Posted to dev@maven.apache.org by Oleg Gusakov <ol...@gmail.com> on 2009/01/27 19:48:29 UTC
password encryption in 2.1.x trunk
After a long and interesting discussion last August
(http://docs.codehaus.org/display/MAVEN/Secured+Passwords) and several
meetings with users, I felt it's overdue to do the actual implementation.
I massaged my old, vintage 2007 code and put it into 2.1.x trunk.
How it all works - more detailed explanation is in [MNG-553], here is
the digest of it:
Process is now manual, I will automate it later on: plugin exists - need
to test it first.
* user encrypts a master password with CLI and stores it in ~/.m2/sec.xml
** there is an option to store it on a removable drive and reference
that from ~/.m2/sec.xml
* user encrypts server password with CLI and stores it in settings.xml
* Maven decrypts the password in memory and everything works like it was
before
** help:effective-settings (tested) and other tools (did not test
though) still show encrypted passwords
Thanks,
Oleg
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
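An added example, not part of the original thread: an audit that checks whether the server passwords in a settings.xml were actually replaced by encrypted values, as the procedure in the message above describes. It assumes the brace-wrapped `{...}` form that released Maven versions use for encrypted values (the thread does not show the format); the function names and the sample settings are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: encrypted values are brace-wrapped. "\{" is an escaped literal
# brace and "${...}" is a property reference, so neither counts as encrypted.
ENCRYPTED = re.compile(r"(?<![\\$])\{[^{}]+\}")
PROPERTY = re.compile(r"\$\{[^{}]+\}")

# Constructed sample input, not taken from the thread.
SAMPLE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>releases</id><username>ci</username>
      <password>{Q29uc3RydWN0ZWRTYW1wbGU=}</password></server>
    <server><id>snapshots</id><username>ci</username>
      <password>hunter2</password></server>
    <server><id>mirror</id><username>ci</username>
      <password>${env.MIRROR_PASSWORD}</password></server>
  </servers>
</settings>"""


def local(tag):
    """Strip the XML namespace so files with or without xmlns both work."""
    return tag.rsplit("}", 1)[-1]


def classify(value):
    """Label one password value: empty, encrypted, property or plaintext."""
    if value is None or not value.strip():
        return "empty"
    if ENCRYPTED.search(value):
        return "encrypted"
    if PROPERTY.search(value):
        return "property"
    return "plaintext"


def audit_settings(xml_text):
    """Return {server id: classification} for every <server> with a <password>."""
    findings = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "server":
            continue
        fields = {local(child.tag): child.text for child in el}
        if "password" in fields:
            findings[fields.get("id") or "?"] = classify(fields["password"])
    return findings


if __name__ == "__main__":
    for server_id, status in audit_settings(SAMPLE).items():
        print(f"{server_id}: {status}")
```

A `property` result only means the secret lives elsewhere (for example in the environment), so that location needs its own review.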
Re: password encryption in 2.1.x trunk
Posted by Oleg Gusakov <ol...@gmail.com>.
Looks like the name sec.xml is too short and may be confusing. Changing
for encryption-settings.xml
Oleg Gusakov wrote:
> After a long and interesting discussion last August
> (http://docs.codehaus.org/display/MAVEN/Secured+Passwords) and several
> meetings with users, I felt it's overdue to do the actual implementation.
>
> I massaged my old, vintage 2007 code and put it into 2.1.x trunk.
>
> How it all works - more detailed explanation is in [MNG-553], here is
> the digest of it:
>
> Process is now manual, I will automate it later on: plugin exists -
> need to test it first.
>
> * user encrypts a master password with CLI and stores it in ~/.m2/sec.xml
> ** there is an option to store it on a removable drive and reference
> that from ~/.m2/sec.xml
> * user encrypts server password with CLI and stores it in settings.xml
> * Maven decrypts the password in memory and everything works like it
> was before
> ** help:effective-settings (tested) and other tools (did not test
> though) still show encrypted passwords
>
> Thanks,
> Oleg
>
>
>
>
Re: password encryption in 2.1.x trunk
Posted by Brett Porter <br...@apache.org>.
On 03/02/2009, at 12:03 PM, Brett Porter wrote:
>>
>>> What's left before this is releasable as part of 2.1.x?
>> Just some manual testing and docs updates for the site when it's
>> ready.
>
> In the mean time, can someone please release the dependency so that
> we can move forward with the next milestone release? I think it's
> ready to go.
Oleg? This is all I'm really waiting on for 2.1.0-M2.
Thanks,
Brett
--
Brett Porter
brett@apache.org
http://blogs.exist.com/bporter/
Re: password encryption in 2.1.x trunk
Posted by Brett Porter <br...@apache.org>.
On 03/02/2009, at 1:24 AM, Brian E. Fox wrote:
>
>> Any reason not to use a new field in settings.xml? I think 2.1.x can
>> be capable of updating the model version.
>
> Why introduce a bunch of new work for this?
I'm just concerned that we make this exception here and suddenly we
have multiple files springing up in ~/.m2, and then having to
duplicate work like supporting $M2_HOME/conf/settings.xml.
It's not a showstopper.
> Also, we wanted to make it
> work in 2.0.x if possible. Since it's completely optional to use,
> there should be little downside risk to porting it back.
I'd really prefer we focused on getting 2.1 out, as you said, rather
than allow another excuse not to.
>
>> What's left before this is releasable as part of 2.1.x?
> Just some manual testing and docs updates for the site when it's
> ready.
In the mean time, can someone please release the dependency so that we
can move forward with the next milestone release? I think it's ready
to go.
- Brett
--
Brett Porter
brett@apache.org
http://blogs.exist.com/bporter/
RE: password encryption in 2.1.x trunk
Posted by "Brian E. Fox" <br...@reply.infinity.nu>.
>Any reason not to use a new field in settings.xml? I think 2.1.x can
>be capable of updating the model version.
Why introduce a bunch of new work for this? Also, we wanted to make it
work in 2.0.x if possible. Since it's completely optional to use, there
should be little downside risk to porting it back.
>What's left before this is releasable as part of 2.1.x?
Just some manual testing and docs updates for the site when it's ready.
Re: password encryption in 2.1.x trunk
Posted by Brett Porter <br...@apache.org>.
On 28/01/2009, at 5:48 AM, Oleg Gusakov wrote:
> After a long and interesting discussion last August
> (http://docs.codehaus.org/display/MAVEN/Secured+Passwords) and several
> meetings with users, I felt it's overdue to do the actual implementation.
>
> I massaged my old, vintage 2007 code and put it into 2.1.x trunk.
Great! Been much anticipated :)
> * user encrypts a master password with CLI and stores it in ~/.m2/sec.xml
> ** there is an option to store it on a removable drive and reference
> that from ~/.m2/sec.xml
Any reason not to use a new field in settings.xml? I think 2.1.x can
be capable of updating the model version.
>
> * user encrypts server password with CLI and stores it in settings.xml
> * Maven decrypts the password in memory and everything works like it
> was before
> ** help:effective-settings (tested) and other tools (did not test
> though) still show encrypted passwords
Sounds good. BTW, how is the encryption key configured?
What's left before this is releasable as part of 2.1.x?
Cheers,
Brett
--
Brett Porter
brett@apache.org
http://blogs.exist.com/bporter/