[
https://issues.apache.org/jira/browse/MNG-8417?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17904138#comment-17904138
]
Tamas Cservenak edited comment on MNG-8417 at 12/9/24 12:51 PM:
----------------------------------------------------------------
Use alternate settings? Use project level settings? And make user level provide
auth when needed? So many options with Maven4, while I feel you are forcing
Maven3 patterns onto Maven4.
Also, what does "The "deploy to production" script is the only one that's
authorized to decrypt the passwords." even mean? It has own settings with
secrets? If so, what is the problem? If secrets are shared, that I have no idea
what this sentence means.
was (Author: cstamas):
Use alternate settings? Use project level settings? And make user level provide
auth when needed? So many options with Maven4, while I feel you are forcing
Maven3 patterns onto Maven4.
> New encrypted passwords prevent maven from building projects
> ------------------------------------------------------------
>
> Key: MNG-8417
> URL: https://issues.apache.org/jira/browse/MNG-8417
> Project: Maven
> Issue Type: Bug
> Components: Settings
> Affects Versions: 4.0.0-beta-5, 4.0.0-rc-1
> Reporter: Lenny Primak
> Priority: Blocker
>
> When settings.xml contains new-style encrypted passwords, maven will not
> build unless it can decrypt the password.
> The use case is that the passwords are used only for deployment, while 99% of
> the use cases don't require the passwords.
> This forces the users to have to have secure environment variables or other
> ways to get the master password at all times, enhancing security risks
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
