First pass at defining our threat model and security policy
Signed-off-by: Jean-Christophe Morin <jean_christophe_morin@hotmail.com>
1 parent aed0108, commit c6ad49b. Showing 3 changed files with 34 additions and 19 deletions.
@@ -0,0 +1,34 @@ | ||
# Security Policy | ||
|
||
## Threat Model | ||
|
||
List assumptions (rez will run inside an internal network, we assume good intentions, package definitions are written in python and executed) | ||
|
||
Access to shared filesystem | ||
|
||
The current assumptions are: | ||
* Rez was designed to be used within a studio environment. | ||
* Package definitions, both for building packages and resulting from a build are Python files (`package.py`). Rez will read and load them in memory at resolve time. | ||
* Rez config files can be written in YAML or Python. | ||
* Package definitions and config files written in Python can contain arbitrary code. | ||
* Rez will create new shells via subprocesses. | ||
* Packages can inject environment variables into the resulting shells via [commands](https://rez.readthedocs.io/en/stable/package_commands.html). | ||
* Packages can inject arbitrary commands to be executed when the shells are started via [commands](https://rez.readthedocs.io/en/stable/package_commands.html). | ||
|
||
With that in mind, the main entry points are config files (written in python) and pacakge definition files. | ||
Config files will be loaded from default paths and it's also posssible to tell rez | ||
to load them from any arbitraty path using the [REZ_CONFIG_FILE](https://rez.readthedocs.io/en/stable/environment.html#envvar-REZ_CONFIG_FILE) which can contain more than one path. | ||
|
||
Document that it can talk to memcached and RabbitMQ (AMQP). | ||
|
||
## Supported Versions | ||
|
||
We only support the latest version. We try our best to keep rez backward | ||
compatible as much as possible, which allows us to to only support the latest version. | ||
|
||
## Reporting a Vulnerability | ||
|
||
If you think you've found a potential vulnerability in rez, please report it by filing a GitHub [security | ||
advisory](https://github.com/AcademySoftwareFoundation/rez/security/advisories/new). Alternatively, email security@openexr.com and provide your contact info for further private/secure discussion. If your email does not receive a prompt acknowledgement, your address may be blocked. | ||
|
||
Our policy is to acknowledge the receipt of vulnerability reports within 72 hours. |
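Review bot: the "Threat Model" section still contains author working notes rather than policy text: the lines "List assumptions (rez will run inside an internal network, we assume good intentions, package definitions are written in python and executed)", "Access to shared filesystem" and "Document that it can talk to memcached and RabbitMQ (AMQP)." read as TODOs and should either be expanded into stated assumptions or dropped before this is published as SECURITY.md. The bullet list already establishes that `package.py` files and Python config files execute arbitrary code, that `REZ_CONFIG_FILE` can point rez at any path, and that package commands can inject environment variables and shell commands; what is missing is the consequence of those facts, i.e. an explicit statement of the trust boundary (who is trusted to author package definitions and config files, and whether code execution from a maliciously authored `package.py` or config is in or out of scope for a vulnerability report), since without that a reporter cannot tell whether such a finding is a vulnerability or expected behaviour. In the "Reporting a Vulnerability" section the fallback address `security@openexr.com` does not match the `AcademySoftwareFoundation/rez` advisory URL on the preceding line; confirm this is the intended contact for rez reports or replace it. Minor: "pacakge" in the entry-points paragraph, "posssible" and "arbitraty" in the following sentence, and "to to" in the "Supported Versions" paragraph are typos, and the sentence "which can contain more than one path" should name what the environment variable contains (a list of paths) rather than the link.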