Security
Supported Versionsβ
Aurora Tromso images are built on every push to main and published to GHCR.
Only the most recent build of each tag is actively supported. Older tags are
pruned periodically.
| Tag | Status |
|---|---|
latest | β Supported |
<git-sha> | β οΈ Best effort |
<date> | β οΈ Best effort |
Reporting a Vulnerabilityβ
Please do not report security vulnerabilities through public GitHub issues.
Instead, report them privately via GitHub Security Advisories:
- Go to the Security tab
- Click Report a vulnerability
- Provide a detailed description of the issue, including steps to reproduce
You can expect:
- Acknowledgment within 48 hours
- Status update within 5 business days
- Resolution timeline based on severity
Security Modelβ
Aurora Tromso images are:
- Built in CI from pinned BuildStream elements with content-addressed caching
- Published as OCI images to
ghcr.io/tuna-os/tromso - Built inside a pinned
bst2container with local CASD
Supply Chain Securityβ
- Base elements are pinned by junction refs in
elements/kde-build-meta.bst - Build dependencies are resolved via BuildStream's CASD content-addressable store
- KDE package definitions live in
hanthor/kde-build-metawith pinned junction URLs - The build container (
bst2) is pinned by digest
Disclosure Policyβ
We follow coordinated disclosure:
- Reporter submits vulnerability privately
- We investigate and develop a fix
- Fix is deployed to new builds
- Advisory is published after deployment
See AGENTS.md and SPEC.md for full build architecture details.