15:09:55 <sdoran> #startmeeting Ansible Core Public IRC Meeting https://github.com/ansible/community/issues/507 15:09:55 <zodbot> Meeting started Thu Dec 5 15:09:55 2019 UTC. 15:09:55 <zodbot> This meeting is logged and archived in a public location. 15:09:55 <zodbot> The chair is sdoran. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:09:55 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 15:09:55 <zodbot> The meeting name has been set to 'ansible_core_public_irc_meeting_https://github.com/ansible/community/issues/507' 15:10:00 <shertel> Hi 15:10:21 <resmo> hi 15:10:28 <keylemon> hello 15:10:57 <sdoran> #chair shertel 15:10:57 <zodbot> Current chairs: sdoran shertel 15:11:05 <sdoran> #topic https://github.com/ansible/ansible/pull/55268 15:11:30 <sdoran> Is evitalis around? 15:11:39 <keylemon> i am here, forgot to include my id in the issue sorry 15:11:40 <sdoran> We tried to discuss this last time but I don't think it went anywhere. 15:11:49 <sdoran> Ah, no worries. 15:11:54 <sdoran> You have the floor. 15:12:31 <keylemon> thanks, first meeting i have attended. i wanted to discuss https://github.com/ansible/ansible/pull/55268 which seems to have stalled out and got changed from my original pr. 15:12:54 <sdoran> I'm reading up on the issue. 15:14:28 <shertel> webknjaz, just in case you're around and free to take a look at the last comment 15:14:37 <keylemon> openbsd uses a the $2b designation for bcrypt which is an updated version solving for some issues in implementation. linux doesn't natively support bcrypt which is why i think the tests fail but am not sure. 15:15:13 <sivel> I'm concerned with portability 15:15:36 <sivel> what if you are on a team, and 1 person is using linux and another OpenBSD? Running the same playbooks 15:15:45 <sdoran> #chair sivel 15:15:45 <zodbot> Current chairs: sdoran shertel sivel 15:15:53 <sivel> building hashes differently due to special casing this way 15:16:05 <sdoran> Yeah, this is really tricky. 15:16:28 <sivel> Also, we have communicated before that the difference between 2a and 2b isn't really hugely important. I might have my response saved somewhere 15:16:30 <sivel> let me see 15:16:37 <sivel> it also included how we might go about allowing it 15:16:38 <keylemon> yeah i have that response as well 15:16:55 <sdoran> https://github.com/ansible/ansible/issues/54071#issuecomment-474616949 15:17:10 <sivel> Yes, that is my saved response 15:17:18 <sivel> to quote: 15:17:20 <sivel> > We would still be open to accepting a change which modified the passlib code path to use 2b instead of 2a. 15:18:06 <sivel> so our previous decision was to allow this change, but to make it only possible when using passlib 15:18:43 <sivel> and with that, I am sorry, but I must leave for another meeting 15:19:31 <keylemon> so should i open a pr with passlib or is there some other change to my pr here? i am not really sure how to fix it based on the conversation in the pr unfortunately 15:20:10 <keylemon> also its my understanding that the platform module may be deprecated for this use case 15:20:55 <sivel> There are 2 code paths in that file, one that uses crypt, another that uses passlib 15:21:13 <sdoran> Alright, so keylemon: it seems the the change to using `2b` should only be if using `PASSLIB_AVAILABLE=True`. 15:21:19 <sivel> PasslibHash would need to be updated to update the `algorithms` to specify 2b 15:21:39 <sivel> so that 2b only affected the PasslibHash class 15:22:39 <keylemon> got it. i think i see where to change it now thank you sivel . should i close this pr and just open a new one with the change in the right spot? 15:22:52 <sdoran> You can just change the existing PR. 15:23:55 <sivel> and it need not be specific to OpenBSD, should just generically apply 15:24:33 <shertel> +1 15:24:33 <sdoran> #action keylemon to update logic in PR #55268 so it only affects the `PasslibHash` class and is not OpenBSD specific. 