Open martinbonnin opened 4 years ago
Seconded. Another issue is that the api key and secret for that specific user cannot be refreshed/deleted/invalidated from the dashboard.
Making it possible for someone with malicious intent to alter a plugin even if you would have changed the account password.
Making this, in my opinion, a high priority issue. (Unless I am missing something)
Depending on out security officer’s decision we might remove our plugin from the Gradle repo until this is resolved. We are still looking into this since our AVG/GDPR certification does not specifically specify a scenario like this, but is definitely something we are considering.
As an example: NPM has a organization dashboard where you allow users to be added and removed. Allowing you to also revoke a users complete access.
They also use the users own username and password as verification during the publishing of a package and updates. An organizational unit can also define the required security rules, like two-factor auth to be used. I realize gradle works a bit different of course
I've asked a similar question on the forums before knowing this repo/issue existed: https://discuss.gradle.org/t/plugins-clarification-how-do-we-handle-lost-stolen-publish-key-and-secret/34532
Can we have "organization" accounts, similar to github organizations that could maintain a list of developers with:
This would allow to manage several contributors in a more flexible way than sharing an email + password.