[ https://issues.apache.org/jira/browse/MGPG-105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tamas Cservenak updated MGPG-105: --------------------------------- Summary: Stop propagating bad practices; but allow for "compat mode" (was: Stop propagating bad practices) > Stop propagating bad practices; but allow for "compat mode" > ----------------------------------------------------------- > > Key: MGPG-105 > URL: https://issues.apache.org/jira/browse/MGPG-105 > Project: Maven GPG Plugin > Issue Type: Task > Reporter: Tamas Cservenak > Assignee: Tamas Cservenak > Priority: Major > Fix For: 3.2.0 > > > Storing any kind of "password-like" things on disk in files is bad (and no, > SecDispatcher IS a joke). > Passphrase should be acquired only by two means: > * using gpg-agent (when on workstation locally) > * using env variables (when on CI where they are set up as "secrets") > -Plugin should in fact FAIL to warn user about presence of any secrets in > settings/properties/projects. That is wrong way.- > This last stance has been softened (to provide full backward compatibility): > by default, plugin will fail if those above violated. Still, introduced > {{bestPractice}} configuration that IF set to {{false}} makes plugin regain > all the "old way" of passphrase configuration (but will still warn). -- This message was sent by Atlassian Jira (v8.20.10#820010)