Hi Peter,
there are several issues related to this, just filter in JIRA on the
component Settings[1]
One of the issues I like is MNG-5265[2] which explains that id is not
secure enough, a simple typo might lead to leaking your credentials to the
wrong party.
So the solution is probably not in the pom.xml; I expect it to be in the
settings.xml
thanks,
Robert
[1] https://issues.apache.org/jira/browse/MNG-5265?jql=project%20%3D%20MNG%20AND%20component%20%3D%20Settings%20AND%20status%20%3D%20Open%20ORDER%20BY%20priority%20DESC
[2] https://issues.apache.org/jira/browse/MNG-5265
On Thu, 09 Jun 2016 00:01:54 +0200, Peter Hansson wrote:
Hello
I've been looking at improving the way certain plugins (scm, release,
etc) look up credentials from a <server> in settings.xml in order to find
the credentials to use for a given endpoint.
The current method - largely undocumented - is that the hostname from
the endpoint's URL must match the server id from settings.xml. There's
optional support for port number as well in the case where e.g. multiple
SCMs are running on the same endpoint. The actual code to do the
matching between the server-id and the URL is scattered - and worse -
replicated in several projects. For example it exists in the scm plugin
but also in the release plugin.
There are a number of use cases that are currently unsupported:
1. Running several *different* flavours of SCMs on the same host. Say
you have a host called "repohost" which is both an SVN and a Git host.
Ok, not very likely, but alas not something possible today.
2. Using different credentials *within* the same SCM endpoint. Now this
is much worse. Just think of sites like GitHub and Bitbucket. It is
certainly not uncommon for the same developer to have several identities
on those sites.
There are probably more cases out there that won't work today.
I was about to contribute some code that could fix the problem by
allowing to match to a server-id on many more elements of the URL than
just hostname and port but would require changes to all SCM providers as
they would have to implement at least one new method.
However, it now dawns on me that by far the best solution would be to
allow a new optional element in the <scm> section of the POM, namely
<serverId>. If present this will then be used to match a server-id from
settings.xml. If not present the existing matching method (based on
hostname and optionally the port) would prevail. This would be a much
cleaner approach than allowing to match on elements of the URL ... and
also a lot easier to explain to the Maven user. I can see from source
code comments that certainly this thought has existed in the mind of
some developer years ago but for some reason never carried out.
Any comments on this? Would you support the idea of a new optional
element, <serverId>, within the <scm> section?
Cheers
Peter
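The lookup discussed in this thread, as an added example that is not part of either message and is not Maven's own code: the host (and optional port) match described above, plus the proposed `<serverId>` override. The class, record and sample server ids are hypothetical, and both the precedence of `host:port` over `host` and the choice not to fall back to host matching when an explicit id is given are assumptions of this sketch.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

public class ServerIdLookup {
    // Hypothetical stand-in for one <server> entry in settings.xml.
    record Server(String id, String username) {}

    // explicitServerId models the proposed (not existing) <scm><serverId>
    // element; null means the element is absent from the POM.
    static Optional<Server> resolve(Map<String, Server> servers, URI endpoint,
                                    String explicitServerId) {
        if (explicitServerId != null) {
            // Assumption: only the named id is consulted, so a mistyped id
            // yields no credentials rather than a host-derived match.
            return Optional.ofNullable(servers.get(explicitServerId));
        }
        String host = endpoint.getHost();
        if (host == null) {
            return Optional.empty();
        }
        if (endpoint.getPort() > 0) {
            // Assumption: the more specific "host:port" id is tried first.
            Server s = servers.get(host + ":" + endpoint.getPort());
            if (s != null) {
                return Optional.of(s);
            }
        }
        return Optional.ofNullable(servers.get(host));
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from any real settings.xml.
        Map<String, Server> servers = new LinkedHashMap<>();
        for (Server s : List.of(new Server("repohost", "svn-user"),
                                new Server("repohost:8443", "git-user"),
                                new Server("github-work", "work-identity"))) {
            servers.put(s.id(), s);
        }
        URI svn = URI.create("https://repohost/svn/project");
        URI git = URI.create("https://repohost:8443/project.git");
        URI hub = URI.create("https://github.com/acme/app.git");
        System.out.println(resolve(servers, svn, null));          // host match
        System.out.println(resolve(servers, git, null));          // host:port match
        System.out.println(resolve(servers, hub, null));          // no server id equals the host
        System.out.println(resolve(servers, hub, "github-work")); // explicit id
        System.out.println(resolve(servers, hub, "github-wrok")); // mistyped id
    }
}
```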