[jira] [Created] (MRELEASE-931) m2 release plugin shows SCM git password if fatal occured during git push
Vasilii Ruzov created MRELEASE-931:
--
Summary: m2 release plugin shows SCM git password if fatal occured
during git push
Key: MRELEASE-931
URL: https://issues.apache.org/jira/browse/MRELEASE-931
Project: Maven Release Plugin
Issue Type: Bug
Affects Versions: 2.5.3
Environment: RHEL6, Windows
Reporter: Vasilii Ruzov
I'm running
mvn release:prepare -Dusername=myuser -Dpassword=mypassword
and see lines in output:
{quote}[INFO] Executing: cmd.exe /X /C "git push
https://myuser:@myserver.com:8081/scm/project/project.git
refs/heads/master:refs/heads/master"
{quote}
but if for some reason git push failed(e.g. I made a mistake typing password)
then I see in log
{quote}
[ERROR] fatal: unable to access
'https://myuser:mypassw...@myserver.com:8081/scm/project/project.git/': SSL
certificate problem: self signed certificate in certificate chain
{quote}
So I see *PLAINTEXT* password. As I use this step on Teamcity it causes
security problems when someone else can see my password if build failed. I
tried both on Linux and Windows machines.
I use maven-release-plugin version 2.5.3.
http://stackoverflow.com/questions/33831383/maven-release-plugin-shows-plaintext-password-on-git-push-error
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (MRELEASE-931) m2 release plugin shows SCM git password if fatal occured during git push
[
https://issues.apache.org/jira/browse/MRELEASE-931?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15023206#comment-15023206
]
Vasilii Ruzov commented on MRELEASE-931:
[~michael-o], thank you for your reply. I own the server on which the teamcity
buildagent is installed. So I don't have troubles with ps/top/htop and other
unauthorized access. The only problem is exposed log file from teamcity which
contains plaintext passwords.
I have a lot of users, some of them has write access to git, some of them -
not. All of them can run the build so I don't want to show passwords of people
without write access to everybody.
I hope I described my case clearly.
> m2 release plugin shows SCM git password if fatal occured during git push
> -
>
> Key: MRELEASE-931
> URL: https://issues.apache.org/jira/browse/MRELEASE-931
> Project: Maven Release Plugin
> Issue Type: Bug
>Affects Versions: 2.5.3
> Environment: RHEL6, Windows
>Reporter: Vasilii Ruzov
>
> I'm running
> mvn release:prepare -Dusername=myuser -Dpassword=mypassword
> and see lines in output:
> {quote}[INFO] Executing: cmd.exe /X /C "git push
> https://myuser:@myserver.com:8081/scm/project/project.git
> refs/heads/master:refs/heads/master"
> {quote}
> but if for some reason git push failed(e.g. I made a mistake typing password)
> then I see in log
> {quote}
> [ERROR] fatal: unable to access
> 'https://myuser:mypassw...@myserver.com:8081/scm/project/project.git/': SSL
> certificate problem: self signed certificate in certificate chain
> {quote}
> So I see *PLAINTEXT* password. As I use this step on Teamcity it causes
> security problems when someone else can see my password if build failed. I
> tried both on Linux and Windows machines.
> I use maven-release-plugin version 2.5.3.
> http://stackoverflow.com/questions/33831383/maven-release-plugin-shows-plaintext-password-on-git-push-error
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (MRELEASE-931) m2 release plugin shows SCM git password if fatal occured during git push
[
https://issues.apache.org/jira/browse/MRELEASE-931?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15023220#comment-15023220
]
Vasilii Ruzov commented on MRELEASE-931:
[~michael-o] I did. I don't want to put passwords for all of my "writers" to
settings.xml. Because I don't want to manage permissions in 2 places. I have
authorization service of git for this.
> m2 release plugin shows SCM git password if fatal occured during git push
> -
>
> Key: MRELEASE-931
> URL: https://issues.apache.org/jira/browse/MRELEASE-931
> Project: Maven Release Plugin
> Issue Type: Bug
>Affects Versions: 2.5.3
> Environment: RHEL6, Windows
>Reporter: Vasilii Ruzov
>
> I'm running
> mvn release:prepare -Dusername=myuser -Dpassword=mypassword
> and see lines in output:
> {quote}[INFO] Executing: cmd.exe /X /C "git push
> https://myuser:@myserver.com:8081/scm/project/project.git
> refs/heads/master:refs/heads/master"
> {quote}
> but if for some reason git push failed(e.g. I made a mistake typing password)
> then I see in log
> {quote}
> [ERROR] fatal: unable to access
> 'https://myuser:mypassw...@myserver.com:8081/scm/project/project.git/': SSL
> certificate problem: self signed certificate in certificate chain
> {quote}
> So I see *PLAINTEXT* password. As I use this step on Teamcity it causes
> security problems when someone else can see my password if build failed. I
> tried both on Linux and Windows machines.
