GitHub user potiuk edited a comment on the discussion: CVE-2024-49767

Airflow 3 is moving away from Flask and Werkzeug (and Connexion 2, which is 
blocking us from moving to a later version of Werkzeug).

That's the plan. 

And as explained before several times - you can still do a lot of stuff on your 
own and invest your money and time and energy (yes also yours @lewijw and your 
company) to do something about it.

Airflow generally upgrades to the latest versions of dependencies with every 
new release - unless it's blocked by something, as is the case here. Also, 
Airflow is run by volunteers who deliver their software under the umbrella of 
the Apache Software Foundation (Open Source Steward) for free, without any 
guarantees (please read the ASF 2 licence). 

And even according to the planned regulations that are coming - CRA - it's the 
commercial users of Airflow (those who put the software on the market) who are 
responsible for checking and verifying that the software they release is bug free. 

We are a good steward - we are following pretty much all the best practices 
for security out there. We are following very well established and governed 
processes to make Airflow non-vulnerable and we make reasonable efforts there, but 
there are certain situations where others should take action. Especially if 
they want to make sure that the "scans" of all the dependencies they have do 
not contain any vulnerabilities. This is very clearly stated in our [Security 
Policy](https://github.com/apache/airflow/security/policy#what-should-be-and-should-not-be-reported-) 
- please read the policy.

You (not us - we already made our decision to get rid of the dependencies that 
are problematic - i.e. Connexion 2 - in Airflow 3) can do a number of things 
here. If you - commercial users of Airflow - believe that Airflow is 
vulnerable (we don't think so), you have several options where you can spend 
your time and energy (and eventually possibly help other commercial users of 
Airflow and have better certainty about this particular issue).

1) you can spend your efforts, time, energy and money to try to reproduce the 
issue, show how it impacts Airflow and report it privately following our 
security policy. 

2) you can also pay some security researchers to produce an in-depth analysis 
on why Airflow is not vulnerable and publish the results here. That would be a nice 
way for you to make others more certain that they can "tick off" that report 
and say "not vulnerable".

3) you can raise a similar issue with Connexion. Connexion 2 is the one that 
is blocking us from upgrading Werkzeug. We attempted to migrate to Connexion 3 
(https://github.com/apache/airflow/pull/39055) - but this has proven to be very 
problematic and not sustainable, so for Airflow 3 we are getting rid of the whole 
set of dependencies that are the main reason for these problems (we are replacing 
Connexion with FastAPI, which is much better maintained and future-proof). This 
is the course of action we can take as maintainers.

So you are absolutely not blocked here: you can do 1), 2) or 3) - depending on when 
you want to spend your time, energy and money to get that question answered. 
@lewijw, as you are the one who created the issue, I guess you are really invested 
in knowing the answer, so in the spirit of community, giving back and 
contributing back, I think it might be a good idea for you to take the lead on 
that.

Also @Uditmittal -> if you would like to take on any of those tasks, feel free.

GitHub link: 
https://github.com/apache/airflow/discussions/44865#discussioncomment-11656354

----
This is an automatically sent email for commits@airflow.apache.org.