kaxil commented on issue #10753:
URL: https://github.com/apache/airflow/issues/10753#issuecomment-687673328


> Technically not. But any organisation that I know of that cares for reproducibility of their software installation maintains their own mirrors and archives for those "standard" installation sources.

Do they trust all PyPI packages though? Don't they scan on every release? A package can add a dependency that might be vulnerable.

> "likely it is already filtered, vetted, allow-listed by those security teams".

Again, it has the same risk as any open source package not on PyPI. The teams I have worked with do maintain their own mirrors but check on each release and store a copy of the "approved" release in their "repository manager".


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]
