passlib (required for Ansible) is unmaintained #81949
Comments
Files identified in the description: None If these files are incorrect, please update the
@ansibot component =lib/ansible/utils/encrypt.py
Files identified in the description: If these files are incorrect, please update the
We are aware that passlib isn't exactly actively maintained. However, we are also removing support for the python If you have further questions please stop by IRC or the mailing list:
@sivel thanks for the feedback!
I am surprised that the issue gets closed as a result - the problem I'm describing is going to affect all Ansible users, instead of just the Mac OS ones. It makes
I do understand your position (as an OSS maintainer myself :-)), but I believe we should collectively try to ensure the dependencies of the project are not causing harm. A couple of possibilities are:
I hope you will reconsider opening this issue for visibility! I will try to help on the
Forgot to add: I will voice my concerns over there, thanks!
Relevant discussion: https://groups.google.com/g/ansible-project/c/5J9gw9kunBY
Just passing by to give my voice on this one too! I started reading "Ansible: up and running" yesterday and this excerpt made me think of this issue so much that I had to comment.
Coming from the JavaScript ecosystem, I have seen countless times supply chain attacks leading to disasters. I hope we can avoid a future headache with Ansible by mitigating this potential attack somehow.
@adriantombu we understand the issue and do not take it lightly, but we do not have the resources to take ownership of yet another dependency, nor do we have good alternatives to use as substitutes. As for hijacking the library, aside from PyPI already having taken steps to secure this type of project, most users use distribution packages, which add another layer of vetting and security; this is one reason why distributions exist, and most contexts that require security rely on those packages and not the 'language' package managers. Yes, this is also a reason why developers and system admins/operators have clashed since the dawn of computing ... Another thing to consider is that this is also limited to the

We closed this ticket because there is no foreseeable code solution. It does not mean we are not looking for one, it is just that none of the work towards that is something we would log here, as it is going to be mostly 'we tried/looked into X, nothing happened' x100 times.
@bcoca thanks for the detailed input, appreciated!
Summary
Filing this as a bug report but I do not know if this is the most appropriate way to publish that concern.
passlib is used in place of crypt.crypt when using Ansible on Mac (EDIT: and soon for all users, not only Mac ones, see comment below): https://github.com/ansible/ansible/blob/46623b0a965b2f87c426b7998e8a167f8b012668/lib/ansible/utils/encrypt.py#L94C44-L94C44
But passlib has not seen any releases nor commits in 3 years, as I've reported here: https://foss.heptapod.net/python-libs/passlib/-/issues/187#note_331857
I am concerned that Ansible users on Mac (including me) would end up with some troubles:
So I'm opening this issue to discuss that concern.
Let me know if there is a better place if needed, happy to move it where relevant.
Thanks!
Issue Type
Bug Report
Component Name
lib/ansible/utils/encrypt.py
Ansible Version
Configuration
OS / Environment
Mac OS X Ventura (13).
Steps to Reproduce
passlib must be installed
Expected Results
I would expect encryption in Ansible on Mac to use a well-maintained library.
(maybe a community fork is needed given the widespread use)
Actual Results
N/A
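Added example (not code from the issue or from Ansible): a small audit script a practitioner can run on a control node to see which password-hashing backend is importable and to fingerprint the installed passlib files. The selection rule it mirrors (passlib when importable, otherwise crypt) is an assumption about encrypt.py's behaviour, and the per-file SHA-256 digests are meant for comparison against a distribution package manifest, as the discussion above suggests.

```python
"""Audit which hashing backend Ansible's password_hash would pick, and
fingerprint the installed passlib so it can be checked against a trusted
(e.g. distribution-packaged) copy. Works without passlib installed."""
import hashlib
import importlib
import importlib.metadata
import sys
from pathlib import Path


def probe_module(name):
    """Return (available, module_or_None) for an importable module name."""
    try:
        return True, importlib.import_module(name)
    except ImportError:  # covers 'crypt' removed in newer Pythons, missing passlib
        return False, None


def distribution_files(dist_name):
    """Map each installed .py file of a distribution to its SHA-256 digest.
    Diffing this against a trusted manifest reveals a modified install."""
    try:
        dist = importlib.metadata.distribution(dist_name)
    except importlib.metadata.PackageNotFoundError:
        return {}
    digests = {}
    for rel in dist.files or []:  # 'files' is None when no RECORD exists
        path = Path(dist.locate_file(rel))
        if path.is_file() and path.suffix == ".py":
            digests[str(rel)] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def backend_report():
    """Summarise the environment the way an operator would want to log it."""
    crypt_ok, _ = probe_module("crypt")
    passlib_ok, passlib = probe_module("passlib")
    report = {
        "python": sys.version.split()[0],
        "crypt_available": crypt_ok,
        "passlib_available": passlib_ok,
        "passlib_version": getattr(passlib, "__version__", None),
        "passlib_py_files": distribution_files("passlib"),
    }
    # Assumption: passlib is preferred when importable, crypt is the fallback.
    report["backend"] = "passlib" if passlib_ok else ("crypt" if crypt_ok else None)
    return report


if __name__ == "__main__":
    for key, value in backend_report().items():
        print(f"{key}: {value if key != 'passlib_py_files' else len(value)} ")
```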
Code of Conduct