We provide security updates for develop
and for the last two
stable (0.x
) release series of Spack. Security updates will be
made available as patch (0.x.1
, 0.x.2
, etc.) releases.
For more on Spack's release structure, see
README.md
.
You can report a vulnerability using GitHub's private reporting feature:
- Go to github.com/spack/spack/security.
- Click "Report a vulnerability" in the upper right corner of that page.
- Fill out the form and submit your draft security advisory.
More details are available in GitHub's docs.
You can expect to hear back about security issues within two days. If your security issue is accepted, we will do our best to release a fix within a week. If fixing the issue will take longer than this, we will discuss timeline options with you.