[ https://issues.apache.org/jira/browse/MGPG-105?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tamas Cservenak updated MGPG-105:
---------------------------------
    Description:
Storing any kind of "password-like" things on disk in files is bad (and no, SecDispatcher IS a joke).

Passphrase should be acquired only by two means:
* using gpg-agent (when on workstation locally) either to show a pop-up to ask for the pw or to just ask it non-interactively for the cached password
* using env variables (when on CI where they are set up as "secrets") to go fully off gpg-agent,

-Plugin should in fact FAIL to warn user about presence of any secrets in settings/properties/projects. That is the wrong way.-

This last stance has been softened (to provide full backward compatibility): by default, plugin goes into "compat mode", will not fail if those above are violated. Still, introduced {{bestPractice}} configuration that IF set to {{true}} makes plugin safe, and will fail if these principles are violated.

  was:
Storing any kind of "password-like" things on disk in files is bad (and no, SecDispatcher IS a joke).

Passphrase should be acquired only by two means:
* using gpg-agent (when on workstation locally) either to show a pop-up to ask for the pw or to just ask it non-interactively for the cached password
* using env variables (when on CI where they are set up as "secrets") to go fully off gpg-agent,

-Plugin should in fact FAIL to warn user about presence of any secrets in settings/properties/projects. That is the wrong way.-

This last stance has been softened (to provide full backward compatibility): by default, plugin will fail if those above are violated. Still, introduced {{bestPractice}} configuration that IF set to {{false}} makes plugin regain all the "old way" of passphrase configuration (but will still warn).
> Stop propagating bad practices; but allow for "compat mode"
> -----------------------------------------------------------
>
>                 Key: MGPG-105
>                 URL: https://issues.apache.org/jira/browse/MGPG-105
>             Project: Maven GPG Plugin
>          Issue Type: Improvement
>            Reporter: Tamas Cservenak
>            Assignee: Tamas Cservenak
>            Priority: Major
>             Fix For: 3.2.0
>
>
> Storing any kind of "password-like" things on disk in files is bad (and no,
> SecDispatcher IS a joke).
> Passphrase should be acquired only by two means:
> * using gpg-agent (when on workstation locally) either to show a pop-up to ask
> for the pw or to just ask it non-interactively for the cached password
> * using env variables (when on CI where they are set up as "secrets") to go
> fully off gpg-agent,
> -Plugin should in fact FAIL to warn user about presence of any secrets in
> settings/properties/projects. That is the wrong way.-
> This last stance has been softened (to provide full backward compatibility):
> by default, plugin goes into "compat mode", will not fail if those above are
> violated. Still, introduced {{bestPractice}} configuration that IF set to
> {{true}} makes plugin safe, and will fail if these principles are violated.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
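The policy described in the issue, expressed as a small check a release engineer could run over Maven configuration files. This is an added example, not code from the issue or from the Maven GPG Plugin itself: it scans `settings.xml` / `pom.xml` for passphrase material stored on disk, then applies the two modes the issue describes (compat mode only warns; `bestPractice` set to `true` fails the build). The XML inputs are constructed samples; the `gpg.passphrase` property, the `<passphrase>` plugin parameter and the `MAVEN_GPG_PASSPHRASE` environment variable are assumptions about how the plugin reads a passphrase, while the `bestPractice` element name is the one the issue uses.

```python
"""Added example: detect passphrases stored in Maven config files and apply
the compat-mode vs. bestPractice decision described in MGPG-105.
Not part of the issue or of the Maven GPG Plugin's own code."""
import os
import xml.etree.ElementTree as ET

# Constructed sample settings.xml: a passphrase stored on disk (the bad practice).
SETTINGS_XML = """<settings>
  <profiles>
    <profile>
      <id>release</id>
      <properties>
        <gpg.passphrase>hunter2</gpg.passphrase>
      </properties>
    </profile>
  </profiles>
</settings>"""

# Constructed sample pom.xml: passphrase inlined in the plugin configuration,
# with bestPractice switched on so the plugin should refuse to run.
POM_XML = """<project>
  <build>
    <plugins>
      <plugin>
        <artifactId>maven-gpg-plugin</artifactId>
        <configuration>
          <passphrase>hunter2</passphrase>
          <bestPractice>true</bestPractice>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>"""

# Assumed element names under which a passphrase may be stored in files.
PASSPHRASE_TAGS = {"gpg.passphrase", "passphrase"}
# Assumed name of the CI "secret" environment variable.
ENV_VAR = "MAVEN_GPG_PASSPHRASE"


class BadPracticeError(RuntimeError):
    """Raised when bestPractice is on and a passphrase was found on disk."""


def _local(tag: str) -> str:
    """Strip an XML namespace prefix ({uri}tag -> tag) so real POMs also match."""
    return tag.rsplit("}", 1)[-1]


def find_on_disk_secrets(xml_text: str, source: str) -> list[tuple[str, str]]:
    """Return (file, element path) for every non-empty passphrase element."""
    hits: list[tuple[str, str]] = []

    def walk(el: ET.Element, path: str) -> None:
        name = _local(el.tag)
        here = f"{path}/{name}"
        if name in PASSPHRASE_TAGS and (el.text or "").strip():
            hits.append((source, here))
        for child in el:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return hits


def read_best_practice(pom_xml: str) -> bool:
    """True if any <bestPractice> element in the POM is set to "true"."""
    return any(
        _local(el.tag) == "bestPractice" and (el.text or "").strip().lower() == "true"
        for el in ET.fromstring(pom_xml).iter()
    )


def passphrase_source(env=os.environ) -> str:
    """The two acceptable sources from the issue: env variable on CI, else gpg-agent."""
    return "env" if env.get(ENV_VAR) else "gpg-agent"


def evaluate(hits: list[tuple[str, str]], best_practice: bool) -> str:
    """Compat mode (bestPractice off) warns; bestPractice on fails the build."""
    if not hits:
        return "ok"
    if best_practice:
        raise BadPracticeError(f"passphrase stored on disk: {hits}")
    return "warn"


if __name__ == "__main__":
    findings = find_on_disk_secrets(SETTINGS_XML, "settings.xml")
    findings += find_on_disk_secrets(POM_XML, "pom.xml")
    print("passphrase source would be:", passphrase_source())
    for f in findings:
        print("WARNING: passphrase on disk in", *f)
    try:
        print("result:", evaluate(findings, read_best_practice(POM_XML)))
    except BadPracticeError as e:
        print("FAILED:", e)
```

Run as a script it prints the two findings and then fails, because the sample POM turns `bestPractice` on; with that element removed (or set to `false`) the same findings are reported as warnings only, which is the compat-mode behaviour the issue settles on.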