15:24:46 <sdoran> keylemon: Anything else on that topic? 15:24:47 <keylemon> makes sense. how should i handle the existing 9 commits in this case? to make sure i am consistent with the project 15:24:55 <keylemon> just that last question 15:25:35 <sdoran> You can leave them. We squash before merging into `devel`. 15:25:43 <keylemon> ok thank you. that is all for that pr 15:25:49 <sdoran> #topic https://github.com/ansible/ansible/pull/65112 15:26:36 <keylemon> on 65112 i talked to acozine the other day in #ansible-docs . it doesn't appear the logic broke it since if i revert the shell the ci reports the same errors 15:27:13 <keylemon> i also cannot seem to reproduce the ci failure locally 15:27:56 <sdoran> You could try running it using the container that we use in CI. 15:28:21 <sdoran> `ansible-test sanity --docker default --test docs-build` 15:28:28 <agaffney> that /usr/bin/command doesn't seem to exist on Linux, which makes it return non-zero and do the SHA_CMD=sha1 assignment, which seems to be backward from how it should work 15:28:58 <agaffney> I'm not sure why that '/usr/bin/command -v' part is needed in there at all 15:29:24 <sdoran> Maybe that's a BSDism? 15:29:27 <keylemon> i do see /usr/bin/command on my fedora workstation. but i can drop that check 15:29:33 <sdoran> Or a way to not use the shell built in `which`? 15:30:02 <agaffney> 'command' seems to be a shell built-in in bash, but there's no 'command' binary in Ubuntu 15:30:11 <keylemon> i looked it up and yeah it was a way to use the true command and not get mixed up with a built in. easy enough to remove and just let it use whatever for `which` 15:30:53 <sdoran> That's probably the most portable, though I understand trying to avoid using the shell builtin. 15:31:02 <sdoran> Some shell don't have it. 15:31:26 <sdoran> So try changing that test as well as trying to duplicate the failure locally using the CI container. 15:31:29 <sdoran> Maybe that will help. 15:31:45 <keylemon> sure both should be quick fixes and tests. 15:31:51 <sdoran> Anything else on this topic? 15:31:58 <sdoran> You can stop by #ansible-devel if you run into issues 15:32:25 <keylemon> it should be good to go once the ci passes or shouls i make any other changes? 15:33:05 <keylemon> otherwise that is all on that topic 15:33:07 <keylemon> thank you 15:33:29 <sdoran> I don't really know anything about that script. I would yield to acozine for final approval. 15:33:52 <keylemon> ok, thank you 15:33:57 <sdoran> You're quite welcome. 15:34:03 <sdoran> #topic https://github.com/ansible/ansible/pull/64436 15:34:28 <agaffney> that PR was merged already 15:34:39 <shertel> it looks like felix is not around to discuss this today 15:35:22 <sdoran> agaffney: It's merged in `devel`. nitzmahone came across it in the 2.9 backports and would like to discuss possibly reverting it (the backports have not been merged) 15:35:25 <shertel> may be a bit early for nitzmahone too 15:35:42 <sdoran> Yup. 15:35:53 <sdoran> Here's the comment from nitzmahone : https://github.com/ansible/community/issues/507#issuecomment-561384958 15:37:56 * nitzmahone blinks 15:39:00 <sdoran> Seems like this needs to be opt in and the existing dangerous behavior, as described by felixfontein, should be removed. 15:39:13 <nitzmahone> I'm uncomfortable with automatically blowing away perceived "invalid" keys by default. IMO there needs to be "force_regen_invalid" flag or something 15:39:19 <sdoran> > Finally, this can only lock you out of systems if you let the module operate on the only copy of the private key you have (i.e. you don't have any backup). 15:39:25 <sdoran> No one ever has backups. :) 15:39:36 <sdoran> (That's a quote from felixfontein ) 15:39:43 <nitzmahone> Esp when the keys are being generated by the playbook :) 15:40:17 <shertel> do we want to change openssl_privatekey to be opt-in as well? Seems like it was done somewhat for consistency. 