Hello,

While doing Ansible maintenance work, I discovered that the passlib library 
used by Ansible (currently only for Mac users) has not seen any release in 
3 years.

I am a bit concerned about how interesting it would be as an attack target 
(especially since it encrypts passwords), e.g. PyPI account take-over.

I have opened various issues:
- https://foss.heptapod.net/python-libs/passlib/-/issues/187 to try to get 
an update on the passlib maintenance status
- https://github.com/ansible/ansible/issues/81949 to raise awareness about 
that

While doing so, I have learned that passlib is actually likely to be used 
for all Ansible users soon, not just Mac ones, which makes an account 
take-over an even more interesting goal.

The issue has been closed, but I feel this should be taken care of (I have 
suggested ideas), so I'm voicing my concerns here.

An account take-over of passlib (I don't know if it has 2FA enabled, for 
instance) would have potentially massive impact on Ansible users.

If anyone has interesting ideas, let me know!

Thibaut
--
https://thibautbarrere.com/
https://twitter.com/thibaut_barrere
