[ 
https://issues.apache.org/jira/browse/MNG-8422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tamas Cservenak updated MNG-8422:
---------------------------------
    Fix Version/s: 4.0.0-rc-2

> mvnenc missing "simple file" option
> -----------------------------------
>
>                 Key: MNG-8422
>                 URL: https://issues.apache.org/jira/browse/MNG-8422
>             Project: Maven
>          Issue Type: Improvement
>            Reporter: James Nord
>            Priority: Minor
>             Fix For: 4.0.0-rc-2
>
>
> the new maven4 mvnenc is a huge step forward in security for password 
> management in settings.xml.
> However if you are only concerned about accidental leaks of passwords then 
> the setup is overkill and combersome.
> the majority of issues I see internally at the $company are where users have 
> some issues with maven and when attempting to diagnose I ask them to 
> screenshare or share a part of their settings file.
> with Maven3 they can do this simply so long as their passwords are encrypted. 
>  
> It is simple to setup and whilst it is not secure (if you can access one file 
> you can access both to get the password) it protects against the vast 
> majority of leaks.
> in order to use encrytped passwords now users need to interact with their OS 
> to persist a password in an environment variable, pass a password on a CLI 
> (properties) or worse interact with GPG! The end result of this will most 
> likely be that they just won't bother (because we are not doing it for 
> security) and leaks will become more common.
> Users migrating from maven3 already have this facility, however users that 
> are new do not.
> This request is to bring back an option to store the master password on a 
> file (along with any warning about it being generally insecure) to protect 
> passwords against *{*}accidental{*}* leakage.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to