This overlay ships kernel patches (sys-kernel/pf-sources*), GPU driver tooling (ROCm, CUDA), and a local-LLM stack (dev-python/vllm, sci-misc/llama-cpp, and their dependency tail). Vulnerabilities in the overlay's ebuilds, patches, or build recipes warrant careful disclosure.

Please use GitHub private vulnerability reporting: the "Report a vulnerability" button under the Security tab. The report stays private until disclosed and auto-tracks discussion.

Please include:

• The exact ebuild atom (e.g. sys-kernel/pf-sources-7.0_p4).
• A description of the issue and how to reproduce it.
• Any CVE identifier if upstream has already assigned one.

Vulnerabilities upstream of this overlay should be reported where the code actually lives. The overlay packages and patches that code but does not maintain it; downstream-only reports tend to languish because the maintainer here can't fix them.

• ::gentoo base-tree packages → Gentoo Security Handbook
• Linux kernel issues (including the pf-kernel patch series) → upstream pf-kernel and/or linux-stable
• ROCm / CUDA / vllm / llama.cpp / spaCy / and similar → their respective upstream projects

Once an upstream advisory is public, we are glad to coordinate the downstream packaging side (revbump, masking the vulnerable version, news item if appropriate).

The overlay is rolling: only the current tip of master is "supported" in any meaningful sense, and there are no point-in-time releases. When a security fix lands, downstream users should emerge --sync stuff and rebuild the affected package.

For the curated pf-sources line specifically, see the per-version ebuild notes in sys-kernel/pf-sources*/ — those carry the explicit CVE-patch curation policy that differs from the upstream pf-kernel cadence.

This is a small overlay maintained by one or two people in their spare time. Response is best-effort:

• Acknowledgement of a credible report within one week.
• A fix, mitigation, or coordinated disclosure plan within a few weeks, longer if upstream coordination is involved.

If you have not heard back within two weeks, please ping the advisory thread again — the first notification may have been missed.