bangjiehan commented on PR #40015: URL: https://github.com/apache/airflow/pull/40015#issuecomment-2146812782
> Is there a "real" problem you want to avoid by removing it?

A lower mental burden in the situation where a user wants to check the dependency list manually before executing it. Sure, there is no real problem if the user just copies and executes the script without inspection.

> And how would you approach security for those users?

Installing the package apt-transport-https does not change the protocol used by apt from HTTP to HTTPS. It just enables apt to use HTTPS repositories in apt 1.4 and below, and the Debian installer uses HTTP without TLS by default. There are GPG-signed MD5/SHA1 hashes for packages to ensure package integrity.

Yeah, security is a complex issue. Indeed, there are some research papers revealing potential risks of apt using HTTP transport, but it should not be an issue that Airflow is concerned with. At least it should not be addressed in a way that adds unnecessary dependencies. Otherwise, should it add dependencies like a firewall or SELinux?
