[ https://issues.apache.org/jira/browse/MNG-8422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
James Nord updated MNG-8422:
----------------------------
    Description: 
The new maven4 mvnenc is a huge step forward in security for password management in settings.xml.

However if you are only concerned about accidental leaks of passwords then the setup is overkill and cumbersome.

The majority of issues I see internally at the $company are where users have some issues with maven and when attempting to diagnose I ask them to screenshare or share a part of their settings file.

With Maven3 they can do this simply so long as their passwords are encrypted.

It is simple to set up and whilst it is not secure (if you can access one file you can access both to get the password) it protects against the vast majority of leaks.

In order to use encrypted passwords now users need to interact with their OS to persist a password in an environment variable, pass a password on a CLI (properties) or worse interact with GPG! The end result of this will most likely be that they just won't bother (because we are not doing it for security) and leaks will become more common.

Users migrating from maven3 already have this facility, however users that are new do not.

This request is to bring back an option to store the master password on a file (along with any warning about it being generally insecure) to protect passwords against **accidental** leakage.

  was:
The new maven4 mvnenc is a huge step forward in security for password management in settings.xml.

However if you are only concerned about accidental leaks of passwords then the setup is overkill and cumbersome.

The majority of issues I see internally at the $company are where users have some issues with maven and when attempting to diagnose I ask them to screenshare or share a part of their settings file.

With Maven3 they can do this simply so long as their passwords are encrypted.

It is simple to set up and whilst it is not secure (if you can access one file you can access both to get the password) it protects against the vast majority of leaks.

In order to use encrypted passwords now users need to interact with their OS to persist a password in an environment variable, pass a password on a CLI (properties) or worse interact with GPG!

Users migrating from maven3 already have this facility, however users that are new do not.

This request is to bring back an option to store the master password on a file (along with any warning about it being generally insecure) to protect passwords against **accidental** leakage.

> mvnenc missing "simple file" option
> -----------------------------------
>
>                 Key: MNG-8422
>                 URL: https://issues.apache.org/jira/browse/MNG-8422
>             Project: Maven
>          Issue Type: Improvement
>            Reporter: James Nord
>            Priority: Minor
>

-- 
This message was sent by Atlassian Jira
(v8.20.10#820010)