bmarwell commented on code in PR #77: URL: https://github.com/apache/maven-gpg-plugin/pull/77#discussion_r1512747503
########## src/site/apt/index.apt.vm: ########## @@ -40,6 +40,13 @@ ${project.name} General instructions on how to use the GPG Plugin can be found on the {{{./usage.html}usage page}}. Some more specific use cases are described in the examples given below. + By default, plugin will enforce "best practices", and will fail the build if any violation are detected. + In short, this was done to stop users putting secrets (plaintext or quasi-encrypted) in their Maven configuration + files (settings.xml, POMs) or use secrets in a way they leave trace (like in terminal history). In this default mode, + plugin leaves two options to obtain passphrase: use of gpg-agent in interactive sessions, and use of environment + variables in batch/non-interactive sessions. To disable "best practices" and regain full backward compatibility, + configure the plugin accordingly (see goals, look for <<<bestPractices>>> configuration).

Review Comment:
What about CI on non-docker environments? Other users on the system will be able to read the process' environment variables, which is worse than having the password in a configuration file. "best practices" really depends on your environment.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@maven.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
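Review bot: the added paragraph presents environment variables as the recommended passphrase source for batch runs without stating their exposure, which is exactly what the review comment above objects to; the sentence "use of environment variables in batch/non-interactive sessions" should say who can read them (any process running as the same user, and root, plus any CI step that echoes or dumps the environment into build logs) so readers can judge whether that beats a settings.xml entry on their host. Three grammar fixes in the same lines: "plugin will enforce" should read "the plugin will enforce", "if any violation are detected" should read "if any violations are detected", and "use secrets in a way they leave trace" should read "use secrets in a way that leaves a trace". It would also help to name the environment variable the plugin reads in this mode, since the text tells users to rely on it but the hunk never says what it is called.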