[ https://issues.apache.org/jira/browse/MNG-5438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17020981#comment-17020981 ]

Ed Randall edited comment on MNG-5438 at 1/22/20 11:56 AM:
-----------------------------------------------------------

MNG-4853 already gave us -Dsettings.security=path/to/settings-security.xml, so any security breach is already present.

The system actually becomes _less_ secure if we are forced to keep settings.xml and settings-security.xml in the same directory (even if permissions are tightened).

We would like the ability to keep them separate in different locations so the permissions on settings-security.xml can be locked down rather more tightly (accessible by CI user only).

This would allow developers to be allowed to view settings.xml whilst storing security-settings.xml safely out of the way.

Even then, anyone wanting to see the passwords in the clear can always run this job on the CI system:

{{mvn help:effective-settings -DshowPasswords=true}}


was (Author: edrandall):
MNG-4853 already gave us -Dsettings.security=path/to/settings-security.xml, so any security breach is already present.

The system actually becomes less secure if we are forced to keep settings.xml and settings-security.xml in the same directory.

We would like the ability to keep them separate in different locations so the permissions on settings-security.xml can be locked down rather more tightly (accessible by CI user only).

This would allow developers to be allowed to view settings.xml whilst storing security-settings.xml safely out of the way.

Even then, anyone wanting to see the passwords in the clear can always run this job on the CI system:

{{mvn help:effective-settings -DshowPasswords=true}}

> cli parameter to use a custom path settings-security.xml
> --------------------------------------------------------
>
>                 Key: MNG-5438
>                 URL: https://issues.apache.org/jira/browse/MNG-5438
>             Project: Maven
>          Issue Type: New Feature
>          Components: Command Line
>    Affects Versions: 3.0.4, 3.0.5
>            Reporter: Sarah Haselbauer
>            Priority: Major
>             Fix For: 3.7.0-candidate, 3.x / Backlog
>
>         Attachments: MNG-5438-maven-embedder.patch, apache-maven-3.0.4-ssec-bin.tar.gz, apache-maven-3.0.4-ssec-bin.zip, maven-3.0.4-0001-added-ssec-as-cli-param-so-that-you-have-the-same-fl.patch, maven-latest-0001-added-ssec-as-cli-param-so-that-you-have-the-same-fl.patch
>
>
> Added -ssec as cli param, so that you have the same flexibility to place your settings-security.xml as you have to point to a custom settings.xml file
> mvn -s /path/to/my/custom/settings.xml -ssec /path/to/my/custom/settings-security.xml
> I attached two patches: one that can be run on the maven-3.0.4 tag and one that can be run on trunk (latest code state of today).
> I also attached a maven-3.0.4-bin.zip (linux) so you can quickly try out the feature and test it yourself.
> If you like the idea, I would welcome to have this feature merged into one of the next releases. I need it to write a puppet-maven module that allows to download artifacts from maven repositories with encrypted passwords in the puppet recipe.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
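
The layout argued for in the comment above (settings.xml viewable by developers, settings-security.xml kept elsewhere and readable by the CI user only) can be audited before a build runs. This is an added example, not Maven code or part of the issue; the function names and the three checks are assumptions about what a CI pre-flight script might enforce.

```shell
#!/bin/sh
# Added example (not Maven code): audit where settings-security.xml lives.
# Returns 0 when it is kept apart from settings.xml and is owner-only;
# prints each finding and returns 1 otherwise.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
perm_bits() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_maven_secret_layout() {
    settings=$1   # file given to `mvn -s`
    security=$2   # file given via -Dsettings.security=
    rc=0

    [ -f "$security" ] || { echo "missing: $security"; return 1; }

    # 1. The master-password file must not share a directory with settings.xml.
    sdir=$(cd "$(dirname "$settings")" && pwd -P)
    kdir=$(cd "$(dirname "$security")" && pwd -P)
    if [ "$sdir" = "$kdir" ]; then
        echo "same directory as settings.xml: $kdir"
        rc=1
    fi

    # 2. No group/other permission bits on the master-password file.
    mode=$(perm_bits "$security")
    case $mode in
        0|*00) ;;
        *) echo "too permissive ($mode): $security"; rc=1 ;;
    esac

    # 3. Its directory must not be group/other writable, or the file
    #    could be swapped out by another account.
    dmode=$(perm_bits "$kdir")
    case $dmode in
        *[2367]?|*[2367]) echo "directory writable by others ($dmode): $kdir"; rc=1 ;;
    esac

    return $rc
}
```

File permissions only cover direct reads; as the comment notes, anyone able to run jobs as the CI user can still have the passwords printed.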