docs(security): document supported deployment platforms#66931
Open
potiuk wants to merge 2 commits into
Add an explicit out-of-scope section for non-Linux platforms to the Security Model. Bugs that only manifest on Windows / macOS / other non-Linux platforms are not eligible for CVE allocation because Airflow does not officially support those platforms as deployment targets. Codifies what was already the security team's practice — most recently the disposition on a 2026-05-14 IMAP-attachment-path-traversal report that only manifested on Windows due to backslash path-separator handling, closed NOT-CVE-WORTHY on this basis. Future Windows-only / macOS-only reports get the same treatment, and reporters can read the rule upfront before submitting. The rule applies symmetrically: a bug that affects Linux is judged on the Linux behavior regardless of whether it also reaches Windows; non-Linux-only bugs are out of scope. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@potiuk I still have the aim and a task on my bucket list of making Edge + Task SDK work on a Windows system. In Airflow 2.10 there was also an experimental setup documented in https://airflow.apache.org/docs/apache-airflow-providers-edge3/stable/install_on_windows.html - so I am not really good at excluding this.
shahar1 approved these changes on May 15, 2026
potiuk commented on May 15, 2026
Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
Summary
Adds an explicit out-of-scope section for non-Linux platforms to the Security Model. Bugs that only manifest on Windows / macOS / other non-Linux platforms are not eligible for CVE allocation because Airflow does not officially support those platforms as deployment targets.
Motivation
Codifies what was already the security team's practice — most recently the disposition on a 2026-05-14 IMAP-attachment-path-traversal report (GHSA-w72r-xvc9-jwgh) that only manifested on Windows due to backslash path-separator handling, closed NOT-CVE-WORTHY on this basis.
Without an explicit Security Model section, reporters routinely submit Windows-only path-traversal / RCE reports that the team has to invalidate one-by-one with manual reasoning. Future Windows-only / macOS-only reports will be closed against this section, and reporters can read the rule upfront before submitting through security@. The rule applies symmetrically: a bug that affects Linux is judged on the Linux behavior regardless of whether it also reaches Windows; non-Linux-only bugs are out of scope.
Test plan
Run `breeze build-docs apache-airflow --package-filter apache-airflow` and confirm the new section appears under the existing out-of-scope items in the Security Model page, and that the anchor `#supported-deployment-platforms` is generated correctly (Sphinx generates anchor IDs from heading text via kebab-case).
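The platform dependence the Motivation section refers to (a traversal that manifests only on Windows because of backslash path-separator handling) can be reproduced on any host with the standard library's `posixpath` and `ntpath` modules, which implement each platform's path rules in pure Python. The following is an added example, not code from this PR or from Airflow: the base directories and attachment names are constructed sample values, and the helper names (`escapes_base`, `classify`, `portable_safe_filename`) are hypothetical. It evaluates one untrusted attachment name under both platforms' rules, which is exactly the comparison the symmetric rule above asks a triager to make, and shows a sanitizer that holds on both.

```python
"""Added example (not code from the Airflow PR or the Airflow code base):
evaluate an untrusted attachment name under Linux and Windows path rules.

posixpath treats only '/' as a separator; ntpath treats both '/' and '\\'
as separators and also strips a drive or UNC prefix. The same name can
therefore stay inside the attachment directory on Linux and escape it on
Windows. All base directories and names below are constructed samples.
"""
import ntpath
import posixpath

# Constructed base directories following each platform's conventions.
POSIX_BASE = "/srv/airflow/attachments"
NT_BASE = r"C:\airflow\attachments"


def escapes_base(base: str, name: str, pathmod) -> bool:
    """True if joining ``name`` onto ``base`` resolves outside ``base``
    under the path semantics of ``pathmod`` (posixpath or ntpath)."""
    target = pathmod.normpath(pathmod.join(base, name))
    return pathmod.commonpath([base, target]) != pathmod.normpath(base)


def classify(name: str) -> dict:
    """Evaluate one attachment name under both platforms' path rules.

    A result of {"linux": False, "windows": True} is the Windows-only
    case the Security Model section places out of scope."""
    return {
        "linux": escapes_base(POSIX_BASE, name, posixpath),
        "windows": escapes_base(NT_BASE, name, ntpath),
    }


def portable_safe_filename(name: str) -> str:
    """Reduce an untrusted attachment name to a single path component so
    that the result is safe under both platforms' rules.

    ntpath.basename splits on '/' and '\\' and discards drive/UNC prefixes,
    so it is the stricter of the two even when the code runs on Linux.
    Whatever remains is rejected if it is still a traversal token or empty.
    """
    leaf = ntpath.basename(name)
    if leaf in ("", ".", "..") or "\x00" in leaf:
        raise ValueError(f"unsafe attachment name: {name!r}")
    return leaf


if __name__ == "__main__":
    # Constructed sample names: a plain file, a traversal that works on both
    # platforms, and a backslash traversal that only works on Windows.
    for sample in ("report.pdf", "../../outside.txt", r"..\..\outside.txt"):
        print(f"{sample!r:24} -> {classify(sample)}")
        print(f"{'sanitized':>24} -> {classify(portable_safe_filename(sample))}")
```

`classify` is the triage view: a report whose name only escapes under `ntpath` matches the out-of-scope case, while one that escapes under `posixpath` is judged on that Linux behaviour whether or not it also reaches Windows. `portable_safe_filename` is the fix a maintainer would want regardless of the CVE disposition, since applying `ntpath.basename` on Linux costs nothing and removes the platform asymmetry.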