If you think you've found a potential vulnerability in Imath, please report it by filing a GitHub security advisory. Alternatively, email security@openexr.com and provide your contact info for further private/secure discussion. If your email does not receive a prompt acknowledgement, your address may be blocked.
Our policy is to acknowledge the receipt of vulnerability reports within 48 hours. Our policy is to address critical security vulnerabilities rapidly and post patches within 14 days if possible.
This gives guidance about which branches are supported with patches to security vulnerabilities.
Version / branch | Supported |
---|---|
main | ✅ 🚧 ALL fixes immediately, but this is a branch under development with a frequently unstable ABI and occasionally unstable API. |
3.1.x | ✅ All fixes that can be backported without breaking ABI compatibility. |
3.0.x |
Releases artifacts are signed via sigstore. See release-sign.yml for details.
To verify a downloaded release at a given tag:
% pip install sigstore
% sigstore verify github --cert-identity https://github.com/AcademySoftwareFoundation/Imath/.github/workflows/release-sign.yml@refs/tags/<tag> Imath-<tag>.tar.gz
-
The Imath project implements basic vector, matrix, and math operations, and is used throughout the motion picture industry and beyond, on Linux, macOS, and Windows.
-
The project consists of a software run-time library, implemented in C/C++ and built via cmake. The project also distributes python wrappings for the C/C++ I/O API.
-
The library provides no external input/output.
-
Other than the website and online technical documentation, the project implements no web/online services or network communication protocols. The library never requests any security or authentication credentials or login information from users.
The website implements no interactive features and requires no login credentials.
Imath has no external dependencies.
The Imath python bindings depend on python and boost.
Imath is downloadable and buildable by C/C++ source via GitHub. Only members of the project's Technical Steering Committee, all veteran software engineers at major motion picture studios or vendors, have write permissions on the source code repository. All critical software changes are reviewed by multiple TSC members.
The library is distributed in binary form via many common package managers across all platforms.