Hi everyone,
We received a bug report (https://github.com/ansible/ansible/issues/6908) which indicates that if a private apt repository reference is created with the apt_repository module, and if the URL of that repository contains password credentials, the password credentials are written into the filename.
This is an obvious oversight: the original module was not written with password-protected repositories in mind. Additionally, nothing ensured that the contents of the repository reference were not world readable. That is ordinarily not a problem, but the URL of the repository is written in the file, which also exposes the password.
To fix this, the module is now smart enough to NOT write the extra details of the URL into the generated filename, and there is a mode= parameter you can pass to the apt_repository module.
We have discussed whether this warrants an update, and because we feel the usage of this module in this case is very very unlikely, and also we are nearing a 1.6 release at the end of the month, we are not cutting a release to include this module change at this time.
If you are using the apt_repository module with URLs that contain passwords, and you are concerned that other users who do not know the repository password have access to these systems, you can install the updated copy of apt_repository in your library directory or, should you not wish to do that, use the development branch.
Existing users will also want to remove any existing apt_repository definitions that contain that information in the filename.
Clearly this module wasn’t intended to be used in this way as written, but it’s good to have fixes in for those that DO want to use password protected apt repositories, and this now makes that possible.
Thanks!
–Michael
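
An added example, not part of the original message or Ansible's own code: a Python audit for the cleanup step described above. It lists repository files whose URL embeds a password and flags whether that password text also appears in the file name and whether the file is world readable. The host, user, password and file names in `demo()` are constructed; on a real host, pass `/etc/apt/sources.list.d` to `audit_sources_dir()`.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlsplit

# "deb" / "deb-src", optional [options], then the repository URL.
SOURCE_LINE = re.compile(r"^\s*deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?(\S+)")


def audit_sources_dir(path):
    """Return one finding per .list file whose URL embeds a password."""
    findings = []
    for name in sorted(os.listdir(path)):
        if not name.endswith(".list"):
            continue
        full = os.path.join(path, name)
        with open(full, encoding="utf-8", errors="replace") as fh:
            urls = [m.group(1) for m in map(SOURCE_LINE.match, fh) if m]
        passwords = [p for p in (urlsplit(u).password for u in urls) if p]
        if passwords:
            findings.append({
                "file": name,
                # Heuristic: literal password text appearing in the file name.
                "password_in_filename": any(p in name for p in passwords),
                "world_readable": bool(os.stat(full).st_mode & stat.S_IROTH),
            })
    return findings


def demo():
    """Audit two constructed files: a leaky one and a cleaned-up one."""
    line = "deb https://deploy:s3cretpw@apt.example.internal/debian stable main\n"
    with tempfile.TemporaryDirectory() as d:
        # Constructed samples; host, user, password and file names are made up.
        for name, mode in (("deploy_s3cretpw_apt_example_internal.list", 0o644),
                           ("apt_example_internal.list", 0o600)):
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write(line)
            os.chmod(p, mode)
        return audit_sources_dir(d)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A file reported with `password_in_filename` set is one to remove and recreate with the updated module; one reported only as `world_readable` needs a tighter mode.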