potiuk commented on PR #3734: URL: https://github.com/apache/fory/pull/3734#issuecomment-4725027770
Both changes are fine — go for it. The scan agent doesn't care where the file physically lives; what it follows is the discoverability *chain*: AGENTS.md -> SECURITY.md -> the threat model. So moving the file under docs/security/ works as long as the pointer in SECURITY.md is updated to the new path. Since AGENTS.md already lists docs/security/deserialization.md as loadable guidance, adding the threat-model path there too is the natural home for it.

On the dedup: removing content that just restates deserialization.md is good hygiene — that doc can stay the authoritative source for the untrusted-deserialization boundary, and the threat model can reference it rather than duplicate it. The thing to keep in the threat model is the project-level framing the scan needs: what Fory considers in vs. out of scope, the trust boundaries and user roles, and the known false-positives — i.e. the parts deserialization.md doesn't already cover.

One tiny thing: the path you wrote is "thread-model.md" — I'm assuming that's a typo for "threat-model.md". Whatever filename you settle on is fine, just keep SECURITY.md pointing at it.

Happy to update the PR to match once you've decided on the final layout, or you can push directly — either works.