cstamas commented on code in PR #77: URL: https://github.com/apache/maven-gpg-plugin/pull/77#discussion_r1512820505
########## src/site/apt/index.apt.vm: ##########

@@ -40,6 +40,13 @@ ${project.name} General instructions on how to use the GPG Plugin can be found on the {{{./usage.html}usage page}}. Some more specific use cases are described in the examples given below. + By default, plugin will enforce "best practices", and will fail the build if any violation are detected. + In short, this was done to stop users putting secrets (plaintext or quasi-encrypted) in their Maven configuration + files (settings.xml, POMs) or use secrets in a way they leave trace (like in terminal history). In this default mode, + plugin leaves two options to obtain passphrase: use of gpg-agent in interactive sessions, and use of environment + variables in batch/non-interactive sessions. To disable "best practices" and regain full backward compatibility, + configure the plugin accordingly (see goals, look for <<<bestPractices>>> configuration).

Review Comment: And no, you would never ever export any env variable (or set on root process) that contains sensitive info, you usually set it on the process that needs it (and it is per def inherited by children, if forking). But this way, once the process finishes, the env variable is gone with it.
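Review bot: The added paragraph tells readers that in batch mode the passphrase comes from "environment variables" but never names which variable the plugin reads, and the pointer "see goals, look for <<<bestPractices>>> configuration" is vague for an index page; name the variable here, or link the relevant goal page the same way the paragraph already links {{{./usage.html}usage page}}. While editing, fix the grammar in the new lines: "plugin will enforce" should be "the plugin enforces", "if any violation are detected" should be "if any violation is detected", and "use secrets in a way they leave trace" should be "using secrets in a way that leaves traces".

The point made in the review comment above, as an added shell example that is not code from the maven-gpg-plugin project or from the PR author: a secret handed to one child process through its environment is gone from the shell once that child exits, whereas an exported variable lingers in the session and its literal value lands in terminal history. It assumes MAVEN_GPG_PASSPHRASE as the variable name the plugin would read in batch mode, and replaces `mvn` with a stand-in child process so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the maven-gpg-plugin project or the PR author.
# It demonstrates the point made in the review: give the secret to the one
# process that needs it, rather than exporting it into the shell's environment.
#
# Assumptions (not taken from the PR text): MAVEN_GPG_PASSPHRASE is used as the
# variable name the plugin would read in batch mode, and `mvn` is replaced by a
# stand-in child process so the script runs offline.

# Stand-in for the build tool: a separate process that prints 1 if the
# passphrase variable reached its environment, 0 otherwise.
PROBE='if [ -n "${MAVEN_GPG_PASSPHRASE:-}" ]; then echo 1; else echo 0; fi'

# What NOT to do (shown as a comment only):
#   export MAVEN_GPG_PASSPHRASE='hunter2'   # literal value in shell history, and
#   mvn verify                              # inherited by every later command

# Scope the secret to a single child. The value is read from a file (mode 0600,
# or a secret manager in CI) so it is never typed on the command line, and the
# assignment prefix places it only in that child's environment, not the parent's.
run_with_passphrase() {
    secret_file="$1"; shift
    MAVEN_GPG_PASSPHRASE="$(cat "$secret_file")" "$@"
}

# Reports whether the calling shell itself currently holds the variable.
parent_holds_secret() {
    if [ -n "${MAVEN_GPG_PASSPHRASE:-}" ]; then echo 1; else echo 0; fi
}

# Demo with a constructed passphrase file (sample input, not a real secret).
demo() {
    umask 077
    f=$(mktemp) || return 1
    printf 'correct horse battery staple\n' > "$f"
    echo "child saw secret:    $(run_with_passphrase "$f" sh -c "$PROBE")"   # 1
    echo "parent holds secret: $(parent_holds_secret)"                       # 0
    rm -f "$f"
}

demo
```

The assignment prefix form is used instead of env(1) on purpose: the shell places the value directly into the child's environment, so it does not appear in the child's argument list, whereas `env VAR=... cmd` briefly exposes it in the process listing of env itself. Reading the value with `$(cat file)` also drops the trailing newline, which is what a passphrase consumer expects.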