7
votes

I'm running the maven release plugin (org.apache.maven.plugins:maven-release-plugin:2.3.2) and noticed that the password to the scm is saved in clear text in the release.properties file when passed in via the command line. I want to know if there is a way to turn this off.

I'm using Hudson to automate the release process, and the svn username and password are passed in to the command line via Hudson. The reason for this is that the person doing the release preparation can change and I have multiple hudson jobs sharing a settings.xml to release different projects.

I'm passing in parameters such as: -Dtag=${svn.label} -DreleaseVersion=${maven.releaseVersion} -DdevelopmentVersion=${maven.developmentVersion} -Dusername=${svn.username} -Dpassword=${svn.password} -DscmCommentPrefix='[maven-release-plugin] ${env.BUILD_URL} '

The release.properties file gets created during the release:prepare, but I don't think it should be necessary as I'm passing in all the information along the command line. When this release.properties file is created it includes the password in plain text. This is problematic because it's possible to use hudson to browse the workspace, so anyone with access to hudson can see the password by opening the file via the browser.

Is there a way to not create the release.properties file, or to not save the password in the file? I realize that an encrypted password could be saved in a settings.xml file but this file is shared among multiple jobs and is not editable by the people running the jobs.
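As an added example (not code from the question, from Hudson, or from the release plugin), a small check a build administrator could run over Hudson workspaces to flag any release.properties that still carries a plaintext SCM password. It assumes the plugin writes the credential under the key scm.password (and scm.passphrase for key-based access); the sample file content is constructed.

```python
import re
from pathlib import Path

# Assumption: maven-release-plugin stores the SCM credentials under these keys.
SENSITIVE_KEYS = {"scm.password", "scm.passphrase"}
# Key: escaped chars or anything but separators; then optional '=' / ':'; then value.
KEY_RE = re.compile(r"(?P<key>(?:\\.|[^=:\s\\])+)\s*[=:]?\s*(?P<value>.*)")

# Constructed sample of what release:prepare leaves behind (values made up).
SAMPLE = """#release configuration
#Tue Jan 01 00:00:00 UTC 2013
scm.url=scm\\:svn\\:https\\://svn.example.org/repo/trunk
scm.username=builduser
scm.password=s3cret
project.rel.org.example\\:app=1.2.0
"""


def _continues(line):
    # java.util.Properties: an odd number of trailing backslashes joins the next line.
    stripped = line.rstrip("\\")
    return (len(line) - len(stripped)) % 2 == 1


def parse_properties(text):
    # Minimal Properties reader: comments, '=' / ':' / whitespace separators, continuations.
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if _continues(line):
            pending += line[:-1]
            continue
        logical = pending + line
        pending = ""
        if not logical or logical[0] in "#!":
            continue
        m = KEY_RE.match(logical)
        if m:
            props[m.group("key")] = m.group("value")
    return props


def exposed_secrets(props):
    # Sensitive keys whose value is present and non-empty, sorted for stable output.
    return sorted(k for k in SENSITIVE_KEYS if props.get(k))


def scan_workspace(root):
    # Map each release.properties under root to the secret keys it exposes.
    findings = {}
    for path in Path(root).rglob("release.properties"):
        keys = exposed_secrets(parse_properties(path.read_text(encoding="latin-1")))
        if keys:
            findings[str(path)] = keys
    return findings
```

Any path reported by scan_workspace is readable by everyone who can browse that job's workspace, so it should be cleaned up (release:clean) or the job changed to keep the credential out of the file.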

2
Are you using the Maven options for password encryption? ( -emp,--encrypt-master-password <arg> Encrypt master security password -ep,--encrypt-password <arg> Encrypt server password) - bmargulies

2 Answers

0
votes

We avoided such problems by letting the svn-client cache the password for us.

For this purpose we have a special account with adequate rights in subversion.

On our build server the password is stored in plain text by the svn-client in the account of the user who runs Hudson. For us it's no problem because only the Hudson administrators have access to this account.

But you can also configure the svn-client to store the password encrypted. The configuration depends on your operating system.

The svn-client configuration is stored in .subversion (Linux) or "ApplicationData/Subversion" (Windows).

See here, here or here.

0
votes

Just a couple of days ago somebody asked for this improvement: https://jira.codehaus.org/browse/MRELEASE-846