What is the purpose of the repository ansible-core/ansible?

Does anyone know the purpose of the following repository? (not ansible/ansible)

My colleague misunderstood it as an ansible-core repository.

The official ansible-core repository is ansible/ansible, right?

No idea, I haven’t seen this before. It seems to be an up-to-date mirror of ansible/ansible (but I haven’t checked in detail, it only looks that way at first glance), but I have no idea by whom… @gundalow @Core are you aware of this? Is this an official repository by Red Hat, or some third-party fork/mirror?

1 Like

Hi,
I’ve never heard of https://github.com/ansible-core before. It is not official. I don’t believe it’s created by anybody related to Red Hat.

I’m guessing that someone created a GitHub user called “ansible-core” and forked ansible/ansible.

From a very quick look, I don’t see local commits, so I can’t find contact info.

1 Like

Thank you for the information.

I’ll keep in mind that it’s not an official repository.

I’ve asked internally (Red Hat) for some advice on this.

1 Like

I doubt it’s ours. The org doesn’t have public members. But the branches page (Branches · ansible-core/ansible · GitHub) leaked that devel was last updated by a noname account tekicat (tekicat) · GitHub 13 hours ago. They seemed to have pushed the same commit as in the official repo. But obviously, I wouldn’t trust the impersonator. This could be either somebody inexperienced or a malicious actor preparing for a supply chain exploit long-term.

The tags and non-default branches haven’t been synched from the official repository for like two years but somebody keeps devel in sync. This likely means that it was forked 2 years ago.

I think we should report the org to GH for impersonation.

UPD: reported the org

4 Likes
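A defender-side check for the situation described in this thread, added here as an example (it is not code from any poster or from the Ansible project): scan requirements files, `.gitmodules` or git config text for GitHub references to a repository named `ansible` under any owner other than `ansible`. The function name, the allowlist and the sample lines are assumptions made for the example; personal forks are flagged too and need manual review.

```python
import re

# Assumption for this example: the only trusted GitHub source for ansible-core
# is ansible/ansible, as stated in the thread. Maps repo name -> official owner.
OFFICIAL = {"ansible": "ansible"}

# Matches https://github.com/owner/repo, git+https://..., ssh://git@github.com/owner/repo
# and the scp-like git@github.com:owner/repo form.
GITHUB_REF = re.compile(
    r"github\.com[/:](?P<owner>[A-Za-z0-9][A-Za-z0-9-]*)/(?P<repo>[A-Za-z0-9._-]+)",
    re.IGNORECASE,
)


def find_lookalikes(text, official=OFFICIAL):
    """Return (line_no, owner, repo) for every GitHub reference whose repository
    name is tracked in `official` but whose owner is not the official one."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GITHUB_REF.finditer(line):
            # GitHub owner and repository names are case-insensitive.
            owner = match.group("owner").lower()
            repo = match.group("repo").lower().rstrip(".")
            if repo.endswith(".git"):
                repo = repo[:-4]
            expected = official.get(repo)
            if expected is not None and owner != expected:
                findings.append((line_no, owner, repo))
    return findings


# Constructed sample input (not taken from any real project).
SAMPLE = """\
# constructed requirements / .gitmodules lines
ansible-core @ git+https://github.com/ansible/ansible.git@devel
ansible-core @ git+https://github.com/ansible-core/ansible.git@devel
url = git@github.com:Ansible-Core/ansible.git
url = ssh://git@github.com/ansible/ansible
https://github.com/ansible/ansible-lint
"""

if __name__ == "__main__":
    for line_no, owner, repo in find_lookalikes(SAMPLE):
        print(f"line {line_no}: {owner}/{repo} is not the official "
              f"{OFFICIAL[repo]}/{repo}")
```
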

Thank you for the details!

This is what GH responded to my impersonation report:

Hello,

Thanks for reaching out.

We understand that copyrighted, trademarked, or private content may get published on GitHub – either accidentally or on purpose – sometimes in repositories that you do not own. Because the nature of this content varies, and because of different applicable laws, each category has its own, distinct reporting requirements outlined in our policies.

If you’d like to request that content be removed from GitHub, please take some time to acquaint yourself with each of these policies and their respective reporting requirements before submitting a report.

You can find more information about our policies here:

Submitting content removal requests

Additionally, you may also want to review this blog post on how to handle sensitive data leaks:

Full exposure: A practical approach to handling sensitive data leaks

Please let us know if you have any other questions.

Regards,
GitHub Trust & Safety

cc @gundalow

1 Like

@webknjaz As I haven’t been through that process before, thank you for the details.

I’m waiting to hear back from Red Hat Legal, and will update the thread once I’ve got an update.

This has been reported to GitHub, I’ll report back here once I have an update.

2 Likes