Posted to dev@maven.apache.org by "J. Michael McGarr (JIRA)" <ji...@codehaus.org> on 2005/07/06 15:36:14 UTC

[jira] Created: (MNG-553) Secure Storage of Server Passwords

Secure Storage of Server Passwords
----------------------------------

         Key: MNG-553
         URL: http://jira.codehaus.org/browse/MNG-553
     Project: Maven 2
        Type: Improvement
    Versions: 2.0-alpha-3    
 Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
    Reporter: J. Michael McGarr


This was a question posed to the Maven User's Group and it was suggested I add it here.

It would be beneficial to provide a more secure means of storing passwords to the servers listed in the .m2/settings.xml.  They are currently being stored as plain text and could definitely be considered a security breach.  Numerous organizations would undoubtedly consider this an unacceptable security risk, and this could prevent widespread adoption of Maven2.

I would suggest leaving an option to encrypt the password into the settings file (more secure, but not foolproof) or even requiring the password to be manually provided per build (would prevent automation of builds).  I am sure that there is a secure solution to this problem and it should be part of the 2.0 release.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org


[jira] Updated: (MNG-553) Secure Storage of Server Passwords

Posted by "Jason van Zyl (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-553?page=all ]

Jason van Zyl updated MNG-553:
------------------------------


    Fix Version: 2.0-beta-1

I'm just putting this in the queue to be dealt with. I'm not sure if we'll be able to get to this for beta-1, but security is a real concern even though we are pushing just to flesh out core features at the moment.

> Secure Storage of Server Passwords
> ----------------------------------
>
>          Key: MNG-553
>          URL: http://jira.codehaus.org/browse/MNG-553
>      Project: Maven 2
>         Type: Improvement
>     Versions: 2.0-alpha-3
>  Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
>     Reporter: J. Michael McGarr
>      Fix For: 2.0-beta-1




[jira] Updated: (MNG-553) Secure Storage of Server Passwords

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-553?page=all ]

Brett Porter updated MNG-553:
-----------------------------

    Fix Version:     (was: 2.0-beta-1)
                 2.0-beta-2

There's a good chance this might miss 2.0 but is a certainty for 2.1. Still holding onto it for the next beta (it won't change existing behaviour), so we'll see how we go.

> Secure Storage of Server Passwords
> ----------------------------------
>
>          Key: MNG-553
>          URL: http://jira.codehaus.org/browse/MNG-553
>      Project: Maven 2
>         Type: Improvement
>     Versions: 2.0-alpha-3
>  Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
>     Reporter: J. Michael McGarr
>     Priority: Critical
>      Fix For: 2.0-beta-2




[jira] Commented: (MNG-553) Secure Storage of Server Passwords

Posted by "Thomas Van de Velde (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-553?page=comments#action_59243 ] 

Thomas Van de Velde commented on MNG-553:
-----------------------------------------

Same here.  This is a major security issue and blocks wide adoption of Maven in our organization.  A minor priority seems completely inappropriate here, at least if you want to use Maven at an enterprise level.

> Secure Storage of Server Passwords
> ----------------------------------
>
>          Key: MNG-553
>          URL: http://jira.codehaus.org/browse/MNG-553
>      Project: Maven 2
>         Type: Improvement
>     Versions: 2.0-alpha-3
>  Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
>     Reporter: J. Michael McGarr
>     Priority: Minor
>      Fix For: 2.1




[jira] Commented: (MNG-553) Secure Storage of Server Passwords

Posted by "Fabrice BELLINGARD (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-553?page=comments#action_55698 ] 

Fabrice BELLINGARD commented on MNG-553:
----------------------------------------

I just want to mention that this issue looks more than just minor (at least to me! :)). 
Indeed, I want to spread Maven 2 all over my company (thousands of developers), but the fact that it is not possible to encrypt passwords in Maven (at least in the settings.xml file for the proxy parameters) does not encourage security managers to allow me to do so... 
I've already talked a lot about Maven 2, and lots of developers are willing to use it. But I won't be able to distribute Maven in my company unless this issue is resolved. That's why I find that this issue is at least Major, and I will hardly be able to wait till 2.1 (looking at the bug list to fix before releasing it)...

> Secure Storage of Server Passwords
> ----------------------------------
>
>          Key: MNG-553
>          URL: http://jira.codehaus.org/browse/MNG-553
>      Project: Maven 2
>         Type: Improvement
>     Versions: 2.0-alpha-3
>  Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
>     Reporter: J. Michael McGarr
>     Priority: Minor
>      Fix For: 2.1




[jira] Commented: (MNG-553) Secure Storage of Server Passwords

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-553?page=comments#action_59258 ] 

Brett Porter commented on MNG-553:
----------------------------------

Thanks. Specifically I was addressing Thomas' comment "blocks wide adoption of Maven". Presumably the solution they already have in place handles this otherwise it wouldn't block adoption - I'm wondering what that is. Unless everything is shipped around by hand / via the SCM?

> Secure Storage of Server Passwords
> ----------------------------------
>
>          Key: MNG-553
>          URL: http://jira.codehaus.org/browse/MNG-553
>      Project: Maven 2
>         Type: Improvement
>     Versions: 2.0-alpha-3
>  Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
>     Reporter: J. Michael McGarr
>     Priority: Minor
>      Fix For: 2.1




[jira] Commented: (MNG-553) Secure Storage of Server Passwords

Posted by "Steve Loughran (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-553?page=comments#action_45269 ] 

Steve Loughran commented on MNG-553:
------------------------------------

It is effectively impossible to secure passwords *and* have a fully automated build, because, even if encrypted, the key to decrypt will still be needed.

Prompted input suffers from (a) the need to have a human in the build and (b) the fact there is no way to turn off echoed chars from the command line.

If you do want to keep keys and stuff safe:
 - put them in a directory with locked down permissions
 - consider an encrypted filesystem
 - consider an external storage (USB filesys)
 - use the TPM of the laptop to secure a bit of your hdd

I use the latter and have to deal with the relevant device drivers asking for a password whenever I first try and access the data after a boot/resume. 

Trying to secure passwords in java is a very hard and unreliable process (think: where is your app swapped out to; what if the system hibernated during a run...). At least having blatantly insecure passwords stops people getting overconfident...

> Secure Storage of Server Passwords
> ----------------------------------
>
>          Key: MNG-553
>          URL: http://jira.codehaus.org/browse/MNG-553
>      Project: Maven 2
>         Type: Improvement
>     Versions: 2.0-alpha-3
>  Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
>     Reporter: J. Michael McGarr
>     Priority: Critical
>      Fix For: 2.0-beta-2




[jira] Commented: (MNG-553) Secure Storage of Server Passwords

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-553?page=comments#action_59253 ] 

Brett Porter commented on MNG-553:
----------------------------------

How do you work around this in the build systems of those areas that have not adopted Maven?

> Secure Storage of Server Passwords
> ----------------------------------
>
>          Key: MNG-553
>          URL: http://jira.codehaus.org/browse/MNG-553
>      Project: Maven 2
>         Type: Improvement
>     Versions: 2.0-alpha-3
>  Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
>     Reporter: J. Michael McGarr
>     Priority: Minor
>      Fix For: 2.1




[jira] Updated: (MNG-553) Secure Storage of Server Passwords

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-553?page=all ]

Brett Porter updated MNG-553:
-----------------------------

      Priority: Critical  (was: Minor)
    Complexity: Expert

Upgrading priority for 2.1 release.

> Secure Storage of Server Passwords
> ----------------------------------
>
>          Key: MNG-553
>          URL: http://jira.codehaus.org/browse/MNG-553
>      Project: Maven 2
>         Type: Improvement
>     Versions: 2.0-alpha-3
>  Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
>     Reporter: J. Michael McGarr
>     Priority: Critical
>      Fix For: 2.1




[jira] Updated: (MNG-553) Secure Storage of Server Passwords

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-553?page=all ]

Brett Porter updated MNG-553:
-----------------------------

    Fix Version:     (was: 2.0-beta-3)
                 2.1

> Secure Storage of Server Passwords
> ----------------------------------
>
>          Key: MNG-553
>          URL: http://jira.codehaus.org/browse/MNG-553
>      Project: Maven 2
>         Type: Improvement
>     Versions: 2.0-alpha-3
>  Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
>     Reporter: J. Michael McGarr
>     Priority: Minor
>      Fix For: 2.1




[jira] Commented: (MNG-553) Secure Storage of Server Passwords

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-553?page=comments#action_43556 ] 

Brett Porter commented on MNG-553:
----------------------------------

Here is the first cut I took a few months back. I was still deliberating on the API.

http://cvs.plexus.codehaus.org/trunk/plexus-sandbox/plexus-components/plexus-password-store/src/main/java/org/codehaus/plexus/components/password/JksPasswordStore.java?rev=1487&view=markup

> Secure Storage of Server Passwords
> ----------------------------------
>
>          Key: MNG-553
>          URL: http://jira.codehaus.org/browse/MNG-553
>      Project: Maven 2
>         Type: Improvement
>     Versions: 2.0-alpha-3
>  Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
>     Reporter: J. Michael McGarr
>     Priority: Critical
>      Fix For: 2.0-beta-1




[jira] Commented: (MNG-553) Secure Storage of Server Passwords

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-553?page=comments#action_60054 ] 

Brett Porter commented on MNG-553:
----------------------------------

Something to investigate for implementation of this:
- how exactly do apps like svn cache and store it. I assume that while it's not perfect, the addition of home directory security + some mild encryption helps.
- utilise the plexus-interaction jline lib for password entry, to have first time entry on the command line

We should probably recommend that deployment only be done from well secured servers by restricted users, and have this mostly as a download option.


> Secure Storage of Server Passwords
> ----------------------------------
>
>          Key: MNG-553
>          URL: http://jira.codehaus.org/browse/MNG-553
>      Project: Maven 2
>         Type: Improvement
>     Versions: 2.0-alpha-3
>  Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
>     Reporter: J. Michael McGarr
>     Priority: Critical
>      Fix For: 2.1


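The keystore-backed store Brett links above and the "encrypt the password instead of keeping it in settings.xml" idea in this issue, as an added Java illustration that is not the plexus-password-store code nor anything from the Maven project: each settings.xml server id becomes an alias in a JCEKS keystore sealed with one master password, and that master password is still the secret that must come from a no-echo prompt or a locked-down file, which is the automated-build trade-off Steve describes. The class and method names, the server id and both passwords are constructed assumptions; the prompt uses java.io.Console.readPassword, available since Java 6.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.Console;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/** Constructed illustration (not plexus-password-store): one alias per
 *  settings.xml server id, the whole file sealed with a master password. */
public final class KeystorePasswordStore {
    // JKS cannot hold SecretKeyEntry objects, so JCEKS is used
    // ("PKCS12" also works on current JDKs).
    private static final String STORE_TYPE = "JCEKS";
    // SecretKeySpec needs an algorithm name; the bytes are a password,
    // not a cipher key, so the name is only a label here.
    private static final String LABEL = "AES";

    private final KeyStore store;
    private final KeyStore.PasswordProtection protection;

    private KeystorePasswordStore(KeyStore store, char[] master) {
        this.store = store;
        this.protection = new KeyStore.PasswordProtection(master);
    }

    /** A new, empty store sealed with the given master password. */
    public static KeystorePasswordStore create(char[] master)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        ks.load(null, null);
        return new KeystorePasswordStore(ks, master);
    }

    /** Opens a saved store; a wrong master password fails the integrity check. */
    public static KeystorePasswordStore open(byte[] bytes, char[] master)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        ks.load(new ByteArrayInputStream(bytes), master);
        return new KeystorePasswordStore(ks, master);
    }

    public void put(String serverId, char[] password) throws GeneralSecurityException {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] raw = new byte[encoded.remaining()];
        encoded.get(raw);
        SecretKey entry = new SecretKeySpec(raw, LABEL);
        store.setEntry(serverId, new KeyStore.SecretKeyEntry(entry), protection);
        Arrays.fill(raw, (byte) 0); // the keystore keeps its own copy
    }

    /** Password for a settings.xml server id, or null if none is stored. */
    public char[] get(String serverId) throws GeneralSecurityException {
        KeyStore.Entry e = store.getEntry(serverId, protection);
        if (!(e instanceof KeyStore.SecretKeyEntry)) {
            return null;
        }
        byte[] raw = ((KeyStore.SecretKeyEntry) e).getSecretKey().getEncoded();
        CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
        char[] out = new char[decoded.remaining()];
        decoded.get(out);
        return out;
    }

    /** Serialized form; this is what would live on disk instead of <password>. */
    public byte[] save() throws GeneralSecurityException, IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        store.store(out, protection.getPassword());
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // The master password is the one secret that still has to come from
        // somewhere: a no-echo prompt when a person is present, otherwise a
        // file under locked-down permissions (the automated-build trade-off).
        Console console = System.console();
        char[] master = console != null
                ? console.readPassword("Master password: ")
                : "demo-master".toCharArray(); // constructed fallback for non-interactive runs
        KeystorePasswordStore s = create(master);
        s.put("internal-repo", "s3cret".toCharArray()); // constructed server id and password
        byte[] onDisk = s.save();
        char[] back = open(onDisk, master).get("internal-repo");
        System.out.println("round trip ok: " + Arrays.equals(back, "s3cret".toCharArray()));
        try {
            open(onDisk, "wrong".toCharArray());
        } catch (IOException expected) {
            System.out.println("wrong master password rejected: " + expected.getMessage());
        }
    }
}
```

The store file still deserves the directory permissions Steve lists, since anyone who can read it and obtain the master password recovers every server password in it.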


[jira] Commented: (MNG-553) Secure Storage of Server Passwords

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-553?page=comments#action_45319 ] 

Brett Porter commented on MNG-553:
----------------------------------

Thanks Steve. You're absolutely correct and that will make a great start to a doc explaining it :)

> Secure Storage of Server Passwords
> ----------------------------------
>
>          Key: MNG-553
>          URL: http://jira.codehaus.org/browse/MNG-553
>      Project: Maven 2
>         Type: Improvement
>     Versions: 2.0-alpha-3
>  Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
>     Reporter: J. Michael McGarr
>     Priority: Critical
>      Fix For: 2.0-beta-2




[jira] Commented: (MNG-553) Secure Storage of Server Passwords

Posted by "J. Michael McGarr (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-553?page=comments#action_59255 ] 

J. Michael McGarr commented on MNG-553:
---------------------------------------

Currently, our organization's workaround involves the use of public/private key authentication.  This requires, however, that the Maven repository reside on a machine that is accessible via SSH and SCP protocols (specifically we are using SCPEXE and forcing developers to download and install PuTTY/Pageant).

Ideally, we would have liked to make the Maven Repository HTTP accessible to our developers, but clear text passwords in a configuration file would not pass any of our security audits.

> Secure Storage of Server Passwords
> ----------------------------------
>
>          Key: MNG-553
>          URL: http://jira.codehaus.org/browse/MNG-553
>      Project: Maven 2
>         Type: Improvement
>     Versions: 2.0-alpha-3
>  Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
>     Reporter: J. Michael McGarr
>     Priority: Minor
>      Fix For: 2.1




[jira] Updated: (MNG-553) Secure Storage of Server Passwords

Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/MNG-553?page=all ]

Brett Porter updated MNG-553:
-----------------------------

    Priority: Critical  (was: Major)

> Secure Storage of Server Passwords
> ----------------------------------
>
>          Key: MNG-553
>          URL: http://jira.codehaus.org/browse/MNG-553
>      Project: Maven 2
>         Type: Improvement
>     Versions: 2.0-alpha-3
>  Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
>     Reporter: J. Michael McGarr
>     Priority: Critical
>      Fix For: 2.0-beta-1



[jira] Commented: (MNG-553) Secure Storage of Server Passwords

Posted by "Emmanuel Venisse (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/MNG-553?page=comments#action_59256 ] 

Emmanuel Venisse commented on MNG-553:
--------------------------------------

If it's an internal repository, why do you need login/password?

> Secure Storage of Server Passwords
> ----------------------------------
>
>          Key: MNG-553
>          URL: http://jira.codehaus.org/browse/MNG-553
>      Project: Maven 2
>         Type: Improvement
>     Versions: 2.0-alpha-3
>  Environment: Although it may not be relevant since this is a general improvement issue, Windows XP, JDK 1.4.1.
>     Reporter: J. Michael McGarr
>     Priority: Minor
>      Fix For: 2.1

