diff --git a/MANIFEST.in b/MANIFEST.in index d73ee8897..fc0891218 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -1,4 +1,4 @@ -include README.md README_contrib.md CHANGELOG.md LICENSE.txt NOTICE.txt CMakeLists.txt +include README.md README_contrib.md CHANGELOG.md LICENSE.txt NOTICE.txt SECURITY.md CMakeLists.txt recursive-include examples * recursive-include src * recursive-include tests * diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..552147b2d --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,55 @@ + + + +# Security Policy + +## Reporting a Vulnerability + +If you think you've found a potential vulnerability in OpenTimelineIO, please +report it by filing a GitHub [security +advisory](https://github.com/AcademySoftwareFoundation/OpenTimelineIO/security/advisories/new). Alternatively, email +[security@opentimeline.io](mailto:security@opentimeline.io?subject=OpenTimelineIO%20Vulnerability%20Report&body=Impact%0A_What%20is%20it,%20who%20is%20impacted_%0A%0APatches%0A_Has%20it%20been%20patched%20and%20in%20which%20version_%0A%0AWorkarounds%0A_Is%20there%20a%20way%20for%20users%20to%20fix%20or%20remediate%20without%20upgrading_%0A%0AReferences%0A_Where%20can%20users%20visit%20to%20find%20out%20more_) +and provide your contact info for further private/secure discussion. If your email does not receive a prompt +acknowledgement, your address may be blocked. + +Our policy is to acknowledge the receipt of vulnerability reports +within 48 hours. Our policy is to address critical security vulnerabilities +rapidly and post patches within 14 days if possible. + +## Known Vulnerabilities + +These vulnerabilities are present in the given versions: + +* No known vulnerabilities + +See the [release notes](https://github.com/AcademySoftwareFoundation/OpenTimelineIO/releases) for more information. + +## Supported Versions + +This gives guidance about which branches are supported with patches to +security vulnerabilities. + +| Version / branch | Supported | +|------------------|------------------------------------------------------------------------------------------------------------------------------------| +| main | :white_check_mark: :construction: ALL fixes immediately, but this is a branch under development and may be unstable in other ways. | +| 0.17.0 | :white_check_mark: All fixes that can be backported without breaking compatibility. | +| 0.16.x | :warning: Only the most critical fixes, only if they can be easily backported. 
| +| <= 0.15.x | :x: No longer receiving patches of any kind. | + + +### Software Dependencies + +#### OpenTimelineIO C++ + +- [Imath](https://github.com/AcademySoftwareFoundation/Imath) - Provides Vector, Matrix, and Bounding Box primitives. +- [rapidjson](https://github.com/Tencent/rapidjson/) - Used in serialization/deserialization of the `.otio` JSON file format. + +#### OpenTimelineIO Python + +- [pybind11](https://github.com/pybind/pybind11) (only if built with Python bindings) - Used to create Python bindings for the C++ library. +- [importlib_metadata](https://pypi.org/project/importlib-metadata/) - Provides backward compatability for Python 3.7. + +Optionally, OTIOView requires: + +- [PySide2](https://pypi.org/project/PySide2/) - on x86_64. +- [PySide6](https://pypi.org/project/PySide6/) - on AArch64. diff --git a/docs/conf.py b/docs/conf.py index f83edac93..a6fd5afbe 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -100,6 +100,9 @@ r'cxx/cxx' ] +# For some reason this URL gives 403 Forbidden when running in github actions +linkcheck_ignore = [r'https://opensource.org/licenses/MIT'] + # -- Options for MySt-Parser ----------------------------------------------------------- # https://myst-parser.readthedocs.io/en/latest/sphinx/reference.html
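Review bot: in the SECURITY.md hunk, the "Known Vulnerabilities" section opens with "These vulnerabilities are present in the given versions:" and then lists only "* No known vulnerabilities", which reads as contradictory and turns the file into a hand-maintained list that must be edited every time an advisory is published; consider pointing readers to the project's published advisories at https://github.com/AcademySoftwareFoundation/OpenTimelineIO/security/advisories (the reporting link already uses this path with "/new" appended) next to the existing release-notes link, with a lead sentence such as "Known vulnerabilities and the versions they affect are tracked as GitHub security advisories." Two smaller points in the same file: "compatability" in the importlib_metadata entry should be "compatibility", and the three empty lines before "# Security Policy" at the top of the file can be dropped.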
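Review bot: in the docs/conf.py hunk, `linkcheck_ignore` entries are regular expressions, so the unescaped and unanchored pattern `r'https://opensource.org/licenses/MIT'` also suppresses checking of any URL that merely begins with that text (a hypothetical `.../licenses/MIT-0`, for example); tighten it to `r'^https://opensource\.org/licenses/MIT$'` so only the link that actually returns 403 is skipped, and check that conf.py does not already define `linkcheck_ignore` elsewhere, since this assignment would replace rather than extend it. The comment "For some reason this URL gives 403 Forbidden when running in github actions" would also be more useful to a future maintainer if it said under what condition the ignore can be revisited.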