Password encryption at plugin. (Request for comment)


Kazuhide Takahashi

May 13, 2019, 9:21:58 PM
to Jenkins Developers
Hi, everyone.

I maintain the Jenkins Xcode Integration Plugin, and in this plugin I found a bug where passwords were stored in plain text in various configuration files.
So I reviewed the handling of the authentication-related information in this plugin and modified it to be handled using the "Credentials Plugin" instead of the plugin's own settings.
I proposed adopting this correction, but if the authentication-related information is handled using the "Credentials Plugin", that information becomes accessible to other plugins and scripts (via withCredentials), and so on.
That is why other people hold the opposite opinion.
In this case, how do you think it would be better to fix it? (Or how can I maintain compatibility?)
And how should we resolve the concern that integrating with the "Credentials Plugin" would make the authentication information easily accessible from other plugins and scripts?
For the time being, I have submitted a proposal for storing passwords encrypted in the plugin's own settings as before, but Jenkins' official documents seem to recommend using the "Credentials Plugin".
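The two approaches discussed above side by side, as an added example that is not code from the Xcode Integration Plugin or from the thread's author. The class name, field names and the `ExampleSigningConfig` type are hypothetical; the `hudson.util.Secret` and `com.cloudbees.plugins.credentials` APIs are the real Jenkins core and Credentials Plugin ones.

```java
// Added example (not the plugin's own code). It contrasts a plaintext String
// field, a plugin-local Secret field, and a lookup through the Credentials Plugin.
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.Secret;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import java.util.Collections;
import org.kohsuke.stapler.DataBoundConstructor;

/** Hypothetical configuration object; the real plugin's class differs. */
public class ExampleSigningConfig {

    // The bug described in the thread: a plain String field is written to
    // config.xml / job config as clear text by XStream.
    // private String keychainPassword;

    // Plugin-local fix: Secret is serialized encrypted with the instance's
    // master key and only decrypted when getPlainText()/toString(Secret) is called.
    private final Secret keychainPassword;

    // Credentials Plugin fix: the config holds only an id; the secret itself
    // lives in the central store, where it can be rotated, scoped and audited.
    private final String credentialsId;

    @DataBoundConstructor
    public ExampleSigningConfig(Secret keychainPassword, String credentialsId) {
        this.keychainPassword = keychainPassword;
        this.credentialsId = credentialsId;
    }

    public Secret getKeychainPassword() { return keychainPassword; }

    public String getCredentialsId() { return credentialsId; }

    /** Decrypts only at the point of use; the return value must never be logged. */
    public String keychainPasswordPlainText() {
        return Secret.toString(keychainPassword);
    }

    /**
     * Resolves the username/password pair from the central store.
     * Returns null when no credential with the configured id is visible
     * in the given context.
     */
    public StandardUsernamePasswordCredentials resolveCredentials(Item context) {
        return CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentials(
                StandardUsernamePasswordCredentials.class,
                context,
                ACL.SYSTEM,
                Collections.<DomainRequirement>emptyList()),
            CredentialsMatchers.withId(credentialsId));
    }
}
```

On the concern raised in the message: a credential created with the SYSTEM scope in the Credentials Plugin is available to Jenkins itself (plugin configuration) but not to jobs, so it cannot be bound into a pipeline with withCredentials; GLOBAL scope is what exposes it to jobs. Choosing the scope is therefore part of answering the "accessible from other scripts" question, independent of whether the secret is stored via Secret or via the central store.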

Gavin Mogan

May 14, 2019, 6:49:34 PM
to jenkin...@googlegroups.com
I wouldn't worry too much about other plugins. If a rogue plugin gets installed, it has access to every API and everything else, so it's hard to hide data from it.

Having all the credentials in one place (credentials plugin) goes a long way to making it easy to monitor what's in use, and to deprecate and rotate credentials as needed, instead of having to go through every config screen and every job to change things. My vote is still a centralized system and not putting credentials everywhere.

Gavin
