On Wed, 2008-05-21 at 14:14 -0700, Jason van Zyl wrote:
> On 21-May-08, at 1:07 PM, Wendy Smoak wrote:
> 
> > On Tue, May 20, 2008 at 11:15 PM, Jason van Zyl <[EMAIL PROTECTED]>  
> > wrote:
> >
> >> [X] Our team uses HTTP to retrieve our artifacts
> >
> > ... and should be using HTTPS because some repos require
> > authentication.  While we're on the subject, the plain text passwords
> > in settings.xml are a problem (violation of corporate policy that
> > passwords always be encrypted.)
> >
> 
> Oleg implemented a solution in plexus-cipher and I haven't pushed him  
> to give me patches for the rest but I will eventually or someone else  
> can harass him :-) But he's got an encrypted store for passwords.

???

If the passwords are encrypted, then don't you need a password to
decrypt them before use?

Do you maybe mean "obfuscated passwords", e.g. ROT13 encoded, to make them
unreadable to a very casual glance? I hardly think that is worth doing.

The *proper* solution for people or corporations who care about security
is to use a KEY for authentication, not a password. Set up the
<privateKey> entry to point to the key, then use "ssh-agent"/"ssh-add"
to enter the passphrase. No passwords are then needed in plain text
anywhere.

Any corporate policy that claims to be "secure" but still relies on
passwords for authentication instead of keys is just plain stupid, and
time spent supporting that setup is time wasted.

Regards,
Simon
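The settings.xml setup Simon describes, as an added example that is not part of the thread or of Maven's own code: a constructed settings.xml holds one `<server>` entry with a plain-text `<password>` and one that points at a key via `<privateKey>` (with the passphrase left to ssh-agent), and a small check lists the entries that still carry a secret in the clear. The server ids and key path are made up for the demonstration; `<password>`, `<passphrase>` and `<privateKey>` are the real Maven settings.xml elements.

```shell
#!/bin/sh
# Added example (not from the thread): flag Maven <server> entries in a
# settings.xml that still carry a plain-text secret, next to the key-based
# entry the reply recommends. The file contents and server ids below are
# constructed for this demonstration.

# Constructed sample settings.xml: one server authenticates with a
# plain-text password, the other with a private key whose passphrase is
# supplied by ssh-agent rather than stored in the file.
SAMPLE_SETTINGS="$(cat <<'EOF'
<settings>
  <servers>
    <server>
      <id>corp-releases-password</id>
      <username>deploy</username>
      <password>s3cret-in-plain-text</password>
    </server>
    <server>
      <id>corp-releases-key</id>
      <username>deploy</username>
      <privateKey>${user.home}/.ssh/id_rsa</privateKey>
    </server>
  </servers>
</settings>
EOF
)"

# Print the <id> of every <server> block that contains a <password> or a
# <passphrase> element, i.e. a secret sitting in the file in the clear.
# Assumes one element per line, which is how settings.xml is normally written.
plaintext_secret_servers() {
    printf '%s\n' "$1" | awk '
        /<server>/     { id = ""; has_secret = 0 }
        /<id>/         { sub(/.*<id>/, ""); sub(/<\/id>.*/, ""); id = $0 }
        /<password>/   { has_secret = 1 }
        /<passphrase>/ { has_secret = 1 }
        /<\/server>/   { if (has_secret) print id }
    '
}

# Print the <id> of every <server> block that uses a <privateKey> and has
# no plain-text secret beside it: the shape the reply argues for.
key_only_servers() {
    printf '%s\n' "$1" | awk '
        /<server>/     { id = ""; has_key = 0; has_secret = 0 }
        /<id>/         { sub(/.*<id>/, ""); sub(/<\/id>.*/, ""); id = $0 }
        /<privateKey>/ { has_key = 1 }
        /<password>/   { has_secret = 1 }
        /<passphrase>/ { has_secret = 1 }
        /<\/server>/   { if (has_key && !has_secret) print id }
    '
}

# The workflow the reply describes: keep the key encrypted on disk and load
# it once per session so neither Maven nor settings.xml ever sees the
# passphrase (the key path is an assumption for this example):
#   eval "$(ssh-agent -s)"
#   ssh-add ~/.ssh/id_rsa

# When run directly: report the entries that still need cleaning up.
echo "servers with plain-text secrets:"
plaintext_secret_servers "$SAMPLE_SETTINGS"
echo "servers using only a key:"
key_only_servers "$SAMPLE_SETTINGS"
```

Running the script against a real `~/.m2/settings.xml` in place of the constructed sample gives a quick audit of which repository credentials would need to move to key-based authentication before the file can be said to hold no plain-text passwords.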

