potiuk commented on issue #10753:
URL: https://github.com/apache/airflow/issues/10753#issuecomment-687673873
> Do they trust all PyPI packages though? Don't they scan every
> release? A package can add a dependency that might be vulnerable.
There are many big organisations (including my customers) that only allow
specific versions of deps and scan them. This, for example, happens in Composer
(they literally use only allowed, security-team-vetted whl files). This was
one of the reasons the provider's package did not work initially, because of the
way airflow was installed in the Composer image (pre-vetted .whl images + airflow
sources, each landing in a different namespace).
The second customer of ours (the big SAAS) has a security team that provides
the repositories that you can use, and you have no way to install anything which
is not in those repositories (apt, images, apk, PyPI are transparently proxied
to those repositories). If you need a new package they will install it for you
and will keep on updating new versions after they security-scan them (if you
require that). Their security team scans the deps and CVEs and alerts when you
use a non-secure dependency. I experienced the same in Telecom and Banking
environments for years, so for me this is "normal".
> > "likely it is already filtered, vetted, allow-listed by those security
> > teams".
>
> Again, has the same risk as any open source package not on PyPI. The teams
> I have worked with do maintain their own mirrors but check on each release and
> store a copy of the "approved" release in their "repository manager".
Same here. This means that no binary image of unknown provenance can go
through.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
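The control the comment describes (a security team approves specific releases, and nothing of unknown provenance gets through) boils down to an allow-list of package name, version and artifact hash. As an added example, not code from the Airflow issue or from any of the organisations mentioned, the script below checks wheel files against such a manifest. The manifest format (`name==version sha256=<hex>`), the wheel payloads and the filenames are all constructed for illustration; a real deployment would hold the manifest in the security team's repository manager and run this check in the proxy or in CI.

```python
"""Allow-list check for Python wheels against an approved-release manifest.

Added example (not the Airflow project's code). The manifest format and the
wheel contents are constructed for illustration.
"""
import hashlib
import re
from typing import Dict, Tuple

# Wheel filename layout (PEP 427): {dist}-{version}(-{build})?-{py}-{abi}-{plat}.whl
WHEEL_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.]+)-(?P<version>[^-]+)(-\d[^-]*)?-[^-]+-[^-]+-[^-]+\.whl$"
)


def normalize(name: str) -> str:
    """PEP 503 name normalisation: 'Apache_Airflow' and 'apache-airflow' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_manifest(text: str) -> Dict[Tuple[str, str], str]:
    """Parse 'name==version sha256=<hex>' lines into {(name, version): sha256}.

    Blank lines and '#' comments are ignored. Any other malformed line raises,
    because a half-parsed allow-list is worse than no allow-list.
    """
    approved: Dict[Tuple[str, str], str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        spec, digest = line.split()
        name, version = spec.split("==")
        if not digest.startswith("sha256="):
            raise ValueError(f"unsupported digest in manifest line: {raw!r}")
        approved[(normalize(name), version)] = digest[len("sha256="):].lower()
    return approved


def check_wheel(filename: str, content: bytes,
                approved: Dict[Tuple[str, str], str]) -> str:
    """Return 'allow' or a 'reject: <reason>' verdict for one artifact."""
    m = WHEEL_RE.match(filename)
    if not m:
        return "reject: not a wheel filename"
    key = (normalize(m["name"]), m["version"])
    if key not in approved:
        # Unknown name/version: the release was never vetted.
        return "reject: release not approved"
    actual = hashlib.sha256(content).hexdigest()
    if actual != approved[key]:
        # Right name and version but different bytes: rebuilt, tampered or
        # a different upload than the one the security team looked at.
        return "reject: hash mismatch"
    return "allow"


# --- constructed sample data (not real packages) ---------------------------
GOOD_WHEEL = b"constructed wheel payload for example-lib 1.2.0"
TAMPERED_WHEEL = GOOD_WHEEL + b"\x00"
MANIFEST = f"""
# approved by the security team (constructed example)
Example_Lib==1.2.0 sha256={hashlib.sha256(GOOD_WHEEL).hexdigest()}
"""
APPROVED = parse_manifest(MANIFEST)


def run_example():
    """Verdicts for a few constructed artifacts, keyed by a short label."""
    return {
        "approved": check_wheel("example_lib-1.2.0-py3-none-any.whl", GOOD_WHEEL, APPROVED),
        "tampered": check_wheel("example_lib-1.2.0-py3-none-any.whl", TAMPERED_WHEEL, APPROVED),
        "unvetted_version": check_wheel("example_lib-1.3.0-py3-none-any.whl", GOOD_WHEEL, APPROVED),
        "unknown_package": check_wheel("other_lib-0.9-py3-none-any.whl", GOOD_WHEEL, APPROVED),
        "not_a_wheel": check_wheel("notes.txt", b"", APPROVED),
    }


if __name__ == "__main__":
    for label, verdict in run_example().items():
        print(f"{label:18} {verdict}")
```

The hash comparison is what makes the allow-list meaningful: pinning `name==version` alone still lets a re-uploaded or mirror-substituted artifact through, which is exactly the "unknown provenance" case the comment says these setups are meant to block.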