| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Threat Model |
| 4 | + |
| 5 | +List assumptions (rez will run inside an internal network, we assume good intentions, package definitions are written in python and executed) |
| 6 | + |
| 7 | +Access to shared filesystem |
| 8 | + |
| 9 | +The current assumptions are: |
| 10 | +* Rez was designed to be used within a studio environment. |
| 11 | +* Package definitions, both for building packages and resulting from a build are Python files (`package.py`). Rez will read and load them in memory at resolve time. |
| 12 | +* Rez config files can be written in YAML or Python. |
| 13 | +* Package definitions and config files written in Python can contain arbitrary code. |
| 14 | +* Rez will create new shells via subprocesses. |
| 15 | +* Packages can inject environment variables into the resulting shells via [commands](https://rez.readthedocs.io/en/stable/package_commands.html). |
| 16 | +* Packages can inject arbitrary commands to be executed when the shells are started via [commands](https://rez.readthedocs.io/en/stable/package_commands.html). |
| 17 | + |
| 18 | +With that in mind, the main entry points are config files (written in python) and pacakge definition files. |
| 19 | +Config files will be loaded from default paths and it's also posssible to tell rez |
| 20 | +to load them from any arbitraty path using the [REZ_CONFIG_FILE](https://rez.readthedocs.io/en/stable/environment.html#envvar-REZ_CONFIG_FILE) which can contain more than one path. |
| 21 | + |
| 22 | +Document that it can talk to memcached and RabbitMQ (AMQP). |
| 23 | + |
| 24 | +## Supported Versions |
| 25 | + |
| 26 | +We only support the latest version. We try our best to keep rez backward |
| 27 | +compatible as much as possible, which allows us to to only support the latest version. |
| 28 | + |
| 29 | +## Reporting a Vulnerability |
| 30 | + |
| 31 | +If you think you've found a potential vulnerability in rez, please report it by filing a GitHub [security |
| 32 | +advisory ](https://github.com/AcademySoftwareFoundation/rez/security/advisories/new). Alternatively, email [email protected] and provide your contact info for further private/secure discussion. If your email does not receive a prompt acknowledgement, your address may be blocked. |
| 33 | + |
| 34 | +Our policy is to acknowledge the receipt of vulnerability reports within 72 hours. |
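Review bot: Lines 5, 7 and 22 of the new file are author notes-to-self rather than policy text ("List assumptions (...)", "Access to shared filesystem", "Document that it can talk to memcached and RabbitMQ (AMQP).") and should be either folded into the bullet list under "The current assumptions are:" or dropped before merge; the shared-filesystem and memcached/AMQP points in particular belong in the threat model as trust boundaries, since whoever can write to the package repository paths or the cache can influence what gets executed. The threat model should also state the consequence of the assumptions it lists explicitly: because `package.py` files and Python config files are executed, and `REZ_CONFIG_FILE` can point at arbitrary paths, anyone who can write to a package repository or set that variable in a user's environment gets code execution as that user, so the policy should say whether such reports are in scope or closed as by design. Under "Supported Versions", line 26-27 reads "We only support the latest version. We try our best to keep rez backward compatible as much as possible, which allows us to to only support the latest version." which is circular and has a doubled "to"; consider stating plainly that security fixes are released only in the next release and that reporters should confirm the issue on the latest release. Minor: "pacakge" (line 18), "posssible" (line 19) and "arbitraty" (line 20) are typos, and the contact address on line 32 renders here as `[email protected]`, so please confirm the real address is in the committed file.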