
Support password file

[Open] jnehlmeier opened this issue 3 years ago • 3 comments

Providing clear-text passwords as a system property or as an env variable isn't great. With SSH you can use a public/private key, but with HTTPS it would be nice to have password file support.

jnehlmeier · Apr 01 '22 12:04

A clear-text password file doesn't seem to provide much extra security; what are you looking to protect against in this case? Generally, I would just pass the property/env var in for a specific CI step that needed it. (And most CI systems can recognize secrets and mask them in output.)

ajoberstar · Aug 13 '22 23:08

It is not only for CI systems but also for workstations used by multiple users. Imagine something like a web based IDE with multiple devs working on the same server hosting the web IDE.

Passwords on the command line, as a system property or as an environment variable can easily be seen by others. Password files are a lot better because I can set file permissions first and also have the option to store that file in some encrypted storage that is only mounted when needed.

Here is some writeup which basically says the same: https://www.netmeister.org/blog/passing-passwords.html

jnehlmeier · Aug 15 '22 11:08

Fair enough, I don't dispute any of that. I'm just hesitant to add more configuration options, since I would already rather have fewer.

The two options people can use right now are:

  1. Set the system properties in a gradle.properties file (which could be controlled with file permissions or encryption, when not in use, as you note above). See Gradle's docs for how to format the key.
  2. Use SSH instead

Ideally (from a maintenance perspective), any deeper solution to this would work the same as how Gradle supports credentials on repositories: expose a credentials {} option and let the user programmatically configure this however they want. If there are places this should be exposed where they're not now (e.g. GrgitService should probably expose this) these would make good separate issues/PRs to open up the flexibility for people.

ajoberstar · Aug 16 '22 00:08
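One way to get the password-file behaviour today with the pieces ajoberstar lists, as an added example that is not code from the grgit project or from either commenter: a build.gradle that reads the credentials from a file, refuses to use the file unless it is readable by the owner only (the rule ssh applies to private keys), and hands the result to grgit programmatically instead of via the command line, the environment or system properties. Assumed rather than taken from the page: the plugin version, the `Grgit.open(dir:, credentials:)` call and the `org.ajoberstar.grgit.Credentials` class, the credential file format, and the project property name `grgitCredentialsFile`.

```groovy
// build.gradle (Groovy DSL). Added example; not grgit's own code.
// Assumptions: plugin version 5.2.2, Grgit.open(dir:, credentials:),
// org.ajoberstar.grgit.Credentials(username, password), and the
// project property grgitCredentialsFile pointing at a Java properties
// file containing two keys:
//     username=<git user>
//     password=<token or password>
// created with: chmod 600 ~/.config/grgit/credentials
import java.nio.file.Files
import java.nio.file.attribute.PosixFilePermission
import java.nio.file.attribute.PosixFilePermissions
import org.ajoberstar.grgit.Credentials
import org.ajoberstar.grgit.Grgit

plugins {
    id 'org.ajoberstar.grgit' version '5.2.2'
}

// Load username/password from a file the user owns. Any group/other bit set
// on the file is treated as a leak and the build fails before the secret is
// read. Windows filesystems do not expose POSIX bits, so we can only warn there.
Map<String, String> loadGitCredentials(File credFile) {
    if (!credFile.isFile()) {
        throw new GradleException("credential file ${credFile} not found; create it with mode 600")
    }
    // Defined inside the method: script-level locals are not visible to script methods.
    def tooOpen = EnumSet.of(
        PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
        PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE)
    try {
        def perms = Files.getPosixFilePermissions(credFile.toPath())
        if (!perms.intersect(tooOpen).isEmpty()) {
            throw new GradleException(
                "refusing ${credFile}: mode ${PosixFilePermissions.toString(perms)} is accessible to others; run chmod 600 on it")
        }
    } catch (UnsupportedOperationException ignored) {
        logger.warn("cannot verify POSIX permissions of ${credFile} on this filesystem")
    }
    def props = new Properties()
    credFile.withInputStream { props.load(it) }
    def user = props.getProperty('username')
    def pass = props.getProperty('password')
    if (!user || !pass) {
        throw new GradleException("${credFile} must define both username and password")
    }
    return [username: user, password: pass]
}

// Where the secret lives: -PgrgitCredentialsFile=/path or the default below.
// Only the path travels through Gradle properties; the secret itself never
// appears on the command line, in the environment or in system properties.
def credFile = file(findProperty('grgitCredentialsFile')
    ?: "${System.getProperty('user.home')}/.config/grgit/credentials")

tasks.register('pushTags') {
    description = 'Push tags over HTTPS using credentials read from a permission-checked file'
    doLast {
        def creds = loadGitCredentials(credFile)
        // Credentials are passed straight to grgit, so nothing is cached in
        // a system property or on the daemon for other users to read.
        def git = Grgit.open(dir: rootDir, credentials: new Credentials(creds.username, creds.password))
        try {
            git.push(tags: true)
        } finally {
            git.close()
        }
    }
}
```

Run it with `gradle pushTags` after creating the file with mode 600; a file left at the default 644 makes the build fail with the mode in the message rather than silently using a secret anyone on the box could read. If the credential file is kept on encrypted storage that is mounted only when needed, as jnehlmeier describes, the `isFile()` check is what turns "volume not mounted" into a clear error instead of an authentication failure from the remote.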