nixops
Request: Release 1.7.1 with security patch for CVE-2022-29217
I'm quite interested in giving NixOps a try but currently the stable version (1.7.0) is affected by CVE-2022-29217 (via the pyjwt dependency) and is not installable by default on NixOS.
Would it be possible to release a patched version of 1.7.0 with this dependency upgraded to a version without the vulnerability (requires an upgrade of pyjwt: 1.7.1 -> 2.4.0)?
All maintenance to the NixOps core currently happens on NixOps 2 (master / pre-release), because of the project's limited resources. NixOps 1 relies on python 2.7, so maintaining it is not feasible with this project's limited resources. Please consider helping with maintenance and testing, or donate to https://opencollective.com/nix-deployments. This fund currently supports reviews and fixes on master. Donations greatly increase our ability to get things merged and work towards a functional NixOps 2 release.
I understand. That sounds reasonable.
May I also point out, though, that this puts the project in an unfortunate position:
Currently NixOps 1 is no longer usable because it is unmaintained and probably affected by security issues. And NixOps 2 isn't usable yet because it is still under heavy development and has not been stabilized.