[jira] [Commented] (SCM-811) m2 release plugin shows SCM git password if fatal occured during git push

Thu, 12 Jun 2025 01:55:08 -0700 


    [ 
https://issues.apache.org/jira/browse/SCM-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17963248#comment-17963248
 ] 

ASF GitHub Bot commented on SCM-811:
------------------------------------

jira-importer commented on issue #1043:
URL: https://github.com/apache/maven-scm/issues/1043#issuecomment-2964640854

   **[Robert 
Scholte](https://issues.apache.org/jira/secure/ViewProfile.jspa?name=rfscholte)**
 commented
   
   IIUC this line is just the output generated by the git client. You could 
parse the output as well, but they are all too specific per SCM client, so you 
should do it per type. If you've seen the code, you'll see there's no 
abstraction layer to handle this.
   




> m2 release plugin shows SCM git password if fatal occured during git push
> -------------------------------------------------------------------------
>
>                 Key: SCM-811
>                 URL: https://issues.apache.org/jira/browse/SCM-811
>             Project: Maven SCM (Moved to GitHub Issues)
>          Issue Type: Improvement
>          Components: maven-scm-provider-gitexe
>    Affects Versions: 1.9.4
>         Environment: RHEL6, Windows
>            Reporter: Vasilii Ruzov
>            Assignee: Olivier Lamy
>            Priority: Major
>             Fix For: 1.9.5
>
>
> I'm running
> mvn release:prepare -Dusername=myuser -Dpassword=mypassword
> and see lines in output:
> {quote}[INFO] Executing: cmd.exe /X /C "git push 
> https://myuser:********@myserver.com:8081/scm/project/project.git 
> refs/heads/master:refs/heads/master"
> {quote}
> but if for some reason git push failed(e.g. I made a mistake typing password) 
> then I see in log
> {quote}
> [ERROR] fatal: unable to access 
> 'https://myuser:mypassw...@myserver.com:8081/scm/project/project.git/': SSL 
> certificate problem: self signed certificate in certificate chain
> {quote}
> So I see *PLAINTEXT* password. As I use this step on Teamcity it causes 
> security problems when someone else can see my password if build failed. I 
> tried both on Linux and Windows machines.
> I use maven-release-plugin version 2.5.3.
> http://stackoverflow.com/questions/33831383/maven-release-plugin-shows-plaintext-password-on-git-push-error



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to