[ 
https://issues.apache.org/jira/browse/MNG-8422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17904909#comment-17904909
 ] 

Tamas Cservenak commented on MNG-8422:
--------------------------------------

Is already done on master, where sec dispatcher is updated to latest 4.0.3:
https://github.com/codehaus-plexus/plexus-sec-dispatcher/releases/tag/plexus-sec-dispatcher-4.0.3

> mvnenc missing "simple file" option
> -----------------------------------
>
>                 Key: MNG-8422
>                 URL: https://issues.apache.org/jira/browse/MNG-8422
>             Project: Maven
>          Issue Type: Improvement
>            Reporter: James Nord
>            Priority: Minor
>
> The new maven4 mvnenc is a huge step forward in security for password 
> management in settings.xml.
> However, if you are only concerned about accidental leaks of passwords then 
> the setup is overkill and cumbersome.
> The majority of issues I see internally at the $company are where users have 
> some issues with maven and when attempting to diagnose I ask them to 
> screenshare or share a part of their settings file.
> With Maven3 they can do this simply so long as their passwords are encrypted. 
>  
> It is simple to set up and whilst it is not secure (if you can access one file 
> you can access both to get the password) it protects against the vast 
> majority of leaks.
> In order to use encrypted passwords now users need to interact with their OS 
> to persist a password in an environment variable, pass a password on a CLI 
> (properties) or worse interact with GPG! The end result of this will most 
> likely be that they just won't bother (because we are not doing it for 
> security) and leaks will become more common.
> Users migrating from maven3 already have this facility, however users that 
> are new do not.
> This request is to bring back an option to store the master password on a 
> file (along with any warning about it being generally insecure) to protect 
> passwords against *accidental* leakage.
>  
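The issue above turns on one use case: a settings.xml that is safe to screenshare because its server passwords are stored in Maven's encrypted `{...}` form rather than in plaintext. The following script is an added example, not code from the Jira thread or from the Maven project, that checks a settings.xml for that condition before it is shared and redacts any plaintext passwords it finds. The sample settings document is constructed; the encrypted token shape it assumes (a base64 string inside curly braces, with nothing else in the element) is the common form produced by `mvn --encrypt-password`, while Maven's own parser also accepts escaped braces and surrounding text, which this check deliberately does not try to handle.

```python
"""Flag and redact plaintext <password> entries in a Maven settings.xml
before the file (or a screenshot of it) is shared for troubleshooting."""
import re
import xml.etree.ElementTree as ET

MAVEN_SETTINGS_NS = "http://maven.apache.org/SETTINGS/1.0.0"

# Assumption: an encrypted Maven password is exactly one {base64} token.
# Anything that does not look like that is treated as plaintext.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Constructed sample: one server with an encrypted password, one with plaintext.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>internal-releases</id>
      <username>alice</username>
      <password>{COQLCE6DU6GtcS5P=}</password>
    </server>
    <server>
      <id>internal-snapshots</id>
      <username>alice</username>
      <password>hunter2</password>
    </server>
  </servers>
</settings>
"""


def _local(tag):
    # Strip the XML namespace so both namespaced and bare settings files work.
    return tag.rsplit("}", 1)[-1]


def is_encrypted(value):
    """True if the value has the {base64} shape of a Maven-encrypted password."""
    return bool(ENCRYPTED_RE.match(value.strip()))


def _server_entries(root):
    # Yield (server element, id text, password element) for every <server>.
    for server in root.iter():
        if _local(server.tag) != "server":
            continue
        server_id, password_el = None, None
        for child in server:
            if _local(child.tag) == "id":
                server_id = (child.text or "").strip()
            elif _local(child.tag) == "password":
                password_el = child
        yield server, server_id, password_el


def find_plaintext_passwords(xml_text):
    """Return the ids of servers whose <password> is not in encrypted form."""
    root = ET.fromstring(xml_text)
    findings = []
    for _, server_id, password_el in _server_entries(root):
        if password_el is None:
            continue  # no password stored for this server
        if not is_encrypted(password_el.text or ""):
            findings.append(server_id or "<no id>")
    return findings


def redact(xml_text, placeholder="***REDACTED***"):
    """Return a copy of the settings with plaintext passwords replaced."""
    ET.register_namespace("", MAVEN_SETTINGS_NS)  # keep the default namespace
    root = ET.fromstring(xml_text)
    for _, _, password_el in _server_entries(root):
        if password_el is not None and not is_encrypted(password_el.text or ""):
            password_el.text = placeholder
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    leaks = find_plaintext_passwords(SAMPLE_SETTINGS)
    if leaks:
        print("plaintext passwords found for servers:", ", ".join(leaks))
        print(redact(SAMPLE_SETTINGS))
    else:
        print("no plaintext passwords; safe to share")
```

Run against a real file with `find_plaintext_passwords(open(path).read())`; an empty result means every stored password is at least in the encrypted form the issue describes, which is exactly the property that makes the file safe against the accidental leaks discussed above, and nothing more.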



--
This message was sent by Atlassian Jira
(v8.20.10#820010)