solunatus 0.2.2

High-precision astronomical calculation library and CLI for sun/moon positions, rise/set times, and lunar phases
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176

# Security Policy

## Supported Versions

We currently support the following versions with security updates:

| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |
| < 0.1   | :x:                |

## Reporting a Vulnerability

We take the security of Solunatus seriously. If you discover a security vulnerability, please report it responsibly.

### How to Report

**For security vulnerabilities, please DO NOT open a public issue.**

Instead, please report security issues using GitHub's private security advisory feature:

1. Go to https://github.com/FunKite/solunatus/security/advisories
2. Click "New draft security advisory"
3. Fill in the details:
   - A description of the vulnerability
   - Steps to reproduce the issue
   - Potential impact
   - Any suggested fixes (optional)

### What to Expect

- **Response time**: You should receive an acknowledgment within 48 hours
- **Updates**: We'll keep you informed about the progress of fixing the vulnerability
- **Credit**: If you'd like, we'll credit you in the release notes for responsible disclosure
- **Timeline**: We aim to release patches for confirmed vulnerabilities within 7-14 days

### Security Update Process

Once a vulnerability is confirmed:

1. We'll develop and test a fix
2. Create a new patch release (e.g., 0.1.2)
3. Publish the fix to:
   - GitHub releases
   - crates.io
4. Publish a security advisory with:
   - Description of the vulnerability
   - Affected versions
   - Upgrade instructions
   - Credit to the reporter (if desired)

## Security Best Practices for Users

### Installation

```bash
# Always install from official sources
cargo install solunatus

# Or download from official GitHub releases
# https://github.com/FunKite/solunatus/releases
```

### Verify Checksums

When downloading binaries from GitHub releases:

```bash
# Download the binary and checksum file
curl -LO https://github.com/FunKite/solunatus/releases/download/v0.1.1/solunatus-v0.1.1-linux-x86_64.tar.gz
curl -LO https://github.com/FunKite/solunatus/releases/download/v0.1.1/solunatus-v0.1.1-linux-x86_64.tar.gz.sha256

# Verify checksum (Linux/macOS)
sha256sum -c solunatus-v0.1.1-linux-x86_64.tar.gz.sha256
```

### Keep Your Installation Updated

```bash
# Update to the latest version
cargo install solunatus --force
```

## Known Security Considerations

### Configuration File

Solunatus stores your location preferences in `~/.astro_times.json`. This file contains:
- Latitude/longitude coordinates
- Timezone information
- City name (if selected)

**Privacy note**: This information is stored locally and never transmitted over the network.

### Network Requests

Solunatus makes network requests for:

- **NTP time synchronization**: Queries time.google.com or pool.ntp.org
  - Purpose: Detect system clock drift
  - Frequency: Cached for 30 minutes
  - Data sent: Standard SNTP request (no personal information)

- **USNO validation** (optional): Queries aa.usno.navy.mil
  - Only when using `--validate` or pressing 'r' in watch mode
  - Purpose: Accuracy verification against U.S. Naval Observatory data

**No location data or personal information is ever transmitted.**

### Dependencies

We regularly update dependencies to address security vulnerabilities. To check for vulnerabilities in the current version:

```bash
# Install cargo-audit
cargo install cargo-audit

# Check for vulnerabilities
cargo audit
```

## Dependency Management

### Automated Updates

- **Dependabot**: Automatically monitors dependencies for security vulnerabilities
- **Dependabot Security Updates**: Automatically creates PRs for security patches

### Manual Review

All dependency updates are reviewed before merging, with special attention to:
- Breaking changes
- New permissions or capabilities
- Upstream security track record

## Scope

This security policy covers:
- ✅ The Solunatus CLI application
- ✅ The Solunatus Rust library (published on crates.io)
- ✅ Build scripts and release binaries
- ✅ Dependencies with known vulnerabilities

This policy does NOT cover:
- ❌ Third-party dependencies (report directly to their maintainers)
- ❌ Issues with Rust toolchain or cargo (report to rust-lang)
- ❌ Operating system or terminal emulator issues

## Security Features

### Current Protections

- **No remote code execution**: All astronomical calculations are performed locally
- **No data collection**: No telemetry, analytics, or usage tracking
- **Minimal attack surface**: Single-purpose CLI tool with no web server or network listening
- **Memory safety**: Written in Rust for memory safety guarantees
- **Dependency scanning**: Automated vulnerability detection via Dependabot

### Future Enhancements

We're considering:
- Code signing for macOS binaries (to avoid Gatekeeper warnings)
- Notarization for macOS releases
- Reproducible builds for verification
- Supply chain security with cargo-vet

## Questions?

If you have questions about security that don't involve reporting a vulnerability, feel free to:
- Open a discussion on GitHub
- Open a regular issue with the "question" label

---

**Last Updated**: 2025-10-24
**Maintainer**: @FunKite