Hello,

While doing Ansible maintenance work, I discovered that the passlib library 
used by Ansible (currently only for Mac users) has not seen any release in 
3 years.

I am a bit concerned about how interesting it would be as an attack target 
(especially since it encrypts passwords), e.g. Pypi account take-over.

I have opened various issues:
- https://foss.heptapod.net/python-libs/passlib/-/issues/187 to try to get 
an update on the passlib maintenance status
- https://github.com/ansible/ansible/issues/81949 to raise awareness about 
that

While doing so, I have learned that passlib is actually likely to be used 
for all Ansible users soon, not just Mac ones, which makes an account 
take-over an even more interesting goal.

The issue has been closed, but I feel this should be taken care of (I have 
suggested ideas), so I'm voicing my concerns here.

An account take-over of passlib (I don't know if it has 2FA enabled, for 
instance) would have potentially massive impact on Ansible users.

If anyone has interesting ideas, let me know!

Thibaut
--
https://thibautbarrere.com/
https://twitter.com/thibaut_barrere
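The concern in the message above is a dependency that is both sensitive (it hashes passwords) and unmaintained (no release in years), which makes a publisher-account takeover on PyPI a high-impact event. Two things a defender can do about that are to detect stale dependencies automatically and to pin the exact artifacts they install by hash, so that a surprise new upload is not picked up silently. The script below is an added example for this thread, not Ansible's or passlib's own code. It works on data shaped like the PyPI JSON API response (`https://pypi.org/pypi/<name>/json`, with a `releases` mapping of version to file entries carrying `upload_time_iso_8601` and `digests`); the sample records, package names, versions, dates and digests are constructed for the demonstration.

```python
"""Flag stale PyPI dependencies and emit hash-pinned requirement lines.

Added example, not code from Ansible or passlib. Input is shaped like the
PyPI JSON API (https://pypi.org/pypi/<name>/json). All sample data below is
CONSTRUCTED; fetch the real JSON document yourself for a live check.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like PyPI's JSON API. Names, dates and digests
# are illustrative only.
SAMPLE_PYPI = {
    "old-hash-lib": {
        "releases": {
            "1.7.3": [{"upload_time_iso_8601": "2020-10-08T19:15:32.000000Z",
                       "digests": {"sha256": "aa" * 32}}],
            "1.7.4": [{"upload_time_iso_8601": "2020-10-08T19:20:00.000000Z",
                       "digests": {"sha256": "bb" * 32}},
                      {"upload_time_iso_8601": "2020-10-08T19:21:00.000000Z",
                       "digests": {"sha256": "cc" * 32}}],
        }
    },
    "fresh-lib": {
        "releases": {
            "2.0.0": [{"upload_time_iso_8601": "2023-09-01T10:00:00.000000Z",
                       "digests": {"sha256": "dd" * 32}}],
        }
    },
    # A project with a version entry but no uploaded files at all.
    "never-uploaded": {"releases": {"0.1": []}},
}


def parse_pypi_time(stamp: str) -> datetime:
    """PyPI timestamps end in 'Z'; fromisoformat needs '+00:00' on older Pythons."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def latest_upload(pkg_json: dict) -> Optional[datetime]:
    """Newest file upload time across every release, or None if nothing was uploaded."""
    times = [parse_pypi_time(f["upload_time_iso_8601"])
             for files in pkg_json.get("releases", {}).values()
             for f in files]
    return max(times) if times else None


def stale_packages(pypi_by_name: Dict[str, dict], now: datetime,
                   max_age_days: int = 365) -> List[Tuple[str, Optional[int]]]:
    """Return (name, age_in_days) for packages whose newest upload is older than
    max_age_days. Packages with no uploads at all are reported with age None,
    because 'no release' is a maintenance signal too, not a clean bill of health."""
    findings = []
    for name, pkg_json in sorted(pypi_by_name.items()):
        newest = latest_upload(pkg_json)
        if newest is None:
            findings.append((name, None))
            continue
        age_days = (now - newest).days
        if age_days > max_age_days:
            findings.append((name, age_days))
    return findings


def pinned_requirement(name: str, version: str, pkg_json: dict) -> str:
    """Build a requirements.txt line for pip's --require-hashes mode.

    Every file published for the version is listed, so pip accepts any of the
    known artifacts (sdist or wheel) and rejects anything uploaded later
    under the same version or a different one."""
    files = pkg_json["releases"].get(version)
    if not files:
        raise ValueError(f"{name}=={version} has no published files to pin")
    hashes = " ".join(f"--hash=sha256:{f['digests']['sha256']}" for f in files)
    return f"{name}=={version} {hashes}"


if __name__ == "__main__":
    check_time = datetime(2023, 10, 15, 12, 0, tzinfo=timezone.utc)
    for name, age in stale_packages(SAMPLE_PYPI, check_time, max_age_days=365):
        print(f"STALE {name}: " + ("no uploads" if age is None else f"{age} days"))
    print(pinned_requirement("old-hash-lib", "1.7.4", SAMPLE_PYPI["old-hash-lib"]))
```

In practice you would replace `SAMPLE_PYPI` with the live JSON for each entry of your lock file and run the staleness check in CI; the pinned line goes into a requirements file installed with `pip install --require-hashes -r requirements.txt`, so an attacker who gains publisher access can only ship an artifact that your build refuses.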
