Merge pull request #4991 from weiznich/feature/more_policies

weiznich · web-flow · commit 24e1823ea73c · 2026-03-20T15:27:55.000Z
Add a security and a LLM/AI policy to the projects
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -9,3 +9,6 @@ contact_links:
   - name: Feature Requests
     url: https://github.com/diesel-rs/diesel/discussions/categories/ideas
     about: If you want to suggest a new feature please create a new topic in our discussions forum
+  - name: Report a security vulnerability
+    url: https://github.com/diesel-rs/diesel/security/advisories/new
+    about: Please review our security policy for more details
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -0,0 +1,16 @@
+<!-- 
+Please provide a short brief summary description of your change here. 
+Also make sure that your code passes all tests and style checks. 
+Checkout the `CONTRIBUTING.md` file in the root of the repository for running these checks locally.
+It's also fine to use the CI setup for running these tests, but in this case please indicate that your PR 
+is not ready for review yet by marking it as DRAFT until it is ready.
+
+If you submit a notable change please ensure to include it into the CHANGELOG.md file in
+the root of the repository.
+
+Also make sure to follow the projects guide lines about the usage of LLM's and AI agents as outlined
+in the CONTRIBUTING.md file in the root of the repository.
+-->
+
+- [ ] I checked for similar changes and make sure to reference them
+- [ ] I included a changelog entry for relevant new features or changes
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -152,16 +152,27 @@ To run rustfmt tests locally:
 You can also use rustfmt to make corrections or highlight issues in your editor.
 Check out [their README](https://github.com/rust-lang/rustfmt) for details.
 
-### Usage of LLMs and AI agents
-
-The Diesel project doesn't completely disallow to usage of LLMs and AI agents for contributions. There are still a number of restrictions and rules you as a PR author are asked to follow.
-
-Most importantly you as the author of the PR are responsible for carefully reviewing the generated code to make sure that:
-
-* It is correct to your best knowledge
-* It does not contain any copyrighted code that is incompatible with the license used by Diesel
-
-Furthermore you are asked to disclose the usage of any such tools in your PR description. 
+### Usage of LLM's/AI agents
+
+The Diesel project does not strictly forbid the usage of LLM's and AI agents for submitting pull requests. 
+There are still a number of restrictions and rules you as a PR author are asked to follow:
+
+* You need to make sure that the code you are trying to submit can be licences under the relevant open source License used by Diesel. It cannot contain any code that is incompatible with the licenses used by Diesel.
+* You need to fully understand and review any generated code before submitting a PR. The expectation from the reviewer team is 
+  to discuss these changes with you as a person.
+* You need to ensure that the submitted code satisfies the general requirements of submitting PR's to Diesel. That especially includes the following points:
+    + The Code passes all tests and style checks
+    + The change is as minimal as possible. Huge changes will be just dismissed
+    + You verified that the change actually fixes/implements what it is supposed to fix/implement
+    + The change contains a sufficient amount of documentation to help others following the code
+* The usage of LLM's/AI need to be disclosed (See the linked NlNet resource on how to do that in a meaningful way)
+* We ask you to write pull request descriptions and discussion comments on your own. 
+  We are able to ask an AI agent on our own if we feel that might be helpful.
+* For issues marked as "mentoring available" or "good first issue" consider that these issues are for onboarding new contributors 
+  to the code base. Consider if fully solving such an issue only by using LLM's/AI is helping you to gain experience.
+
+For a more in depth description we would like to point to NlNet's policies about [using generative AI](https://nlnet.nl/foundation/policies/generativeAI/) in projects they are funding. This document outlines many of the points 
+above in with more details and explanations. 
 
 ### Common Abbreviations
 
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,58 @@
+# Security Policy for Diesel
+
+## Supported Versions
+
+The Diesel team provides only support for the latest released version at Diesel at any point in time. Users are strongly encouraged to upgrade to the latest version for the best security posture.
+
+## Reporting a Vulnerability
+
+We take the security of Diesel very seriously. If you believe you've found a security vulnerability, we encourage you to inform us responsibly through coordinated disclosure.
+
+### How to Report
+
+**Do not report security vulnerabilities through public GitHub issues, discussions, or social media.**
+
+Instead, please use one of these secure channels:
+
+1. **GitHub Security Advisories** (preferred): Use the "Report a vulnerability" button in the Security tab
+2. **Email** (backup): Send details to `github@weiznich.de`
+
+### What to Include
+
+To help us understand and address the issue quickly, please include:
+
+**Required Information:**
+- Brief description of the vulnerability type (6 or less sentences)
+- Affected version(s) and components
+- Proof-of-concept code to reproduce the issue
+
+**Helpful Additional Details:**
+- Full paths of affected source files
+- Suggested mitigation or fix (if you have ideas)
+- A path resolving the reported problem
+
+Your initial report should be rather brief. For the case that additional details might be required for confirming the reported problem or to asses the severity of the reported issue the Diesel team will provide detailed followup questions.
+
+### Our Response Process
+
+**What We'll Do:**
+1. Acknowledge your report and assign a tracking ID
+2. Assess the vulnerability and determine severity
+3. Develop and test a fix
+4. Coordinate disclosure timeline with you
+5. Release security update and publish advisory
+6. Credit you in our security advisory (if desired)
+
+## Scope
+
+This security policy applies to:
+
+**In Scope:**
+- The Diesel Query builder 
+- Any Diesel procedural macro
+- The Diesel command line tool
+
+**Out of Scope:**
+- Any general Rust/Cargo security issue
+- Any issue occurring in a third party crate that cannot be triggered through Diesel code
+
