kaxil commented on pull request #16577: URL: https://github.com/apache/airflow/pull/16577#issuecomment-865862558
> > @potiuk @uranusjr Did you guys actually try out? I had, unless I missed something (which is also possible :) )
>
> Yep. I tried. I think the main point (and @uranusjr I believe agrees with me on that) is that we should NOT exclude yarn.lock from the sdist package. It's quite useful to have it there, because this will allow the users to repeatably build the package on their own using sources.

Well, that defeats the purpose of what this PR is solving: clair and trivy and other scanners will find it. For ASF projects, if someone wants to build from source they can use `apache-airflow-VERSION-source.tar.gz`, example https://dist.apache.org/repos/dist/release/airflow/2.1.0/apache-airflow-2.1.0-source.tar.gz
