This gives guidance about which branches are supported with patches to security vulnerabilities.
| Version / branch | Supported |
|---|---|
| main | ✅ 🚧 ALL fixes immediately, but this is a branch under development with a frequently unstable ABI and occasionally unstable API. |
| 1.15.x | ✅ All fixes that can be backported without breaking ABI compatibility. New tagged releases monthly. |
| 1.14.x | |
| <= 1.13.x | ❌ No longer receiving patches of any kind. |
If you think you've found a potential vulnerability in OSL, please report it to the maintainers. Include detailed steps to reproduce the issue, and any other information that could aid an investigation.
The best way to report a vulnerability is to file a GitHub security advisory. If that is not possible, it is also fine to email your report to security@openshadinglanguage.org. Only the project administrators have access to these reports.
Our policy is to respond to vulnerability reports within 14 days, and to address critical security vulnerabilities rapidly and post patches as quickly as possible.
Starting with OSL 1.14.3.0, we cryptographically sign release tags.
To verify a tag, you can use the git tag -v command, which will check
the signature against the public key that is included in the repository.
For example,
git tag -v v1.14.3.0None known