GitHub user potiuk edited a comment on the discussion: Kubernetes Image Builder Vulnerability affects Airflow Container Images?
I think it depends what you are up to. Seems that it's up to you to see if a random vulnerability is affecting apparently unrelated things. If you believe that this vulnerability affects Airflow, there is a very clear security policy - see https://github.com/apache/airflow/security that tells you exactly how to report security issues to the security team of Airflow (it should be accompanied by a reproduction scenario that shows how you think Airflow is impacted by it). Then you also have the image documentation that explains the security aspect of the "reference" image of ours (not "official" - you are mistaken in your assessment of the nomenclature of the image that the Apache Airflow Community releases): https://airflow.apache.org/docs/docker-stack/index.html#fixing-images-at-release-time Also this chapter https://airflow.apache.org/docs/docker-stack/index.html#what-should-i-do-if-my-security-scan-shows-critical-and-high-vulnerabilities-in-the-image explains how you can use the Airflow source Dockerfile to build your own image, if you are security conscious and want to apply the latest security fixes to the base image and upgrade your image to the latest dependencies. Again - the Airflow Image is a "reference" image, it does not have all the security guarantees the "official" name might imply (which is also often misleading because with open-source you never get any guarantees if you read the licence). Best option: Pay security researchers to see if they find a problem, and report to us if they find a reproducible scenario. Then you will be able to have some kind of certainty (or at least someone to blame and sue if they are mistaken) and you will also be able to contribute back for the free software you get in the community; we actually encourage and expect that the users who get the software for free pay back researchers, and contributing back engineering time is the best you can do to thank those > 3000 contributors who created Airflow.
GitHub link: https://github.com/apache/airflow/discussions/43296#discussioncomment-11026294
