potiuk commented on code in PR #34805:
URL: https://github.com/apache/airflow/pull/34805#discussion_r1367956354


##########
clients/gen/common.sh:
##########
@@ -17,7 +17,7 @@
 # specific language governing permissions and limitations
 # under the License.
 
-OPENAPI_GENERATOR_CLI_VER=5.4.0
+OPENAPI_GENERATOR_CLI_VER=7.0.1
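Review bot: The jump from 5.4.0 to 7.0.1 crosses two major releases of openapi-generator-cli, yet the only change is the version string, which stays a mutable tag rather than a digest or checksum. Since the generated client is what ends up being voted on, consider recording the generator image digest (or the CLI jar's sha256, depending on how common.sh consumes OPENAPI_GENERATOR_CLI_VER) alongside the version so anyone regenerating the client is anchored to the exact tool build, and state in the PR which generator behaviour changes the major-version bump brings into the generated code.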

Review Comment:
   Yeah. I think there is also another reason we should discuss it - namely the 
security/release process for the clients. The "Python API" client we release 
might be seen as an "official ASF Source package".
   
   Currently we are voting on the Python Client and we do not check the provenance 
of it - because this is code that got generated by the release manager and 
committed - unreviewable and unverifiable. 
   
   So IMHO upgrading the client is also an opportunity to update the build and 
release process. What should happen: we (PMC members) should be able to verify 
that the build has been generated by the release manager from the API 
specification and not tampered with. It might be a "reproducible" build or 
just a "verifiable" build - but it boils down to being able to run the build and 
compare what comes out of it (provided sufficient external tools we can 
rely on - such as the official image released by open-api). 
   
   I think we can solve both problems at the same time - by improving 
automation and adding a simple-to-add verification step checking whether the package we 
are voting on is "really" generated from the specification without being 
tampered with.
   
   This is part of the security improvement of our release process.
   
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
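The verification step sketched in the comment above, as an added example that is not part of apache/airflow or the reviewer's text: regenerate the client from the committed API specification with the pinned generator image, then compare a deterministic digest of the regenerated tree against the tree unpacked from the package being voted on. The image name `openapitools/openapi-generator-cli` and its `v<version>` tag format, the exclusion list in `tree_digest`, and all function names are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (hypothetical, not the project's own release tooling):
# verify that a voted client source tree matches what the pinned
# openapi-generator produces from the API specification.
set -eu

# Assumption: the generator is consumed as the upstream Docker image tagged
# with a "v" prefix; mirrors OPENAPI_GENERATOR_CLI_VER from common.sh.
OPENAPI_GENERATOR_CLI_VER="${OPENAPI_GENERATOR_CLI_VER:-7.0.1}"
GENERATOR_IMAGE="openapitools/openapi-generator-cli:v${OPENAPI_GENERATOR_CLI_VER}"

# Regenerate the client from the spec with the pinned generator image.
# Arguments: spec file, generator name (e.g. python), output directory.
regenerate_client() {
  local spec="$1" generator="$2" out="$3"
  mkdir -p "$out"
  docker run --rm \
    -v "$(cd "$(dirname "$spec")" && pwd):/spec:ro" \
    -v "$(cd "$out" && pwd):/out" \
    "$GENERATOR_IMAGE" generate \
      -i "/spec/$(basename "$spec")" -g "$generator" -o /out
}

# Deterministic digest of a directory tree: sorted relative paths plus the
# sha256 of each file, hashed again. Paths that are not generator output
# (VCS metadata, build artefacts, bytecode caches) are excluded so that
# harmless local state does not cause false mismatches.
tree_digest() {
  local dir="$1"
  ( cd "$dir" && find . -type f \
      ! -path './.git/*' ! -path './build/*' ! -path '*/__pycache__/*' \
      -print0 | sort -z | xargs -0 sha256sum ) | sha256sum | cut -d' ' -f1
}

# Compare the regenerated tree against the tree unpacked from the voted
# source package. Returns 0 if identical, 1 otherwise, listing the files
# that differ so a PMC member can inspect exactly what was changed.
verify_tree_matches() {
  local regenerated="$1" voted="$2"
  if [ "$(tree_digest "$regenerated")" = "$(tree_digest "$voted")" ]; then
    echo "OK: voted package matches regenerated client"
    return 0
  fi
  echo "MISMATCH: voted package differs from regenerated client" >&2
  diff -qr "$regenerated" "$voted" >&2 || true
  return 1
}
```

A release-vote check would then be `regenerate_client airflow/api_connexion/openapi/v1.yaml python out/` followed by `verify_tree_matches out/ <unpacked-source-package>/`; the spec path and package directory are placeholders here. Pinning `GENERATOR_IMAGE` by digest (`@sha256:...`) instead of by tag closes the remaining gap, since a tag can be re-pushed while a digest cannot.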