hc-dev mailing list archives

From: Oleg Kalnichevski <ol...@apache.org>
Subject: Re: svn commit: r1558509
Date: Thu, 16 Jan 2014 16:11:29 GMT
On Thu, 2014-01-16 at 00:23 +0000, sebb wrote:
> On 15 January 2014 18:55,  <ggregory@apache.org> wrote:
> > Author: ggregory
> > Date: Wed Jan 15 18:55:09 2014
> > New Revision: 1558509
> >
> > URL: http://svn.apache.org/r1558509
> > Log:
> > Feed the password to Maven through the CLI
> >
> > Modified:
> >     httpcomponents/project-release-tools/trunk/build.gradle
> >
> > Modified: httpcomponents/project-release-tools/trunk/build.gradle
> > URL: http://svn.apache.org/viewvc/httpcomponents/project-release-tools/trunk/build.gradle?rev=1558509&r1=1558508&r2=1558509&view=diff
> > ==============================================================================
> > --- httpcomponents/project-release-tools/trunk/build.gradle (original)
> > +++ httpcomponents/project-release-tools/trunk/build.gradle Wed Jan 15 18:55:09
2014
> > @@ -247,7 +247,8 @@ if (rcTagFile.exists() && rcRevisionFile
> >                  String name = getProductName(artifactId)
> >
> >                  println "Deploying ${name} ${releaseVer} based on ${rcQualifier}"
> > -                mvn.exec(checkoutRC.localDir, 'deploy', '-Prelease', '-Dmaven.test.skip=true')
> > +                mvn.exec(checkoutRC.localDir, 'deploy', '-Prelease', '-Dmaven.test.skip=true',
> 
> Could be just -DskipTests
> 
> > +                    '-Dgpg.passphrase=' + project.ext.'signing.password')
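
Review bot: the added `'-Dgpg.passphrase=' + project.ext.'signing.password'` argument is appended unconditionally, which places the signing passphrase on the mvn command line, where other users of a shared host can read it from the process table and where it will also land in the build output if `mvn.exec` echoes its arguments. Append the argument only when `signing.password` has actually been provided and otherwise leave passphrase handling to gpg-agent; as written, a release manager who has not set `signing.password` gets a Gradle missing-property error from `project.ext.'signing.password'` instead of a fallback. Separately, `-Dmaven.test.skip=true` skips compiling the test sources as well as running them, while `-DskipTests` only skips running them, so the latter is the safer choice for a release build that should still compile everything.
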
> 
> I think it is risky to insist that the password is passed in on the
> command line, as it is easy to sniff on a shared system.
> Current RMs I'm sure are aware of the risks, but I don't think this
> should be left like this for ever - it sets a bad example.
> I'm fairly sure it is not necessary - it should be possible to use gpg-agent.
> 
> At the very least, the password should be optional (i.e. only pass it
> if it is actually provided).
> But better not to encourage risky behaviour.
> 

I do not think it is any more insecure than passing passwords at the
command line, which appears to be not uncommon in the pure Maven world.

Naturally I am going to improve the scripts based on Gary's experience
and feedback and remove this hack. We might have to mandate the use of
ssh-agent for Windows though. With Linux, the Maven deploy plugin is able to
read the passphrase from the console just fine. This does not seem to work with
Windows cmd.exe.

The trouble is my family no longer own a single Windows PC and I cannot
test the scripts myself.

Oleg
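
One way to make the passphrase optional, as sebb suggests, in the Gradle script the hunk modifies. This is an added example, not code from the commit or from the httpcomponents release tools; it assumes the same `mvn.exec` helper and the `name`, `releaseVer`, `rcQualifier` and `checkoutRC` variables visible in the hunk.

```groovy
// Added example (not the release script from the commit): pass the GPG
// passphrase to Maven only when the release manager actually supplied one,
// and otherwise leave it to gpg-agent. Assumes the same mvn.exec helper and
// the name / releaseVer / rcQualifier / checkoutRC variables from build.gradle.
def signingPassword = project.hasProperty('signing.password') ?
        project.property('signing.password') : null

// -DskipTests still compiles the test sources; -Dmaven.test.skip=true would not.
def mvnArgs = ['deploy', '-Prelease', '-DskipTests']
if (signingPassword) {
    // Anything on the command line is visible in the process table, so say so
    // loudly instead of silently accepting it.
    logger.warn('Passing gpg.passphrase on the Maven command line; prefer gpg-agent on shared hosts.')
    mvnArgs << "-Dgpg.passphrase=${signingPassword}".toString()
}

// Echo the command with the secret redacted, never the raw argument list.
def shown = mvnArgs.collect { it.startsWith('-Dgpg.passphrase=') ? '-Dgpg.passphrase=***' : it }
println "Deploying ${name} ${releaseVer} based on ${rcQualifier}: mvn ${shown.join(' ')}"

// Spread the list into the varargs the existing helper expects.
mvn.exec(checkoutRC.localDir, *mvnArgs)
```

With `signing.password` unset, the `gpg` plugin prompts through gpg-agent as usual and nothing secret appears in `ps` output or in the build log.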