Red Hat Trusted Libraries Support Policy
Red Hat Trusted Libraries provides a curated set of enterprise-ready Python libraries—starting with commonly used packages such as NumPy, Pandas, and Flask—that are built from upstream source, continuously monitored, and distributed with signed provenance and Software Bill of Materials (SBOMs).
These libraries are produced through Red Hat's hardened software factory and made available via Red Hat-managed distribution channels, along with associated build attestations and security metadata.
Key characteristics:
- Built on hardened infrastructure aligned with SLSA Level 3
- Continuously tracked and rebuilt from upstream sources
- Distributed in standard, consumable formats (e.g., Python wheels)
- Accompanied by SBOMs and signed build attestations
- Rebuilt in alignment with upstream updates, with a target of ~24 hours for incorporating upstream fixes (best-effort)
Red Hat supports customers using Red Hat Trusted Libraries in line with Red Hat Third Party Component Policy. The included libraries are third-party open source components whose functionality, maintenance, and security remediation are controlled by their respective upstream communities.
Accordingly, Red Hat:
- Does not provide support for the functional behavior or performance of upstream libraries
- Does not backport fixes or maintain custom patched versions of upstream libraries
- Does not independently remediate vulnerabilities (CVEs) in upstream components
If a vulnerability or software issue is identified:
- Remediation is dependent on upstream availability of a fix
- Customers are responsible for upgrading to versions where upstream fixes are available
- If a vulnerability exists in the latest upstream version, resolution is expected from the upstream community
Red Hat's support for Red Hat Trusted Libraries is limited to:
- Integrity and security of the build and supply chain (source-to-artifact)
- Availability of Provenance, signing, and verification of distributed artifacts
- Availability and reliability of Red Hat distribution services
- Availability of SBOMs and build attestations generated by Red Hat
- Rebuilding and redistribution of artifacts based on upstream releases