This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new ea60a4d6844 docs(security): document supported deployment platforms (#66931)
ea60a4d6844 is described below
commit ea60a4d6844f39e3c5793468ba75c7e661825aad
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sat May 16 02:00:05 2026 +0200
docs(security): document supported deployment platforms (#66931)
* docs(security): document supported deployment platforms
Add an explicit out-of-scope section for non-Linux platforms to the
Security Model. Bugs that only manifest on Windows / macOS / other
non-Linux platforms are not eligible for CVE allocation because Airflow
does not officially support those platforms as deployment targets.
Codifies what was already the security team's practice — most recently
the disposition on a 2026-05-14 IMAP-attachment-path-traversal report
that only manifested on Windows due to backslash path-separator
handling, closed NOT-CVE-WORTHY on this basis. Future Windows-only /
macOS-only reports get the same treatment, and reporters can read the
rule upfront before submitting.
The rule applies symmetrically: a bug that affects Linux is judged on
the Linux behavior regardless of whether it also reaches Windows;
non-Linux-only bugs are out of scope.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
* Apply suggestions from code review
Co-authored-by: Jarek Potiuk <[email protected]>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
---
airflow-core/docs/security/security_model.rst | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/airflow-core/docs/security/security_model.rst
b/airflow-core/docs/security/security_model.rst
index e7a95d44db7..d46323745b4 100644
--- a/airflow-core/docs/security/security_model.rst
+++ b/airflow-core/docs/security/security_model.rst
@@ -826,3 +826,22 @@ significantly from typical web applications — many scanner
findings (such as "
code" or "database credentials accessible in configuration") are expected
behavior. Reports must
include a proof-of-concept that demonstrates how the finding violates the
security model described
in this document, including identifying the specific user role involved and
the attack scenario.
+
+Supported deployment platforms
+..............................
+
+Apache Airflow officially supports Linux-based deployment environments only.
The reference
+deployment, the CI matrix, and the official Docker image are all
Linux-targeted (Debian Bookworm).
+macOS is supported for local development but is not a deployment platform.
Windows is not supported
+for deployment - except WSL2 for develop (buy only with POSIX filesystem which
is the same as Linux).
+
+Vulnerability reports that only manifest on a non-Linux platform — behavior
that depends on Windows
+path separators, macOS-specific filesystem semantics, etc. — are **out of
scope** for the security
+process. We do not issue CVEs or advisories for platform-specific bugs in
deployment configurations
+the project does not support.
+
+Reports where the bug affects both supported (Linux) and unsupported (Windows,
macOS) platforms are
+judged on the Linux behavior; the non-Linux aspect is informational.
+
+Reporters who identify a non-Linux-only bug should still report it through the
regular contribution
+process — fixes are welcome as defense-in-depth hardening, with no CVE or
advisory.
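Review bot: the WSL2 clause in the first added paragraph carries typos that will land on the published Security Model page as written: "for deployment - except WSL2 for develop (buy only with POSIX filesystem which is the same as Linux)." Suggest "for deployment, except WSL2 for development (but only with a POSIX filesystem, which behaves the same as Linux)." While fixing it, consider stating outright whether a bug reproducible only under WSL2 is scoped as Linux behavior or as an unsupported platform; the paragraph currently says WSL2 is "the same as Linux" but the later out-of-scope paragraph only names Windows and macOS, so a reporter cannot tell which rule applies. The "for deployment - except" hyphen is also inconsistent with the em dashes used in the rest of the added text.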