http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20208

plaintext passwords only partially moot

           Summary: plaintext passwords only partially moot
           Product: Ant
           Version: 1.5.3
          Platform: Other
               URL: http://ant.apache.org/manual/CoreTasks/get.html
        OS/Version: Other
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Documentation
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


While it is true that https protects plaintext passwords from eavesdroppers when
in transit, there is a secondary risk:
build files typically should be under version control in repositories too. And
by means of such a repository and its backups, this password may well spread
further than otherwise.

Therefore my suggestion 1:
- add a warning
- or even better add a suggested code snippet how to avoid this situation (a
draft of a sample follows at the end of this description - using antcontrib)

2) Also, does the attribute "password" enforce the usage of https or at
least provide a warning? If not, please add this.

------------- draft sample to avoid plaintext passwords in repositories -------
    <if>
        <!-- usage:
            * if the password is "abc" you can give it on the command line:
              ant -Dpw=abc
            * if the password is in the file pw.properties that is not shared
              (CVS), add the line <<password=abc>> to that file and call it
              ant -Dpw=propFile
            * else you will be prompted for a password
        -->
        <isset property="pw"/>
        <then>
            <if>
                <equals arg1="${pw}" arg2="propFile"/>
                <then>
                    <loadproperties srcFile="pw.properties"/>
                </then>
                <else>
                    <property name="password" value="${pw}"/>
                </else>
            </if>
        </then>
        <else>
            <input message="Please enter the password"
                   addproperty="password"/>
            <!-- http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6687
                 or
                 http://developer.java.sun.com/developer/bugParade/bugs/4050435.html
                 re hiding the typed passwd -->
        </else>
    </if>
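
A check covering both risks raised in this report, as an added example that is not part of the original bug report or of Ant: it scans a build file for `<get>` tasks whose `password` is a literal rather than a `${...}` property reference, or whose `src` is not https. The function name `audit_get_tasks`, the finding labels and the sample build file are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample build file (not from the original report).
SAMPLE_BUILD = """\
<project name="demo" default="fetch">
  <target name="fetch">
    <get src="http://example.invalid/a.zip" dest="a.zip"
         username="builder" password="abc"/>
    <get src="https://example.invalid/b.zip" dest="b.zip"
         username="builder" password="${password}"/>
    <get src="${repo.url}/c.zip" dest="c.zip"
         username="builder" password="${password}"/>
    <get src="https://example.invalid/d.zip" dest="d.zip"/>
  </target>
</project>
"""

# A value made up only of ${...} references is resolved at build time,
# so the secret itself is not stored in the versioned build file.
PROPERTY_REF = re.compile(r"^(\$\{[^}]+\})+$")


def audit_get_tasks(build_xml):
    """Return (src, finding) tuples for every <get> that carries a password."""
    findings = []
    for get in ET.fromstring(build_xml).iter("get"):
        password = get.get("password")
        if password is None:
            continue  # no credentials sent by this task
        src = get.get("src", "")
        if not PROPERTY_REF.match(password):
            # Literal secret: it ends up in the repository and its backups.
            findings.append((src, "literal-password"))
        if src.startswith("${"):
            # Scheme depends on a property; it cannot be verified statically.
            findings.append((src, "scheme-unresolved"))
        elif not src.lower().startswith("https://"):
            findings.append((src, "password-without-https"))
    return findings


if __name__ == "__main__":
    # Only the URL and the finding are printed, never the password value.
    for src, finding in audit_get_tasks(SAMPLE_BUILD):
        print(f"{finding}: {src}")
```
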