Abacn commented on code in PR #36476:
URL: https://github.com/apache/beam/pull/36476#discussion_r2421665073
##########
sdks/python/apache_beam/utils/subprocess_server.py:
##########
@@ -431,6 +433,24 @@ def _download_jar_to_cache(
cached_jar_path (str): The local path where the jar should be cached.
user_agent (str): The user agent to use when downloading.
"""
+ # Issue warning when downloading from public repositories
+ public_repos = [
+ cls.MAVEN_CENTRAL_REPOSITORY,
+ cls.GOOGLE_MAVEN_MIRROR,
+ ]
+
+ if any(download_url.startswith(repo) for repo in public_repos):
+ _LOGGER.warning(
+ " WARNING: Apache Beam is downloading dependencies from a "
+ "public repository at runtime.\n"
+ " This may pose security risks or cause instability due to "
+ "repository availability.\n"
+ " URL: %s\n"
+ " Consider pre-staging dependencies or using a private repository "
+ "mirror.\n"
+ " For more information, see: "
+ "https://beam.apache.org/documentation/sdks/python-dependencies/",
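Review bot: The message passed to `_LOGGER.warning` opens with a literal " WARNING:" and embeds `\n` breaks, so the level is stated twice and one event spans several log lines, which line-oriented log collection will split into unrelated records. Consider a single-line message without the prefix, keeping `%s` for the URL. Because the check sits inside `_download_jar_to_cache`, it also repeats on every call that downloads from `MAVEN_CENTRAL_REPOSITORY` or `GOOGLE_MAVEN_MIRROR`; emitting it once per process would keep the signal without the noise. The `startswith` test covers only those two constants, so a download from any other public repository stays silent; a short comment stating that this is intentional would help.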
Review Comment:
I don't think
https://beam.apache.org/documentation/sdks/python-dependencies/ contains
relevant information for this matter (for now). But we can add a recommendation
there.