> I use maven-release-plugin version 2.5.3.
> http://stackoverflow.com/questions/33831383/maven-release-plugin-shows-plaintext-password-on-git-push-error
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (MRELEASE-931) m2 release plugin shows SCM git password if fatal occured during git push
[
https://issues.apache.org/jira/browse/MRELEASE-931?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15024012#comment-15024012
]
Vasilii Ruzov commented on MRELEASE-931:
what do you mean by "incorrect"?
> m2 release plugin shows SCM git password if fatal occured during git push
> -
>
> Key: MRELEASE-931
> URL: https://issues.apache.org/jira/browse/MRELEASE-931
> Project: Maven Release Plugin
> Issue Type: Bug
>Affects Versions: 2.5.3
> Environment: RHEL6, Windows
>Reporter: Vasilii Ruzov
>
> I'm running
> mvn release:prepare -Dusername=myuser -Dpassword=mypassword
> and see lines in output:
> {quote}[INFO] Executing: cmd.exe /X /C "git push
> https://myuser:@myserver.com:8081/scm/project/project.git
> refs/heads/master:refs/heads/master"
> {quote}
> but if for some reason git push failed(e.g. I made a mistake typing password)
> then I see in log
> {quote}
> [ERROR] fatal: unable to access
> 'https://myuser:mypassw...@myserver.com:8081/scm/project/project.git/': SSL
> certificate problem: self signed certificate in certificate chain
> {quote}
> So I see *PLAINTEXT* password. As I use this step on Teamcity it causes
> security problems when someone else can see my password if build failed. I
> tried both on Linux and Windows machines.
> I use maven-release-plugin version 2.5.3.
> http://stackoverflow.com/questions/33831383/maven-release-plugin-shows-plaintext-password-on-git-push-error
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (MRELEASE-931) m2 release plugin shows SCM git password if fatal occured during git push
[
https://issues.apache.org/jira/browse/MRELEASE-931?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15024014#comment-15024014
]
Vasilii Ruzov commented on MRELEASE-931:
I don't want to see password in any input.
> m2 release plugin shows SCM git password if fatal occured during git push
> -
>
> Key: MRELEASE-931
> URL: https://issues.apache.org/jira/browse/MRELEASE-931
> Project: Maven Release Plugin
> Issue Type: Bug
>Affects Versions: 2.5.3
> Environment: RHEL6, Windows
>Reporter: Vasilii Ruzov
>
> I'm running
> mvn release:prepare -Dusername=myuser -Dpassword=mypassword
> and see lines in output:
> {quote}[INFO] Executing: cmd.exe /X /C "git push
> https://myuser:@myserver.com:8081/scm/project/project.git
> refs/heads/master:refs/heads/master"
> {quote}
> but if for some reason git push failed(e.g. I made a mistake typing password)
> then I see in log
> {quote}
> [ERROR] fatal: unable to access
> 'https://myuser:mypassw...@myserver.com:8081/scm/project/project.git/': SSL
> certificate problem: self signed certificate in certificate chain
> {quote}
> So I see *PLAINTEXT* password. As I use this step on Teamcity it causes
> security problems when someone else can see my password if build failed. I
> tried both on Linux and Windows machines.
> I use maven-release-plugin version 2.5.3.
> http://stackoverflow.com/questions/33831383/maven-release-plugin-shows-plaintext-password-on-git-push-error
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (MRELEASE-931) m2 release plugin shows SCM git password if fatal occured during git push
[
https://issues.apache.org/jira/browse/MRELEASE-931?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15026308#comment-15026308
]
Vasilii Ruzov commented on MRELEASE-931:
output, yes.
> m2 release plugin shows SCM git password if fatal occured during git push
> -
>
> Key: MRELEASE-931
> URL: https://issues.apache.org/jira/browse/MRELEASE-931
> Project: Maven Release Plugin
> Issue Type: Bug
>Affects Versions: 2.5.3
> Environment: RHEL6, Windows
>Reporter: Vasilii Ruzov
>
> I'm running
> mvn release:prepare -Dusername=myuser -Dpassword=mypassword
> and see lines in output:
> {quote}[INFO] Executing: cmd.exe /X /C "git push
> https://myuser:@myserver.com:8081/scm/project/project.git
> refs/heads/master:refs/heads/master"
> {quote}
> but if for some reason git push failed(e.g. I made a mistake typing password)
> then I see in log
> {quote}
> [ERROR] fatal: unable to access
> 'https://myuser:mypassw...@myserver.com:8081/scm/project/project.git/': SSL
> certificate problem: self signed certificate in certificate chain
> {quote}
> So I see *PLAINTEXT* password. As I use this step on Teamcity it causes
> security problems when someone else can see my password if build failed. I
> tried both on Linux and Windows machines.
