Posted to issues@maven.apache.org by "Greg Wilkins (JIRA)" <ji...@codehaus.org> on 2010/12/08 12:40:57 UTC

[jira] Created: (MNG-4928) mvn --encrypt-master-password is insecure

mvn --encrypt-master-password is insecure
-----------------------------------------

                 Key: MNG-4928
                 URL: http://jira.codehaus.org/browse/MNG-4928
             Project: Maven 2 & 3
          Issue Type: Bug
          Components: Command Line
    Affects Versions: 3.0.1, 3.0, 2.2.1
            Reporter: Greg Wilkins


gregw@Brick: ~
[506] mvn --encrypt-master-password something-very-very-secret
{zfC2klZItekHCPGwE+R0JZ2+RjyDlqxP343ThV0R3B5taWEHbI5t+QGfXOZ0mq9j}

gregw@Brick: ~
[507] history 2
  506  mvn --encrypt-master-password something-very-very-secret
  507  history 2

Commands that take passwords should not accept them from the command line, as they are then visible in history and even in some ps output. They should prompt for passwords with echo turned off.






-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
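
An added example, not part of the original report and not Maven's code: a history audit for the exposure shown above, plus the echo-off prompt the reporter asks for. The function names are hypothetical; --encrypt-password, -emp and -ep are Maven's other password options and do not appear in the report.

```shell
#!/bin/sh
# Added example: audit history files for Maven password options that were
# given a value on the command line, and read a secret with echo disabled.

# Print "file:line: option ****" for each matching line. The value is never
# printed. A value that itself starts with "-" is not detected (limitation).
find_cli_secrets() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '{
            for (i = 1; i <= NF; i++) {
                opt = $i
                inline = sub(/=.+$/, "", opt)      # --option=value form
                if (opt !~ /^(--encrypt-master-password|--encrypt-password|-emp|-ep)$/)
                    continue
                if (inline || (i < NF && $(i + 1) !~ /^-/))
                    printf "%s:%d: %s ****\n", file, NR, opt
            }
        }' "$f"
    done
}

# Prompt on stderr and read one line from stdin with terminal echo off, so
# the secret is never in argv, shell history or on screen. Result: stdout.
read_secret() {
    printf '%s' "$1" >&2
    if [ -t 0 ]; then
        saved=$(stty -g)
        trap 'stty "$saved"; exit 1' INT TERM   # restore echo if interrupted
        stty -echo
        IFS= read -r secret
        stty "$saved"
        trap - INT TERM
        printf '\n' >&2
    else
        IFS= read -r secret     # piped input: there is no echo to disable
    fi
    printf '%s\n' "$secret"
}
```

Typical use is find_cli_secrets ~/.bash_history, then changing any password that is reported, since deleting the history line does not undo the exposure.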

        

[jira] Commented: (MNG-4928) mvn --encrypt-master-password is insecure

Posted by "Greg Wilkins (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-4928?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=246852#action_246852 ] 

Greg Wilkins commented on MNG-4928:
-----------------------------------

Also, a note should be made to anybody that is editing passwords in their settings.xml files that many editors keep histories of edits.

For example, I found several instances of my SSH passphrase in .viminfo because I had removed it from my settings with a search and replace.


        

[jira] Closed: (MNG-4928) mvn --encrypt-master-password is insecure

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-4928?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brett Porter closed MNG-4928.
-----------------------------

    Resolution: Duplicate
      Assignee: Brett Porter
