ant-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Roger Vaughn <>
Subject Re: FTP & JSPC
Date Tue, 01 Aug 2000 14:25:33 GMT
Thanks for the comments.  Part of my goal in developing builds is that they must
be fully automatable.  I'm opposed to pop-up dialogs or even interactive
command-line for that reason.  (The Microsoft signcode tool *really* bugs me for
this reason - it pops up a dialog for passwords.)  The environment variable
solution you suggest is slightly better - but in an automated environment just
moves the problem to a script file.

Perhaps we need a password storage utility similar to way cvs login handles things
- encoding the passwords in a private file.  These could be read by Ant using a
standard mechanism - perhaps a new task to read a password and store it in a
property, or maybe a method in Task to read a password, so tasks that need them
can access them internally.  Then the tag for a task would only need to include
some sort of key for the password, rather than the password itself.

I think I might just take a whack at this latter method after all.  The
property-based suggestion still suffers a flaw in that the property list might get
dumped with passwords in it.

Roger Vaughn

Peter Donald wrote:

> At 09:35  1/8/00 -0400, you wrote:
> >I put together an ftpput task some weeks ago using NetComponents from
> OROInc.  I
> >have attached it for your use.
> >
> >Use it like this:
> >
> >  <ftpput localname="filename" remotename="filename" server="ftp.server"
> >userid="me" password="mypass" binary="yes|no"/>
> >
> >"binary" is the only optional parameter and defaults to yes.  I know the
> >clear-text password is a huge security hole, but this was a quick job - and I
> >only use restricted accounts in the context anyway.  If anyone can suggest a
> >simple, secure way to do this, I'm all ears.
> well there is already one in the project that has same properties (SignJar)
> but another was knocked back for inclusion because it did just that
> (GenerateKey). FWIW I have been keeping passwords in an environment
> variable and then accessing that from build.xml. I forced people to set
> variable through a script I generated and they have to do it every shell
> they want toi use to do building. This means that the password doesn't
> appear on commandline (and thus cmd line history and all other things this
> entails) or in build.xml. Not perfect but a little better. I contemplated
> popping up a GUI to grab it but thought the idea would annoy me too much
> and the other option of using stdin to read it was unavailable as ant pumps
> output/input of tasks that I was using. It also presents it in plain text
> on terminal (feature of java stdin).
> Cheers,
> Pete
> *------------------------------------------------------*
> | "Nearly all men can stand adversity, but if you want |
> | to test a man's character, give him power."          |
> |       -Abraham Lincoln                               |
> *------------------------------------------------------*

View raw message