[jira] Updated: (MNG-4626) Password encryption escaped mechanism doesn't work as advertised

Thu, 08 Apr 2010 00:50:54 -0700 

     [ 
http://jira.codehaus.org/browse/MNG-4626?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Brett Porter updated MNG-4626:
------------------------------

    Summary: Password encryption escaped mechanism doesn't work as advertised  
(was: Avoid cleartext passwords over http)

changed the summary accordingly. I haven't had the chance to test it yet.

> Password encryption escaped mechanism doesn't work as advertised
> ----------------------------------------------------------------
>
>                 Key: MNG-4626
>                 URL: http://jira.codehaus.org/browse/MNG-4626
>             Project: Maven 2 & 3
>          Issue Type: Improvement
>          Components: General
>    Affects Versions: 3.0-alpha-7
>            Reporter: Brendan Lawlor
>
> The current encryption scheme implemented by Maven avoids the use of 
> cleartext passwords on local files by allowing them to be encrypted locally 
> and decrypted just before the maven client requests from or deploys to a 
> central artifact repository.
> I would like to suggest that the Maven team replicate the idea adopted by 
> Artifactory, where passwords are _transmitted_ encrypted, and only decrypted 
> on the server side by the repository. Requests and deployments are made over 
> http and transmitted in the clear. Where the passwords are system passwords 
> integrated to Active Directory or similar using LDAP, this is not an option 
> even within a company's LAN. I like the idea of where Nexus and the Maven 
> development stack in general is going (I listened to Jason's seminar recently 
> and I'm keen on much of where you are going). But passwords in the clear over 
> http is a showstopper and I'm surprised you haven't already borrowed this 
> idea from the competition.
> Another irritating side effect of maven's insistence in using cleartext 
> passwords has been mentioned by a colleague of mine in MNG-4611. We currently 
> use Artifactory for EXACTLY this reason (the password encryption) and maven 
> logs loudly about the fact that the passwords are encrypted.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to