com-lihaoyi / mill

Mill is a fast JVM build tool that supports Java and Scala. 2-3x faster than Gradle and 5-10x faster than Maven for common workflows, Mill aims to make your project's build process performant, maintainable, and flexible.
https://mill-build.org/
MIT License

Consider deprecating or at least avoiding credentials as command line arguments #2015

Closed Flowdalic closed 1 year ago

Flowdalic commented 2 years ago

Mill currently has at least some Sonatype-related command line options that take credentials as arguments. For example, from the publish task:

  --sonatypeCreds   String (format: "username:password")

Users potentially even provide their gpg passphrase via the command line:

--gpgArgs --passphrase=<gpgPassword>

Command line arguments are not considered private in some (most?) operating systems' security models, so other users on the same system could easily learn those credentials. Instead, secrets should be obtained via environment variables or (protected) files.
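
Added example, not from the thread and not Mill's own code: the script below demonstrates the leak described in the comment above and the two alternatives it proposes. A throwaway `sh -c` child stands in for the Mill process; the flag names `--sonatypeCreds`, `--sonatypeCredsFile` and the variable `SONATYPE_PASSWORD` are hypothetical names chosen for the demo, and `deploy:hunter2` is a constructed credential. It assumes a Linux `/proc` (where `/proc/<pid>/cmdline` is mode 0444, readable by every local user, while `/proc/<pid>/environ` is 0400, readable only by the same uid or root) and falls back to `ps(1)` elsewhere.

```shell
#!/bin/sh
# Added illustration (not Mill code): why a credential in argv leaks to
# other local users, and how an environment variable or an owner-only
# file avoids it. --sonatypeCreds, --sonatypeCredsFile and
# SONATYPE_PASSWORD are hypothetical names used only for this demo.

# Read another process's argv the way any local user could:
# /proc/<pid>/cmdline is world-readable on Linux; ps shows the same.
read_cmdline() {
  if [ -r "/proc/$1/cmdline" ]; then
    tr '\000' ' ' < "/proc/$1/cmdline"
  else
    ps -o args= -p "$1"
  fi
}

# Wait for the child $1 to start, snapshot its argv from outside,
# kill it, and report whether the secret $2 was visible.
inspect_and_kill() {
  sleep 1
  seen=$(read_cmdline "$1")
  kill "$1" 2>/dev/null || true
  case "$seen" in
    *"$2"*) echo leaked ;;
    *)      echo hidden ;;
  esac
}

# A file is "protected" only if group and others have no bits at all
# (characters 5-10 of `ls -l` must be ------).
file_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 1. The pattern the issue objects to: the credential sits in argv.
#    ('sleep 5; :' keeps the sh process alive without exec-ing sleep,
#    so its original argv stays on display.)
secret_in_argv() {
  sh -c 'sleep 5; :' demo --sonatypeCreds "deploy:$1" &
  pid=$!
  inspect_and_kill "$pid" "$1"
}

# 2. Environment variable: argv carries nothing secret.
secret_via_env() {
  SONATYPE_PASSWORD="$1" sh -c 'sleep 5; :' demo --publish &
  pid=$!
  inspect_and_kill "$pid" "$1"
}

# 3. Credential file: argv carries only the path, and the file is
#    rejected unless it is owner-only (the "(protected) file" case).
secret_via_file() {
  f=$(mktemp "${TMPDIR:-/tmp}/creds.XXXXXX") || return 1
  chmod 600 "$f"
  printf 'deploy:%s\n' "$1" > "$f"
  if ! file_is_private "$f"; then
    rm -f "$f"; echo insecure-file; return 1
  fi
  sh -c 'sleep 5; :' demo --sonatypeCredsFile "$f" &
  pid=$!
  result=$(inspect_and_kill "$pid" "$1")
  rm -f "$f"
  echo "$result"
}

# Usage: sh leak_demo.sh run
if [ "${1-}" = run ]; then
  echo "secret in argv:   $(secret_in_argv hunter2)"
  echo "secret via env:   $(secret_via_env hunter2)"
  echo "secret via file:  $(secret_via_file hunter2)"
fi
```

The snapshot is taken from the same user account, which is the weakest form of the point: on a shared host any other account can read the same `cmdline` entry, whereas reading that process's `environ` or the 0600 file would fail with EACCES for them.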

lefou commented 2 years ago

Yeah, that makes sense. I immediately see two actionable tasks:

Flowdalic commented 2 years ago

Yes, that would be a good start. +1

Ideally the sonatype credentials are read from a file under ~/.config/. At least that is how most of my gradle-based projects are set up: IIRC gradle "sources" a file under ~/.config that potentially contains sonatypeUsername and sonatypePassword. Then the project's build script can check if those properties are set, and consume them if so. And instead of providing the gpg passphrase, the gpg-agent is used. It may be worth looking at how gradle did it.

lefou commented 2 years ago

Using gpg-agent should work out of the box. It does for me.