potiuk commented on PR #13293: URL: https://github.com/apache/cloudstack/pull/13293#issuecomment-4885683465
@shwstppr fair question — this one reviews differently from a code PR. A few notes to unstick it: - **It's docs-only:** a single `THREAT_MODEL.md` plus the `AGENTS.md → SECURITY.md` wiring. No code path to review, and the red CI is CloudStack's normal code/integration checks, which don't apply to a docs change — safe to ignore here. - **It's a v0 *draft* to react to,** not a finished document. Every inferred claim is tagged and collected into open questions at the end (§14) — so "reviewing" it is really answering those (confirm / correct / strike) and fixing anything factually wrong for CloudStack. Vishesh already did a solid pass on the global-setting names; that's exactly the shape of review that helps. - **Copilot / automated review won't say anything useful** about a prose threat model — agreed. - **Merging is the ratification:** once it's in, the model is the CloudStack PMC's document, owned and refined in place. It doesn't have to be perfect at merge — just correct enough that the PMC is comfortable it represents the project. Happy to jump on any specific §14 question if that helps reviewers move. — Jarek -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
