kaxil edited a comment on issue #10753:
URL: https://github.com/apache/airflow/issues/10753#issuecomment-687669753


> I think everything is clear when we use installing from "official" repositories - pypi, apt, apk - those are officially maintained projects.

Is that written somewhere in ASF docs? I haven't checked it, so I might be wrong. But at least my personal opinion is that having them on PyPI does not guarantee anything. The repo owner can just delete it. Uploading on PyPI means nothing. I understand that on Dockerhub they verify the "official" images, but that is not true for PyPI.

That is also the main reason ASF states that the official place is downloads.apache.org, so thinking that if it is on PyPI it is official does not make sense to me.

Again, to reiterate, I don't have any objection to what we are doing with sources, but I don't think it is mandatory if the sources are public with correct licenses. For any company adopting a new library, they need to scan the entirety of it, because the fact that a library didn't contain any malicious code previously does not guarantee it does not contain it now.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]