15:40:37 <nitzmahone> I'd be +1 for that 15:40:49 <nitzmahone> It seems just as dangerous 15:41:07 <sdoran> Yup. 15:41:22 <shertel> Using opt-in only seems like a good thing here. I'm +1. 15:41:23 <sdoran> I would say being consistent with the less-than-ideal thing is not good. 15:41:36 <nitzmahone> Ayup 15:42:06 <webknjaz> shertel: yes, I saw that but have no idea how to check that, I wish I could easily inspect all those OSs 15:42:37 <sdoran> I'm +1 for making this opt-in as well. 15:43:42 <shertel> webknjaz, sounds like we have a good solution :-) sorry for the unnecessary ping. 15:44:20 <webknjaz> I only noticed it now. Make sure to post that solution back to the PR 15:45:27 <sdoran> #action revert commit da73bbd73c94b6bd5cc459f2e813b11014e44a7e 15:45:45 <sdoran> #action change behavior from PR #64436 to be opt-in 15:45:49 <shertel> the meeting logs will probably suffice. The proposed solution from sivel was already discussed in the pr/issue and just clarified here. 15:45:55 <nitzmahone> And I'll zap the backports 15:46:01 <sdoran> 👍 15:46:11 <sdoran> #topic open floor 15:46:17 <agaffney> https://github.com/ansible/ansible/pull/65487 15:46:53 <sdoran> #topic https://github.com/ansible/ansible/pull/65487 15:47:12 <nitzmahone> +1 from me 15:47:26 * sdoran looking 15:47:39 <agaffney> my only real question is if that's the best place to do the check, but I didn't see a better place 15:48:51 <nitzmahone> It's the best place right now... There's something a few of us have been kicking around that might make a better place someday, but as you know, you don't want to wait for it ;) 15:49:41 <shertel> shipit 15:50:31 <sdoran> My only concern is this could break playbooks that are silently ignoring these keys now. 15:50:41 <sdoran> Does this cause the play to fail? 15:50:56 <agaffney> yes 15:51:00 <nitzmahone> Could warm into it with deprecation, but I think that's an ok thing to break right away 15:51:22 <nitzmahone> "your syntax was bad, we just noticed" 15:51:49 <agaffney> this is no different than previously introduced errors for unsupported fields on include_* and such, imo 15:52:05 <sdoran> 🤔 15:52:08 <nitzmahone> I can't think of a legit purpose for allowing the badness 15:52:18 <agaffney> and it's not a deprecation, because it never worked 15:52:33 <agaffney> it was a silently ignored error before 15:52:50 <nitzmahone> (deprecation being "invalid fields warning, we're gonna break later") 15:53:05 <sdoran> I always just like to weigh introducing immediate breakage, even if it is for something that is totally busted. 15:53:20 <agaffney> I made it a failure for consistency with the existing check for the 'name' attribute 15:53:51 <nitzmahone> But I personally don't think that's necessary since it's always been a bug that we didn't validate that, and there's no legit purpose I can think of to allow bad syntax there 15:53:56 <agaffney> it's also really easy to fix your playbook to get rid of the failure, and that fix would be backward compatible (since it never worked anyway) 15:54:09 <nitzmahone> --^ this 15:54:17 <sdoran> Ok. 15:54:37 <sdoran> Merged. 15:54:43 <sdoran> #topic open floor 15:55:28 <nitzmahone> (and sdoran: keep weighing- it's important to avoid breaking stuff in most cases :) ) 15:55:50 <sdoran> Yup. I just like to pause a reflect for a moment. 15:55:56 <sdoran> It's good mental exercise. :) 15:56:02 <nitzmahone> + 1000 15:56:28 <agaffney> indeed 15:56:39 <sdoran> I try to remember that one tiny decision affects millions of people now. 😬 But I don't dwell on it. 15:56:58 <nitzmahone> Because I'd definitely agree we've been a little cavalier about that on occasion on the past 15:57:12 <nitzmahone> *in 15:59:53 <sdoran> Thank you everyone for participating today. 16:00:01 <sdoran> #endmeeting