James Nord created MNG-8422:
-------------------------------
Summary: mvnenc missing "simple file" option
Key: MNG-8422
URL: https://issues.apache.org/jira/browse/MNG-8422
Project: Maven
Issue Type: Improvement
Reporter: James Nord
The new Maven 4 mvnenc is a huge step forward in security for password
management in settings.xml.
However, if you are only concerned about accidental leaks of passwords then the
setup is overkill and cumbersome.
The majority of issues I see internally at the $company are where users have
some issues with Maven and, when attempting to diagnose, I ask them to
screenshare or share a part of their settings file.
With Maven 3 they can do this simply so long as their passwords are encrypted.
It is simple to set up and whilst it is not secure (if you can access one file
you can access both to get the password) it protects against the vast majority
of leaks.
In order to use encrypted passwords now, users need to interact with their OS to
persist a password in an environment variable, pass a password on a CLI
(properties) or, worse, interact with GPG!
Users migrating from Maven 3 already have this facility; however, users that are
new do not.
This request is to bring back an option to store the master password on a file
(along with any warning about it being generally insecure) to protect passwords
against **accidental** leakage.