
Security: PyRo1121/omg

SECURITY.md

Security Policy

Supported Versions

We provide security updates for the following versions of OMG:

Version Supported
0.1.x
< 0.1

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability in OMG, please report it privately.

How to Report

Do NOT open a public issue for security vulnerabilities.

Instead, please email: olen@latham.cloud

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if you have one)

What to Expect

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Fix Timeline: Depends on severity
    • Critical: 1-3 days
    • High: 1-2 weeks
    • Medium: 2-4 weeks
    • Low: Next release cycle

Disclosure Policy

  • We follow responsible disclosure
  • We will credit you in the security advisory (unless you prefer to remain anonymous)
  • We will notify you when the fix is released
  • Public disclosure happens after the fix is available

Security Features

OMG includes built-in security features:

Package Security

  • PGP Verification: Automatic package signature verification
  • Vulnerability Scanning: CVE detection for installed packages
  • SBOM Generation: Software Bill of Materials in CycloneDX format
  • Security Grading: Risk assessment for every package install
  • Audit Logging: Tamper-proof logs of all package operations

System Security

  • Privilege Separation: Minimal sudo usage with sudoloop
  • Sandbox Support: AUR builds can use bubblewrap/chroot
  • Secret Scanning: Detects leaked credentials before commit
  • Policy Enforcement: Configurable security policies via policy.toml

Supply Chain Security

  • Dependency Pinning: Lockfiles for reproducible builds
  • SLSA Provenance: Build attestations (where available)
  • Signature Verification: PGP signatures on official packages
  • Mirror Verification: Checksum validation on downloads

Known Security Considerations

Third-Party Dependencies

OMG relies on several third-party crates. We regularly audit dependencies for security issues using cargo audit.

Current Known Issues:

  1. libscoop (Windows feature only):

    • Dependency: remove_dir_all 0.7.0
    • Issue: Race condition (RUSTSEC-2023-0018)
    • Impact: Only affects Windows builds with --features windows
    • Mitigation: Waiting for upstream libscoop update
    • Workaround: Use Linux/macOS, or build without the Windows feature
  2. debian-packaging (Debian feature only):

    • Dependency: async-std 1.13.2
    • Issue: Unmaintained (RUSTSEC-2025-0052)
    • Impact: Only affects Debian/Ubuntu builds
    • Mitigation: Monitoring for replacement or upstream fix

Privilege Escalation

OMG requires sudo access for:

  • Installing/removing system packages
  • Modifying system files
  • Running AUR builds (when not in user-space)

Mitigation:

  • Sudoloop limits password prompts
  • Dry-run mode (--dry-run) shows what would happen
  • Policy enforcement prevents unauthorized operations
  • Audit logs track all privileged operations

AUR Package Security

AUR packages are community-maintained and not officially verified.

Built-in Protections:

  • Security grading (COMMUNITY level)
  • Optional PKGBUILD review before build
  • Sandboxed builds (bubblewrap/chroot)
  • PGP verification where available

Best Practices:

  • Review PKGBUILDs before installation
  • Use --dry-run to preview changes
  • Enable review_pkgbuild = true in config
  • Check package popularity and votes

Security Best Practices

For Users

  1. Keep OMG Updated:

    omg self-update
  2. Enable Security Features:

    # ~/.config/omg/policy.toml
    minimum_grade = "Verified"  # Require PGP signatures
    require_pgp = true
    allow_aur = false  # Disable AUR if not needed
  3. Review Audit Logs:

    omg audit log
    omg audit verify  # Check for tampering
  4. Scan for Vulnerabilities:

    omg audit scan
    omg audit fix  # Auto-upgrade vulnerable packages
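As an added example (not OMG's own code), a Rust policy gate modelled on the three policy.toml keys shown in step 2: it parses the same fragment, refuses to load a policy with an unknown key or value (so a typo cannot quietly loosen it), and decides whether a candidate install passes. The grade names other than Verified and COMMUNITY, their ordering, the parser and the Candidate shape are assumptions.

```rust
/// Security grades in ascending trust order. Only "Verified" and the AUR
/// "COMMUNITY" level appear on this page; "Untrusted" and the ordering
/// between the three are assumptions made for this example.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Grade { Untrusted, Community, Verified }
impl Grade {
    pub fn parse(s: &str) -> Option<Grade> {
        match s.to_ascii_lowercase().as_str() {
            "untrusted" => Some(Grade::Untrusted),
            "community" => Some(Grade::Community),
            "verified" => Some(Grade::Verified),
            _ => None,
        }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub struct Policy { pub minimum_grade: Grade, pub require_pgp: bool, pub allow_aur: bool }

/// Reads the flat `key = value` lines of policy.toml (hypothetical parser, not OMG's own).
/// Fails closed: an unknown key or unparsable value is an error, not a silently ignored
/// setting, so `requre_pgp = true` cannot weaken the policy unnoticed. Absent keys take
/// the (assumed) permissive defaults.
pub fn parse_policy(text: &str) -> Result<Policy, String> {
    let mut policy = Policy { minimum_grade: Grade::Untrusted, require_pgp: false, allow_aur: true };
    for raw in text.lines() {
        let line = raw.split('#').next().unwrap_or("").trim(); // strip trailing comments
        if line.is_empty() { continue; }
        let (key, val) = line.split_once('=').ok_or_else(|| format!("malformed line: {line}"))?;
        let val = val.trim().trim_matches('"');
        match key.trim() {
            "minimum_grade" => policy.minimum_grade = Grade::parse(val).ok_or_else(|| format!("unknown grade: {val}"))?,
            "require_pgp" => policy.require_pgp = val.parse().map_err(|_| format!("require_pgp: expected true/false, got {val}"))?,
            "allow_aur" => policy.allow_aur = val.parse().map_err(|_| format!("allow_aur: expected true/false, got {val}"))?,
            other => return Err(format!("unknown policy key: {other}")),
        }
    }
    Ok(policy)
}

/// What the gate needs to know about a package before install (assumed shape).
pub struct Candidate<'a> { pub name: &'a str, pub grade: Grade, pub pgp_signed: bool, pub from_aur: bool }

/// Ok(()) when the install is allowed, otherwise the reason it was refused.
pub fn check_install(policy: &Policy, c: &Candidate) -> Result<(), String> {
    if c.from_aur && !policy.allow_aur { return Err(format!("{}: AUR packages disabled by policy", c.name)); }
    if policy.require_pgp && !c.pgp_signed { return Err(format!("{}: PGP signature required but missing", c.name)); }
    if c.grade < policy.minimum_grade { return Err(format!("{}: grade {:?} below minimum {:?}", c.name, c.grade, policy.minimum_grade)); }
    Ok(())
}
```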

For Developers

  1. Run Security Audits:

    cargo audit
    cargo clippy -- -D warnings
  2. Review Dependencies:

    cargo tree
    cargo machete  # Find unused dependencies
  3. Test Security Features:

    cargo test --features arch security
  4. Follow Secure Coding Practices:

    • Avoid unsafe blocks unless absolutely necessary
    • Use #[must_use] on query functions
    • Add context to all errors
    • Validate all user input

Security Updates

Security updates are announced via:

Compliance

OMG supports compliance requirements for:

  • SOC2
  • ISO27001
  • FedRAMP (future)

Features:

  • Audit log export (omg enterprise export-evidence)
  • SBOM generation (omg audit sbom)
  • Vulnerability reporting (omg audit scan --format json)
  • Policy enforcement (policy.toml)

Contact

Security Team: olen@latham.cloud
General Support: GitHub Issues

Acknowledgments

We thank security researchers who responsibly disclose vulnerabilities. Credits will be listed here upon disclosure.


Last Updated: 2026-02-01