Posted to issues@maven.apache.org by "Joseph Walton (JIRA)" <ji...@codehaus.org> on 2012/06/01 02:57:21 UTC

[jira] (MRELEASE-766) release:prepare stores settings.xml in a public directory

    [ https://jira.codehaus.org/browse/MRELEASE-766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=300153#comment-300153 ] 

Joseph Walton commented on MRELEASE-766:
----------------------------------------

I've seen it happening. It's possible that the build was hung, rather than failed, so it hadn't cleaned up. It's also possible that the JVM was killed. But while this finally block will reduce the window the file is public for, it won't eliminate it, so I think there's room for an improvement here.
                
> release:prepare stores settings.xml in a public directory
> ---------------------------------------------------------
>
>                 Key: MRELEASE-766
>                 URL: https://jira.codehaus.org/browse/MRELEASE-766
>             Project: Maven 2.x Release Plugin
>          Issue Type: Bug
>          Components: prepare
>    Affects Versions: 2.2.2
>            Reporter: Joseph Walton
>
> The fix for MRELEASE-577 involves copying {{settings.xml}} into a temporary directory. On a shared machine, it's possible that users have passwords configured in this file. Although they should probably have used {{settings-security.xml}}, some will have set file permissions to prevent other users from reading their settings.
> If a build fails, the file can be left behind in /tmp.
> The copy should either be set to world-unreadable before any contents are written or created in a non-public location.

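The report's two suggested remedies (restrict the copy before any contents are written, or create it in a non-public location) can be combined. The following is an added example, not code from the release plugin or from the reporter; it assumes Java 7+ java.nio.file on a POSIX file system, and the class and method names are hypothetical.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class PrivateSettingsCopy {   // hypothetical class, not plugin code

    private static FileAttribute<Set<PosixFilePermission>> mode(String rwx) {
        return PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString(rwx));
    }

    /** Copies settings into a fresh owner-only directory; hypothetical helper. */
    static Path copyPrivately(Path settings) throws IOException {
        // Non-public location: the directory is created as 0700, never widened later.
        Path dir = Files.createTempDirectory("release-settings", mode("rwx------"));
        // World-unreadable before any contents exist: the empty file is created as 0600.
        Path copy = Files.createTempFile(dir, "settings", ".xml", mode("rw-------"));
        // Write into the already-restricted file instead of replacing it with a new one.
        try (OutputStream out = Files.newOutputStream(copy)) {
            Files.copy(settings, out);
        }
        return copy;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input standing in for a user's settings.xml.
        Path settings = Files.createTempFile("sample-settings", ".xml");
        Files.write(settings, "<settings><!-- constructed --></settings>"
                .getBytes(StandardCharsets.UTF_8));
        Path copy = copyPrivately(settings);
        try {
            System.out.println(copy + " "
                    + PosixFilePermissions.toString(Files.getPosixFilePermissions(copy)));
        } finally {
            // Cleanup narrows exposure in time; the permissions above bound it if cleanup never runs.
            Files.deleteIfExists(copy);
            Files.deleteIfExists(copy.getParent());
            Files.deleteIfExists(settings);
        }
    }
}
```

Because the permissions are applied at creation rather than by a later chmod, a hung build or a killed JVM leaves behind a file that other local users still cannot read.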