
Some of my builds and plugins make use of private deployment credentials (sometimes read from the file system, sometimes entered and retained in memory via the InteractionService).

Though perhaps it is overparanoid, I try to be careful to minimize the attack surface of software that uses private information, and it feels like bad hygiene to run a server, even on localhost or a UNIX socket, unnecessarily in these builds.

I've looked for a setting I could set in a plugin that would disable server startup unless overridden by the build. So far I have not found anything like this. Is there such a setting?

Many thanks!


Update: With the help of Eugene Yokota, as of sbt 1.1.1 there is now a boolean autoStartServer setting. Builds and plugins can prevent the server from starting up automatically by setting autoStartServer := false. (Users can still manually start-up the server by running startServer if they wish.)

Steve Waldman

1 Answer

As of sbt 1.1.0 at least, the server won't start unless you start the sbt shell, which means that if you're running sbt in batch mode (for example sbt test) in a CI environment, it won't have a server.

To stop the server automatically even in the shell, I've added a JVM flag sbt.server.autostart. So running sbt as sbt -Dsbt.server.autostart=false would do it. You can globally set that by putting it into your SBT_OPTS.

To manually opt in to the server, you can then run:

> startServer

Update: Now that autoStartServer is a setting, you can write the following in ~/.sbt/1.0/global.sbt:

// This is so it works on sbt 1.x prior to 1.1.1
SettingKey[Boolean]("autoStartServer", "") := false

Eugene Yokota
  • Thanks! I can do that for now. But I'm working on a security-sensitive plugin, intended for interactive use, that I mean to distribute. It'd really be helpful if there were a setting by which a plugin could prevent autostart of the server (overridable of course by the ultimate build). Those in the know can use the system property, and I can document and recommend it, but most users will likely never bother. I'd really like to be as secure as possible by default. Of course, rather than bug you, I could look into trying to contribute such a thing. Thank you for all your work! – Steve Waldman Feb 03 '18 at 06:29
  • For what it's worth, I've offered a pull request to perhaps implement this feature for sbt-1.1.1. – Steve Waldman Feb 06 '18 at 07:42
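What the question's update describes (a plugin turning autostart off by default, with the build able to opt back in), written out as an added example that is not code from the question, the answer, or sbt itself; the plugin object name is assumed, and it must be compiled against sbt 1.1.1 or later, where sbt.Keys.autoStartServer exists (for older 1.x the answer's string-defined SettingKey trick is the fallback).

```scala
// Added example: an sbt AutoPlugin that disables server autostart by default.
// Object name NoServerPlugin is an assumption; autoStartServer is sbt's own key (sbt >= 1.1.1).
import sbt._
import sbt.Keys._

object NoServerPlugin extends AutoPlugin {
  // Activate in every build that has this plugin on its classpath, without
  // requiring enablePlugins(...) in build.sbt.
  override def trigger = allRequirements

  // Plugin globalSettings are loaded before the build's own settings, so the
  // secure default below still loses to an explicit choice made by the build.
  override def globalSettings: Seq[Setting[_]] = Seq(
    autoStartServer := false
  )
}

// In the build that uses the plugin (build.sbt), the owner can opt back in:
//   Global / autoStartServer := true
// and anyone can still start the server by hand with the startServer command.
```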