Files
RedBear-OS/recipes/libs/pcre2/source/SECURITY.md
T
vasilito facf0c92e0 feat: track all source trees in git — full fork offline-first model
Red Bear OS is a full fork. All sources must be available from git clone
with zero network access. Removed gitignore rules that excluded fetched
source trees under recipes/*/source/, local/recipes/kde/*/source/,
local/recipes/qt/*/source/, and vendor source trees.

Build artifacts (target/, build/, source.tar, *.o, *.so) remain excluded.

127291 files added — kernel, relibc, base, bootloader, pkgar, all KDE/Qt
frameworks, mesa, wayland, DRM drivers, and every other recipe source.
2026-05-14 10:55:53 +01:00

1.7 KiB

Security policies

Release security

The PCRE2 project provides source-only releases, with no binaries.

These source releases can be downloaded from the GitHub Releases page. Each release file is GPG-signed.

  • Releases up to and including 10.44 are signed by Philip Hazel (GPG key: 45F68D54BBE23FB3039B46E59766E084FB0F43D8)
  • Releases from 10.45 onwards will be signed by Nicholas Wilson (GPG key: A95536204A3BB489715231282A98E77EB6F24CA8, cross-signed by Philip Hazel's key for release continuity)

From releases 10.45 onwards, the source code will additionally be provided via Git checkout of the (GPG-signed) release tag.

Please contact the maintainers for any queries about release integrity or the project's supply-chain.

Reporting vulnerabilities

The PCRE2 project prioritises security. We appreciate third-party testing and security research, and would be grateful if you could responsibly disclose your findings to us. We will make every effort to acknowledge your contributions.

To report a security issue, please use the GitHub Security Advisory "Report a Vulnerability" tab. (Alternatively, if you prefer you may send a GPG-encrypted email to one of the maintainers.)

Timeline

As a very small volunteer team, we cannot guarantee rapid response, but would aim to respond within 1 week, or perhaps 2 during holidays.

Response procedure

PCRE2 has never previously made a rapid or embargoed release in response to a security incident. We would work with security managers from trusted downstream distributors, such as major Linux distributions, before disclosing the vulnerability publicly.