potiuk commented on PR #3734:
URL: https://github.com/apache/fory/pull/3734#issuecomment-4725027770

Both changes are fine — go for it.

The scan agent doesn't care where the file physically lives; what it follows is the discoverability *chain*: AGENTS.md -> SECURITY.md -> the threat model. So moving the file under docs/security/ works as long as the pointer in SECURITY.md is updated to the new path. Since AGENTS.md already lists docs/security/deserialization.md as loadable guidance, adding the threat-model path there too is the natural home for it.

On the dedup: removing content that just restates deserialization.md is good hygiene — that doc can stay the authoritative source for the untrusted-deserialization boundary, and the threat model can reference it rather than duplicate it. The thing to keep in the threat model is the project-level framing the scan needs: what Fory considers in vs. out of scope, the trust boundaries and user roles, and the known false-positives — i.e. the parts deserialization.md doesn't already cover.

One tiny thing: the path you wrote is "thread-model.md" — I'm assuming that's a typo for "threat-model.md". Whatever filename you settle on is fine, just keep SECURITY.md pointing at it.

Happy to update the PR to match once you've decided on the final layout, or you can push directly — either works.
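The comment above hinges on the pointer chain AGENTS.md -> SECURITY.md -> threat model staying resolvable after the move. As an added example (not code from the Fory project or from this PR), here is a small checker that walks that chain and reports a missing step or a dangling relative link, which is exactly what a "thread-model.md" typo produces. It assumes the pointers are ordinary relative Markdown links and uses a constructed sample repo in a temporary directory; nothing here reflects how the project's actual scan agent discovers files.

```python
from __future__ import annotations
import os
import re
import tempfile
from pathlib import Path

# Markdown link target, with any #anchor stripped.
LINK_RE = re.compile(r"\[[^\]]*\]\(([^)\s#]+)")

def relative_links(md_path: Path) -> list[Path]:
    """Relative .md link targets in one file, resolved against that file's directory."""
    targets = []
    for target in LINK_RE.findall(md_path.read_text(encoding="utf-8")):
        if "://" in target or not target.endswith(".md"):
            continue  # external URLs and non-Markdown links are not part of the chain
        targets.append((md_path.parent / target).resolve())
    return targets

def check_chain(root: Path, chain: tuple[str, ...]) -> list[str]:
    """Each doc in `chain` must link to the next one, and every relative link must exist.
    Returns human-readable problems; an empty list means the chain resolves end to end."""
    root = root.resolve()
    problems = []
    for here, nxt in zip(chain, chain[1:]):
        src = root / here
        if not src.is_file():
            problems.append(f"{here}: missing")
            continue
        links = relative_links(src)
        if (root / nxt).resolve() not in links:
            problems.append(f"{here}: no link to {nxt}")
        for link in links:
            if not link.is_file():
                problems.append(f"{here}: dangling link {os.path.relpath(link, root)}")
    return problems

def demo() -> tuple[list[str], list[str]]:
    """Constructed sample repo: the chain as it should be, then with the 'thread-model.md' typo."""
    chain = ("AGENTS.md", "SECURITY.md", "docs/security/threat-model.md")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs/security").mkdir(parents=True)
        (root / "AGENTS.md").write_text("Start with [SECURITY.md](SECURITY.md).\n")
        (root / "SECURITY.md").write_text("Threat model: [doc](docs/security/threat-model.md)\n")
        (root / "docs/security/threat-model.md").write_text("# Threat model\n")
        good = check_chain(root, chain)  # expected: []
        (root / "SECURITY.md").write_text("Threat model: [doc](docs/security/thread-model.md)\n")
        bad = check_chain(root, chain)  # expected: a "no link to" and a "dangling link" problem
    return good, bad
```

Run `check_chain(Path("."), chain)` from a repository root to apply the same check to a real docs tree.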
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.