Opened 7 years ago
Closed 7 years ago
#55229 closed update (fixed)
ansible @2.3.2.0.1_1: update to 2.4.1.0-1
| Reported by: | l2dy (Zero King) | Owned by: | adfernandes (Andrew Fernandes) |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | ports | Version: | |
| Keywords: | security | Cc: | blair (Blair Zajac), pedro.salgado@…, jmehnle (Julian Mehnle) |
| Port: | ansible |
Description
Security fix for CVE-2017-7550, see https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md#241-dancing-days---2017-10-25.
Attachments (1)
Change History (10)
comment:1 Changed 7 years ago by adfernandes (Andrew Fernandes)
Changed 7 years ago by adfernandes (Andrew Fernandes)
| Attachment: | _ansible.patch added |
|---|
Major Portfile Update
comment:2 Changed 7 years ago by adfernandes (Andrew Fernandes)
Alrighty. That was fun!
I've converted the old Portfile to use the Ansible-blessed installation method of pip.
The diff is attached.
Blair, can you (or someone else) please look at the diff to see if it passes muster for you?
All new and old Portfiles pass linting, and it seems to work fine on my system.
comment:3 Changed 7 years ago by blair (Blair Zajac)
Comments on the patch. It would be great to get it as a pull request so I can comment on it there.
1) The license was changed in the patch to BSD, but it still appears to be GPL-3+ as seen here: https://github.com/ansible/ansible/blob/devel/COPYING and a random file: https://github.com/ansible/ansible/blob/devel/lib/ansible/__init__.py .
2) The reinplace -q "s#/etc/ansible#${prefix}/etc/ansible#g" ${f} and surrounding lines isn't in the py-ansible.
3) None of post-destroot.
I would do a port -v contents of the original and new ansible and confirm there are no files missing.
comment:4 Changed 7 years ago by adfernandes (Andrew Fernandes)
Thanks, Blair.
1) Crap, you're right about the license. I was working on https://github.com/ansible/ansible/tree/devel/licenses which lists BSD. Sigh.
2) Pip should auto-rebase... oh friggin' heck, don't tell me that they use a global root even in the pip install...
3) Will double-check.
The contents can be misleading because it was never clear what the difference between the git install and the pip install was.
Sigh. I'll roll through it when I've had more sleep.
Thanks for looking - much appreciated.
comment:5 follow-up: 7 Changed 7 years ago by jmehnle (Julian Mehnle)
Andrew, do you by any chance have an update on this?
comment:6 Changed 7 years ago by jmehnle (Julian Mehnle)
| Cc: | jmehnle added |
|---|
comment:7 Changed 7 years ago by adfernandes (Andrew Fernandes)
Replying to jmehnle:
Andrew, do you by any chance have an update on this?
I do - apologies for the delay.
I have the updates (discussed above) ready and almost fully tested.
Should commit within the next 36 hours.
comment:8 Changed 7 years ago by adfernandes (Andrew Fernandes)
Blair - I submitted a pull request on GitHub for your review.
I think I covered all the bases, and it seems to work in my testing.
comment:9 Changed 7 years ago by Andrew Fernandes <andrew@…>
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
So I'm building
2.4.1.0-1and modifying thePortfileand I hit the following annoying errror:`A bit of googling and the official Ansible response appears to be "Huh. Don't do that."
Ansible is somewhat glib in their documentation (http://docs.ansible.com/ansible/latest/intro_installation.html#latest-releases-via-pip), too:
Yeah. Just install it globally. Don't worry about it. Wow.
I may have to try and rework this package using pip. But given past experience (the pip install simply didn't work, and Ansible was glib and insulting replying to people's trouble tickets) I'm not sure how well that would work.