vulnk000 commented on issue #24344:
URL: https://github.com/apache/airflow/issues/24344#issuecomment-1152048300

Hello,

I completely understand your answer and the motivations behind it. But please, if you are not going to treat vulnerability reports, add that to your security policy, as this specific case is not mentioned and it will surely be common.

On the other hand, I don't agree with your statement. You are releasing software with vulnerabilities that may or may not be exploited in several ways. But we don't know, because (correct me if I'm wrong) you are not looking at them. If reports have 200+ vulnerabilities, maybe there is something wrong behind that which may explain these 200 vulns (almost all of them in the image, not as Python dependencies).

We will try to figure out how to improve the security. Maybe it is another base image, creating a new distroless image and adding pipelines for vulnerability management. What is the proper channel to bring these proposals? Just PRs?
   