potiuk commented on issue #10753: URL: https://github.com/apache/airflow/issues/10753#issuecomment-687672255
> But at least my personal opinion is that having them on PyPI does not guarantee anything.

Technically not. But any organisation that I know of that cares for reproducibility of their software installation maintains their own mirrors and archives for those "standard" installation sources. That's what I actually mean by "likely it is already filtered, vetted, allow-listed by those security teams". We even did that in Polidea for our mobile app development.

> Is that written somewhere in ASF docs, I haven't checked it so I might be wrong.

I don't think there are clear rules in ASF about Docker images nor Helm charts - that's precisely something I am trying to get at in the discussion@asf. The above statement of mine (starting with "I think") is my interpretation of:

> Every ASF release must contain a source package, which must be sufficient for a user to build and test the release provided they have access to the appropriate platform and tools (http://www.apache.org/legal/release-policy.html#what-must-every-release-contain)

My point is based on the understanding that our users (most of all the corporate ones) care about reproducibility, security and legality of the software they use. They should be able to use the chart without any strings attached. This means for me - they should be able to - legally - "build and test the release provided they have access to the appropriate platform and tools". And they should be told how to do it.

Do you agree with the above interpretation? If not, I'd love to hear what's wrong with it :).

I'd really love to hear how you would like to approach the case of the user I explained (if you agree with the statement above) otherwise. Imagine the user that has the Helm chart (released by Airflow), that points to some binary image which they cannot use (it's proprietary) and have no way to rebuild it (the code to do that is either not licenced at all or not maintained). Or they simply do not know how to build it because there are no instructions on how to do it. I'd love to know your answer to such a case, please?
