From ed508a1cd3d2cd08077ea38a0b14b105928d71a6 Mon Sep 17 00:00:00 2001 From: Billy Robert O'Neal III Date: Tue, 31 Aug 2021 14:14:57 -0700 Subject: [PATCH] Comply with SDL by adding security guidance. Resolves https://devdiv.visualstudio.com/DevDiv/_workitems/edit/1336590 Drive-by: remove useless build status icon. --- README.md | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 936cc16819873f..1985861d407ffd 100644 --- a/README.md +++ b/README.md @@ -19,8 +19,6 @@ you can run `vcpkg help`, or `vcpkg help [command]` for command-specific help. * Discord: [\#include \](https://www.includecpp.org), the #🌏vcpkg channel * Docs: [Documentation](docs/README.md) -[![Build Status](https://dev.azure.com/vcpkg/public/_apis/build/status/microsoft.vcpkg.ci?branchName=master)](https://dev.azure.com/vcpkg/public/_build/latest?definitionId=29&branchName=master) - # Table of Contents - [Vcpkg: Overview](#vcpkg-overview) @@ -40,6 +38,7 @@ you can run `vcpkg help`, or `vcpkg help [command]` for command-specific help. - [Examples](#examples) - [Contributing](#contributing) - [License](#license) +- [Security](#security) - [Telemetry](#telemetry) # Getting Started 
@@ -350,7 +349,18 @@ with any additional questions or comments. # License -The code in this repository is licensed under the [MIT License](LICENSE.txt). +The code in this repository is licensed under the [MIT License](LICENSE.txt). The libraries +provided by ports are licensed under the terms of their original authors. Where available, vcpkg +places the associated license(s) in the location `installed//share//copyright`. + +# Security + +Most ports in vcpkg build the libraries in question using the original build system preferred +by the original developers of those libraries, and download source code and build tools from their +official distribution locations. For use behind a firewall, the specific access needed will depend +on which ports are being installed. If you must install in in an "air gapped" environment, consider +installing once in a non-"air gapped" environment, populating an +[asset cache](docs/users/assetcaching.md) shared with the otherwise "air gapped" environment. # Telemetry
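Review bot: The badge removal in the first README.md hunk (@@ -19,8 +19,6) is unrelated to the security guidance named in the subject line; consider moving it to its own commit so the SDL change can be reviewed, referenced, and reverted independently of the drive-by cleanup.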
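Review bot: The new Security paragraph in the last README.md hunk (@@ -350,7 +349,18) has a doubled word, "If you must install in in an", which should read "install in an". In the same hunk, the License text gives the copyright location as `installed//share//copyright`, which as shown has two empty path segments; please confirm the placeholder names for those segments are present in the committed text. The air-gapped sentence would also read more clearly as "consider installing once in a non-air-gapped environment to populate an asset cache shared with the air-gapped environment".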