[ http://jira.codehaus.org/browse/MNG-553?page=all ]
Jason van Zyl updated MNG-553:
------------------------------
Description:
This was a question pose to the Maven User's Group and it was suggested I add
it here.
It would be benefitial to provide a more secure means of storing password's to
the servers listed in the .m2/settings.xml. They are currently being stored as
plain text and could definately be considered a security breach. Numerous
organizations would undoubtedly considered this an unacceptable security risk,
and this could prevent widespread adoption of Maven2.
I would suggest leaving an option to encrypt the password into the settings
file (more secure, but not foolproof) or even requiring the password to be
manually provided per build (would prevent automation of builds). I am sure
that there is a secure solution to this problem and it should be part of the
2.0 release.
was:
This was a question pose to the Maven User's Group and it was suggested I add
it here.
It would be benefitial to provide a more secure means of storing password's to
the servers listed in the .m2/settings.xml. They are currently being stored as
plain text and could definately be considered a security breach. Numerous
organizations would undoubtedly considered this an unacceptable security risk,
and this could prevent widespread adoption of Maven2.
I would suggest leaving an option to encrypt the password into the settings
file (more secure, but not foolproof) or even requiring the password to be
manually provided per build (would prevent automation of builds). I am sure
that there is a secure solution to this problem and it should be part of the
2.0 release.
Fix Version: 2.0-beta-1
I'm just putting this in the queue to be dealt with. I'm not sure if we'll be
able to get to this for beta-1but security is a real concern even though we are
pushing just to flesh out core features at the moment.
> Secure Storage of Server Passwords
> ----------------------------------
>
> Key: MNG-553
> URL: http://jira.codehaus.org/browse/MNG-553
> Project: Maven 2
> Type: Improvement
> Versions: 2.0-alpha-3
> Environment: Although it may not be relevant since this is a general
> improvement issue, Windows XP, JDK 1.4.1.
> Reporter: J. Michael McGarr
> Fix For: 2.0-beta-1
>
>
> This was a question pose to the Maven User's Group and it was suggested I add
> it here.
> It would be benefitial to provide a more secure means of storing password's
> to the servers listed in the .m2/settings.xml. They are currently being
> stored as plain text and could definately be considered a security breach.
> Numerous organizations would undoubtedly considered this an unacceptable
> security risk, and this could prevent widespread adoption of Maven2.
> I would suggest leaving an option to encrypt the password into the settings
> file (more secure, but not foolproof) or even requiring the password to be
> manually provided per build (would prevent automation of builds). I am sure
> that there is a secure solution to this problem and it should be part of the
> 2.0 release.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
