User ownership for namespace is getting changed to a different user

Not only have the namespaces changed, but some namespaces/roles/… now seem to have been transferred to other users. For example, the elan.opencast_user is the old name. But it now seems to belong to someone else:

This is also a severe security risk, since people can easily take over and execute a supply chain attack using this, with users unknowingly/unexpectedly installing different code.

@lkiesow sorry you experienced this. Can you check again? We believe we resolved all cases of this yesterday.

The problem persists. Installing roles may still install foreign code.
For example, installing elan.opencast_user tries to get the code from the GitHub user elan.
That means that user could easily have malicious code deployed for everyone using that role.

❯ ansible-galaxy install elan.opencast_user
Starting galaxy role install process
- downloading role 'opencast_user', owned by elan
- downloading role from https://github.com/elan/opencast_user/archive/master.tar.gz
 [ERROR]: failed to download the file: HTTP Error 404: Not Found

That’s a huge security risk.

You will also find this in the Ansible Galaxy NG user interface:

The elan in this screenshot is another GitHub user which has (maybe unknowingly) taken over the namespace.

Thank you for the additional info and checking. I understand now this is different than the other issue we were seeing. Also agreed this is serious and something we want to fix ASAP. I’ll update once we have.

Just a heads up that we will probably move these messages to a separate thread to keep track of the separate issues.

@jlmitch5, any update to this? The issue still seems to exist. The elan roles are still linked to the GitHub user elan:


https://galaxy.ansible.com/ui/standalone/namespaces/8850/

It’s a serious problem which now exists for over a month.

There are some important distinctions to be made here …

  1. Roles in the “elan” namespace are linked to the “elan” provider namespace, which is currently owned by two users, lkiesow & tibroc …
    elan legacy namespace
    elan provider namespace

  2. The installs were fixed a few days ago by patches we rolled out to production and some scripted cleanup on duplicate roles …

[jtanner@p1 tmp]$ rm -rf ~/.ansible /tmp/roles ; ansible-galaxy install -p roles elan.opencast_user
Starting galaxy role install process
- downloading role 'opencast_user', owned by elan
- downloading role from https://github.com/elan-ev/opencast_user/archive/main.tar.gz
- extracting elan.opencast_user to /tmp/roles/elan.opencast_user
- elan.opencast_user (main) was installed successfully
  3. The “elan” namespaces are not in fact pointing at elan (Elan Feingold) · GitHub, nor are they owned by that GitHub user. The problem is a bug in the galaxy backend that assembles the avatar url in a very naive way…

serializer

        return {
            'dependencies': dependencies,
            'namespace': {
                'id': obj.namespace.id,
                'name': obj.namespace.name,
                'avatar_url': f'https://github.com/{obj.namespace.name}.png'
            },
            'provider_namespace': provider_ns,
            'repository': repository,
            'tags': tags,
            'versions': versions
        }

That url needs to come from the provider namespace’s metadata instead …

[jtanner@p1 tmp]$ curl -s -L http://galaxy.ansible.com/api/v3/namespaces/?name=elan | jq .data[].avatar_url
"https://avatars.githubusercontent.com/u/1064602?s=200&v=4"

I’ll work on a patch to fix that.

  4. Having roles on galaxy with a namespace that matches some other GitHub user’s name is always going to be confusing to end users. What would be helpful is if all the elan.* roles were renamed to elan-ev to better match the real GitHub source. Is that something you’ve considered?
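As an added example that is not part of the thread or of Galaxy NG's own code: the naive avatar_url construction quoted above beside a version that takes the avatar from the provider namespace's stored metadata, plus a check for the name-derived pattern in API output. The Namespace and ProviderNamespace classes and the avatar_url field on the provider namespace are assumed stand-ins, not the real models.

```python
"""Added example, not Galaxy NG's own code: the name-derived avatar_url
from the thread beside a version that takes it from the provider
namespace's stored metadata, plus a check for the naive pattern.
Namespace / ProviderNamespace are constructed stand-ins for the models."""
import re
from dataclasses import dataclass
from typing import Optional

# Value the curl in the thread returned for /api/v3/namespaces/?name=elan
PROVIDER_AVATAR = "https://avatars.githubusercontent.com/u/1064602?s=200&v=4"


@dataclass
class Namespace:             # stand-in for obj.namespace (legacy namespace)
    id: int
    name: str


@dataclass
class ProviderNamespace:     # stand-in for the linked provider namespace
    name: str
    avatar_url: Optional[str] = None  # assumed: recorded when the GitHub
                                      # account was linked, never computed


def naive_avatar_url(ns: Namespace) -> str:
    """Buggy form quoted in the thread: the GitHub login that happens to
    equal the Galaxy namespace name is displayed as the apparent owner."""
    return f"https://github.com/{ns.name}.png"


def provider_avatar_url(provider_ns: Optional[ProviderNamespace]) -> Optional[str]:
    """Fixed form: only the avatar stored for the linked account is shown;
    with no metadata the field stays empty rather than being guessed."""
    if provider_ns is None or not provider_ns.avatar_url:
        return None
    return provider_ns.avatar_url


def serialize_namespace(ns: Namespace, provider_ns: Optional[ProviderNamespace]) -> dict:
    """Corrected 'namespace' block of the serializer shown in the thread."""
    return {"id": ns.id, "name": ns.name, "avatar_url": provider_avatar_url(provider_ns)}


NAME_DERIVED = re.compile(r"^https://github\.com/[^/]+\.png$")


def is_name_derived_avatar(url: Optional[str]) -> bool:
    """Check for API output: True when avatar_url still follows the naive
    github.com/<name>.png pattern instead of a stored avatars URL."""
    return bool(url) and NAME_DERIVED.match(url) is not None
```

Running is_name_derived_avatar over the avatar_url of every record returned by the roles API gives a quick regression check that no namespace is still rendered with a name-derived avatar after the patch.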