| Version | Supported |
|---|---|
| Latest | ✅ |
| Latest - 1 | ✅ |
| Latest - 2 | ✅ |
Support Policy: Security patches are provided for the latest 3 minor releases. Older versions do not receive security updates.
Since this is a personal utility library (not a professional-oriented library), security vulnerabilities should be reported by creating an issue in the repository.
- Create a new issue in the GitHub repository
- Use the "Security" label (if available) or "Bug"
- Mark as sensitive in the issue description if GitHub provides that option
- Type of vulnerability (e.g., buffer overflow, race condition, etc.)
- Affected versions of Ain
- Steps to reproduce the vulnerability
- Impact assessment (what could happen if exploited)
- Any potential mitigations you're aware of
- Initial response: We'll acknowledge the issue within 7 days
- Assessment: We'll investigate and validate the vulnerability
- Fix: We'll develop and test a patch
- Release: We'll release a new version with the fix
- Disclosure: We'll update the issue once fixed
This library contains high-performance concurrent data structures. Be aware of:
- Race detector: Some code may trigger false positives with the `-race` flag due to lock-free implementations
- Atomic operations: The Disruptor uses atomic operations with specific memory ordering
- Memory safety: Zero-allocation paths are used to prevent GC pressure
There are no third-party dependencies for this library.
Ain is a library only and does not:
- Collect user data
- Make network calls (except for testing/benchmarking)
- Access filesystem (except for optional file logging)
- Handle sensitive information directly
The Disruptor implementation may trigger race detector warnings even though the code is thread-safe. This is documented in `structs/disruptor.go:120`:

```go
/*
IMPORTANT
Race detector notes: When running with -race, Go's race detector flags publisher-consumer buffer access as data races.
These are false positives because:
1. CAS on writer cursor ensures only one publisher can claim a sequence number
2. Writer is advanced only after CAS succeeds (establishes happens-before relationship)
3. Consumer reads after seeing updated writer cursor (synchronized through atomic operations)
4. No mutexes used - fully lock-free implementation
The race detector doesn't understand happens-before relationships established through
atomic operations on different variables.
*/
```

- Disruptor: Pre-allocated ring buffer prevents dynamic allocations during operation
- SyncQueue: Uses proper synchronization with mutexes
- WorkerPool: Context-based cancellation for safe shutdown
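
When triaging a `-race` report against a ring buffer like the one described in the race detector note above, it helps to have a small reference for the claim, write, publish ordering. The sketch below is an added example, not Ain's code: `Ring`, `Publish`, `Drain`, `Run` and the separate `published` and `consumed` cursors are hypothetical names and design choices made for illustration.

```go
package main

import (
	"runtime"
	"sync/atomic"
)

const ringSize = 8 // constructed size for this sketch

// Ring is a hypothetical multi-producer, single-consumer ring (not Ain's type).
type Ring struct {
	claimed, published, consumed atomic.Uint64 // cursors that only ever increase
	slots                        [ringSize]int
}

// Publish claims a free sequence by CAS, writes the slot, then publishes in order.
func (r *Ring) Publish(v int) {
	seq := r.claimed.Load()
	for ; seq-r.consumed.Load() >= ringSize || !r.claimed.CompareAndSwap(seq, seq+1); seq = r.claimed.Load() {
		runtime.Gosched() // slot not yet consumed, or another publisher won the claim
	}
	r.slots[seq%ringSize] = v                     // plain write; the CAS gave sole ownership
	for !r.published.CompareAndSwap(seq, seq+1) { // atomic publish, after the write
		runtime.Gosched()
	}
}

// Drain reads n values; each plain slot read follows an atomic load of published.
func (r *Ring) Drain(n int) (sum int) {
	for next := uint64(0); next < uint64(n); next++ {
		for next >= r.published.Load() {
			runtime.Gosched()
		}
		sum += r.slots[next%ringSize]
		r.consumed.Store(next + 1) // slot may now be reclaimed by a publisher
	}
	return sum
}

// Run starts n concurrent publishers sending 1..n and returns the drained sum.
func Run(n int) int {
	r := &Ring{}
	for i := 1; i <= n; i++ {
		go r.Publish(i)
	}
	return r.Drain(n)
}

func main() { println(Run(200)) }
```

Run it with `go run -race` to see how the detector treats this ordering, then compare against the access pattern named in a report from your own application.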
When using Ain in your applications:
- Keep dependencies updated: Regularly update Ain to the latest version
- Review your usage: Understand the concurrent patterns you're using
- Test thoroughly: Test your application with race detector enabled
- Monitor performance: Watch for unusual behavior in production
- Patch releases: Security fixes are released as patch versions (e.g., v1.2.3)
- Announcements: Security updates are mentioned in release notes
- Compatibility: Security patches maintain backward compatibility
For security-related questions or concerns:
- Create an issue with the "Security" label
- Check existing issues for similar reports
- Provide detailed information about your security concern
Ain is provided "as is" without warranty. While we take security seriously and will address reported vulnerabilities, users should:
- Review the code before using in security-sensitive applications
- Test thoroughly in their specific use cases
- Consider their threat model when using concurrent data structures
Thank you for helping keep Ain secure!