Maven 2.x Release Plugin

Don't store the scm password in plaintext in release.properties

Details

  • Type: Improvement Improvement
  • Status: Closed Closed
  • Priority: Minor Minor
  • Resolution: Duplicate
  • Affects Version/s: None
  • Fix Version/s: None
  • Component/s: scm
  • Labels:
    None
  • Number of attachments :
    0

Description

The scm password is stored in plaintext in release.properties file. I think it would be safe not to save it there, then always prompt the user for the password every time.

Issue Links

is depended upon by

Improvement - An improvement or enhancement to an existing feature or task. CONTINUUM-2202 Do not show subversion password in plain text

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.
is related to

New Feature - A new feature of the product, which has yet to be developed. MRELEASE-648 Putting SVN password in settings.xml doesn't support password encryption

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Improvement - An improvement or enhancement to an existing feature or task. CONTINUUM-1741 release.properties file containing scm credentials in plain text is visible through the Web UI

  • Minor - Minor loss of function, or other problem where easy workaround is present.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.
is superceded by

Improvement - An improvement or enhancement to an existing feature or task. MRELEASE-420 Prepare and Perform should use profile server settings

  • Critical - Crashes, loss of data, severe memory leak.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.
relates to

Improvement - An improvement or enhancement to an existing feature or task. MRELEASE-341 support release process that use a staging repository

  • Major - Major loss of function.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Wendy Smoak added a comment -

This can be a major issue in corporate environments with strict security rules.

In a single sign-on environment, exposing a password in plain text may compromise not only the source code repository, but all other systems the user has access to.

Show
Wendy Smoak added a comment - This can be a major issue in corporate environments with strict security rules. In a single sign-on environment, exposing a password in plain text may compromise not only the source code repository, but all other systems the user has access to.
Hide
Permalink
Benjamin Bentmann added a comment -

Not sure since when but recent versions of the plugin support to read the credentials from the settings.xml, using the host name part of the SCM URL as the id to locate a <server> entry. AFAICT, this approach doesn't leak the passwords into the release.properties.

Show
Benjamin Bentmann added a comment - Not sure since when but recent versions of the plugin support to read the credentials from the settings.xml , using the host name part of the SCM URL as the id to locate a <server> entry. AFAICT, this approach doesn't leak the passwords into the release.properties .
Hide
Permalink
Brett Porter added a comment -

closed due to superceding issue

Show
Brett Porter added a comment - closed due to superceding issue

People

  • Assignee:
    Brett Porter
    Reporter:
    Nap Ramirez
Vote (1)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved: