[ https://issues.apache.org/jira/browse/MGPG-108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823614#comment-17823614 ]

ASF GitHub Bot commented on MGPG-108:
-------------------------------------

cstamas commented on code in PR #77:
URL: https://github.com/apache/maven-gpg-plugin/pull/77#discussion_r1512820505


##########
src/site/apt/index.apt.vm:
##########
@@ -40,6 +40,13 @@ ${project.name}
   General instructions on how to use the GPG Plugin can be found on the 
{{{./usage.html}usage page}}. Some more
   specific use cases are described in the examples given below.
 
+  By default, plugin will enforce "best practices", and will fail the build if 
any violation are detected.
+  In short, this was done to stop users putting secrets (plaintext or 
quasi-encrypted) in their Maven configuration
+  files (settings.xml, POMs) or use secrets in a way they leave trace (like in 
terminal history). In this default mode,
+  plugin leaves two options to obtain passphrase: use of gpg-agent in 
interactive sessions, and use of environment
+  variables in batch/non-interactive sessions. To disable "best practices" and 
regain full backward compatibility,
+  configure the plugin accordingly (see goals, look for <<<bestPractices>>> 
configuration).
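Review bot: The new paragraph has grammar slips that a site page should not ship with: "plugin will enforce" should read "the plugin will enforce", "any violation are detected" should be "any violations are detected", "or use secrets in a way they leave trace" should be "or using secrets in a way that leaves traces", and "plugin leaves two options to obtain passphrase" should be "the plugin leaves two options to obtain a passphrase". Beyond wording, the paragraph tells batch users to rely on environment variables without saying which variable the plugin reads or which goal parameter names it; add that, or link the specific parameter next to the <<<bestPractices>>> pointer, so a reader of this page does not have to hunt through the goals documentation.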

Review Comment:
   And no, you would never ever export any env variable (or set on root process) that contains sensitive info, you usually set it on the process that needs it (and is per def inherited by children, if forking). But this way, once the process finishes, the env variable is gone with it.
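The scoping behaviour the comment describes, as an added shell example that is not part of the PR or the plugin: a variable given as an assignment prefix to one command exists only in that child's environment and is gone once the child exits, whereas an exported variable is inherited by every later child of the shell. EXAMPLE_PASSPHRASE is a constructed placeholder name, not the variable the plugin reads.

```shell
#!/bin/sh
# Added example (not from the PR or the plugin): how a per-process environment
# variable differs from an exported one. EXAMPLE_PASSPHRASE is a constructed
# placeholder name, not the variable the plugin reads.

# Hand the value to exactly one child process via an assignment prefix.
# The child sees it; nothing else does.
run_with_scoped_var() {
    EXAMPLE_PASSPHRASE="$1" sh -c 'printf "%s" "${EXAMPLE_PASSPHRASE:-unset}"'
}

# Check the calling shell after the child has exited: the variable was never
# part of this process's environment, so it reads as "unset".
parent_sees_var() {
    printf '%s' "${EXAMPLE_PASSPHRASE:-unset}"
}

# Contrast: an exported variable is inherited by every later child of the
# shell, not just the one that needed it. Done in a subshell so the caller's
# environment stays clean.
exported_var_reaches_all_children() {
    (
        export EXAMPLE_PASSPHRASE="$1"
        first=$(sh -c 'printf "%s" "${EXAMPLE_PASSPHRASE:-unset}"')
        second=$(sh -c 'printf "%s" "${EXAMPLE_PASSPHRASE:-unset}"')
        printf '%s,%s' "$first" "$second"
    )
}

# Stand-alone demonstration with a constructed dummy value.
demo() {
    echo "scoped child sees:      $(run_with_scoped_var s3cret)"
    echo "parent afterwards sees: $(parent_sees_var)"
    echo "exported, two children: $(exported_var_reaches_all_children s3cret)"
}
demo
```

The scoped form limits exposure to one process tree, which is the point of the comment, but it does not by itself address the terminal-history concern raised in the documentation change: a literal value typed on the command line still lands in shell history, so in practice the value is read from a prompt or a secret store into the variable rather than typed inline.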

> Update plugin site doco
> -----------------------
>
>                 Key: MGPG-108
>                 URL: https://issues.apache.org/jira/browse/MGPG-108
>             Project: Maven GPG Plugin
>          Issue Type: Task
>            Reporter: Tamas Cservenak
>            Assignee: Tamas Cservenak
>            Priority: Major
>             Fix For: 3.2.0
>
>
> Document the latest changes, update examples.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)