kaxil commented on issue #10753:
URL: https://github.com/apache/airflow/issues/10753#issuecomment-687674352


"There are many big organisations (including my customers) that only allow specific version of deps and scan them." -- You are agreeing with me here, aren't you? I was making the exact same point: they only allow specific versions and do not trust PyPI blindly.
   
> The second customer of ours (the big SAAS) has a security team that provides the repositories that you can use and you have no way to install anything which is not in those repositories (apt, images, apk, PyPI are transparently proxied to those repositories).
   
This is a company-specific thing; even ASF says that "downloads.apache.org" is the only "official" place for our product. The previous company I worked with, who had a bank as their client, had automated the downloads, verifying checksums and signatures using Ansible. The "images" you mention, I think, might be Docker Hub, right? So if the sources are available somewhere else and not under ASF, like you are asking for, this should still be fine.

