[jira] [Updated] (MGPG-105) Stop propagating bad practices

[Tamas Cservenak (Jira)]

     [ 
https://issues.apache.org/jira/browse/MGPG-105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tamas Cservenak updated MGPG-105:
---------------------------------
    Description: 
Storing any kind of "password-like" things on disk in files is bad (and no, 
SecDispatcher IS a joke).

Passphrase should be acquired only by two means:
 * using gpg-agent (when on workstation locally)
 * using env variables (when on CI where they are set up as "secrets")

~Plugin should in fact FAIL to warn user about presence of any secrets in 
settings/properties/projects. That is wrong way.~

This last stance has been softened (to provide full backward compatibility): by 
default, plugin will fail. Still, introduced {{bestPractice}} configuration 
that IF set to {{false}} makes plugin regain all the "old way" of passphrase 
configuration (but will still warn).

  was:
Storing any kind of "password-like" things on disk in files is bad (and no, 
SecDispatcher IS a joke).

Passphrase should be acquired only by two means:
 * using gpg-agent (when on workstation locally)
 * using env variables (when on CI where they are set up as "secrets")

~~Plugin should in fact FAIL to warn user about presence of any secrets in 
settings/properties/projects. That is wrong way.~~

This last stance has been softened (to provide full backward compatibility): by 
default, plugin will fail. Still, introduced {{bestPractice}} configuration 
that IF set to {{false}} makes plugin regain all the "old way" of passphrase 
configuration (but will still warn).


> Stop propagating bad practices
> ------------------------------
>
>                 Key: MGPG-105
>                 URL: https://issues.apache.org/jira/browse/MGPG-105
>             Project: Maven GPG Plugin
>          Issue Type: Task
>            Reporter: Tamas Cservenak
>            Assignee: Tamas Cservenak
>            Priority: Major
>             Fix For: 3.2.0
>
>
> Storing any kind of "password-like" things on disk in files is bad (and no, 
> SecDispatcher IS a joke).
> Passphrase should be acquired only by two means:
>  * using gpg-agent (when on workstation locally)
>  * using env variables (when on CI where they are set up as "secrets")
> ~Plugin should in fact FAIL to warn user about presence of any secrets in 
> settings/properties/projects. That is wrong way.~
> This last stance has been softened (to provide full backward compatibility): 
> by default, plugin will fail. Still, introduced {{bestPractice}} 
> configuration that IF set to {{false}} makes plugin regain all the "old way" 
> of passphrase configuration (but will still warn).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)