Posted to issues@maven.apache.org by "Ed Randall (Jira)" <ji...@apache.org> on 2020/01/22 11:46:00 UTC

[jira] [Commented] (MNG-5438) cli parameter to use a custom path settings-security.xml

    [ https://issues.apache.org/jira/browse/MNG-5438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17020981#comment-17020981 ] 

Ed Randall commented on MNG-5438:
---------------------------------

MNG-4853 already gave us -Dsettings.security=path/to/security-settings.xml, so any security breach is already present.
The system actually becomes less secure if we are forced to keep settings.xml and security-settings.xml in the same directory. We would like the ability to keep them separate in different locations so the permissions on security-settings.xml can be locked down rather more tightly (accessible by CI user only).
This would allow developers to be allowed to view settings.xml whilst storing security-settings.xml safely out of the way.
Even then, anyone wanting to see the passwords in the clear can always run this job on the CI system:

    mvn help:effective-settings -DshowPasswords=true


> cli parameter to use a custom path settings-security.xml
> --------------------------------------------------------
>
>                 Key: MNG-5438
>                 URL: https://issues.apache.org/jira/browse/MNG-5438
>             Project: Maven
>          Issue Type: New Feature
>          Components: Command Line
>    Affects Versions: 3.0.4, 3.0.5
>            Reporter: Sarah Haselbauer
>            Priority: Major
>             Fix For: 3.7.0-candidate, 3.x / Backlog
>
>         Attachments: MNG-5438-maven-embedder.patch, apache-maven-3.0.4-ssec-bin.tar.gz, apache-maven-3.0.4-ssec-bin.zip, maven-3.0.4-0001-added-ssec-as-cli-param-so-that-you-have-the-same-fl.patch, maven-latest-0001-added-ssec-as-cli-param-so-that-you-have-the-same-fl.patch
>
>
> added -ssec as cli param, so that you have the same flexibility to place your settings-security.xml as you have to point to a custom settings.xml file
> mvn -s /path/to/my/custom/settings.xml -ssec /path/to/my/custom/settings-security.xml
> I attached two patches: one that can be run on the maven-3.0.4 tag and one that can be run on trunk (latest code state of today).
> I also attached a maven-3.0.4-bin.zip (linux) so you can quickly try out the feature and test it yourself.
> If you like the idea, I would welcome having this feature merged into one of the next releases. I need it to write a puppet-maven module that allows downloading artifacts from maven repositories with encrypted passwords in the puppet recipe.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
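
The separation asked for in the comment above (settings.xml readable by developers, the security file readable by the CI user only) can be audited on a build host. This is an added example, not part of the original message or of Maven; the function names and the paths passed in are hypothetical, and it assumes a POSIX shell with the standard `ls`, `cut` and `dirname` utilities.

```shell
#!/bin/sh
# Added example: audit the placement and permissions of settings-security.xml.
# Function names and the paths passed in are hypothetical.

# Print the group/other permission characters of a path, e.g. "------".
group_other_bits() {
    ls -ld -- "$1" | cut -c5-10
}

# check_security_file SETTINGS SECURITY
# 0 = separated and locked down, 1 = policy violation, 2 = file unusable.
check_security_file() {
    settings=$1
    security=$2
    rc=0
    if [ -L "$security" ] || [ ! -f "$security" ]; then
        echo "FAIL: $security is a symlink or not a regular file" >&2
        return 2
    fi
    # Resolve both parent directories physically so symlinked dirs compare equal.
    sdir=$(cd "$(dirname -- "$settings")" 2>/dev/null && pwd -P)
    kdir=$(cd "$(dirname -- "$security")" && pwd -P)
    if [ "$sdir" = "$kdir" ]; then
        echo "FAIL: settings and security file share $kdir" >&2
        rc=1
    fi
    # No group or other access at all on the file holding the master password.
    if [ "$(group_other_bits "$security")" != "------" ]; then
        echo "FAIL: $security is accessible beyond its owner" >&2
        rc=1
    fi
    # A group/other-writable directory lets someone else swap the file.
    case $(group_other_bits "$kdir") in
        ?w????|????w?)
            echo "FAIL: $kdir is writable by group or other" >&2
            rc=1 ;;
    esac
    return $rc
}

# Usage: sh check.sh /path/to/settings.xml /path/to/settings-security.xml
if [ "$#" -eq 2 ]; then
    check_security_file "$1" "$2"
fi
```

File permissions only restrict who can read the file directly; as the comment notes, a job run as the CI user can still display the passwords.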