On 2021-05-04 at 09:26, Tamás Cservenák wrote:
> Howdy,
>
> plexus-sec-dispatcher is a really widely used dependency, is used in maven
> itself, but also in many shared components and plugins (nb: there are even
> some org.sonatype.plexus:plexus-sec-dispatcher among shared deps!).
>
> Given this module is really maven specific, I see no reason to keep it
> "outside" (in codehaus-plexus org), as I am really unaware of anything else
> using it. Moreover, the module has a single dependency on plexus-cipher.
> Both projects are just a handful of classes.
>
> So, my proposal:
> * create maven-sec-dispatcher project (among maven-shared-components)
> * collapse the two projects (both have a handful of classes,
> plexus-sec-dispatcher and plexus-cipher) in there
> * org.apache.maven.shared:maven-sec-dispatcher becomes a "drop in"
> replacement for org.plexus/org.sonatype.plexus:plexus-sec-dispatcher.
> * bonus, this cuts (transitive) dependencies by one as well

A provocative question from my side: Why do we need this at all? It
gives people a false sense of security (common misconception). You
cannot securely encrypt a password w/o having a key in plaintext
somewhere. This is what we do.
See: https://cwiki.apache.org/confluence/display/TOMCAT/Password
One can apply obfuscation like Jetty supports, but that's pretty much
it. A proper solution is to support external credential stores like
Subversion or Git do.
I would rather prefer this in Maven 4.0.0 and remove in 5.0.0.
Michael