potiuk commented on issue #23: URL: https://github.com/apache/tooling-agents/issues/23#issuecomment-4399149736

Quick PR-link follow-up — the 5 fixes promised above are now open:

| Finding | PR | Status |
|---|---|---|
| F-008 — timing-safe password comparison | apache/airflow#66556 | open |
| F-060 — non-string `dag_id`/`team_name` rejected before authz | apache/airflow#66504 (scope extended) | open |
| F-039 — production-shape startup warning for SimpleAuthManager | apache/airflow#66563 | open |
| F-133 — trust-sentinel for `state.user` injection | apache/airflow#66562 | open |
| F-175 — Kerberos ccache docs (no `/tmp` default) | apache/airflow#66557 | open |

#66504 was already open from the L1 round (F-008 in old numbering — JSONDecode fail-closed); I extended its scope to also cover the L3-numbered F-060 type-validation since it's the same function. Title and body are updated to reflect the broader scope.

Will follow up here once any of them merge or get pushback worth surfacing. As before, happy to dig deeper on any of the by-design ones if the rationale isn't matching what you're seeing on your end.

---

This response was generated by AI and may contain mistakes. After you've had a chance to look at the PRs and respond, a real Airflow maintainer (human) will follow up.

---

Drafted-by: Claude Opus 4.7 (1M context); reviewed by @potiuk before posting
