potiuk commented on a change in pull request #16935:
URL: https://github.com/apache/airflow/pull/16935#discussion_r668168272



##########
File path: docs/docker-stack/entrypoint.rst
##########
@@ -262,11 +262,28 @@ and Admin role. They also forward local port ``8080`` to 
the webserver port and
 Installing additional requirements
 ..................................
 
+.. warning:: Installing requirements this way is a very convenient method of 
running Airflow, very useful for
+    testing and debugging. However, do not be tricked by its convenience. You 
should never, ever use it in
+    production environment. We have deliberately chose to make it a 
development/test dependency and we print
+    a warning, whenever it is used. There is an inherent security-related 
issue with using this method in
+    production. Installing the requirements this way can happen at literally 
any time - when your containers
+    get restarted, when your machines in K8S cluster get restarted. In a K8S 
Cluster those events can happen
+    literally any time. This opens you up to a serious vulnerability where 
your production environment
+    might be brought down by a single dependency being removed from PyPI - or 
even dependency of your

Review comment:
   Yeah. But you can protect from that by specifying `==version` (which makes an easy counter-argument here like "always specify all dependencies and make them with `==`").

   However, there is no way to protect even if you specify `==version` and someone removes that version. Which already happened to Airflow at least once that I remember. And this is exactly what happened with leftpad.

   I really think that it's the "removal" of dependency which is far more disastrous and the REAL reason why we should never use this variable in production.
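The two failure modes the thread describes, as an added illustration (not code from the PR or from Airflow): a requirement installed at container start either drifts to whatever the index serves today when it is unpinned, or fails outright when a pinned release has been removed. The index snapshot and requirement lines are constructed sample data; the variable under discussion is assumed to be Airflow's `_PIP_ADDITIONAL_REQUIREMENTS`, which the thread does not name.

```python
"""Model what a start-time 'pip install' would do against today's index:
unpinned specs drift, pinned specs whose release vanished fail the install."""
import re
from typing import Dict, List, Tuple

# Constructed snapshot of what the index serves today (package -> versions).
INDEX_TODAY: Dict[str, List[str]] = {
    "apache-airflow-providers-amazon": ["2.0.0", "2.1.0"],
    "left-pad": [],  # every release removed, as in the left-pad incident
    "requests": ["2.25.1", "2.26.0"],
}

# Accepts "name" or "name==version", with an optional trailing comment.
SPEC_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(?:==\s*([^\s#]+))?\s*(?:#.*)?$")


def resolve(line: str, index: Dict[str, List[str]]) -> Tuple[str, str]:
    """Return (status, detail) for one requirement line.
    'ok': pinned release present; 'drift': unpinned, newest would be installed,
    so behaviour can change between restarts; 'missing': pinned release or
    whole package gone, which is the outage the doc warning describes."""
    m = SPEC_RE.match(line)
    if not m:
        return ("invalid", line.strip())
    name, version = m.group(1).lower(), m.group(2)
    available = index.get(name, [])
    if version is None:
        if not available:
            return ("missing", f"{name}: no releases on index")
        newest = max(available, key=lambda v: tuple(int(p) for p in v.split(".")))
        return ("drift", f"{name}: unpinned, would install {newest}")
    if version in available:
        return ("ok", f"{name}=={version}")
    return ("missing", f"{name}=={version}: pinned release not on index")


def audit(lines: List[str], index: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Group requirement lines by outcome; blank lines and comments are skipped.
    Anything under 'missing' breaks the next container restart."""
    report: Dict[str, List[str]] = {"ok": [], "drift": [], "missing": [], "invalid": []}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        status, detail = resolve(line, index)
        report[status].append(detail)
    return report


if __name__ == "__main__":
    sample = ["requests", "apache-airflow-providers-amazon==2.0.0", "left-pad==1.3.0"]
    for status, items in audit(sample, INDEX_TODAY).items():
        print(status, items)
```

Running the same audit against a snapshot taken at image build time and again at restart time shows the difference between baking requirements into the image and installing them on every start.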




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.