gaogaotiantian commented on PR #55641: URL: https://github.com/apache/spark/pull/55641#issuecomment-4433890370
The important thing is to prevent future supply chain attacks. We should assume that running any code with the new dependency could potentially cause security issues in GHA. So we have to block it pre-merge. We rely on the GitHub Action results from the forks for CI checks, so we can't just allow it in forks and do it in our own repo. Allowing the GHA for testing means we don't care if the forked repo is compromised, which might be valid. If the user tries to test against a new version of a package, the risk that their repo gets attacked is on their own. It should not impact us as long as the code is not merged. On the other hand, I don't see any emergency to test any dependency package in the 7-day buffer time, unless it's security related. Overall, personally I still believe this patch is the safest, and should be acceptable (block any attempt to upgrade the dependency that's too new). However, I think allowing it to run on forked repos is not that big a deal, so if we want to just move it to lint/dependency check and fail that specific task, that's totally fine with me too. I don't like the idea of just running the check in our own repo, because that could be too late.
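One way to implement the "too new" pre-merge check this comment argues for, as an added example that is not code from the PR or from the Apache Spark project: parse the `+` lines of a requirements diff, look up each pinned version's release date, and fail when a version is younger than the buffer or has no known release date. It assumes release dates come from a lookup; here that is a constructed in-memory table with illustrative dates (the package `leftpad-lite` is hypothetical), where a real check would query the package index.

```python
"""Added example (not part of the PR or of Apache Spark): a pre-merge check that
rejects dependency pins released less than N days ago.

Release dates below come from a constructed in-memory table; a real check would
look them up in the package index (that lookup is an assumption, not something
the comment specifies)."""
from datetime import date

# Constructed release-date table; dates are illustrative, not authoritative.
RELEASE_DATES = {
    ("numpy", "1.26.4"): date(2024, 2, 5),
    ("numpy", "2.0.0"): date(2024, 6, 16),
    ("requests", "2.32.3"): date(2024, 5, 29),
}

MIN_AGE_DAYS = 7  # the buffer the comment refers to


def parse_requirements_diff(diff_text):
    """Return {name: version} for every '+name==version' line in a unified diff.

    Only pinned '==' requirements are considered; the '+++' file header and
    comment lines are skipped, and other specifiers are ignored."""
    added = {}
    for line in diff_text.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:].strip()
        if "==" not in body or body.startswith("#"):
            continue
        name, _, version = body.partition("==")
        added[name.strip().lower()] = version.strip()
    return added


def too_new_dependencies(added, release_dates, today, min_age_days=MIN_AGE_DAYS):
    """Return a list of (name, version, reason) for pins that must block the merge.

    A pin is blocked when its version is younger than min_age_days, or when its
    release date is unknown: unknown provenance is treated as a failure, not a
    pass, so a typo-squatted or never-published name cannot slip through."""
    blocked = []
    for name, version in added.items():
        released = release_dates.get((name, version))
        if released is None:
            blocked.append((name, version, "release date unknown"))
            continue
        age = (today - released).days
        if age < min_age_days:
            blocked.append(
                (name, version, f"released {age} day(s) ago, minimum is {min_age_days}")
            )
    return blocked


def check_diff(diff_text, today, release_dates=RELEASE_DATES, min_age_days=MIN_AGE_DAYS):
    """Return (merge_allowed, blocked_pins) for a requirements diff."""
    blocked = too_new_dependencies(
        parse_requirements_diff(diff_text), release_dates, today, min_age_days
    )
    return (len(blocked) == 0, blocked)


# Constructed sample diff: one bump to a fresh release, one older pin, one
# pin with no known release date.
SAMPLE_DIFF = """\
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,3 @@
-numpy==1.26.4
+numpy==2.0.0
+requests==2.32.3
+leftpad-lite==0.1.0
"""

if __name__ == "__main__":
    ok, reasons = check_diff(SAMPLE_DIFF, today=date(2024, 6, 20))
    print("merge allowed" if ok else "blocked:")
    for name, version, why in reasons:
        print(f"  {name}=={version}: {why}")
```

Run against the sample diff with a "today" of 2024-06-20, the numpy bump is blocked for being four days old and the unknown package is blocked for having no release date, while the requests pin passes. Treating an unknown release date as a failure rather than a pass is the design choice that matters here: the check exists precisely because the newest or least-known versions carry the highest supply chain risk.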
