse/MGPG-105

> Stop propagating bad practices
> ------------------------------
>
>                 Key: MGPG-105
>                 URL: https://issues.apache.org/jira/browse/MGPG-105
>             Project: Maven GPG Plugin
>          Issue Type: Task
>            Reporter: Tamas Cservenak
>            Assignee: Tamas Cservenak
>            Priority: Major
>             Fix For: 3.2.0
>
>
> Storing any kind of "password-like" things on disk in files is bad (and no,
> SecDispatcher IS a joke).
> Passphrase should be acquired only by two means:
> * using gpg-agent (when on workstation locally)
> * using env variables (when on CI where they are set up as "secrets")
> Plugin should in fact FAIL to warn user about presence of any secrets in
> settings/properties/projects. That is the wrong way.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
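The policy described in this message, sketched as a pre-build check. This is an added example, not code from the pull request or the plugin: it fails when a passphrase is present in a POM or settings file and otherwise reports whether gpg-agent or an environment variable must supply it. The function names, the sample XML and the default variable name `MAVEN_GPG_PASSPHRASE` are assumptions.

```python
import xml.etree.ElementTree as ET

# Names of maven-gpg-plugin settings that carry a passphrase: the
# `gpg.passphrase` property and the `passphrase` parameter / settings.xml field.
SECRET_TAGS = {"gpg.passphrase", "passphrase"}

# Constructed sample inputs (not taken from any real project).
POM_WITH_SECRET = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><gpg.passphrase>constructed-value</gpg.passphrase></properties>
</project>"""
SETTINGS_CLEAN = """<settings><servers>
  <server><id>example-repo</id><username>ci</username></server>
</servers></settings>"""

def find_disk_secrets(xml_text, source):
    """Return 'source:/path' for every non-empty passphrase-like element."""
    hits = []
    def walk(node, path):
        name = node.tag.rsplit("}", 1)[-1]      # drop the XML namespace
        path = f"{path}/{name}"
        if name in SECRET_TAGS and (node.text or "").strip():
            hits.append(f"{source}:{path}")
        for child in node:
            walk(child, path)
    walk(ET.fromstring(xml_text), "")
    return hits

def passphrase_source(configs, env, interactive, env_name="MAVEN_GPG_PASSPHRASE"):
    """Fail on any on-disk passphrase, else say where it must come from.

    env_name is an assumed variable name; pass the one your build uses.
    """
    hits = [h for src, text in configs.items()
            for h in find_disk_secrets(text, src)]
    if hits:
        raise RuntimeError("passphrase configured on disk: " + ", ".join(hits))
    if interactive:
        return "gpg-agent"
    if not env.get(env_name):
        raise RuntimeError(f"non-interactive build but {env_name} is not set")
    return f"env:{env_name}"

if __name__ == "__main__":
    print(passphrase_source({"settings.xml": SETTINGS_CLEAN},
                            {"MAVEN_GPG_PASSPHRASE": "x"}, interactive=False))
```

The scan is strict on purpose: any non-empty value in those elements counts, including a property reference, so a file that merely forwards a secret is reported too.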