Clarify threat model by highlighting trust boundaries

[MarkLodato]

Based on the conversation in #987 (comment) (@marksisson), we should consider updating Terminology and Threats pages to follow data flow diagrams conventions and in particular focus on trust boundaries. Right now, I see confusion about what constitutes a "package", who the threat actors are, and what we are protecting against. By talking specifically about trust boundaries, I think it could help people better understand. For example, a "package" is specifically something that crosses a trust boundary and we could define "publication" in these terms. (Others have also suggested DFDs and trust boundaries in the past.)

No major changes are necessary, just adding trust boundaries and being more rigorous about DFD entity types (data flow, data store, process, and actor). I don't think we need to stick to DFD symbols, so long as it's clear to readers.

Suggestions:

• I'd keep the top-level "supply chain model" diagram as-is. It's basically already a simplified data flow diagram. I don't think the added detail to make it a "true" DFD is worth the added complexity. (Namely a missing process between Producer/Source and between Package/Consumer.)
  • That said, we might want to make a "true" DFD version of that diagram with trust boundaries and missing processes added.
• Each of the individual sub-models---Source, Build, and Package---could have their own next-level-down DFD. We already have this for Build, but diagrams are missing for Source and Package.
• The build model should be updated to follow DFD conventions and make trust boundaries more explicit. I think that would help answer a lot of questions.
• The package model in particular could use a diagram, specifically to show the trust boundaries.

In case it's helpful, here's a crappy diagram I drew in that other thread: