potiuk commented on PR #17823: URL: https://github.com/apache/iotdb/pull/17823#issuecomment-4625591395
Thanks @JackieTien97 — exactly the confirmation pass the v0 needed. All eleven points plus the two corrections are folded into the branch; responding individually:

**Wave 1**

1. **Deployment posture** — confirmed; §2/§4/§7 already carried this from @HTHou's pass, now reinforced. §14.1 resolved.
2. **Default `root:root`** — confirmed `OUT-OF-MODEL: non-default-build`; §5a/§10/§11a/§13 unchanged, §14.2 resolved.
3. **TsFile / SDK boundary** — promoted §3 + §14.3 from *(inferred)* to *(maintainer)*: TsFile findings route to `apache/tsfile`; `iotdb-client-*` SDKs out of this batch.

**Wave 2**

4. **Default-enabled protocols** — confirmed (Thrift on; REST/MQTT off); already maintainer-tagged, §14.4 resolved.
5. **Inter-node channel** — the big open one. Rewrote §4 (secondary boundary + reachability rule), §6, §9, §14.5: inter-node assumed trusted-network, **no transport encryption today**, interception/modification findings → `OUT-OF-MODEL: adversary-not-in-scope`, operators own segmentation (§10). Now *(maintainer)*.
6. **TLS** — §5a + §9 + §14.6: client Thrift SSL off by default, **no inter-node TLS today**. Promoted.

**Wave 3**

7. **Extension code execution** — confirmed `BY-DESIGN` for a principal holding `USE_UDF`/`USE_TRIGGER`/`USE_PIPE`/`USE_MODEL`; §9/§11a/§13 unchanged (maintainer from @HTHou), §14.7 resolved.
8. **Cluster Byzantine posture** — rewrote §7 + §14.8: membership **fully trusted**, no BFT claim, no safety/liveness guarantee against an authenticated-but-malicious peer. Promoted.

**Wave 4**

9. **Resource/DoS line** — confirmed, incl. the carve-out: malformed/pre-auth/client input causing crash/OOM/hang stays `VALID` (§8); ordinary expensive queries/write-load are operator capacity. §14.9 resolved.
10. **No additional false positives** — noted; §14.10 resolved (no §11a additions).
11. **Canonical location** — confirmed in-repo (`AGENTS.md → SECURITY.md → THREAT_MODEL.md`), PMC owns revisions; §14.11 resolved, §1 status updated.

**Corrections**

- **§5 clock** — fixed: server-side time ordering does **not** assume monotonic/synchronized clocks across the cluster. Now *(maintainer)*.
- **AGENTS.md symlink** — added a note to the PR description: `AGENTS.md` is a symlink to `CLAUDE.md` here, so the `## Security` section landing in `CLAUDE.md` is intentional and the chain resolves.

With your pass and @HTHou's folded in, §2–§13 are PMC-confirmed and §14 is fully resolved — residual *(inferred)* tags are limited to low-stakes environmental details. Re-requesting your review; happy to iterate on any wording.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
