[ https://issues.apache.org/jira/browse/MGPG-108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823592#comment-17823592 ]
ASF GitHub Bot commented on MGPG-108:
-------------------------------------

bmarwell commented on code in PR #77:
URL: https://github.com/apache/maven-gpg-plugin/pull/77#discussion_r1512747503

########## src/site/apt/index.apt.vm: ##########

@@ -40,6 +40,13 @@ ${project.name} General instructions on how to use the GPG Plugin can be found on the {{{./usage.html}usage page}}. Some more specific use cases are described in the examples given below. + By default, plugin will enforce "best practices", and will fail the build if any violation are detected. + In short, this was done to stop users putting secrets (plaintext or quasi-encrypted) in their Maven configuration + files (settings.xml, POMs) or use secrets in a way they leave trace (like in terminal history). In this default mode, + plugin leaves two options to obtain passphrase: use of gpg-agent in interactive sessions, and use of environment + variables in batch/non-interactive sessions. To disable "best practices" and regain full backward compatibility, + configure the plugin accordingly (see goals, look for <<<bestPractices>>> configuration).

Review Comment:
What about CI on non-docker environments? Other users on the system will be able to read the process' environment variables, which is worse than having the password in a configuration file. "best practices" really depends on your environment.

> Update plugin site doco
> -----------------------
>
> Key: MGPG-108
> URL: https://issues.apache.org/jira/browse/MGPG-108
> Project: Maven GPG Plugin
> Issue Type: Task
> Reporter: Tamas Cservenak
> Assignee: Tamas Cservenak
> Priority: Major
> Fix For: 3.2.0
>
>
> Document the latest changes, update examples.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
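Review bot: the paragraph added to src/site/apt/index.apt.vm names the two passphrase sources allowed in the default mode (gpg-agent in interactive sessions, environment variables in batch sessions) but never says which environment variable the plugin reads or links to where that is documented, so a reader cannot act on it; name the variable or point to the usage page next to the <<<bestPractices>>> reference. It would also help to state the assumption behind the environment-variable option (an isolated, non-shared build runner), which the review comment on this hunk questions, so users on shared hosts know the default is a trade-off rather than unconditionally safer than a configuration file. Separately, the new lines need a grammar pass: "plugin will enforce" should be "the plugin will enforce", "if any violation are detected" should be "if any violations are detected", "use secrets in a way they leave trace" should be "use secrets in a way that leaves a trace", and "two options to obtain passphrase" should be "two options to obtain the passphrase".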