Thank you very much for your review, Levente! See below for my answers to the points you raised.

On 2022-06-08 21:15, Levente Polyak wrote:
I'm not too sure we really want to mimic gpgv behavior. Validating all signatures sounds great in theory, but the only real security guarantee we can give with the current control mechanisms and options in makepkg is basically "source has any signature available in validpgpkeys".
As we have no constraints to specify a signature threshold, there is no way for makepkg to consider three, two or one available signature as more or less trustworthy. For instance a rogue maintainer can just distribute whatever they want using a single trusted signature which makepkg will happily consume. Hence the only guarantee we can provide currently is to have `any` signature instead of `all`.
While this is the case, this may lead to potential issues like "random" secondary signatures or potentially even old superseded keys that are still used as a multi signature which we don't actually wanna forcefully trust anymore.
Taking this into account, I'd suggest we go with an `any` approach instead of `all` for the time being. If makepkg ever gets finer trust control per source, such adjustments should be reflected here as well.
Having thought about this for a bit, I agree with your reasoning and have implemented the "any" logic, which I will post as an updated version of the patch.
I believe a better place in libmakepkg would be to move `set_difference` into `scripts/libmakepkg/util/util.sh.in` next to `in_array`, `is_array` and friends and hence make it an exposed util function.
Potentially naming it array instead of set would make sense for such a util function, like `array_diff` or `array_difference`.
Done. Note that due to the changed logic it is not a "set_difference" any more, but an "arrays_intersect" function because we need to check whether any of the fingerprints is also in validpgpkeys to find a valid signature.
+ local -n first=$1 + local -n second=$2 + local -n result=$3
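Review bot: the nameref names `first`, `second` and `result` are generic enough to collide with a caller's own variables, and bash refuses a nameref that resolves to itself (a circular name reference), so a caller holding the fingerprints in an array called `first` would break this helper; a function-specific prefix on all three names avoids that. With the helper now only answering whether any fingerprint is in validpgpkeys, the `result` output array is no longer needed and the function's return status can carry the answer instead.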
namerefs yield an error in bash if they are named the same as a variable in the caller scope. For all namerefs I would suggest to choose something very unique, possibly with an underscore prefix. I'd maybe go with something like `_first_diff_array`, `_result_diff_array` or similar vars.
The variables are now called _arrays_intersect_{first,second} to avoid naming collisions.

Best,
Jonas
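The `any` policy and the collision-safe `arrays_intersect` helper discussed in this thread, as an added bash example that is not the patch itself or makepkg's code; the `all` variant is included only for contrast, and the fingerprints are constructed, not real keys.

```bash
#!/usr/bin/env bash
# Added example, not makepkg's own code: "any valid signature" check built on
# an arrays_intersect helper whose namerefs carry a function-specific prefix.

# arrays_intersect NAME1 NAME2
# Returns 0 if the arrays named NAME1 and NAME2 share at least one element.
# The prefixed nameref names mean a caller that owns a variable called
# "first" or "second" does not hit bash's circular name reference error.
arrays_intersect() {
    local -n _arrays_intersect_first=$1
    local -n _arrays_intersect_second=$2
    local _a _b
    for _a in "${_arrays_intersect_first[@]}"; do
        for _b in "${_arrays_intersect_second[@]}"; do
            [[ $_a == "$_b" ]] && return 0
        done
    done
    return 1
}

# source_has_trusted_signature FPRS_NAME VALIDPGPKEYS_NAME
# The "any" policy from the thread: accept the source when at least one
# signing fingerprint is listed in validpgpkeys. No signatures means reject.
source_has_trusted_signature() {
    arrays_intersect "$1" "$2"
}

# source_has_all_trusted_signatures FPRS_NAME VALIDPGPKEYS_NAME
# The rejected "all" policy, for contrast: every signer must be trusted.
# An empty fingerprint list is rejected rather than vacuously accepted.
source_has_all_trusted_signatures() {
    local -n _all_sigs_fprs=$1
    local _f _one
    (( ${#_all_sigs_fprs[@]} > 0 )) || return 1
    for _f in "${_all_sigs_fprs[@]}"; do
        _one=("$_f")
        arrays_intersect _one "$2" || return 1
    done
    return 0
}

# Constructed sample data (placeholder fingerprints, not real keys): the
# tarball carries two signatures, only one signer is in validpgpkeys.
validpgpkeys=('0000000000000000000000000000000000000001'
              '0000000000000000000000000000000000000002')
signature_fprs=('0000000000000000000000000000000000000002'
                'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF')

source_has_trusted_signature signature_fprs validpgpkeys && echo "any: accepted"
source_has_all_trusted_signatures signature_fprs validpgpkeys || echo "all: rejected"
```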