[ https://issues.apache.org/jira/browse/MGPG-105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tamas Cservenak updated MGPG-105: --------------------------------- Description: Storing any kind of "password-like" things on disk in files is bad (and no, SecDispatcher IS a joke). Passphrase should be acquired only by two means: * using gpg-agent (when on workstation locally) * using env variables (when on CI where they are set up as "secrets") ~Plugin should in fact FAIL to warn user about presence of any secrets in settings/properties/projects. That is wrong way.~ This last stance has been softened (to provide full backward compatibility): by default, plugin will fail. Still, introduced {{bestPractice}} configuration that IF set to {{false}} makes plugin regain all the "old way" of passphrase configuration (but will still warn). was: Storing any kind of "password-like" things on disk in files is bad (and no, SecDispatcher IS a joke). Passphrase should be acquired only by two means: * using gpg-agent (when on workstation locally) * using env variables (when on CI where they are set up as "secrets") ~~Plugin should in fact FAIL to warn user about presence of any secrets in settings/properties/projects. That is wrong way.~~ This last stance has been softened (to provide full backward compatibility): by default, plugin will fail. Still, introduced {{bestPractice}} configuration that IF set to {{false}} makes plugin regain all the "old way" of passphrase configuration (but will still warn). > Stop propagating bad practices > ------------------------------ > > Key: MGPG-105 > URL: https://issues.apache.org/jira/browse/MGPG-105 > Project: Maven GPG Plugin > Issue Type: Task > Reporter: Tamas Cservenak > Assignee: Tamas Cservenak > Priority: Major > Fix For: 3.2.0 > > > Storing any kind of "password-like" things on disk in files is bad (and no, > SecDispatcher IS a joke). > Passphrase should be acquired only by two means: > * using gpg-agent (when on workstation locally) > * using env variables (when on CI where they are set up as "secrets") > ~Plugin should in fact FAIL to warn user about presence of any secrets in > settings/properties/projects. That is wrong way.~ > This last stance has been softened (to provide full backward compatibility): > by default, plugin will fail. Still, introduced {{bestPractice}} > configuration that IF set to {{false}} makes plugin regain all the "old way" > of passphrase configuration (but will still warn). -- This message was sent by Atlassian Jira (v8.20.10#820010)