Following the discussion at https://lists.apache.org/thread/z0yh528lkc1pfpjwlb3b3qbylg5do2jr - together with Aritra, we want to ask for a lazy consensus on switching our base images to use just bare bookworm-slim images and building Python from released, official (and signed) sources.

We tested how building Python impacts us for quite some time in CI, and we have not seen any side effects. We built the PROD images with all the same optimizations that the "docker official" Python images are built with and we solved all the issues that we saw in tests. There is a **slight** change of where Python is installed as a result, but the impact of it should be minimal and we described it in the image release notes.

As a result we will have:

* newer setuptools (not triggering security scanners)
* faster update when new versions are released (automatically once Python packages are released)
* certainty about the provenance of the Python code - we build it from signed packages and we verify the signatures.

We are looking for final reviews and approvals: https://github.com/apache/airflow/pull/53770

But in the meantime we call for LAZY CONSENSUS. There is no need to respond, but final reviews on the PR and committer approvals are most welcome.

The consensus will run till Monday, 1st of Sep 2025, 6pm CEST: https://www.timeanddate.com/countdown/generic?iso=20250901T18&p0=262&font=cursive

J.