Add a draft security threat model (THREAT_MODEL.md) + discoverability wiring#2186
Add a draft security threat model (THREAT_MODEL.md) + discoverability wiring#2186potiuk wants to merge 2 commits into
Conversation
… wiring Generated-by: Claude Code
|
@potiuk thank you for the draft! I made a first pass at edits. I would appreciate clarity on the proper way to edit the inferred areas and address the open questions from a how-to-format-it-in-the-doc perspective. Is the intent to leave the references and simply update, or remove them? A quick example of how to move one question from inferred -> confirmed would be appreciated. Thanks |
|
Two equally-good ways to handle this; pick whichever is less friction for you: Option A — just answer inline (easiest). Drop a comment on this PR with one line per §14 question: confirm / correct / strike. That's genuinely all we need — I fold the answers into Option B — edit the doc directly in the branch, if you'd rather own the wording. The mechanics for that are below. On the "leave the references or remove them?" question — leave them, just flip the tag. The provenance tags are load-bearing (they tell the scan agent and future readers which claims the PMC has ratified vs. which are still our guess), so they stay for the life of the doc. What changes per answered question is three small things:
So: references-in-the-body stay (re-tagged); the §14 question goes away. Worked example — moving Q9 (peer broker) from inferred → confirmed. The claim today, in §2, reads:
and §14 Q9 asks whether ActiveMQ provides any cross-link safety guarantee or whether a malicious peer is wholly the operator's trust decision. Say the PMC answers: "No cross-link authorization guarantee — a compromised/malicious peer is the operator's trust decision." After folding that in, the §2 bullet becomes:
…and §14 Q9 is deleted. That's the whole transformation — tag flips, the answer's substance lands in the prose, question retires. A one-line "Q9: confirmed, no cross-link guarantee" from you produces exactly that edit on my end. A few past models where this played out, if it helps to see the pattern:
No rush on any of it — one line per question whenever you have a moment is plenty. Happy to fold as they come in rather than waiting for all ten. |
This is a proposal for the ActiveMQ PMC to review — please correct, reject, or discuss as needed. Nothing here is a requirement; the maintainers are the decision-makers and the PMC owns the document.
This adds a draft
THREAT_MODEL.mdfor apache/activemq (Classic) and wiresAGENTS.md -> SECURITY.md -> THREAT_MODEL.mdso an automated security scanner can mechanically discover the model. This is the "jump start" the PMC asked us to bootstrap — a concrete starting point to react to rather than a blank form.The draft was generated from ActiveMQ's own public artefacts (
SECURITY.md, the security docs, advisory history) using thethreat-model-producerrubric. Every claim carries a provenance tag:What's most useful from the PMC: walk the §14 questions (10 of them) and answer in-thread / on the PR — a one-line confirm / correct / strike each is enough. We fold the answers in and the (inferred) tags become (maintainer).
Please sanity-check these especially:
SERIALIZABLE_PACKAGESallow-list; OpenWire unmarshalling);ClientId,BlobMessageURIs);Context: the ASF Security team is preparing projects for an automated agentic security scan we're piloting; discoverability (the
AGENTS.mdchain) is the one hard prerequisite — everything else is suggestion. This PR is the public-repo piece; program details are on the PMC's private list. This PR does not edit any existing content — it only adds the model + the discoverability wiring.Questions / pushback welcome.