maven-users mailing list archives

From Olivier Dehon <odn...@gmail.com>
Subject Maven password encryption and usage in a CI server
Date Tue, 05 May 2009 12:15:08 GMT
Hi,

I was reading about the recent enhancements to the management of server
passwords in settings.xml at
http://maven.apache.org/guides/mini/guide-encryption.html

A few questions arose around the actual security provided by these
enhancements in the context of a build/CI server.

Agreed, this is an enhancement over passwords in clear text in
settings.xml, where any developer can run the help:effective-settings
goal in a custom build definition to gain access to the passwords
configured there on the server.

But can it be considered a safe protection in the context of a build
server? For instance, what prevents a developer from running a build
definition that runs a command through the exec or antrun plugin that
outputs the content of the settings-security.xml, thereby compromising
the encryption?

Unless I miss the obvious (or the less obvious) I am under the
impression that this enhancement makes it harder to get to the
passwords, but does not make it impossible (and maybe this was never the
goal).

Thank you in advance for your insights/pointers.

-Olivier
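
Added example, not part of the original message: a defender-side audit of the concern raised above, meant to be run as the account the CI builds run under. It assumes the Maven conventions that encrypted values in settings.xml are wrapped in {...} and that the master password lives in settings-security.xml; the sample settings, the temporary paths and the audit() helper are constructed for illustration.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

ENCRYPTED = re.compile(r"\{[^{}]+\}")  # Maven wraps encrypted values in {...}

# Constructed sample, not taken from any real server.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>releases</id><username>ci</username>
      <password>{CONSTRUCTEDciphertextAAAA=}</password></server>
    <server><id>snapshots</id><username>ci</username>
      <password>hunter2</password></server>
  </servers>
</settings>"""


def local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit(settings_xml, security_file):
    """Return {server id: finding} for every <server> that has a <password>."""
    # If the build user can read the master-password file, any build step
    # running as that user can read it too.
    key_readable = os.access(security_file, os.R_OK)
    findings = {}
    for server in (e for e in ET.fromstring(settings_xml).iter() if local(e.tag) == "server"):
        fields = {local(c.tag): (c.text or "").strip() for c in server}
        password = fields.get("password")
        if not password:
            continue
        if not ENCRYPTED.search(password):
            findings[fields.get("id", "?")] = "cleartext"
        elif key_readable:
            findings[fields.get("id", "?")] = "encrypted, master key readable by this user"
        else:
            findings[fields.get("id", "?")] = "encrypted, master key not readable"
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:  # stands in for ~/.m2
        key = os.path.join(home, "settings-security.xml")
        with open(key, "w") as f:
            f.write("<settingsSecurity><master>{CONSTRUCTED=}</master></settingsSecurity>")
        for server_id, finding in audit(SAMPLE_SETTINGS, key).items():
            print(server_id, "->", finding)
```

A finding of "master key readable by this user" means the encryption adds no barrier against code executed inside the build itself, which is the situation the message describes.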
