GitHub's bots crawl nativelink to detect security vulnerabilities wherever
possible.
TraceMachina and the nativelink authors place a high emphasis on fixing any
vulnerabilities. Please send a report if something doesn't look right.
We support the most recent tagged version, primarily via
the Docker images, but also the other install methods listed there. We also publish, but don't directly support per-commit
Docker images for everything on main. For anything more than this, please contact marcus@tracemachina.com for commercial
support, or join our Slack for community support.
Prefer reporting vulnerabilities via GitHub.
If you'd rather communicate via email please contact marcus@tracemachina.com, tom@tracemachina.com or aman@tracemachina.com.
See Advisories for publicly disclosed vulnerabilities.
See the published OCI images for pull commands.
Images are tagged by nix derivation hash. The most recently pushed image
corresponds to the main branch. Images are signed by the GitHub action that
produced the image. Note that the OCI workflow might take a few minutes to publish the latest image.
export LATEST=$(nix eval github:TraceMachina/nativelink#image.imageTag --raw)cosign verify ghcr.io/tracemachina/nativelink:${LATEST} \
--certificate-identity=https://github.com/TraceMachina/nativelink/.github/workflows/image.yaml@refs/heads/main \
--certificate-oidc-issuer=https://token.actions.githubusercontent.comFor use in production pin the image to a specific revision:
# Get the tag for a specific commit
export PINNED_TAG=$(nix eval github:TraceMachina/nativelink/<revision>#image.imageTag --raw)Tip
The images are reproducible on x86_64-unknown-linux-gnu. If you're on such a
system you can produce a binary-identical image by building the .#image
flake output locally. Make sure that your git status is completely clean and
aligned with the commit you want to reproduce. Otherwise the image will be
tainted with a "dirty" revision label.