> I use maven-release-plugin version 2.5.3.
> http://stackoverflow.com/questions/33831383/maven-release-plugin-shows-plaintext-password-on-git-push-error
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (MRELEASE-931) m2 release plugin shows SCM git password if fatal occured during git push
[
https://issues.apache.org/jira/browse/MRELEASE-931?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15026310#comment-15026310
]
Vasilii Ruzov commented on MRELEASE-931:
try to read everything again and look at the problem I described. problem is
not in the cert but the PLAINTEXT PASSWORD in log in case of git failure
> m2 release plugin shows SCM git password if fatal occured during git push
> -
>
> Key: MRELEASE-931
> URL: https://issues.apache.org/jira/browse/MRELEASE-931
> Project: Maven Release Plugin
> Issue Type: Bug
>Affects Versions: 2.5.3
> Environment: RHEL6, Windows
>Reporter: Vasilii Ruzov
>
> I'm running
> mvn release:prepare -Dusername=myuser -Dpassword=mypassword
> and see lines in output:
> {quote}[INFO] Executing: cmd.exe /X /C "git push
> https://myuser:@myserver.com:8081/scm/project/project.git
> refs/heads/master:refs/heads/master"
> {quote}
> but if for some reason git push failed(e.g. I made a mistake typing password)
> then I see in log
> {quote}
> [ERROR] fatal: unable to access
> 'https://myuser:mypassw...@myserver.com:8081/scm/project/project.git/': SSL
> certificate problem: self signed certificate in certificate chain
> {quote}
> So I see *PLAINTEXT* password. As I use this step on Teamcity it causes
> security problems when someone else can see my password if build failed. I
> tried both on Linux and Windows machines.
> I use maven-release-plugin version 2.5.3.
> http://stackoverflow.com/questions/33831383/maven-release-plugin-shows-plaintext-password-on-git-push-error
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Comment Edited] (MRELEASE-931) m2 release plugin shows SCM git password if fatal occured during git push
[
https://issues.apache.org/jira/browse/MRELEASE-931?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15026310#comment-15026310
]
Vasilii Ruzov edited comment on MRELEASE-931 at 11/25/15 6:53 AM:
--
try to read everything again and look at the problem I described. problem is
not in the cert but the PLAINTEXT PASSWORD in log in case of git failure. ssl
cert problem is just a simulation to show the exact output when git fails
was (Author: ruzovas):
try to read everything again and look at the problem I described. problem is
not in the cert but the PLAINTEXT PASSWORD in log in case of git failure
> m2 release plugin shows SCM git password if fatal occured during git push
> -
>
> Key: MRELEASE-931
> URL: https://issues.apache.org/jira/browse/MRELEASE-931
> Project: Maven Release Plugin
> Issue Type: Bug
>Affects Versions: 2.5.3
> Environment: RHEL6, Windows
>Reporter: Vasilii Ruzov
>
> I'm running
> mvn release:prepare -Dusername=myuser -Dpassword=mypassword
> and see lines in output:
> {quote}[INFO] Executing: cmd.exe /X /C "git push
> https://myuser:@myserver.com:8081/scm/project/project.git
> refs/heads/master:refs/heads/master"
> {quote}
> but if for some reason git push failed(e.g. I made a mistake typing password)
> then I see in log
> {quote}
> [ERROR] fatal: unable to access
> 'https://myuser:mypassw...@myserver.com:8081/scm/project/project.git/': SSL
> certificate problem: self signed certificate in certificate chain
> {quote}
> So I see *PLAINTEXT* password. As I use this step on Teamcity it causes
> security problems when someone else can see my password if build failed. I
> tried both on Linux and Windows machines.
> I use maven-release-plugin version 2.5.3.
> http://stackoverflow.com/questions/33831383/maven-release-plugin-shows-plaintext-password-on-git-push-error
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (SCM-811) m2 release plugin shows SCM git password if fatal occured during git push
[
https://issues.apache.org/jira/browse/SCM-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15027545#comment-15027545
]
Vasilii Ruzov commented on SCM-811:
---
No sure, but now I switched to jgit scm provider and I don't see password
anymore.
