From 13348f033e2bcdae0592956d5f779b4df71aab34 Mon Sep 17 00:00:00 2001 From: Eric Reinecke Date: Wed, 23 Oct 2024 13:44:10 -0700 Subject: [PATCH 1/3] Add proposed security policy Signed-off-by: Eric Reinecke --- SECURITY.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..7bae92320 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,48 @@ + + + +# Security Policy + +## Reporting a Vulnerability + +If you think you've found a potential vulnerability in OpenTimelineIO, please +report it by filing a GitHub [security +advisory](https://github.com/AcademySoftwareFoundation/OpenTimelineIO/security/advisories/new). Alternatively, email +[security@opentimeline.io](mailto:security@opentimeline.io?subject=OpenTimelineIO%20Vulnerability%20Report&body=Impact%0A_What%20is%20it,%20who%20is%20impacted_%0A%0APatches%0A_Has%20it%20been%20patched%20and%20in%20which%20version_%0A%0AWorkarounds%0A_Is%20there%20a%20way%20for%20users%20to%20fix%20or%20remediate%20without%20upgrading_%0A%0AReferences%0A_Where%20can%20users%20visit%20to%20find%20out%20more_) +and provide your contact info for further private/secure discussion. If your email does not receive a prompt +acknowledgement, your address may be blocked. + +Our policy is to acknowledge the receipt of vulnerability reports +within 48 hours. Our policy is to address critical security vulnerabilities +rapidly and post patches within 14 days if possible. + +## Known Vulnerabilities + +These vulnerabilities are present in the given versions: + +* No known vulnerabilities + +See the [release notes](https://github.com/AcademySoftwareFoundation/OpenTimelineIO/releases) for more information. + +## Supported Versions + +This gives guidance about which branches are supported with patches to +security vulnerabilities. + +| Version / branch | Supported | +|------------------|------------------------------------------------------------------------------------------------------------------------------------| +| main | :white_check_mark: :construction: ALL fixes immediately, but this is a branch under development and may be unstable in other ways. | +| 0.17.0 | :white_check_mark: All fixes that can be backported without breaking compatibility. | +| 0.16.x | :warning: Only the most critical fixes, only if they can be easily backported. 
| +| <= 0.15.x | :x: No longer receiving patches of any kind. | + + +### Software Dependencies + +OpenTimelineIO depends on: + +- [Imath](https://github.com/AcademySoftwareFoundation/Imath) - Provides Vector, Matrix, and Bounding Box primitives. + +- [pybind11](https://github.com/pybind/pybind11) (only if built with Python bindings) - Used to create Python bindings for the C++ library. + +- [rapidjson](https://github.com/Tencent/rapidjson/) - Used in serialization/deserialization of the `.otio` JSON file format. From 6c1ad057c4b4852b6023505a442b144e1b0585e0 Mon Sep 17 00:00:00 2001 From: Eric Reinecke Date: Wed, 23 Oct 2024 14:23:51 -0700 Subject: [PATCH 2/3] Updated dependencies in security policy to cover python vs. C++. Added SECURITY.md to MANIFEST.in Signed-off-by: Eric Reinecke --- MANIFEST.in | 2 +- SECURITY.md | 11 +++++++++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/MANIFEST.in b/MANIFEST.in index d73ee8897..fc0891218 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -1,4 +1,4 @@ -include README.md README_contrib.md CHANGELOG.md LICENSE.txt NOTICE.txt CMakeLists.txt +include README.md README_contrib.md CHANGELOG.md LICENSE.txt NOTICE.txt SECURITY.md CMakeLists.txt recursive-include examples * recursive-include src * recursive-include tests * diff --git a/SECURITY.md b/SECURITY.md index 7bae92320..552147b2d 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -39,10 +39,17 @@ security vulnerabilities. ### Software Dependencies -OpenTimelineIO depends on: +#### OpenTimelineIO C++ - [Imath](https://github.com/AcademySoftwareFoundation/Imath) - Provides Vector, Matrix, and Bounding Box primitives. +- [rapidjson](https://github.com/Tencent/rapidjson/) - Used in serialization/deserialization of the `.otio` JSON file format. + +#### OpenTimelineIO Python - [pybind11](https://github.com/pybind/pybind11) (only if built with Python bindings) - Used to create Python bindings for the C++ library. +- [importlib_metadata](https://pypi.org/project/importlib-metadata/) - Provides backward compatability for Python 3.7. -- [rapidjson](https://github.com/Tencent/rapidjson/) - Used in serialization/deserialization of the `.otio` JSON file format. +Optionally, OTIOView requires: + +- [PySide2](https://pypi.org/project/PySide2/) - on x86_64. +- [PySide6](https://pypi.org/project/PySide6/) - on AArch64. From e24180f0099a7e966af35a5097990d8a23d11e23 Mon Sep 17 00:00:00 2001 From: Eric Reinecke Date: Fri, 1 Nov 2024 12:43:24 -0700 Subject: [PATCH 3/3] Added MIT license URL to linkcheck ignore due to 403 when attempted from github runner Signed-off-by: Eric Reinecke --- docs/conf.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/conf.py b/docs/conf.py index f83edac93..a6fd5afbe 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -100,6 +100,9 @@ r'cxx/cxx' ] +# For some reason this URL gives 403 Forbidden when running in github actions +linkcheck_ignore = [r'https://opensource.org/licenses/MIT'] + # -- Options for MySt-Parser ----------------------------------------------------------- # https://myst-parser.readthedocs.io/en/latest/sphinx/reference.html
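Review bot: In the SECURITY.md hunk of PATCH 1/3, the sentence "If your email does not receive a prompt acknowledgement, your address may be blocked." reads as a warning to the reporter rather than as the spam-filter caveat it presumably is; say that the mail may have been filtered and tell the reporter what to do in that case (fall back to the GitHub advisory form, or retry from another address). The same paragraph asks reporters to "provide your contact info for further private/secure discussion" but offers no way to encrypt the first message; if the project wants sensitive details to go through the advisory form only, or publishes a key for security@opentimeline.io, state that here. Minor style: "Our policy is to ..." opens two consecutive sentences; one sentence such as "We acknowledge reports within 48 hours and aim to publish fixes for critical issues within 14 days." carries the same commitment.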
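Review bot: The "Known Vulnerabilities" list added in PATCH 1/3 ("* No known vulnerabilities") is a hand-maintained entry that becomes wrong the moment an advisory is published and nobody edits this file; pointing readers to the repository's published GitHub security advisories page as the authoritative list avoids a stale policy. In the Supported Versions table, "0.17.0" names an exact release while "0.16.x" and "<= 0.15.x" name series; if 0.17 point releases are meant to keep receiving fixes, write "0.17.x" so the rows are consistent, and consider adding the date or condition on which the 0.16.x row drops to the unsupported state.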
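Review bot: In the SECURITY.md hunk of PATCH 2/3, "compatability" in the importlib_metadata line should be "compatibility". Under the new "#### OpenTimelineIO Python" heading, the pybind11 entry still carries "(only if built with Python bindings)", which is now redundant with the heading. The PySide2 "on x86_64" versus PySide6 "on AArch64" split is surprising for a Qt binding; if the real criterion is the Python version or the platforms for which wheels exist, state that, because a reader of this policy needs to know which package's advisories apply to their install. Since rapidjson is the component that parses `.otio` files, which usually arrive from other tools, it is worth noting that the file deserializer is the primary untrusted-input surface and where the pinned rapidjson revision lives in the tree, so that an upstream rapidjson advisory can be mapped to affected OTIO releases.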
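Review bot: In the docs/conf.py hunk of PATCH 3/3, `linkcheck_ignore = [r'https://opensource.org/licenses/MIT']` assigns rather than extends; if conf.py defines `linkcheck_ignore` elsewhere (not visible in this hunk), this silently discards those entries, so either use `linkcheck_ignore += [...]` or confirm there is no earlier definition. The comment "For some reason this URL gives 403 Forbidden when running in github actions" should record what was actually observed (403 only from the runner, reachable from a browser) so the next maintainer can tell whether the exclusion is still needed. Sphinx treats entries in this list as regular expressions, so the unescaped dots are harmless here but `r'https://opensource\.org/licenses/MIT'` is the precise form if the list grows.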