hc-dev mailing list archives

From sebb <seb...@gmail.com>
Subject Re: svn commit: r1558509
Date Thu, 16 Jan 2014 16:43:41 GMT
On 16 January 2014 16:11, Oleg Kalnichevski <olegk@apache.org> wrote:
> On Thu, 2014-01-16 at 00:23 +0000, sebb wrote:
>> On 15 January 2014 18:55,  <ggregory@apache.org> wrote:
>> > Author: ggregory
>> > Date: Wed Jan 15 18:55:09 2014
>> > New Revision: 1558509
>> >
>> > URL: http://svn.apache.org/r1558509
>> > Log:
>> > Feed the password to Maven through the CLI
>> >
>> > Modified:
>> >     httpcomponents/project-release-tools/trunk/build.gradle
>> >
>> > Modified: httpcomponents/project-release-tools/trunk/build.gradle
>> > URL: http://svn.apache.org/viewvc/httpcomponents/project-release-tools/trunk/build.gradle?rev=1558509&r1=1558508&r2=1558509&view=diff
>> > ==============================================================================
>> > --- httpcomponents/project-release-tools/trunk/build.gradle (original)
>> > +++ httpcomponents/project-release-tools/trunk/build.gradle Wed Jan 15 18:55:09
2014
>> > @@ -247,7 +247,8 @@ if (rcTagFile.exists() && rcRevisionFile
>> >                  String name = getProductName(artifactId)
>> >
>> >                  println "Deploying ${name} ${releaseVer} based on ${rcQualifier}"
>> > -                mvn.exec(checkoutRC.localDir, 'deploy', '-Prelease', '-Dmaven.test.skip=true')
>> > +                mvn.exec(checkoutRC.localDir, 'deploy', '-Prelease', '-Dmaven.test.skip=true',
>>
>> Could be just -DskipTests
>>
>> > +                    '-Dgpg.passphrase=' + project.ext.'signing.password')
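Review bot: the added `+` line appends `'-Dgpg.passphrase=' + project.ext.'signing.password'` unconditionally, so the passphrase ends up in the Maven process's argument list, where any other user of a shared host can read it from the process table, and in whatever logs the command line; the `project.ext` lookup also fails outright when `signing.password` has not been set. Suggest building the argument list and appending `-Dgpg.passphrase=...` only when the property is actually present, otherwise leaving the passphrase to gpg-agent; on the same call `-Dmaven.test.skip=true` could simply be `-DskipTests`.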
>>
>> I think it is risky to insist that the password is passed in on the
>> command line, as it is easy to sniff on a shared system.
>> Current RMs I'm sure are aware of the risks, but I don't think this
>> should be left like this for ever - it sets a bad example.
>> I'm fairly sure it is not necessary - it should be possible to use gpg-agent.
>>
>> At the very least, the password should be optional (i.e. only pass it
>> if it is actually provided).
>> But better not to encourage risky behaviour.
>>
>
> I do not think it is any more insecure than passing passwords at the
> command line which appears to be not uncommon in pure Maven world.

Unfortunately this is not the only example of bad practise in the Maven world.

> Naturally I am going to improve the scripts based on Gary's experience
> and feedback and remove this hack. We might have to mandate the use of
> ssh-agent for Windows though. With Linux Maven deploy plugin is able to
> read passphrase from console just fine. This does not seem to work with
> Windows cmd.exe

GPG includes GPG agent which Maven gpg:sign can easily use; it pops up
a Pinentry dialog.

> The trouble is my family no longer own a single Windows PC and I cannot
> test the scripts myself.

However Gary and I have Windows systems.
I'm happy to test changes.

However, looking at the gradle wrapper I cannot work out how to easily
test signing without going through most of the release process.

With Maven, it's trivial; just change to a valid project workspace and run:

mvn package -DskipTests gpg:sign -Dgpg.keyname=xxx
or
mvn package -DskipTests gpg:sign -Pkeyprofile

where the keyprofile includes the keyname (and potentially the
gpg.secretKeyring location) and is stored in settings.xml.


> Oleg
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
> For additional commands, e-mail: dev-help@hc.apache.org
>

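A settings.xml profile of the kind the `-Pkeyprofile` invocation above relies on, as an added example that is not from this thread or the project-release-tools scripts; the key id, keyring path and the `keyprofile` id are placeholders:

```xml
<!-- ~/.m2/settings.xml (added example; key id and paths are placeholders) -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <profiles>
    <profile>
      <id>keyprofile</id>
      <properties>
        <!-- Key to sign with. No gpg.passphrase here: gpg-agent/pinentry
             supplies it, so it never appears on the command line. -->
        <gpg.keyname>0xPLACEHOLDERKEYID</gpg.keyname>
        <!-- Optional: only needed when the secret keyring is not in the
             default GnuPG home -->
        <gpg.secretKeyring>/home/rm/.gnupg/secring.gpg</gpg.secretKeyring>
      </properties>
    </profile>
  </profiles>
</settings>
```

With this in place, `mvn package -DskipTests gpg:sign -Pkeyprofile` signs the artifacts without a passphrase in the process arguments or shell history.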