[MGPG-137] Un-deprecate passphraseServerId

[jira-importer]

Lenny Primak opened MGPG-137 and commented

IMHO this parameter has been deprecated in error.

It is used to referenced the "server" field in settings.xml, where passphrases are stored in an encrypted fashion. This is actually safer than setting clear-text passwords in environment variables in practice.

---

Affects: 3.2.5

Issue Links:

• MGPG-105 Stop propagating bad practices; but allow for "compat mode"

[jira-importer]

Michael Osipov commented

What exactly do you consider as safer? Tamas Cservenak

[jira-importer]

Tamas Cservenak commented

Is not safer at all, "encryption" is really just obfuscation by obscurity, moreover, that "encryption" is even broken (as can be seen from plexus-cipher changes).

[jira-importer]

Lenny Primak commented

So why not fix encryption? Nowhere in the public documentation does it say that it doesn't work or broken.

[jira-importer]

Tamas Cservenak commented

Coz it is fundamentally broken.
See https://cwiki.apache.org/confluence/display/MAVEN/Handling+sensitive+data+in+Maven

[jira-importer]

Michael Osipov commented

Tamas Cservenak, we should deprecate Plexus Cipher or reduce the amount of feature in the midrun.

[jira-importer]

Lenny Primak commented

Ok, I can't seem to close this by myself.

Feel free to close it.

[jira-importer]

Tamas Cservenak commented

Just to clear up: in case of CI runs, the environment variable is recommended as source of sensitive "passphrase". While in case of dev workstation runs use of gpg-agent is best practice and recommended.

In any case, no sensitive data like passphrase should (or is even needed) to be stored in settings.xml or POM properties, never ever.

[jira-importer]

Tamas Cservenak commented

BC signer was basically added for CI use case, to solve the misery of signing (skip things like installation of gpg, then you need to add key to it, make passphrase in settings/properties, yada yada). BC does super simple "headless" signing (supply the signing key and passphrase as env variables! So both may be "secrets" in case of GH).

On the other hand, on dev workstations (like when we release ASF projects), signing should use existing GPG environment of user, that includes working GPG Agent as well, and Agent will be used to ask user for passphrase, in a secure manner. Again, no need to save to disk anything in this use case.

[jira-importer]

Tamas Cservenak commented

Moreover, I think we should stop supporting ancient GPG versions (2.0 or older), and just move to latest stable like 2.2+ is? Unsure what platforms like "super stable" debian or BSD offers today.