# all-things-deployment
m
Hi All! I have been digging into the security vulnerabilities around the DataHub canned images. It looks to me like all of the remaining vulnerabilities are coming from usage of Docker’s default Python image, which appears to be based on a vulnerable Debian base Linux distro, at least for the severe vulnerabilities. These vulnerabilities were identified at least a year-ish ago, and as far as I can tell whoever owns this image just does not seem to care about it. I think as an org / community DataHub should care about this! (One guy’s opinion!!) So IMHO a better base Python image is needed. Not sure of the best way to make that happen, but there it is.
b
hey Charles! completely agree here. I know that fixing vulnerability issues is a thing the core DataHub team has recently become much more concerned about. However, pointing out these Python vulnerabilities is certainly helpful and something we can rally around!
m
But of course! I think that there are two containers based on the Docker default Python image, and I think that is the only current source of vulnerabilities. We actually toyed with trying to replace the container with one based on Alpine and got a real education on why the current image is not based on Alpine! 😜 (Do not do this! Amongst other things, we learned that Python on Alpine makes for gigantic containers, and support for other necessary components for DH Ingestion just did not exist for Alpine.)
b
haha much appreciated! so we definitely know not to move to Alpine when we take care of this vulnerability issue 🙂
m
I’m looking at YOU SAP Hana. 🤦‍♂️