commons-commits mailing list archives

From s...@apache.org
Subject svn commit: r1653847 - /commons/cms-site/trunk/content/xdoc/releases/prepare.xml
Date Thu, 22 Jan 2015 13:18:41 GMT
Author: sebb
Date: Thu Jan 22 13:18:41 2015
New Revision: 1653847

URL: http://svn.apache.org/r1653847
Log:
More GPG stuff

Modified:
    commons/cms-site/trunk/content/xdoc/releases/prepare.xml

Modified: commons/cms-site/trunk/content/xdoc/releases/prepare.xml
URL: http://svn.apache.org/viewvc/commons/cms-site/trunk/content/xdoc/releases/prepare.xml?rev=1653847&r1=1653846&r2=1653847&view=diff
==============================================================================
--- commons/cms-site/trunk/content/xdoc/releases/prepare.xml (original)
+++ commons/cms-site/trunk/content/xdoc/releases/prepare.xml Thu Jan 22 13:18:41 2015
@@ -563,8 +563,16 @@
       <p>This will PGP-sign all artifacts and upload them to a new staging repository,
Nexus itself will create MD5
         and SHA1 checksums for all files that have been uploaded.</p>
       <p>A known problem is that gpg signing may fail if the gpg plugin tries to read
the passphrase interactively.
-        It works if you specify the passphrase when invoking mvn (<code>-Dgpg.passphrase=***</code>)
or run
-        <code>gpg-agent</code> before starting mvn.</p>
+        It works if you specify the passphrase when invoking mvn (<code>-Dgpg.passphrase=***</code>)
+        -- this is not recommended as it may expose the plain password in process lists or
shell history files --
+        or run <code>gpg-agent</code> before starting mvn.</p>
+      <p>Version 1.6 of the GPG plugin supports storage of the password using 
+      <a href="http://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html#passphraseServerId">Maven
password encryption</a>
+      This uses the server id of <code>gpg.passphrase</code> by default.
+      However Maven encryption is not inherently safe unless the master password is secured
in some way.
+      For example by storing the security.xml file in a password-protected OS file or on
removable storage.
+      Note that recovering from a compromised GPG key is not easy, so the password needs
to be very carefully guarded. 
+      </p>
       <p>Unfortunately this uploads more than should be part of the Maven repository,
in particular the binary and source
         distribution <code>.tar.gz</code> and <code>.zip</code> files
are there as well.  Before you
         <a href="http://www.apache.org/dev/publishing-maven-artifacts.html#close-stage">close</a>
the staging
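Review bot: in the added paragraph starting "Version 1.6 of the GPG plugin", the sentence ending with the "Maven password encryption" link has no full stop after </a>, so "encryption This uses the server id" runs together; the same paragraph also alternates between "password" and "passphrase" for one secret, and names the file to protect as "security.xml" while the Maven master-password file is ~/.m2/settings-security.xml. "a password-protected OS file" is unclear too, since the following clause (removable storage) is the concrete advice. Suggest something like: "This uses the server id of <code>gpg.passphrase</code> by default. Maven encryption only protects the passphrase as well as the master password in <code>~/.m2/settings-security.xml</code> is protected, for example by keeping that file on an encrypted or removable volume." Using "passphrase" throughout would match the <code>gpg.passphrase</code> property and the -Dgpg.passphrase warning in the preceding hunk lines.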


