Implement a suppressServer setting for high-security builds #3922

Merged
merged 3 commits into from Feb 8, 2018

@swaldman
Contributor

commented Feb 6, 2018

Improvements

This pull request implements a Boolean setting called suppressServer, whose default value is `false`.

If a build or plugin explicitly sets it to true, the sbt-1.x server will not start up
(exactly as if sbt.server.autostart were set to start).

Users may manually override this setting by running the startServer command at the interactive prompt.

Motivation

Projects often encounter private information, such as deployment credentials, private keys, etc.
For such projects, it may be preferable to reduce the potential attack surface than to enjoy the
interoperability offered by sbt's server. Projects that wish to make this tradeoff can set suppressServer
to true in their build. Security-sensitive plugins can define this setting as well, modifying the
default behavior in favor of security.

(My own motivation is that I am working on a plugin for developing Ethereum applications
with Scala and sbt. It must work with extremely sensitive private keys.)


See also a recent conversation on Stack Exchange.

swaldman added some commits Feb 6, 2018

@lightbend-cla-validator

commented Feb 6, 2018

Hi @swaldman,

Thank you for your contribution! We really value the time you've taken to put this together.

Before we proceed with reviewing this pull request, please sign the Lightbend Contributors License Agreement:

http://www.lightbend.com/contribute/cla

@eed3si9n eed3si9n added the ready label Feb 6, 2018

@eed3si9n
Member

left a comment

Thanks for the contribution!
Posted my comment.

@@ -39,6 +39,12 @@ object BasicKeys {
"The wire protocol for the server command.",
10000)

val suppressServer =
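
Review bot: the description string for `suppressServer`, which starts at the last added line of this hunk, should say that the setting only stops the server from starting automatically and that running the startServer command at the prompt still starts it. A build that sets this key to protect credentials or private keys should not read it as a guarantee that the server can never run, so put that limit in the key's help text, next to "The wire protocol for the server command." style descriptions used by the neighbouring keys.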

eed3si9n Feb 6, 2018

Member

To avoid double negatives, I would say we should keep the same name autoStartServer.

swaldman Feb 6, 2018

Author Contributor

Sounds good! I've reworked it from false-defaulting suppressServer to true-defaulting autoStartServer.

@dwijnand
Member

left a comment

LGTM

@eed3si9n
Member

left a comment

Thanks!

@eed3si9n eed3si9n merged commit bd1532e into sbt:1.1.x Feb 8, 2018

3 checks passed

Codacy/PR Quality Review: Good work! A positive pull request.
continuous-integration/appveyor/pr: AppVeyor build succeeded
continuous-integration/travis-ci/pr: The Travis CI build passed

@eed3si9n eed3si9n removed the ready label Feb 8, 2018

@swaldman

Contributor Author

commented Feb 9, 2018

@eed3si9n Thanks, really a lot, for merging and releasing this so quickly. I was going to put in warning banners and stuff, which was going to be ugly and a pain. Now I just require sbt 1.1.1 and set autoStartServer to false by default. So much nicer.

@eed3si9n

Member

commented Feb 9, 2018

This PR just happened to land on the tail end of 1.1.1. Normally it's a bit more of waiting :)

@fommil

commented Feb 9, 2018

I'd just like to say, thank you @swaldman. This was driving me crazy.

@swaldman

Contributor Author

commented Feb 11, 2018

@fommil Thanks! I'm delighted it wasn't just me who will find this useful.

@hrj

commented Mar 9, 2018

This is a little over my head, so please bear with me.

How do I set autoStartServer to false globally? If I create a file at ~/.sbt/1.0/global.sbt will it affect 1.0.x sbt versions too and fail? Do I need to add the setting in an if sbt version >= 1.1 condition? Or can I add a file at ~/.sbt/1.1/global.sbt?

Thanks!

@eed3si9n

Member

commented Mar 9, 2018

@hrj You can write:

```scala
SettingKey[Boolean]("autoStartServer", "") := false
```