Add maintainer trust system

.travis.yml

@@ -1,5 +1,7 @@
-language: bash
+language: rust
 before_install:
 - wget -c https://goo.gl/ZzKHFv -O - | tar -xvJ -C /tmp/
 - PATH="/tmp/shellcheck-latest:$PATH"
-script: shellcheck $(grep -rl '^#!.*[ /]bash$' .)
+script: |
+  shellcheck $(grep -rl '^#!.*[ /]bash$' .)
+  (cd trust-check && cargo test)

README.md

@@ -7,6 +7,8 @@ An Arch Linux AUR tool for managing an auto-updating local 'aurto' package repos
 - Automatic on startup & hourly update of aur packages in the ***aurto*** repo.
 - Automatic daily update of `*-git` packages in the ***aurto*** repo.
 - Uses _makechrootpkg_ to build packages isolated from the main system.
+- Automatic removal of packages no longer in the AUR from the ***aurto*** repo.
+- Automatic removal of packages with unknown/distrusted maintainers from the ***aurto*** repo.
 
 # Install
 From a plain Arch install, first install **aurutils** from the aur (skip if already installed).
@@ -55,14 +57,38 @@ Add a directory full of built packages to the ***aurto*** repo
 aurto addpkg $(find /path/to/packages/*pkg.tar*)
 ```
 
+Show repo-less installed packages, these may have not been added to ***aurto*** yet or may have been automatically dropped from ***aurto*** because of maintainer change or removal from the AUR.
+```sh
+pacman -Qm
+```
+
 Rebuild all orphans packages into the ***aurto*** repo
 ```sh
 aurto add $(pacman -Qqm)
 ```
 
+# Maintainer Trust
+**aurto** uses a system of maintainer trust for limited security. On adding packages with unknown maintainers you'll be asked whether you want to trust these maintainers.
+```
+$ aurto add spotify
+aurto: Trust maintainer(s): AWhetter? [y/N]
+```
+If not the package will _not_ be added to the ***aurto*** repo.
+
+If any ***aurto*** repo packages changes maintainer to an unknown maintainer they will be removed from the ***aurto*** repo on the next _update-aurto_ run. A warning will appear in the _update-aurto_ logs
+```
+WARNING: Packages with unknown maintainers removed from aurto, ...
+```
+If desired such packages can be re-added and the new maintainer added to the local trusted users.
+
+Local trusted users are stored in `/etc/aurto/trusted-users` initially populated with the [Arch Linux Trusted Users](https://wiki.archlinux.org/index.php/Trusted_Users#Active_Trusted_Users) & me.
+
+Clear `/etc/aurto/trusted-users` to trust no-one.<br/>
+Remove `/etc/aurto/trusted-users` to trust everyone.
+
 # Limitations & Security
-aurto automatically builds and regularly re-builds updated remote code from the aur.
+**aurto** automatically builds and regularly re-builds updated remote code from the aur.
 Code is _built_ in a clean chroot, but presumably will eventually be installed to your system.
-Only add aur packages from maintainers you trust.
+Take care trusting maintainers.
 
-aurto is for simple folk's simple needs. If it can't do what you want uninstall & use [aurutils](https://github.com/AladW/aurutils) directly.
+If aurto can't do what you want use [aurutils](https://github.com/AladW/aurutils) directly.

bin/aurto

@@ -19,19 +19,63 @@ source "$lib_dir/shared-functions"
 
 function aurto_sync { sudo pacsync aurto >/dev/null; }
 
+function check_new_package_trust {
+  local mistrust
+  local not_in_aur
+  local mistrusted_users
+
+  if [ -f /etc/aurto/trusted-users ]; then
+    echo "aurto: Checking maintainer trust..." >&2
+  else
+    echo "aurto: Checking maintainer trust... $(dim disabled)" >&2
+  fi
+
+  mistrust=$("$lib_dir"/trust-check "${@:1}")
+  if [ -z "$mistrust" ]; then
+    if [ -f /etc/aurto/trusted-users ]; then
+      rm_last_print
+      echo "aurto: Checking maintainer trust... $(green ✓)" >&2
+    fi
+  else
+    not_in_aur=$(not_in_aur_packages "$mistrust")
+    if [ ! -z "$not_in_aur" ]; then
+      rm_last_print
+      echo "aurto: Package not in AUR: $(yellow "$not_in_aur")" >&2
+      exit 1
+    fi
+
+    mistrusted_users=$(new_line_to_space_separated_unique "$(echo "$mistrust" | cut -d: -f2)")
+    rm_last_print
+    echo -n "aurto: Trust maintainer(s): $(bold "$mistrusted_users")? [y/N] " >&2
+    read -n 1 -r
+    echo
+    if [[ $REPLY =~ ^[Yy]$ ]]; then
+      echo "aurto: Adding $(bold "$mistrusted_users") >> /etc/aurto/trusted-users" >&2
