Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2022/08/06 15:44:27 UTC

[GitHub] [airflow] potiuk commented on pull request #24825: Dockerfile centos

potiuk commented on PR #24825:
URL: https://github.com/apache/airflow/pull/24825#issuecomment-1207236417

   Hey @mik-laj @sfc-gh-mkmak  - I looked a bit closer at that one, and I have a concern. It looks like the base container image that you used for the image is rather old. In Airflow, we strive for releasing our images based on the latest and greatest (i.e. with all known security issues fixed) released by the Python Software Foundation: https://hub.docker.com/_/python?tab=tags
   
   For example, the latest versions of the 3.7-3.10 debian images were pushed 2 days ago (and our CI system will automatically refresh the base images we publish to use the latest version in ~ 1 day).
   
   The centos base python image you used `centos/python-38-centos7:20210726-fad62e9` is rather old in comparison and unfortunately it looks like:
   
   1) It was last updated > 1 year ago; https://hub.docker.com/r/centos/python-38-centos7
   2) There are no 3.9/3.10 Python images at all released by the centos organisation
   
   I am a little concerned with using those (and I am a little concerned you are not concerned :) ). It does not only miss the latest security fixes, but also the Python 3.8 version there is rather old; there were likely 6 or 8 patchlevel releases bringing bugfixes to the 3.8 line.
   
   Do you have any thoughts/ideas/concerns about an up-to-date base for such a centos image?
   
   I even looked at the "official centos image" and even that seems to be very outdated (6-12 months) - which in the world of Security/IT and especially Supply Chain attacks is an eternity.
   
   I am afraid we would not be able to put our "trust" in such rarely released images - especially since our users are deeply concerned about security and we had many requests and questions about up-to-dateness and handling some known and published CVEs in the images.
   
   Can you think of a good/reliable/updated source for up-to-date CentOS-based images we could use as a base? Aren't you concerned about it in Snowflake BTW?
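The two freshness criteria raised in the comment above (how long ago the base image was last rebuilt, and how far its Python patch level lags the current release of that minor line) can be turned into a CI gate. The following is an added example, not code from the Airflow project or the PR; it consumes the JSON that `docker image inspect <image>` prints and the output of `python --version` from inside the image, both of which are constructed samples here (the image timestamps, the Python version strings and the `LATEST_PATCH` table are assumed values chosen for the example, not the real contents of the centos image).

```python
"""Gate a Dockerfile's base image on rebuild age and Python patch level.

Added example (not part of the Airflow PR). Inputs are the JSON array that
`docker image inspect` prints and the `python --version` output of the
image; both samples below are constructed for illustration.
"""
import json
from datetime import datetime, timezone

MAX_AGE_DAYS = 30  # assumed policy: a base image older than this is stale

# Newest known patch release per minor line (assumed snapshot; in a real
# gate refresh this from python.org or the python:* image tags).
LATEST_PATCH = {(3, 8): 13, (3, 9): 13, (3, 10): 6}

# Constructed `docker image inspect` output for a stale and a fresh image.
STALE_INSPECT = json.dumps([{
    "Id": "sha256:placeholder-stale",
    "Created": "2021-07-26T00:00:00.123456789Z",
}])
FRESH_INSPECT = json.dumps([{
    "Id": "sha256:placeholder-fresh",
    "Created": "2022-08-04T09:15:00.5Z",
}])
NOW = datetime(2022, 8, 6, 15, 44, tzinfo=timezone.utc)  # time of the check


def parse_created(created: str) -> datetime:
    """Parse the RFC 3339 timestamp in .Created.

    Docker emits nanosecond precision, which datetime.fromisoformat does
    not accept, so the fractional part is trimmed/padded to microseconds.
    """
    head, _, frac = created.rstrip("Z").partition(".")
    micro = (frac + "000000")[:6]
    return datetime.fromisoformat(f"{head}.{micro}").replace(tzinfo=timezone.utc)


def image_age_days(inspect_json: str, now: datetime) -> int:
    """Whole days elapsed since the image was built."""
    created = parse_created(json.loads(inspect_json)[0]["Created"])
    return (now - created).days


def parse_python_version(version_output: str) -> tuple:
    """'Python 3.8.6' -> (3, 8, 6)"""
    return tuple(int(part) for part in version_output.split()[1].split("."))


def check_base_image(inspect_json: str, version_output: str, now: datetime,
                     max_age_days: int = MAX_AGE_DAYS) -> list:
    """Return a list of problems; an empty list means the image passes."""
    problems = []
    age = image_age_days(inspect_json, now)
    if age > max_age_days:
        problems.append(f"image built {age} days ago (limit {max_age_days})")

    major, minor, patch = parse_python_version(version_output)
    latest = LATEST_PATCH.get((major, minor))
    if latest is None:
        # An unknown minor line cannot be vouched for; treat as a problem.
        problems.append(f"no reference patch level for Python {major}.{minor}")
    elif patch < latest:
        problems.append(
            f"Python {major}.{minor}.{patch} lags {major}.{minor}.{latest} "
            f"by {latest - patch} patch releases")
    return problems


if __name__ == "__main__":
    for name, inspect, version in [("stale", STALE_INSPECT, "Python 3.8.6"),
                                   ("fresh", FRESH_INSPECT, "Python 3.10.6")]:
        found = check_base_image(inspect, version, NOW)
        print(name, "OK" if not found else "; ".join(found))
```

In a pipeline the two inputs would come from `docker image inspect "$IMAGE"` and `docker run --rm "$IMAGE" python --version`; the policy values (`MAX_AGE_DAYS`, `LATEST_PATCH`) are the knobs a team would set to match how quickly it expects base images to be refreshed.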
   

