Not only have the namespaces changed, but some namespaces/roles/… now seem to have been transferred to other users. For example, the elan.opencast_user is the old name. But it now seems to belong to someone else:
This is also a severe security risk, since people can easily take over and execute a supply chain attack using this, with users unknowingly/unexpectedly installing different code.
The problem persists. Installing roles may still install foreign code.
For example, installing elan.opencast_user tries to get the code from the GitHub user elan.
That means that user could easily have malicious code deployed for everyone using that role.
❯ ansible-galaxy install elan.opencast_user
Starting galaxy role install process
- downloading role 'opencast_user', owned by elan
- downloading role from https://github.com/elan/opencast_user/archive/master.tar.gz
[ERROR]: failed to download the file: HTTP Error 404: Not Found
Thank you for the additional info and checking. I understand now this is different than the other issue we were seeing. Also agreed this is serious and something we want to fix ASAP. I’ll update once we have.
Just a heads up that we will probably move these messages to a separate thread to keep track of the separate issues.
The installs were fixed a few days ago by patches we rolled out to production and some scripted cleanup on duplicate roles …
[jtanner@p1 tmp]$ rm -rf ~/.ansible /tmp/roles ; ansible-galaxy install -p roles elan.opencast_user
Starting galaxy role install process
- downloading role 'opencast_user', owned by elan
- downloading role from https://github.com/elan-ev/opencast_user/archive/main.tar.gz
- extracting elan.opencast_user to /tmp/roles/elan.opencast_user
- elan.opencast_user (main) was installed successfully
The “elan” namespaces are not in fact pointing at elan (Elan Feingold) · GitHub nor are they owned by that github user. The problem is a bug in the galaxy backend that assembles the avatar url in a very naive way…
Having roles on galaxy with a namespace that match some other github user’s name is always going to be confusing to end users. What would be helpful is if all the elan.* roles were renamed to elan-ev to better match the real github source. Is that something you’ve considered?
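One way to catch this kind of namespace/GitHub-owner mismatch before code from an unexpected repository lands on disk is to compare the archive URL that `ansible-galaxy install` resolves against an allowlist of owners you have verified per Galaxy namespace. The script below is an added example, not part of this thread or of Ansible Galaxy itself; it parses the progress lines quoted above, and the `elan -> elan-ev` mapping is an assumption taken from the fixed output in the thread.

```python
"""Flag Galaxy roles whose resolved GitHub owner is not on an allowlist.

Added example (not Ansible Galaxy code). Parses the human-readable lines
that `ansible-galaxy install` prints, as quoted in the thread above.
"""
import re

# Galaxy namespace -> GitHub owners the role may legitimately come from.
# Assumed mapping for illustration; maintain it from sources you verified.
EXPECTED_OWNERS = {"elan": {"elan-ev"}}

ROLE_RE = re.compile(r"^- downloading role '(?P<role>[^']+)', owned by (?P<ns>\S+)")
URL_RE = re.compile(
    r"^- downloading role from https://github\.com/"
    r"(?P<owner>[^/]+)/(?P<repo>[^/]+)/archive/(?P<ref>[^/]+)\.tar\.gz"
)

# Constructed samples copied from the two installs quoted in the thread.
OUTPUT_BEFORE_FIX = """Starting galaxy role install process
- downloading role 'opencast_user', owned by elan
- downloading role from https://github.com/elan/opencast_user/archive/master.tar.gz
[ERROR]: failed to download the file: HTTP Error 404: Not Found
"""
OUTPUT_AFTER_FIX = """Starting galaxy role install process
- downloading role 'opencast_user', owned by elan
- downloading role from https://github.com/elan-ev/opencast_user/archive/main.tar.gz
- extracting elan.opencast_user to /tmp/roles/elan.opencast_user
- elan.opencast_user (main) was installed successfully
"""

def parse_install_output(text):
    """Return one dict per role the CLI tried to download, with its GitHub source."""
    roles, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ROLE_RE.match(line)
        if m:
            current = {"namespace": m["ns"], "role": m["role"],
                       "owner": None, "repo": None, "ref": None}
            roles.append(current)
            continue
        m = URL_RE.match(line)
        if m and current is not None:
            current.update(owner=m["owner"], repo=m["repo"], ref=m["ref"])
    return roles

def find_mismatches(text, expected=EXPECTED_OWNERS):
    """Roles whose GitHub owner is missing from the allowlist for their namespace."""
    return [r for r in parse_install_output(text)
            if r["owner"] not in expected.get(r["namespace"], set())]
```

Run it against the output of `ansible-galaxy install` (or a `-vvv` dry run into a temporary `-p` directory) and refuse to promote the role into your real roles path when the list is non-empty.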