From issues-return-86810-apmail-maven-issues-archive=maven.apache.org@maven.apache.org Wed Sep 4 21:42:18 2013 Return-Path: X-Original-To: apmail-maven-issues-archive@minotaur.apache.org Delivered-To: apmail-maven-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 1D86C10F40 for ; Wed, 4 Sep 2013 21:42:18 +0000 (UTC) Received: (qmail 25526 invoked by uid 500); 4 Sep 2013 21:42:18 -0000 Delivered-To: apmail-maven-issues-archive@maven.apache.org Received: (qmail 25407 invoked by uid 500); 4 Sep 2013 21:42:17 -0000 Mailing-List: contact issues-help@maven.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@maven.apache.org Delivered-To: mailing list issues@maven.apache.org Received: (qmail 25399 invoked by uid 99); 4 Sep 2013 21:42:17 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 04 Sep 2013 21:42:17 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: local policy) Received: from [199.193.192.100] (HELO codehaus01.managed.contegix.com) (199.193.192.100) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 04 Sep 2013 21:42:13 +0000 Received: from codehaus01 (localhost.localdomain [127.0.0.1]) by codehaus01.managed.contegix.com (Postfix) with ESMTP id D3B22B10B1 for ; Wed, 4 Sep 2013 16:41:52 -0500 (CDT) Date: Wed, 4 Sep 2013 16:41:52 -0500 (CDT) From: "Robert Scholte (JIRA)" To: issues@maven.apache.org Message-ID: In-Reply-To: References: Subject: [jira] (MRELEASE-846) m2 release plugin exposes SCM password in release.properties file MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 22cf62d5d84cf5bea94eb3b65e0ebd09 X-Virus-Checked: Checked by ClamAV on apache.org [ https://jira.codehaus.org/browse/MRELEASE-846?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=332370#comment-332370 ] Robert Scholte commented on MRELEASE-846: ----------------------------------------- I would expect that this is possible if the Jenkins instance has a [master-password|http://maven.apache.org/guides/mini/guide-encryption.html#How_to_create_a_master_password]. This plugin still needs to implement the encryption/decryption methods, but that's not too hard. I even think this should always be done if there's a master-password. > m2 release plugin exposes SCM password in release.properties file > ----------------------------------------------------------------- > > Key: MRELEASE-846 > URL: https://jira.codehaus.org/browse/MRELEASE-846 > Project: Maven Release Plugin > Issue Type: Bug > Reporter: Mark Maun > > When executing a maven release build using the m2 release plugin in Jenkins a release.properties file is created in the workspace that has the SCM user/password credentials in plain text. In our jenkins instance this is a problem since we have multiple users with access to release the same job. The release.properties is removed after the release build is successful. If the release build fails the release.properties stays in the workspace until it's manually deleted. This allows other users to see SCM passwords in our organization if they view the workspace during a release build or after one fails. > 4 > If anyone has viable workarounds/solutions we can use in the meantime that would also be appreciated. > Note I have a ticket open with Jenkins dev but they deferred me here: > https://issues.jenkins-ci.org/browse/JENKINS-19416 -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira