[PR] feat: add PYTHON_LTO build arg for FIPS compliance [airflow]

Sat, 22 Nov 2025 07:26:01 -0800 


Subham-KRLX opened a new pull request, #58583:
URL: https://github.com/apache/airflow/pull/58583

   Enable FIPS Support by making Python LTO configurable
   
   closes: #58337
   
   With FIPS mode enabled, `apt update` may fail if the image was built with 
Python Link Time Optimization (LTO) enabled, as it can involve MD5 verification 
which is blocked in FIPS mode.
   
   This PR introduces a new build argument `PYTHON_LTO` (defaulting to `true`) 
to control whether Python is built with LTO. To build a FIPS-compliant image, 
this argument can be set to `false`.
   
   **Changes:**
   - Added `ARG PYTHON_LTO="true"` to 
[Dockerfile](cci:7://file:///Users/subhamsangwan/airflow/Dockerfile:0:0-0:0) 
and 
[Dockerfile.ci](cci:7://file:///Users/subhamsangwan/airflow/Dockerfile.ci:0:0-0:0).
   - Updated 
[scripts/docker/install_os_dependencies.sh](cci:7://file:///Users/subhamsangwan/airflow/scripts/docker/install_os_dependencies.sh:0:0-0:0)
 to conditionally add `--with-lto` flag to Python's `./configure` script based 
on the `PYTHON_LTO` environment variable.
   
   ---
   Read the **[Pull Request 
Guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#pull-request-guidelines)**
 for more information.
   In case of fundamental code changes, an Airflow Improvement Proposal 
([AIP](https://cwiki.apache.org/confluence/display/AIRFLOW/Airflow+Improvement+Proposals))
 is needed.
   In case of a new dependency, check compliance with the [ASF 3rd Party 
License Policy](https://www.apache.org/legal/resolved.html#category-x).
   In case of backwards incompatible changes please leave a note in a 
newsfragment file, named `{pr_number}.significant.rst` or 
`{issue_number}.significant.rst`, in 
[airflow-core/newsfragments](https://github.com/apache/airflow/tree/main/airflow-core/newsfragments).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to