I suggested that I could add an option that will make the password be added to the sshpass command line directly, without passing it through pipes, because that doesn’t work well with Python 2 (which is unfortunately still used in some situations). Several users reacted positively to this idea.
Will such a change be acceptable? If yes, how should I proceed - make two separate PRs, one for the devel branch and one for backporting the changes to stable-2.9?
I do understand that there are security implications, but I thought that we could add an option to the module (with all the appropriate security warnings) so that users can make the choice themselves. Otherwise there is simply no way for Ubuntu LTS (and other Python 2) users to use the synchronize module (and there seem to be a lot of those users, judging by activity in the linked issue).
It would be very nice if the issue with the existing implementation was resolved, but it seems that it is not so simple (for example see here: https://stackoverflow.com/questions/48834875/pass-fds-alternative-in-python-2-7). The changes will not be localized to the “synchronize” module, but would need to touch module.run_command extensively, and I currently do not have the time to develop and test such a fix.
Also, regarding the security of those passwords that will be visible in the process list if we pass them on the command line - I think that battle is already lost, /etc/ansible/hosts is world-readable anyway (on several different systems that I checked at least).
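
The trade-off discussed in this post, as an added example that is not part of the original post and is not Ansible's code: a child process is handed a password once on its command line and once over an inherited pipe, and the parent then reads the child's argument list the way any local process listing would. The child is a Python stand-in for sshpass (an assumption so the example runs without sshpass installed); the two modes correspond to sshpass's `-p` and `-d` options, and `SAMPLE_PASSWORD`, `visible_cmdline` and `launch` are illustrative names.

```python
import os
import subprocess
import sys

SAMPLE_PASSWORD = "constructed-pw-123"  # constructed sample value

# Stand-in for sshpass (assumption: any child that takes a secret either way).
# "argv" mode mirrors `sshpass -p <password>`, "fd" mode mirrors `sshpass -d <fd>`.
CHILD = (
    "import os, sys\n"
    "mode, arg = sys.argv[1], sys.argv[2]\n"
    "secret = arg if mode == 'argv' else os.read(int(arg), 4096).decode().strip()\n"
    "sys.stdin.read()  # stay alive until the parent has looked at us\n"
    "sys.stdout.write(str(len(secret)))\n"
)


def visible_cmdline(pid):
    """Return the argument list of `pid` as other local users can read it."""
    try:
        with open("/proc/%d/cmdline" % pid, "rb") as f:
            return f.read().replace(b"\0", b" ").decode()
    except OSError:  # no /proc: fall back to ps
        return subprocess.check_output(["ps", "-o", "args=", "-p", str(pid)]).decode()


def launch(secret, via_fd):
    """Start the child, return (cmdline seen from outside, secret length it got)."""
    if via_fd:
        r, w = os.pipe()
        # pass_fds is Python 3 only (3.2+); Python 2.7's subprocess has no such parameter.
        proc = subprocess.Popen([sys.executable, "-c", CHILD, "fd", str(r)],
                                stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                                pass_fds=(r,))
        os.close(r)
        os.write(w, secret.encode() + b"\n")
        os.close(w)
    else:
        proc = subprocess.Popen([sys.executable, "-c", CHILD, "argv", secret],
                                stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    cmdline = visible_cmdline(proc.pid)
    out, _ = proc.communicate()  # closes stdin, letting the child finish
    return cmdline, int(out.decode())


if __name__ == "__main__":
    for via_fd in (False, True):
        cmdline, got = launch(SAMPLE_PASSWORD, via_fd)
        print("via fd" if via_fd else "via argv",
              "| password in process list:", SAMPLE_PASSWORD in cmdline,
              "| child received", got, "chars")
```

In both modes the child receives the full password; only the command-line mode leaves it readable in the process list for as long as the child runs.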