Posted to dev@maven.apache.org by Oleg Gusakov <ol...@gmail.com> on 2009/01/27 19:48:29 UTC

password encryption in 2.1.x trunk

After a long and interesting discussion last August 
(http://docs.codehaus.org/display/MAVEN/Secured+Passwords) and several 
meetings with users, I felt it's overdue to do the actual implementation.

I massaged my old, vintage 2007 code and put it into 2.1.x trunk.

How it all works - more detailed explanation is in [MNG-553], here is 
the digest of it:

Process is now manual, I will automate it later on: plugin exists - need 
to test it first.

* user encrypts a master password with CLI and stores it in ~/.m2/sec.xml
** there is an option to store it on a removable drive and reference 
that from ~/.m2/sec.xml
* user encrypts server password with CLI and stores it in settings.xml
* Maven decrypts the password in memory and everything works like it was 
before
** help:effective-settings (tested) and other tools (did not test 
though) still show encrypted passwords

Thanks,
Oleg




---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
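
An added example, not part of the original post or of Maven's own code: a check to find server passwords still stored in clear text in settings.xml after the encryption steps described above. It assumes an encrypted value is wrapped in unescaped curly braces, as in released Maven (the thread does not show the stored format); the sample file and its values are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: an encrypted value is wrapped in unescaped curly braces
# (the convention of released Maven; the thread does not show the format).
ENCRYPTED = re.compile(r"(?<!\\)\{[^{}]+(?<!\\)\}")

# Constructed sample settings.xml; ids, user names and passwords are made up.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>releases</id>
      <username>deploy</username>
      <password>{CONSTRUCTEDciphertextAAAA=}</password>
    </server>
    <server>
      <id>snapshots</id>
      <username>deploy</username>
      <password>constructed-cleartext</password>
    </server>
    <server>
      <id>mirror</id>
      <username>anonymous</username>
    </server>
  </servers>
</settings>
"""

def local(tag):
    """Strip an XML namespace prefix such as '{uri}server' -> 'server'."""
    return tag.rsplit("}", 1)[-1]

def plaintext_server_ids(settings_xml):
    """Return ids of <server> entries whose <password> is not encrypted."""
    root = ET.fromstring(settings_xml)
    flagged = []
    for element in root.iter():
        if local(element.tag) != "server":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in element}
        password = fields.get("password", "")
        # Entries without a password (anonymous access) are not findings.
        if password and not ENCRYPTED.search(password):
            flagged.append(fields.get("id", "?"))
    return flagged

if __name__ == "__main__":
    for server_id in plaintext_server_ids(SAMPLE_SETTINGS):
        print(f"server '{server_id}': password is stored in clear text")
```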


Re: password encryption in 2.1.x trunk

Posted by Oleg Gusakov <ol...@gmail.com>.
Looks like the name sec.xml is too short and may be confusing. Changing 
it to encryption-settings.xml

Oleg Gusakov wrote:
> After a long and interesting discussion last August 
> (http://docs.codehaus.org/display/MAVEN/Secured+Passwords) and several 
> meetings with users, I felt it's overdue to do the actual implementation.
>
> I massaged my old, vintage 2007 code and put it into 2.1.x trunk.
>
> How it all works - more detailed explanation is in [MNG-553], here is 
> the digest of it:
>
> Process is now manual, I will automate it later on: plugin exists - 
> need to test it first.
>
> * user encrypts a master password with CLI and stores it in ~/.m2/sec.xml
> ** there is an option to store it on a removable drive and reference 
> that from ~/.m2/sec.xml
> * user encrypts server password with CLI and stores it in settings.xml
> * Maven decrypts the password in memory and everything works like it 
> was before
> ** help:effective-settings (tested) and other tools (did not test 
> though) still show encrypted passwords
>
> Thanks,
> Oleg
>
>
>
>



Re: password encryption in 2.1.x trunk

Posted by Brett Porter <br...@apache.org>.
On 03/02/2009, at 12:03 PM, Brett Porter wrote:

>>
>>> What's left before this is releasable as part of 2.1.x?
>> Just some manual testing and docs updates for the site when it's  
>> ready.
>
> In the meantime, can someone please release the dependency so that  
> we can move forward with the next milestone release? I think it's  
> ready to go.

Oleg? This is all I'm really waiting on for 2.1.0-M2.

Thanks,
Brett

--
Brett Porter
brett@apache.org
http://blogs.exist.com/bporter/




Re: password encryption in 2.1.x trunk

Posted by Brett Porter <br...@apache.org>.
On 03/02/2009, at 1:24 AM, Brian E. Fox wrote:

>
>> Any reason not to use a new field in settings.xml? I think 2.1.x can
>> be capable of updating the model version.
>
> Why introduce a bunch of new work for this?

I'm just concerned that we make this exception here and suddenly we  
have multiple files springing up in ~/.m2, and then having to  
duplicate work like supporting $M2_HOME/conf/settings.xml.

It's not a showstopper.

> Also, we wanted to make it
> work in 2.0.x if possible. Since it's completely optional to use,  
> there
> should be little downside risk to porting it back.

I'd really prefer we focused on getting 2.1 out, as you said, rather  
than allow another excuse not to.
>
>> What's left before this is releasable as part of 2.1.x?
> Just some manual testing and docs updates for the site when it's  
> ready.

In the meantime, can someone please release the dependency so that we  
can move forward with the next milestone release? I think it's ready  
to go.

- Brett

--
Brett Porter
brett@apache.org
http://blogs.exist.com/bporter/




RE: password encryption in 2.1.x trunk

Posted by "Brian E. Fox" <br...@reply.infinity.nu>.
>Any reason not to use a new field in settings.xml? I think 2.1.x can  
>be capable of updating the model version.

Why introduce a bunch of new work for this? Also, we wanted to make it
work in 2.0.x if possible. Since it's completely optional to use, there
should be little downside risk to porting it back.


>What's left before this is releasable as part of 2.1.x?
Just some manual testing and docs updates for the site when it's ready.




Re: password encryption in 2.1.x trunk

Posted by Brett Porter <br...@apache.org>.
On 28/01/2009, at 5:48 AM, Oleg Gusakov wrote:

> After a long and interesting discussion last August 
> (http://docs.codehaus.org/display/MAVEN/Secured+Passwords) and several 
> meetings with users, I felt it's overdue to do the actual implementation.
>
> I massaged my old, vintage 2007 code and put it into 2.1.x trunk.

Great! Been much anticipated :)

> * user encrypts a master password with CLI and stores it in ~/.m2/sec.xml
> ** there is an option to store it on a removable drive and reference  
> that from ~/.m2/sec.xml

Any reason not to use a new field in settings.xml? I think 2.1.x can  
be capable of updating the model version.

>
> * user encrypts server password with CLI and stores it in settings.xml
> * Maven decrypts the password in memory and everything works like it  
> was before
> ** help:effective-settings (tested) and other tools (did not test  
> though) still show encrypted passwords

Sounds good. BTW, how is the encryption key configured?

What's left before this is releasable as part of 2.1.x?

Cheers,
Brett

--
Brett Porter
brett@apache.org
http://blogs.exist.com/bporter/