ant-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 20208] New: - plaintext passwords only partially moot
Date Sat, 24 May 2003 13:51:28 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20208>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=20208

           Summary: plaintext passwords only partially moot
           Product: Ant
           Version: 1.5.3
          Platform: Other
               URL: http://ant.apache.org/manual/CoreTasks/get.html
        OS/Version: Other
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Documentation
        AssignedTo: dev@ant.apache.org
        ReportedBy: hauser@acm.org


While it is true that https protects plaintext passwords from eavesdroppers when
in transit, there is a secondary risk:
build files typically should be under version control in repositories too. And
by means of such a repository and its backups, this password may well spread
further than otherwise.

Therefore my suggestion 1:
- add a warning
- or even better add a suggested code snippet how to avoid this situation (a
draft of a sample follows at the end of this description - using antcontrib)

2) Also, does the attribute "password" enforce the usage of https or at
least provide a warning? If not, please add this.

------------- draft sample to avoid plaintext passwords in repositories -------
    <if>
        <!-- usage:
             * if the password is "abc" you can give it on the command line:
               ant -Dpw=abc
             * if the password is in the file pw.properties that is not shared (CVS),
               add the line <<password=abc>> to that file and call it
               ant -Dpw=propFile
             * else you will be prompted for a password
        -->
        <isset property="pw"/>
        <then>
            <if>
                <equals arg1="${pw}" arg2="propFile"/>
                <then>
                    <loadproperties srcFile="pw.properties"/>
                </then>
                <else>
                    <property name="password" value="${pw}"/>
                </else>
            </if>
        </then>
        <else>
            <input message="Please enter the password"
                   addproperty="password"/>
            <!-- http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6687
                 or
                 http://developer.java.sun.com/developer/bugParade/bugs/4050435.html
                 re hiding the typed passwd -->
        </else>
    </if>
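
The two points raised in the report (a password literal committed with the build file, and a password sent without https) can be checked mechanically before a build file reaches the repository. The following is an added example, not part of the original bug report or of Ant: the function name `audit_get_tasks` and the sample build file are constructed, and it assumes a password written as a single `${...}` property reference is supplied from outside the build file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample build file (not taken from the bug report).
SAMPLE_BUILD = """\
<project name="demo" default="fetch">
  <target name="fetch">
    <get src="https://example.org/a.jar" dest="a.jar"
         username="build" password="abc"/>
    <get src="http://example.org/b.jar" dest="b.jar"
         username="build" password="${password}"/>
    <get src="https://example.org/c.jar" dest="c.jar"
         username="build" password="${password}"/>
    <get src="${repo.url}/d.jar" dest="d.jar"
         username="build" password="${password}"/>
  </target>
</project>
"""

# A value that is exactly one Ant property reference, e.g. ${password}.
PROPERTY_REF = re.compile(r"^\$\{[^}]+\}$")


def audit_get_tasks(build_xml):
    """Return (src, issue) pairs for <get> tasks that carry a password."""
    findings = []
    for task in ET.fromstring(build_xml).iter("get"):
        password = task.get("password")
        if password is None:
            continue  # no credentials on this task, nothing to check
        src = task.get("src", "")
        # Point 1 of the report: a literal password travels with the file
        # into the repository and its backups.
        if not PROPERTY_REF.match(password):
            findings.append((src, "literal-password"))
        # Point 2 of the report: a password used without https.
        if src.startswith("${"):
            # The scheme is only known at build time; flag for manual review.
            findings.append((src, "scheme-unresolved"))
        elif not src.lower().startswith("https://"):
            findings.append((src, "password-without-https"))
    return findings


if __name__ == "__main__":
    for src, issue in audit_get_tasks(SAMPLE_BUILD):
        print(f"{issue}: {src}")
```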
