# Security

## Supported Versions

TunaOS images are built daily; ISOs are published weekly. Images are
published with per-flavor tags (e.g. `gnome`, `kde`, `gnome-hwe`).
Only the most recent build of each flavor is actively supported; older
builds receive no fixes, so update to the latest tag before reporting an issue.
See VERSIONING.md for the full tagging scheme.
| Variant | Base OS | Status |
|---|---|---|
| Yellowfin | AlmaLinux Kitten 10 | ✅ Supported |
| Albacore | AlmaLinux 10 | ✅ Supported |
| Skipjack | CentOS Stream 10 | ⚠️ Beta |
| Bonito | Fedora 44 | ⚠️ In progress |
| Redfin | RHEL 10 | Local-build only |
## Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.
Instead, report them privately via GitHub Security Advisories:
- Go to the Security tab
- Click Report a vulnerability
- Provide a detailed description of the issue, including steps to reproduce
You can expect:
- Acknowledgment within 48 hours
- Status update within 5 business days
- Resolution timeline based on severity
## Security Model

TunaOS images are:

- Built in CI from pinned base images (see image-versions.yaml)
- Signed with cosign (public key: cosign.pub)
- Scanned for vulnerabilities via GitHub's built-in scanning
- Published as SBOM-attested OCI images
## Supply Chain Security

- Base images pinned by digest in image-versions.yaml, so a tag cannot silently move to a different image
- Third-party GitHub Actions pinned to commit SHAs rather than mutable tags
- Build secrets passed through BuildKit secret mounts, never environment variables, so they are not captured in image layers or build logs
- RPM packages from official AlmaLinux/CentOS/Fedora repositories and verified COPRs
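The two sections above (cosign-signed, SBOM-attested images; digest- and SHA-pinned inputs) describe properties a consumer or reviewer can check mechanically. The script below is an added example, not TunaOS project code: it runs offline checks for unpinned `uses:` lines in a workflow and for image references without a `sha256` digest over constructed sample input, and wraps the consumer-side `cosign` commands in a function that is defined but not run here (it needs network access). The workflow text, the key/value layout of the manifest, the registry paths and the SPDX predicate type are assumptions, not values taken from this page.

```shell
#!/usr/bin/env bash
# Added example (not TunaOS project code). Offline pinning checks plus a
# consumer-side cosign verification wrapper. Sample inputs are constructed.

# Constructed sample workflow: one action pinned to a commit SHA, one to a
# mutable tag, one local action (exempt from the SHA rule).
SAMPLE_WORKFLOW='name: build
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: sigstore/cosign-installer@v3
      - uses: ./.github/actions/local-step
'

# Constructed sample in the spirit of image-versions.yaml (layout assumed):
# one entry pinned by digest, one by tag only.
SAMPLE_IMAGE_VERSIONS='yellowfin: quay.io/almalinuxorg/almalinux-bootc:10-kitten@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
albacore: quay.io/almalinuxorg/almalinux-bootc:10
'

# Print every third-party `uses:` reference that is not pinned to a
# 40-hex commit SHA. Trailing "# vX.Y.Z" comments are ignored; local
# actions (./path) are exempt because they live in the same repository.
unpinned_actions() {
  printf '%s' "$1" \
    | sed -n 's/^[[:space:]]*-[[:space:]]*uses:[[:space:]]*//p' \
    | sed 's/[[:space:]]*#.*$//' \
    | grep -v '^\./' \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

# Print every image reference (value after "key: ") that lacks a
# sha256 digest, i.e. that could be silently replaced by a tag move.
unpinned_images() {
  printf '%s' "$1" \
    | sed -n 's/^[^:]*:[[:space:]]*//p' \
    | grep -Ev '@sha256:[0-9a-f]{64}$' || true
}

# Consumer-side verification of a published image. Not executed in this
# script: it needs cosign on PATH and network access to the registry.
# $1 = image reference (assumed form, e.g. ghcr.io/<org>/<flavor>:<tag>),
# $2 = path to the project's public key (defaults to cosign.pub).
verify_image() {
  local image="$1" key="${2:-cosign.pub}"
  # Signature must verify against the published key, not just "some" key.
  cosign verify --key "$key" "$image" >/dev/null || return 1
  # The SBOM attestation must be signed with the same key. The predicate
  # type (SPDX JSON) is an assumption about how the attestation was made.
  cosign verify-attestation --key "$key" --type spdxjson "$image" >/dev/null
}

echo "unpinned actions:"
unpinned_actions "$SAMPLE_WORKFLOW"
echo "unpinned images:"
unpinned_images "$SAMPLE_IMAGE_VERSIONS"
```

Run the script as a pre-merge check over `.github/workflows/*.yml` and the image manifest; any output means an input can change without a corresponding diff in the repository. The `verify_image` function is what a downstream consumer would run before rebasing onto a new build, pinning both signature and SBOM checks to the key shipped with the project rather than to keyless identity.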
## Disclosure Policy

We follow coordinated disclosure:
- Reporter submits vulnerability privately
- We investigate and develop a fix
- Fix is deployed to new builds
- Advisory is published after deployment
See docs/AGENT_GUIDE.md for full build architecture details.