potiuk commented on issue #10753: URL: https://github.com/apache/airflow/issues/10753#issuecomment-687658536
I think everything is clear when we install from "official" repositories - PyPI, apt, apk - those are officially maintained projects. I think there is this non-immediately-obvious criterion (but I think one that perfectly reflects the "commercially-friendly" nature of ASF): "is it likely that the software will be officially blessed by the security team in a big corporation when installing stuff?"

* PyPI, apt, apk - for binary installation: for sure yes (likely it is already filtered, vetted, allow-listed by those security teams).
* Binary version of pgbouncer-exporter from jhub: for sure it won't be accepted.
* Snapshotted sources of pgbouncer-exporter from jhub with a permissive licence, easily buildable by the security team using standard libraries: likely yes.
* Binary image of astronomerinc - without appropriately licenced sources to rebuild them: for sure not.

I think those are the kinds of users that we have to fulfill the criteria of rebuildability for. It is quite a different thing compared to the "GNU" rebuildability ideals introduced by the (now infamous) Richard Stallman. There the "ideal" (**almost** fulfilled with Linux, GnuMake, GnuC++, and many others) was "You can build the software from zero without using ANY proprietary stuff". But ASF is definitely not as orthodox, and being commercially friendly means that "appropriate tools and platforms" are available - and it's a bit of interpretation what those are. Still, being vendor-neutral here and forcing dependency on potentially 3rd-party controlled software or its availability is a bad idea.
