Export Settings should *not* save passwords: it is non-obvious that this is happening and can lead to serious security breaches as users share preferences
with each other. e.g. Subversion connection details.
If passwords are to be stored, the export dialog should have a button, separate to the current list, to emphasise the special nature of this content.
Until API for securely persisting of passwords is implemented (issue 173413) I added a warning about potential security
Integrated into 'main-golden', will be available in build *200910070250* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
User: Jiri Skrivanek <firstname.lastname@example.org>
Log: #171900 - Inform users about security risks while exporting settings.
The Keyring API will continue to store encrypted passwords in the userdir on Windows (which has no standard keyring - only a login encryption feature), or if none of the supported platform-specific impls can be loaded (e.g. you use KDE). So you should exclude "config/Preferences/org/netbeans/modules/keyring.*" to be on the safe side; otherwise someone getting access to these files might be able to run a password cracker to find the master password. Would this just be an exclude param in core.ui's layer?
Who on earth closed this??!
The bug report is "Export Settings should *not* save passwords" - not "Export Settings should warn before saving passwords"
This is FIXED in main-golden, but not 6.8, right?
6.8 contains the warning. The actual improved handling of passwords will be in 6.9.
If we exclude keyring.*, users might complain they don't have imported passwords while moving to newer IDE release. But it is probably safer than let users to check/uncheck whether they want to include/exclude passwords in zipped settings.
It seems reasonable to offer config/Preferences/org/netbeans/modules/keyring.* as a separate item "Passwords", but only if we can be sure it is never checked by default. Better to force users to reenter passwords once per a new release than risk having even encrypted passwords be included in a published ZIP.
Fanis, put this one in your plan for 7.2. Thanks.
config/Preferences/org/netbeans/modules/keyring.* is included in keyring module and it is offered as "Passwords" under "Keyring & Passwords" category. The "Passwords" item is only selected if the user specifically clicks it's checkbox. The warning is still presented to the user only when this happens.
Remember that there will normally be nothing in this category; files under this path are only saved when using the "master password" provider, normally due to some error loading the native keyring provider. In such a case the passwords are encrypted and so vulnerable only insofar as the master password is weak (or there is some undiscovered flaw in the encryption regime), unless of course the suggestion in bug #193978 were implemented.
From an API perspective, the fix is poor since it hardcodes OptionsExportModel.PASSWORDS_PATTERN, and relies on the undocumented and fragile assumption that org.netbeans.modules.options.export.Bundle#OptionsChooserPanel.export.passwords.displayName=Passwords and org.netbeans.modules.keyring.Bundle#Passwords.Options.Export.displayName=Passwords will be translated to the same string! Better would be to introduce a new booleanvalue file attribute for an OptionsExport category or item, say 'enabled' (default true), to be documented in options.api (preferably Javadoc but at least arch.xml) and used by keyring; and/or a stringvalue attribute with the text of a warning to be displayed before enabling the category.
BTW the definition of the export belongs in keyring.impl, not keyring; keyring is pure API/SPI whereas the code that uses this NbPreferences path (FallbackProvider) is in keyring.impl.