Avoid cleartext passwords over http
-----------------------------------
Key: MNG-4626
URL: http://jira.codehaus.org/browse/MNG-4626
Project: Maven 2 & 3
Issue Type: Improvement
Components: General
Affects Versions: 3.0-alpha-7
Reporter: Brendan Lawlor
The current encryption scheme implemented by Maven avoids the use of cleartext
passwords on local files by allowing them to be encrypted locally and decrypted
just before the maven client requests from or deploys to a central artifact
repository.
I would like to suggest that the Maven team replicate the idea adopted by
Artifactory, where passwords are _transmitted_ encrypted, and only decrypted on
the server side by the repository. Requests and deployments are made over http
and transmitted in the clear. Where the passwords are system passwords
integrated to Active Directory or similar using LDAP, this is not an option
even within a company's LAN. I like the idea of where Nexus and the Maven
development stack in general is going (I listened to Jason's seminar recently
and I'm keen on much of where you are going). But passwords in the clear over
http is a showstopper and I'm surprised you haven't already borrowed this idea
from the competition.
Another irritating side effect of Maven's insistence on using cleartext
passwords has been mentioned by a colleague of mine in MNG-4611. We currently
use Artifactory for EXACTLY this reason (the password encryption) and Maven
logs loudly about the fact that the passwords are encrypted.
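As an added example (not from the issue or the Maven project), the following audit script illustrates the two risks the report describes: a password that is still cleartext in settings.xml, and credentials that Maven will decrypt and then send over a plain http mirror. It assumes Maven's convention of wrapping an encrypted password in curly braces and that a server id matches the mirror id it authenticates to; the settings.xml content is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample settings.xml: one password encrypted with Maven's
# {...} wrapping, one cleartext, and one mirror served over plain http.
SAMPLE_SETTINGS = """<settings>
  <servers>
    <server><id>corp-releases</id><username>brendan</username>
      <password>{COQLCE6DU6GtcS5P=}</password></server>
    <server><id>corp-snapshots</id><username>brendan</username>
      <password>hunter2</password></server>
  </servers>
  <mirrors>
    <mirror><id>corp-releases</id><url>http://repo.example.internal/releases</url>
      <mirrorOf>central</mirrorOf></mirror>
    <mirror><id>corp-snapshots</id><url>https://repo.example.internal/snapshots</url>
      <mirrorOf>*</mirrorOf></mirror>
  </mirrors>
</settings>"""


def is_encrypted(password):
    """Maven stores an encrypted password as {ciphertext}; anything else is cleartext on disk."""
    return password.startswith("{") and password.endswith("}")


def audit_settings(xml_text):
    """Return (server id, finding) pairs for cleartext-on-disk and cleartext-on-the-wire risks."""
    root = ET.fromstring(xml_text)
    # Map each mirror id to its URL scheme; a server entry with the same id
    # supplies the credentials used against that mirror.
    schemes = {}
    for mirror in root.iterfind("./mirrors/mirror"):
        url = mirror.findtext("url") or ""
        schemes[mirror.findtext("id")] = urlparse(url).scheme
    findings = []
    for server in root.iterfind("./servers/server"):
        sid = server.findtext("id")
        password = server.findtext("password") or ""
        if not password:
            continue
        if not is_encrypted(password):
            findings.append((sid, "cleartext password in settings.xml"))
        # Local encryption does not help here: Maven decrypts before the request,
        # so an http mirror still receives the password in the clear.
        if schemes.get(sid) == "http":
            findings.append((sid, "credentials will be sent in the clear over http"))
    return findings
```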
--
This message is automatically generated by JIRA.