From 41cbab22c9a3ccfb2eb0c1cde14d8d9fc49b3b52 Mon Sep 17 00:00:00 2001
From: Jarek Potiuk
Date: Sat, 24 Feb 2024 18:07:33 +0100
Subject: [PATCH] Remove gosu binary from our images

We have a "gosu" binary installed in Airflow image but it does not seem to be used and it brings in a number of security vulnerabilities because gosu uses an older go stdlib library. This PR removes the gosu binary from the image altogether.
---
 Dockerfile | 4 ++--
 Dockerfile.ci | 6 +++---
 INSTALL | 2 +-
 contributing-docs/03_contributors_quick_start.rst | 2 +-
 docs/apache-airflow/installation/dependencies.rst | 4 ++--
 docs/docker-stack/changelog.rst | 7 +++++++
 scripts/docker/install_os_dependencies.sh | 4 ++--
 7 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index c66e374dfb3ef..4ac935925fd6a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -93,7 +93,7 @@ fi
 function get_dev_apt_deps() {
 if [[ "${DEV_APT_DEPS=}" == "" ]]; then
 DEV_APT_DEPS="apt-transport-https apt-utils build-essential ca-certificates dirmngr \
-freetds-bin freetds-dev git gosu graphviz graphviz-dev krb5-user ldap-utils libffi-dev libgeos-dev \
+freetds-bin freetds-dev git graphviz graphviz-dev krb5-user ldap-utils libffi-dev libgeos-dev \
 libkrb5-dev libldap2-dev libleveldb1d libleveldb-dev libsasl2-2 libsasl2-dev libsasl2-modules \
 libssl-dev libxmlsec1 libxmlsec1-dev locales lsb-release openssh-client pkgconf sasl2-bin \
 software-properties-common sqlite3 sudo unixodbc unixodbc-dev zlib1g-dev"
@@ -120,7 +120,7 @@ function get_runtime_apt_deps() {
 echo
 if [[ "${RUNTIME_APT_DEPS=}" == "" ]]; then
 RUNTIME_APT_DEPS="apt-transport-https apt-utils ca-certificates \
-curl dumb-init freetds-bin gosu krb5-user libgeos-dev \
+curl dumb-init freetds-bin krb5-user libgeos-dev \
 ldap-utils libsasl2-2 libsasl2-modules libxmlsec1 locales ${debian_version_apt_deps} \
 lsb-release openssh-client python3-selinux rsync sasl2-bin sqlite3 sudo unixodbc"
 export RUNTIME_APT_DEPS
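Review bot: The removal of `gosu` from RUNTIME_APT_DEPS in the `@@ -120` hunk rests only on the description's "does not seem to be used", and nothing in the commit pins that down; before merging, the entrypoint and helper scripts shipped into the image should be searched for `gosu`, and the image verification tests should assert the binary is gone (e.g. `! command -v gosu`) so it cannot quietly return through a later edit. The identical edit appears in Dockerfile.ci and scripts/docker/install_os_dependencies.sh; if the Dockerfile copies of get_dev_apt_deps/get_runtime_apt_deps are generated from that script (the byte-identical bodies suggest so), a one-line comment above the function naming the source of truth would save the next maintainer from editing three places, and if they are hand-copied the triplication is itself the drift risk. Both functions extend beyond their hunks.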
diff --git a/Dockerfile.ci b/Dockerfile.ci
index f61929d628b08..f5044a2ef9b4c 100644
--- a/Dockerfile.ci
+++ b/Dockerfile.ci
@@ -53,7 +53,7 @@ fi
 function get_dev_apt_deps() {
 if [[ "${DEV_APT_DEPS=}" == "" ]]; then
 DEV_APT_DEPS="apt-transport-https apt-utils build-essential ca-certificates dirmngr \
-freetds-bin freetds-dev git gosu graphviz graphviz-dev krb5-user ldap-utils libffi-dev libgeos-dev \
+freetds-bin freetds-dev git graphviz graphviz-dev krb5-user ldap-utils libffi-dev libgeos-dev \
 libkrb5-dev libldap2-dev libleveldb1d libleveldb-dev libsasl2-2 libsasl2-dev libsasl2-modules \
 libssl-dev libxmlsec1 libxmlsec1-dev locales lsb-release openssh-client pkgconf sasl2-bin \
 software-properties-common sqlite3 sudo unixodbc unixodbc-dev zlib1g-dev"
@@ -80,7 +80,7 @@ function get_runtime_apt_deps() {
 echo
 if [[ "${RUNTIME_APT_DEPS=}" == "" ]]; then
 RUNTIME_APT_DEPS="apt-transport-https apt-utils ca-certificates \
-curl dumb-init freetds-bin gosu krb5-user libgeos-dev \
+curl dumb-init freetds-bin krb5-user libgeos-dev \
 ldap-utils libsasl2-2 libsasl2-modules libxmlsec1 locales ${debian_version_apt_deps} \
 lsb-release openssh-client python3-selinux rsync sasl2-bin sqlite3 sudo unixodbc"
 export RUNTIME_APT_DEPS
@@ -1029,7 +1029,7 @@ RUN echo "Base image version: ${PYTHON_BASE_IMAGE}"
 ARG DEV_APT_COMMAND=""
 ARG ADDITIONAL_DEV_APT_COMMAND=""
 ARG ADDITIONAL_DEV_ENV_VARS=""
-ARG ADDITIONAL_DEV_APT_DEPS="bash-completion dumb-init git graphviz gosu krb5-user \
+ARG ADDITIONAL_DEV_APT_DEPS="bash-completion dumb-init git graphviz krb5-user \
 less libenchant-2-2 libgcc-11-dev libgeos-dev libpq-dev net-tools netcat-openbsd \
 openssh-server postgresql-client software-properties-common rsync tmux unzip vim xxd"
diff --git a/INSTALL b/INSTALL
index 382313ca4e8eb..0f1ba985901fc 100644
--- a/INSTALL
+++ b/INSTALL
@@ -11,7 +11,7 @@ systems/prerequisites are known to work:
 Linux (Debian Bookworm):
 sudo apt install -y --no-install-recommends apt-transport-https apt-utils ca-certificates \
- curl dumb-init freetds-bin gosu krb5-user libgeos-dev \
+ curl dumb-init freetds-bin krb5-user libgeos-dev \
 ldap-utils libsasl2-2 libsasl2-modules libxmlsec1 locales libffi8 libldap-2.5-0 libssl3 netcat-openbsd \
 lsb-release openssh-client python3-selinux rsync sasl2-bin sqlite3 sudo unixodbc
diff --git a/contributing-docs/03_contributors_quick_start.rst b/contributing-docs/03_contributors_quick_start.rst
index 3713459662d7d..0eb7f8efc70d3 100644
--- a/contributing-docs/03_contributors_quick_start.rst
+++ b/contributing-docs/03_contributors_quick_start.rst
@@ -164,7 +164,7 @@ like system, this command will install all necessary dependencies that should be
 .. code-block:: bash
 sudo apt install apt-transport-https apt-utils build-essential ca-certificates dirmngr \
- freetds-bin freetds-dev git gosu graphviz graphviz-dev krb5-user ldap-utils libffi-dev \
+ freetds-bin freetds-dev git graphviz graphviz-dev krb5-user ldap-utils libffi-dev \
 libkrb5-dev libldap2-dev libpq-dev libsasl2-2 libsasl2-dev libsasl2-modules \
 libssl-dev locales lsb-release openssh-client sasl2-bin \
 software-properties-common sqlite3 sudo unixodbc unixodbc-dev
diff --git a/docs/apache-airflow/installation/dependencies.rst b/docs/apache-airflow/installation/dependencies.rst
index a17f55d64d5d6..08d491abc60db 100644
--- a/docs/apache-airflow/installation/dependencies.rst
+++ b/docs/apache-airflow/installation/dependencies.rst
@@ -83,7 +83,7 @@ for development and testing as well as production use.
 .. code-block:: bash
 sudo apt install -y --no-install-recommends apt-transport-https apt-utils ca-certificates \
- curl dumb-init freetds-bin gosu krb5-user libgeos-dev \
+ curl dumb-init freetds-bin krb5-user libgeos-dev \
 ldap-utils libsasl2-2 libsasl2-modules libxmlsec1 locales libffi8 libldap-2.5-0 libssl3 netcat-openbsd \
 lsb-release openssh-client python3-selinux rsync sasl2-bin sqlite3 sudo unixodbc
@@ -98,7 +98,7 @@ for Bullseye and we will only build images and explain system level dependencies
 .. code-block:: bash
 sudo apt install -y --no-install-recommends apt-transport-https apt-utils ca-certificates \
- curl dumb-init freetds-bin gosu krb5-user libgeos-dev \
+ curl dumb-init freetds-bin krb5-user libgeos-dev \
 ldap-utils libsasl2-2 libsasl2-modules libxmlsec1 locales libffi7 libldap-2.4-2 libssl1.1 netcat \
 lsb-release openssh-client python3-selinux rsync sasl2-bin sqlite3 sudo unixodbc
diff --git a/docs/docker-stack/changelog.rst b/docs/docker-stack/changelog.rst
index 40774dd32c931..90930afdda34c 100644
--- a/docs/docker-stack/changelog.rst
+++ b/docs/docker-stack/changelog.rst
@@ -45,6 +45,13 @@ Airflow 2.9
 ``apache/airflow:slim-2.9.0-python-3.8`` images respectively so while the change is potentially breaking, it is very easy to switch to the previous behaviour.
+Airflow 2.9
+~~~~~~~~~~~
+
+The ``gosu`` binary was removed from the image. This is a potentially breaking change for users who relied on
+``gosu`` to change the user in the container. The ``gosu`` binary was removed because it was a source of
+security vulnerabilities as it was linked against older go standard libraries.
+
 Airflow 2.8
 ~~~~~~~~~~~
diff --git a/scripts/docker/install_os_dependencies.sh b/scripts/docker/install_os_dependencies.sh
index f848846cb63e3..283895f1dae5e 100644
--- a/scripts/docker/install_os_dependencies.sh
+++ b/scripts/docker/install_os_dependencies.sh
@@ -35,7 +35,7 @@ fi
 function get_dev_apt_deps() {
 if [[ "${DEV_APT_DEPS=}" == "" ]]; then
 DEV_APT_DEPS="apt-transport-https apt-utils build-essential ca-certificates dirmngr \
-freetds-bin freetds-dev git gosu graphviz graphviz-dev krb5-user ldap-utils libffi-dev libgeos-dev \
+freetds-bin freetds-dev git graphviz graphviz-dev krb5-user ldap-utils libffi-dev libgeos-dev \
 libkrb5-dev libldap2-dev libleveldb1d libleveldb-dev libsasl2-2 libsasl2-dev libsasl2-modules \
 libssl-dev libxmlsec1 libxmlsec1-dev locales lsb-release openssh-client pkgconf sasl2-bin \
 software-properties-common sqlite3 sudo unixodbc unixodbc-dev zlib1g-dev"
@@ -62,7 +62,7 @@ function get_runtime_apt_deps() {
 echo
 if [[ "${RUNTIME_APT_DEPS=}" == "" ]]; then
 RUNTIME_APT_DEPS="apt-transport-https apt-utils ca-certificates \
-curl dumb-init freetds-bin gosu krb5-user libgeos-dev \
+curl dumb-init freetds-bin krb5-user libgeos-dev \
 ldap-utils libsasl2-2 libsasl2-modules libxmlsec1 locales ${debian_version_apt_deps} \
 lsb-release openssh-client python3-selinux rsync sasl2-bin sqlite3 sudo unixodbc"
 export RUNTIME_APT_DEPS
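Review bot: `sudo` is still listed in RUNTIME_APT_DEPS in the `@@ -62` hunk; if the reason for dropping gosu is to shrink the privilege-switching surface of the production image, a setuid `sudo` deserves the same "is it actually used" check, though unlike a statically linked Go binary it is patched through normal Debian package updates, so this is a scope question rather than a blocker. If it is needed, a short comment on the list naming the consumer, e.g. `# sudo: required by <CONSUMER-PLACEHOLDER>; do not drop`, would keep the next cleanup from tripping over it. get_runtime_apt_deps continues outside the hunk.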