On Thu, Aug 16, 2012 at 6:52 AM, Wayne Fay <wayne...@gmail.com> wrote:
>> Storing your password in plain text in your settings.xml file is sometimes
>> (always?) bad practice.  In that case you should look into encrypting the
>> passwords that are contained therein.  (See
>
> I personally disagree with this if you are using a reasonable
> filesystem with reasonable security norms. This would mean your home
> dir is not world-readable etc if you are on a multi-user system so no
> one should be able to find their way to your ~/.m2/ directory and be
> able to look at your settings.xml file in the first place.
>
> I don't believe the extra work of encrypting those strings is worth a
> whole lot. It is simply security theatre.

The reason it is "security theatre"
(http://en.wikipedia.org/wiki/Security_theater) is because it
"provides the feeling of improved security while doing little or
nothing to actually improve security".

Someone has to be able to use your unencrypted password.
In this case it is Maven, so that means Maven must be capable of
unencrypting the value.

By encrypting the passwords in settings.xml you stop casual users from
looking at the file and seeing the value. (Which is exactly what a
decent operating system with file level permissions provides, and not
letting someone else use your computer).
But a more sophisticated user could grab your file, write a Maven
plugin (or maybe just attach the debugger) and pull out the
unencrypted password.
This is why SSH is a better option: it does not use a single
"key to the kingdom" in the form of a password that can probably be used
everywhere on your corporate network to access other resources.
And access to those other resources is where all the risk is.  The
risk that someone checks something into your SCM as a different user
isn't a risk worth worrying about (for all but the most paranoid of
companies).

Security is about risk trade-offs and
http://en.wikipedia.org/wiki/Bruce_Schneier is a good start to point
people to increase their understanding.

In reality, it's more like http://xkcd.com/538/
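As an added defender-side check (not code from this thread), here is a small shell audit that reports the two properties argued over above: whether the file mode restricts a settings.xml to its owner, and whether its `<password>` entries are plaintext or already in Maven's `{...}` encrypted form. The helper names, the sample file and its encrypted-looking value are constructed for the example.

```shell
# Added audit helper, not code from the thread: what actually protects a
# settings.xml is its file mode; this reports that, plus whether the
# <password> values are stored in the clear or in Maven's {...} form.

# Hypothetical helper: "private" when only the owner can read the file.
perm_status() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    600|400) echo private ;;
    *)       echo exposed ;;
  esac
}

# Hypothetical helper: number of <password> entries that are not {...}.
plaintext_password_count() {
  grep -o '<password>[^<]*</password>' "$1" \
    | { grep -vc '<password>{[^<]*}</password>' || true; }
}

# One-line summary for a settings.xml, e.g. "exposed plaintext=1".
audit_settings() {
  echo "$(perm_status "$1") plaintext=$(plaintext_password_count "$1")"
}

# Constructed sample (not a real settings.xml): one plaintext and one
# encrypted-form server password.
SAMPLE_DIR=$(mktemp -d)
SAMPLE="$SAMPLE_DIR/settings.xml"
cat > "$SAMPLE" <<'EOF'
<settings>
  <servers>
    <server><id>internal-repo</id><username>ci</username>
      <password>hunter2</password></server>
    <server><id>other-repo</id><username>ci</username>
      <password>{COQLCE6DU6GtcS5P=}</password></server>
  </servers>
</settings>
EOF

chmod 644 "$SAMPLE"
echo "before: $(audit_settings "$SAMPLE")"   # exposed plaintext=1
chmod 600 "$SAMPLE"
echo "after:  $(audit_settings "$SAMPLE")"   # private plaintext=1
```

Note that the "after" line still reports one plaintext password: tightening the mode is what keeps other local users out, while the `{...}` form only changes what a casual reader sees, which is the point made above.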
