[
https://issues.apache.org/jira/browse/HDDS-15526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated HDDS-15526:
----------------------------------
Labels: pull-request-available (was: )
> Add security threat model (THREAT_MODEL.md + SECURITY.md + AGENTS.md)
> ---------------------------------------------------------------------
>
> Key: HDDS-15526
> URL: https://issues.apache.org/jira/browse/HDDS-15526
> Project: Apache Ozone
> Issue Type: Task
> Reporter: Jarek Potiuk
> Priority: Major
> Labels: pull-request-available
>
> Apache Ozone has no in-repo threat model. As part of the Project Glasswing /
> Mythos security-scan pre-flight (requested by the Ozone PMC; path 3 - drafted
> by the ASF Security team), add a THREAT_MODEL.md plus a SECURITY.md
> threat-model pointer and an AGENTS.md so an automated security-review agent
> can mechanically discover the model (AGENTS.md -> SECURITY.md ->
> THREAT_MODEL.md).
> PR: https://github.com/apache/ozone/pull/10483
> The model is a v0 draft for the PMC to review, correct, own, and merge. It is
> built around Ozone's multi-service architecture (S3 Gateway, OM,
> SCM/internal-CA, Datanodes/Ratis) and treats secure mode
> (ozone.security.enabled) as the load-bearing posture; it carries open
> questions for the maintainers in section 14 (notably the secure-mode default
> and the Ratis honest-majority safety bound).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
