Hello everyone, I wanted to share some news (not so much news for us, but it has just now reached the publication stage): we have nice security / release process improvements ongoing in Apache Airflow - with several months of work funded by the Sovereign Tech Fund - a German government-backed fund that aims to improve Open Source software.

You can read a nice blog post we wrote with Pierre at the ASF blog about it [1], and social media posts are following. In short - several of us banded together and applied to the Sovereign Tech Fund as a group of individuals who committed to working on improving Airflow security. And we've got the grant for it.

You should see the efforts coming from those individuals - we have been much more focused on security improvements for the last few months and will be for the upcoming few months. You will see the results of it in more security advisories, but also in improvements in our processes and some more automation. We are generally preparing for a future where software development will be more regulated in terms of security - both the EU and the US are very advanced in passing new regulations that will affect all kinds of software - including open-source software - and we want to be ahead of the game, not only following but also setting the standards for the industry.

The importance of Airflow has been recognized - we've been selected by STF as one of the 10 most important projects they decided to fund (and they had many, many applications).

Security is something that has been pretty close to my heart for quite some time, and we had already started to rethink our security approach before that. Earlier this year we formed a security team that is quite a bit more focused - which resulted in improving our security policy [2], security model [3] and a more formal and organized approach to our security team [4]. But with the STF funding we can double down on the efforts, and several of us can spend much more time and focus on improving and iterating over the processes and tools we are using.

Stay tuned for more security-related news from Airflow.

[1] https://news.apache.org/foundation/entry/strengthening-security-for-apache-airflow
[2] https://github.com/apache/airflow/security/policy
[3] https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html
[4] https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst#security-team