Posted to dev@continuum.apache.org by Wendy Smoak <ws...@gmail.com> on 2008/04/24 04:28:57 UTC

Continuum and plain text passwords

I'm still on a quest to get Continuum to stop storing passwords in
plain text.  Olivier fixed CONTINUUM-1605 [1] so that the initial pom
retrieval will discard the provided credentials if the 'use cached
credentials' checkbox is checked.

The latest problem is the release.properties file.  This file (which
contains the scm password in plain text) gets written out to the
working copy... which is then visible through the Web UI.  If all goes
well, I think it's only there briefly, but if the release fails it may
be left around.

Any ideas on how to fix this one?

[1] http://jira.codehaus.org/browse/CONTINUUM-1605

-- 
Wendy

Re: Continuum and plain text passwords

Posted by "Napoleon Esmundo C. Ramirez" <na...@gmail.com>.
I attached a patch for the quickfix in CONTINUUM-1741.  Then I just filed
MRELEASE-340, to not store the plaintext password in the release.properties
file.  Any takers?  Comments?

Cheers,
Nap

On Sun, Apr 27, 2008 at 4:26 PM, Wendy Smoak <ws...@gmail.com> wrote:

> On Sun, Apr 27, 2008 at 4:25 PM, Wendy Smoak <ws...@gmail.com> wrote:
> > On Fri, Apr 25, 2008 at 11:46 AM, Napoleon Esmundo C. Ramirez
> >  <na...@gmail.com> wrote:
> >  > That's a good start. I created an issue for it,
> >  >  http://jira.codehaus.org/browse/CONTINUUM-1741
> >  >
> >  >  I'll attach a patch soon.
> >
> >  Sounds good.  Are you also planning to open something in Maven SCM?
>
> oops, I think that should be 'Maven Release' not SCM.
>
> --
> Wendy
>

Re: Continuum and plain text passwords

Posted by Wendy Smoak <ws...@gmail.com>.
On Sun, Apr 27, 2008 at 4:25 PM, Wendy Smoak <ws...@gmail.com> wrote:
> On Fri, Apr 25, 2008 at 11:46 AM, Napoleon Esmundo C. Ramirez
>  <na...@gmail.com> wrote:
>  > That's a good start. I created an issue for it,
>  >  http://jira.codehaus.org/browse/CONTINUUM-1741
>  >
>  >  I'll attach a patch soon.
>
>  Sounds good.  Are you also planning to open something in Maven SCM?

oops, I think that should be 'Maven Release' not SCM.

-- 
Wendy

Re: Continuum and plain text passwords

Posted by Wendy Smoak <ws...@gmail.com>.
On Fri, Apr 25, 2008 at 11:46 AM, Napoleon Esmundo C. Ramirez
<na...@gmail.com> wrote:
> That's a good start. I created an issue for it,
>  http://jira.codehaus.org/browse/CONTINUUM-1741
>
>  I'll attach a patch soon.

Sounds good.  Are you also planning to open something in Maven SCM?

-- 
Wendy

Re: Continuum and plain text passwords

Posted by "Napoleon Esmundo C. Ramirez" <na...@gmail.com>.
That's a good start. I created an issue for it,
http://jira.codehaus.org/browse/CONTINUUM-1741

I'll attach a patch soon.

Cheers!
Nap

On Fri, Apr 25, 2008 at 9:13 AM, Wendy Smoak <ws...@gmail.com> wrote:

> On Thu, Apr 24, 2008 at 4:24 PM, Napoleon Esmundo C. Ramirez
> <na...@gmail.com> wrote:
> > I think the idea of having the plain-text password in the
> > release.properties file is dangerous enough.  Do you think it will be
> > ok to just remove it, then always ask for a password during the release?
>
> Continuum already asks for a password during the release.  Yes, I'd
> prefer that the password never gets stored in plain text, however I
> think that change would have to be made in Maven Release, not in
> Continuum.
>
> Let's first make sure the release.properties file is not displayed in
> the working copy for Maven projects, and then work on the underlying
> issue.
>
> --
> Wendy
>

Re: Continuum and plain text passwords

Posted by Wendy Smoak <ws...@gmail.com>.
On Thu, Apr 24, 2008 at 4:24 PM, Napoleon Esmundo C. Ramirez
<na...@gmail.com> wrote:
> I think the idea of having the plain-text password in the release.properties
>  file is dangerous enough.  Do you think it will be ok to just remove it,
>  then always ask for a password during the release?

Continuum already asks for a password during the release.  Yes, I'd
prefer that the password never gets stored in plain text, however I
think that change would have to be made in Maven Release, not in
Continuum.

Let's first make sure the release.properties file is not displayed in
the working copy for Maven projects, and then work on the underlying
issue.

-- 
Wendy

Re: Continuum and plain text passwords

Posted by "Napoleon Esmundo C. Ramirez" <na...@gmail.com>.
I think the idea of having the plain-text password in the release.properties
file is dangerous enough.  Do you think it will be ok to just remove it,
then always ask for a password during the release?

On Thu, Apr 24, 2008 at 11:54 AM, Wendy Smoak <ws...@gmail.com> wrote:

> On Thu, Apr 24, 2008 at 11:43 AM, Rahul Thakur
> <ra...@gmail.com> wrote:
> > Same thought.
> >
> > release.properties is a temporary file used by Maven; if for some
> > reason it persists, we can choose not to display its contents.
>
> Can we apply the filter only to Maven 2 projects?  (A shell or ant
> project might use that filename for something unrelated...)
>
> This only solves part of the problem, since if the file exists, anyone
> with a project developer role could get to it and display it by adding
> a shell project with a simple script.)
>
> What can we do to clean up better after a failed release?  (It would
> be manual, but does the rollback feature even work?  IIRC it hung last
> time I tried it.)
>
> --
> Wendy
>

Re: Continuum and plain text passwords

Posted by Wendy Smoak <ws...@gmail.com>.
On Thu, Apr 24, 2008 at 11:43 AM, Rahul Thakur
<ra...@gmail.com> wrote:
> Same thought.
>
>  release.properties is a temporary file used by Maven; if for some reason it
> persists, we can choose not to display its contents.

Can we apply the filter only to Maven 2 projects?  (A shell or ant
project might use that filename for something unrelated...)

This only solves part of the problem, since if the file exists, anyone
with a project developer role could get to it and display it by adding
a shell project with a simple script.)

What can we do to clean up better after a failed release?  (It would
be manual, but does the rollback feature even work?  IIRC it hung last
time I tried it.)

-- 
Wendy
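Added illustration of the two mitigations discussed in this thread (masking the scm password when a leftover release.properties is shown, and only treating the file as sensitive for Maven projects, as in the original post and the reply above). This is example code written for this page, not Continuum or Maven Release code; the sample file content, the `hunter2-constructed` value and the in-memory stand-in for a working copy are constructed.

```python
import re

# scm.password is what the Maven Release plugin writes; also mask other *.password/*.passphrase keys.
SENSITIVE_KEY = re.compile(r"(^|\.)(password|passphrase)$", re.IGNORECASE)
REDACTED = "********"

# Constructed sample in release.properties format (not from any real release).
SAMPLE_RELEASE_PROPERTIES = r"""#release configuration
scm.url=scm\:svn\:https\://svn.example.org/repos/project/trunk
scm.username=builduser
scm.password=hunter2-constructed
scm.tag=project-\
    1.0
completedPhase=check-poms
"""

def parse_properties(text):
    """Minimal Java .properties reader: comments, separators, key escapes, continuations."""
    entries, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i].lstrip()
        i += 1
        if not line or line[0] in "#!":
            continue
        # An odd number of trailing backslashes continues the logical line.
        while (len(line) - len(line.rstrip("\\"))) % 2 == 1 and i < len(lines):
            line = line[:-1] + lines[i].lstrip()
            i += 1
        if m := re.match(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)", line):
            entries.append((m.group(1), m.group(2)))
    return entries

def redact_properties(text):
    """Return (text safe to display, keys whose values were masked)."""
    out, masked = [], []
    for key, value in parse_properties(text):
        if value and SENSITIVE_KEY.search(key):
            masked.append(key)
            value = REDACTED
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n", masked

def audit_working_copy(files):
    """files: relative path -> content (in-memory stand-in for a checkout). Only a
    Maven project (pom.xml present) is audited; a shell or ant project might use
    the name release.properties for something unrelated."""
    if "pom.xml" not in files:
        return {}
    return {p: redact_properties(c)[1] for p, c in files.items()
            if p.split("/")[-1] == "release.properties" and redact_properties(c)[1]}
```

Masking only fixes the display path; a file that still holds the password on disk is what the audit reports, so it also needs to be removed during cleanup after a failed release.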

Re: Continuum and plain text passwords

Posted by Rahul Thakur <ra...@gmail.com>.
Same thought.

release.properties is a temporary file used by Maven; if for some reason 
it persists, we can choose not to display its contents.

Rahul


Henry Isidro wrote:
> Would it be a good idea not to have it appear in the webapp UI while
> this password plaintext problem is not yet resolved?
>
> On Thu, Apr 24, 2008 at 10:28 AM, Wendy Smoak<ws...@gmail.com>  wrote:
>> I'm still on a quest to get Continuum to stop storing passwords in
>>   plain text.  Olivier fixed CONTINUUM-1605 [1] so that the initial pom
>>   retrieval will discard the provided credentials if the 'use cached
>>   credentials' checkbox is checked.
>>
>>   The latest problem is the release.properties file.  This file (which
>>   contains the scm password in plain text) gets written out to the
>>   working copy... which is then visible through the Web UI.  If all goes
>>   well, I think it's only there briefly, but if the release fails it may
>>   be left around.
>>
>>   Any ideas on how to fix this one?
>>
>>   [1] http://jira.codehaus.org/browse/CONTINUUM-1605
>>
>>   --
>>   Wendy
>>
>

Re: Continuum and plain text passwords

Posted by Henry Isidro <hi...@exist.com>.
Would it be a good idea not to have it appear in the webapp UI while
this password plaintext problem is not yet resolved?

On Thu, Apr 24, 2008 at 10:28 AM, Wendy Smoak <ws...@gmail.com> wrote:
> I'm still on a quest to get Continuum to stop storing passwords in
>  plain text.  Olivier fixed CONTINUUM-1605 [1] so that the initial pom
>  retrieval will discard the provided credentials if the 'use cached
>  credentials' checkbox is checked.
>
>  The latest problem is the release.properties file.  This file (which
>  contains the scm password in plain text) gets written out to the
>  working copy... which is then visible through the Web UI.  If all goes
>  well, I think it's only there briefly, but if the release fails it may
>  be left around.
>
>  Any ideas on how to fix this one?
>
>  [1] http://jira.codehaus.org/browse/CONTINUUM-1605
>
>  --
>  Wendy
>