Add a draft THREAT_MODEL.md + SECURITY.md and link it from AGENTS.md #7664
Closed
potiuk wants to merge 1 commit into
Generated-by: Claude Code
Closing as a duplicate of #7641, which is the active draft threat-model PR for this repo. Apologies for the noise.
This is a v1 draft threat model for the OpenDAL PMC to review — please
correct, reject, or discuss as needed. The maintainer is the
decision-maker; nothing here is a requirement.
This lands a draft THREAT_MODEL.md for apache/opendal and wires the conventional
AGENTS.md → SECURITY.md → THREAT_MODEL.md chain so an automated security scanner can mechanically locate the model.
THREAT_MODEL.md (new) — a v1 draft modelling OpenDAL's trust boundaries (caller→Operator, OpenDAL→backend network, config/credential ingestion, FFI), the per-backend credential/auth surface, and the properties OpenDAL
does / does not provide.
SECURITY.md (new) — routes vulnerability reports to the ASF security process and points at the threat model.
AGENTS.md — adds a Security section linking SECURITY.md; your existing AGENTS.md is otherwise unchanged.
How it was produced. Drafted from OpenDAL's public artifacts (README, the
core/services/ + core/layers/ structure) following the threat-model rubric at https://gist.github.com/scovetta/2dc9a0695c7cbcc32e23799e00d2ced3. Every
claim is tagged (documented) — from your docs/source — or (inferred) —
our reasoning, not yet confirmed. The inferred claims are collected as
"§14 Open questions for the maintainers"; a one-line confirm/correct per
question is enough, and we fold answers in (inferred → maintainer).
The 15 open questions cover what only the PMC can settle: whether a
malicious/compromised backend is in the adversary model (and how hardened
response/listing parsing is); TLS fallback posture; whether the
logging/tracing layers can ever emit credentials; SSRF / endpoint-trust
responsibility; presigned-URL semantics; the
unsafe/FFI memory-safety posture; and what scanners report that you consider non-findings (§11a).
Context: the ASF Security team is preparing OpenDAL for an automated agentic
security scan being piloted by the team; a discoverable model is the one hard
pre-flight gate. This is the first of the in-scope repos —
opendal-reqsign, opendal-go-services, and opendal-oli follow as separate PRs.
Questions / pushback welcome — happy to adjust file placement or wording to
match the project's house style.