Message-ID: <4A003C27.6020506@infinity.nu>
Date: Tue, 05 May 2009 09:16:23 -0400
From: Brian Fox
To: users@maven.apache.org
Subject: Re: Maven password encryption and usage in a CI server
In-Reply-To: <1241525708.5123.9.camel@droopy.dehon.com>

You are correct. If someone is able to read the Maven code and find the default password, decrypt the master password, then they could decrypt the user password. It's also decrypted "on the wire" if you aren't using https with your repos.

The trick with a build server is to make a special account for that system; the real danger comes when you use a corporate password and someone gets that. If you have real concerns about the build server, don't give people permissions to change the jobs and then it will be harder for them to get at these files.

Olivier Dehon wrote:
> Hi,
>
> I was reading about the recent enhancements to the management of server
> passwords in settings.xml at
> http://maven.apache.org/guides/mini/guide-encryption.html
>
> A few questions arose around the actual security provided by these
> enhancements in the context of a build/CI server.
>
> Agreed, this is an enhancement over passwords in clear text in
> settings.xml, where any developer can run the help:effective-settings
> goal in a custom build definition to gain access to the passwords
> configured there on the server.
>
> But can it be considered a safe protection in the context of a build
> server? For instance, what prevents a developer from running a build
> definition that runs a command through the exec or antrun plugin that
> outputs the content of the settings-security.xml, thereby compromising
> the encryption?
>
> Unless I miss the obvious (or the less obvious) I am under the
> impression that this enhancement makes it harder to get to the
> passwords, but does not make it impossible (and maybe this was never the
> goal).
>
> Thank you in advance for your insights/pointers.
>
> -Olivier
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
> For additional commands, e-mail: users-help@maven.apache.org
>
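Added example, not part of the thread and not Maven or plexus-cipher code: a standalone Go program that re-implements the settings-security.xml scheme the two messages discuss, so that the "read the Maven code, find the default password, decrypt the master, decrypt the server password" chain Brian describes can be seen end to end without a JVM on the box. The byte layout (8-byte salt, 1-byte pad length, AES-128/CBC/PKCS5 body, trailing junk bytes, base64 in `{...}`), the SHA-256 key/IV derivation and the fixed passphrase `settings.security` are my reading of plexus-cipher's PBECipher and DefaultSecDispatcher and are stated as assumptions; the `pbeEncrypt` helper, the fixed salt and all sample values are constructed here so the program runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Layout constants as I read them from plexus-cipher's PBECipher (assumption,
// not vendor code): 8-byte salt, 1-byte pad length, AES-128/CBC/PKCS5 body,
// then padLen junk bytes, base64-encoded and wrapped in {...}.
const saltSize, spiceSize, chunkSize = 8, 16, 16

// The fixed passphrase Maven uses for the <master> value in
// settings-security.xml; this is the "default password" the thread refers to.
const masterPassphrase = "settings.security"

// deriveKeyIV: one SHA-256 over password||salt; bytes 0..15 become the AES
// key and bytes 16..31 the CBC IV. No iteration count, no secret beyond the
// passphrase, so anyone with the file and the passphrase can do the same.
func deriveKeyIV(password string, salt []byte) (key, iv []byte) {
	h := sha256.New()
	h.Write([]byte(password))
	h.Write(salt)
	sum := h.Sum(nil)
	return sum[:spiceSize], sum[spiceSize : 2*spiceSize]
}

func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) ||
		!bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding (wrong password?)")
	}
	return b[:len(b)-n], nil
}

// undecorate pulls the base64 payload out of "{...}"; a value without braces
// is stored in clear and needs no decryption at all.
func undecorate(s string) (string, bool) {
	i, j := strings.IndexByte(s, '{'), strings.LastIndexByte(s, '}')
	if i < 0 || j < i {
		return "", false
	}
	return s[i+1 : j], true
}

// pbeDecrypt reverses PBECipher.decrypt64 for one {...} value.
func pbeDecrypt(decorated, password string) (string, error) {
	b64, ok := undecorate(decorated)
	if !ok {
		return "", errors.New("value is not {...}-decorated; it is plaintext")
	}
	all, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
	if err != nil {
		return "", err
	}
	if len(all) < saltSize+1 {
		return "", errors.New("blob too short")
	}
	salt, padLen := all[:saltSize], int(all[saltSize])
	ctLen := len(all) - saltSize - 1 - padLen
	if ctLen <= 0 || ctLen%aes.BlockSize != 0 {
		return "", errors.New("bad ciphertext length")
	}
	key, iv := deriveKeyIV(password, salt)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, ctLen)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, all[saltSize+1:saltSize+1+ctLen])
	pt, err = pkcs5Unpad(pt)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// pbeEncrypt mirrors encrypt64 so the example can build its own sample
// values; Maven draws salt and junk bytes at random, here both are fixed.
func pbeEncrypt(plain, password string, salt []byte) (string, error) {
	if len(salt) != saltSize {
		return "", errors.New("salt must be 8 bytes")
	}
	key, iv := deriveKeyIV(password, salt)
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append([]byte(plain), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	padLen := chunkSize - (saltSize+len(ct)+1)%chunkSize
	out := append([]byte{}, salt...)
	out = append(out, byte(padLen))
	out = append(out, ct...)
	out = append(out, make([]byte, padLen)...) // junk bytes, zero here
	return "{" + base64.StdEncoding.EncodeToString(out) + "}", nil
}

// recoverServerPassword does what Maven does at build time, and what anyone
// who can read both files on the CI box (e.g. via exec/antrun) can do by hand.
func recoverServerPassword(masterValue, serverValue string) (string, error) {
	master, err := pbeDecrypt(masterValue, masterPassphrase)
	if err != nil {
		return "", fmt.Errorf("settings-security.xml <master>: %w", err)
	}
	return pbeDecrypt(serverValue, master)
}

func main() {
	// Constructed sample values; nothing here is a real secret.
	salt := []byte("CIsalt08")
	masterValue, _ := pbeEncrypt("ci-master-secret", masterPassphrase, salt)
	serverValue, _ := pbeEncrypt("deployer-pw", "ci-master-secret", salt)
	fmt.Println("settings-security.xml: <master>" + masterValue + "</master>")
	fmt.Println("settings.xml:          <password>" + serverValue + "</password>")
	pw, err := recoverServerPassword(masterValue, serverValue)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered server password:", pw)
}
```

Run it with `go run main.go`; the two printed values are what the two files would hold, and the last line is the cleartext back again. The point for a CI server is that the only thing standing between a job author and the server password is read access to `~/.m2/settings-security.xml` (or wherever the `<relocation>` points): the passphrase is a constant in the library, so file-system permissions on that file, a dedicated low-privilege repository account, restricted job-edit rights and HTTPS to the repositories are the controls that actually matter.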