> m2 release plugin shows SCM git password if fatal occured during git push
> -
>
> Key: SCM-811
> URL: https://issues.apache.org/jira/browse/SCM-811
> Project: Maven SCM
> Issue Type: Improvement
> Components: maven-scm-provider-git
>Affects Versions: 1.9.4
> Environment: RHEL6, Windows
>Reporter: Vasilii Ruzov
>
> I'm running
> mvn release:prepare -Dusername=myuser -Dpassword=mypassword
> and see lines in output:
> {quote}[INFO] Executing: cmd.exe /X /C "git push
> https://myuser:@myserver.com:8081/scm/project/project.git
> refs/heads/master:refs/heads/master"
> {quote}
> but if for some reason git push failed(e.g. I made a mistake typing password)
> then I see in log
> {quote}
> [ERROR] fatal: unable to access
> 'https://myuser:mypassw...@myserver.com:8081/scm/project/project.git/': SSL
> certificate problem: self signed certificate in certificate chain
> {quote}
> So I see *PLAINTEXT* password. As I use this step on Teamcity it causes
> security problems when someone else can see my password if build failed. I
> tried both on Linux and Windows machines.
> I use maven-release-plugin version 2.5.3.
> http://stackoverflow.com/questions/33831383/maven-release-plugin-shows-plaintext-password-on-git-push-error
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (SCM-811) m2 release plugin shows SCM git password if fatal occured during git push
[
https://issues.apache.org/jira/browse/SCM-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15027573#comment-15027573
]
Vasilii Ruzov commented on SCM-811:
---
Yes, you're right. I see password in line generated by git-client. I've done
some investigation and found that the message I see is the message from
ScmResult, where clean text password is in commandOutput field. So I think the
value of this field should be masked too
> m2 release plugin shows SCM git password if fatal occured during git push
> -
>
> Key: SCM-811
> URL: https://issues.apache.org/jira/browse/SCM-811
> Project: Maven SCM
> Issue Type: Improvement
> Components: maven-scm-provider-git
>Affects Versions: 1.9.4
> Environment: RHEL6, Windows
>Reporter: Vasilii Ruzov
>
> I'm running
> mvn release:prepare -Dusername=myuser -Dpassword=mypassword
> and see lines in output:
> {quote}[INFO] Executing: cmd.exe /X /C "git push
> https://myuser:@myserver.com:8081/scm/project/project.git
> refs/heads/master:refs/heads/master"
> {quote}
> but if for some reason git push failed(e.g. I made a mistake typing password)
> then I see in log
> {quote}
> [ERROR] fatal: unable to access
> 'https://myuser:mypassw...@myserver.com:8081/scm/project/project.git/': SSL
> certificate problem: self signed certificate in certificate chain
> {quote}
> So I see *PLAINTEXT* password. As I use this step on Teamcity it causes
> security problems when someone else can see my password if build failed. I
> tried both on Linux and Windows machines.
> I use maven-release-plugin version 2.5.3.
> http://stackoverflow.com/questions/33831383/maven-release-plugin-shows-plaintext-password-on-git-push-error
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Created] (MASSEMBLY-798) AbstractAssemblyMojo.getClassifier() always returns null
Vasilii Ruzov created MASSEMBLY-798: --- Summary: AbstractAssemblyMojo.getClassifier() always returns null Key: MASSEMBLY-798 URL: https://issues.apache.org/jira/browse/MASSEMBLY-798 Project: Maven Assembly Plugin Issue Type: Bug Affects Versions: 2.6 Reporter: Vasilii Ruzov AbstractAssemblyMojo.getClassifier() always returns null in spite of a fact I did set it in configuration -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SCM-811) m2 release plugin shows SCM git password if fatal occured during git push
[
https://issues.apache.org/jira/browse/SCM-811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15306389#comment-15306389
]
Vasilii Ruzov commented on SCM-811:
---
Where can I find the release plan? When 1.9.5 becomes available?
> m2 release plugin shows SCM git password if fatal occured during git push
> -
>
> Key: SCM-811
> URL: https://issues.apache.org/jira/browse/SCM-811
> Project: Maven SCM
> Issue Type: Improvement
> Components: maven-scm-provider-git
>Affects Versions: 1.9.4
> Environment: RHEL6, Windows
>Reporter: Vasilii Ruzov
>Assignee: Olivier Lamy (*$^¨%`£)
> Fix For: 1.9.5
>
>
> I'm running
> mvn release:prepare -Dusername=myuser -Dpassword=mypassword
> and see lines in output:
> {quote}[INFO] Executing: cmd.exe /X /C "git push
> https://myuser:@myserver.com:8081/scm/project/project.git
> refs/heads/master:refs/heads/master"
> {quote}
> but if for some reason git push failed(e.g. I made a mistake typing password)
> then I see in log
> {quote}
> [ERROR] fatal: unable to access
> 'https://myuser:mypassw...@myserver.com:8081/scm/project/project.git/': SSL
> certificate problem: self signed certificate in certificate chain
> {quote}
> So I see *PLAINTEXT* password. As I use this step on Teamcity it causes
> security problems when someone else can see my password if build failed. I
> tried both on Linux and Windows machines.
> I use maven-release-plugin version 2.5.3.
> http://stackoverflow.com/questions/33831383/maven-release-plugin-shows-plaintext-password-on-git-push-error
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
