potiuk commented on PR #6709: URL: https://github.com/apache/jmeter/pull/6709#issuecomment-4627678196
Thanks @milamberspace and @vlsi — your full review is already folded into the v1 model; resolving the threads now.

Confirmed in-model:

- the **HTTPS recording-proxy (`ProxyControl`)** local trust boundary (§2/§4/§5a);
- the **RMI defaults** (`server.rmi.ssl.disable=false`, mutual client-auth, keystore-not-shipped) + **bind-interface-not-restricted** nuance (§4/§5a);
- the **Security-Manager** JDK-24/JEP-486 removal with OS-level isolation as the forward path (§5/§9/§10);
- the **open-vs-run / XStream `AnyTypePermission` no-op** boundary (§4/§8/§9);
- **§11a** seeds (`Runtime.exec`/OS Process Sampler, proxy port, `changeit`);
- **authorized pen-testing** as a recognized §2 use;
- and the **`security.html` backlink** tracked as §14 Q8.

Wave-1/2 §14 questions are marked answered. Applied @vlsi's AGENTS.md suggestion — trimmed to the bare `Security model: [SECURITY.md](./SECURITY.md)` pointer.

Tracked follow-ups (engineering, not model blockers): the XStream allowlist (closes the CVE-2013-7285 TODO), the `security.html` backlink, and a reference hardened-`jmeter-server` Dockerfile/unit.

The model is the PMC's to merge whenever — thanks for the deep source-level review.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
