[ http://jira.codehaus.org/browse/MNG-4626?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=217143#action_217143 ]

Brendan Lawlor commented on MNG-4626:
-------------------------------------

Brian: Point taken on using https. It just seems like a lot of encryption for a 
little password, but as Paul points out, just a statically encrypted password 
can still be reused (though only in the context of the Artifactory/Nexus 
server). 

Brett: that sums up things pretty well. I'll look into switching over to https 
and see if there is a big performance penalty (potentially nasty for our very 
busy continuous integration engine). In the meantime, it would be very nice if 
the escaping mechanism did what it says on the box (perhaps a separate JIRA for 
that one?)

Many thanks for the replies.

> Avoid cleartext passwords over http
> -----------------------------------
>
>                 Key: MNG-4626
>                 URL: http://jira.codehaus.org/browse/MNG-4626
>             Project: Maven 2 & 3
>          Issue Type: Improvement
>          Components: General
>    Affects Versions: 3.0-alpha-7
>            Reporter: Brendan Lawlor
>
> The current encryption scheme implemented by Maven avoids the use of 
> cleartext passwords on local files by allowing them to be encrypted locally 
> and decrypted just before the maven client requests from or deploys to a 
> central artifact repository.
> I would like to suggest that the Maven team replicate the idea adopted by 
> Artifactory, where passwords are _transmitted_ encrypted, and only decrypted 
> on the server side by the repository. Requests and deployments are made over 
> http and transmitted in the clear. Where the passwords are system passwords 
> integrated to Active Directory or similar using LDAP, this is not an option 
> even within a company's LAN. I like the idea of where Nexus and the Maven 
> development stack in general is going (I listened to Jason's seminar recently 
> and I'm keen on much of where you are going). But passwords in the clear over 
> http are a showstopper, and I'm surprised you haven't already borrowed this 
> idea from the competition.
> Another irritating side effect of Maven's insistence on using cleartext 
> passwords has been mentioned by a colleague of mine in MNG-4611. We currently 
> use Artifactory for EXACTLY this reason (the password encryption), and Maven 
> logs loudly about the fact that the passwords are encrypted.