+      # shellcheck disable=SC2001
+      echo "$mistrusted_users" | sed -e 's/ /\n/g' >> /etc/aurto/trusted-users
+    else
+      exit 1
+    fi
+  fi
+}
+
 if [ "$command" == "add" ] && [ -n "$arg1" ]; then
+  check_new_package_trust "${@:2}"
   aurto_sync
   echo "aurto: Running: $(dim aursync --no-view --no-confirm --chroot --repo=aurto) $(cyan "${*:2}")" >&2
   "$lib_dir"/summerize-build aursync --no-view --no-confirm --chroot --repo=aurto "${@:2}"
   aurto_sync
   echo -e "aurto: To install run: $(green pacman -Syu) $(cyan "${*:2}")" >&2
+
 elif [ "$command" == "addpkg" ] && [ -n "$arg1" ]; then
+  check_new_package_trust "${@:2}"
   echo "aurto: Running: $(dim repo-add /var/cache/pacman/aurto/aurto.db.tar) $(cyan "${*:2}")" >&2
-  repo-add /var/cache/pacman/aurto/aurto.db.tar "${@:2}"
+  "$lib_dir"/summerize-build repo-add /var/cache/pacman/aurto/aurto.db.tar "${@:2}"
   for pkg in "${@:2}"; do
     cp "$pkg" /var/cache/pacman/aurto/
   done
   aurto_sync
+
 elif [ "$command" == "remove" ] && [ -n "$arg1" ]; then
   removed=""
   for pkg in "${@:2}"; do
@@ -47,6 +91,7 @@ elif [ "$command" == "remove" ] && [ -n "$arg1" ]; then
     echo -e "aurto: Removed $(cyan "$removed")" >&2
     aurto_sync
   fi
+
 else
   echo "$(bold aurto) v$version: simple management tool for the 'aurto' repository"
   echo "  Usage: $(green aurto add)|$(green addpkg)|$(green remove) $(cyan PACKAGES...)"

lib/aurto/default-trusted-users.txt

@@ -0,0 +1,49 @@
+alad
+alexheretic
+alucryd
+Ambrevar
+anatolik
+andrewSC
+anthraxx
+arcanis
+arojas
+Barthalion
+BlackIkeEagle
+Bluewind
+City-busz
+coderobe
+ConnorBehan
+lfleischer
+eworm
+Dragonlord
+dvzrv
+eschwartz
+escondida
+farseerfc
+felixonmars
+Foxboron
+foxxx0
+giniu
+grazzolini
+heftig
+jelly
+jleclanche
+jsteel
+keenerd
+Kyrias
+Lordheavy
+mtorromeo
+Muflone
+NicoHood
+schivmeister
+schuay
+seblu
+sergej
+shibumi
+stativ
+svenstaro
+tensor5
+wild
+Xyne
+xyproto
+zorun

lib/aurto/shared-functions

@@ -4,6 +4,7 @@ if test -t 1; then
   function green { echo -e "\\e[32m$*\\e[39m"; }
   function cyan { echo -e "\\e[36m$*\\e[39m"; }
   function red { echo -e "\\e[31m$*\\e[39m"; }
+  function yellow { echo -e "\\e[33m$*\\e[39m"; }
   function dim { echo -e "\\e[2m$*\\e[22m"; }
   function rm_last_print {
     printf "\\033[1A"  # move cursor one line up
@@ -14,6 +15,7 @@ else
   function green { bold "$@"; }
   function cyan { bold "$@"; }
   function red { bold "$@"; }
+  function yellow { bold "$@"; }
   function dim { bold "$@"; }
   function rm_last_print { return; }
 fi
@@ -22,3 +24,29 @@ fi
 function last_pkg_modify {
   stat /var/cache/pacman/aurto/*.pkg.tar* -c '%Y' 2>/dev/null | sort | tail -n1 | tr -d '\n'
 }
+
+## Takes '\n' separated things and returns a ' ' separated unique sequence (no empties)
+function new_line_to_space_separated_unique {
+  local space_sep=""
+
+  while read -r line; do
+    if [ ! -z "$line" ] && [[ $space_sep != *" $line "* ]]; then
+      space_sep="$space_sep $line "
+    fi
+  done <<< "$1"
+
+  echo "$space_sep" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | tr -s ' '
+}
+
+## Works on trust-check output returning packages that are not/no longer in AUR
+function not_in_aur_packages {
+  local packages=""
+
+  while read -r line; do
+    if [ ! -z "$line" ] && [[ $line = *"::not-in-aur"* ]]; then
+      packages="$packages $(echo "$line" | cut -d':' -f1)"
+    fi
+  done <<< "$1"
+
+  echo "$packages" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | tr -s ' '
+}

lib/aurto/update-aurto

@@ -20,6 +20,39 @@ fi
 
 pacsync aurto >/dev/null || true
 
+## Check trust
+## - remove packages no longer in the AUR
+## - remove packages with maintainers lacking trust
+if [ -f /etc/aurto/trusted-users ]; then
+  echo "aurto: Checking maintainer trust..." >&2
+else
+  echo "aurto: Checking maintainer trust... $(dim disabled)" >&2
+fi
+# shellcheck disable=SC2046
+mistrust=$("$lib_dir"/trust-check $(pacman -Slq aurto))
+if [ -z "$mistrust" ]; then
+  if [ -f /etc/aurto/trusted-users ]; then
+    rm_last_print
+    echo "Checking maintainer trust... $(green ✓)" >&2
+  fi
+else
+  not_in_aur=$(not_in_aur_packages "$mistrust")
+  mistrusted_pkgs=$(new_line_to_space_separated_unique "$(echo "$mistrust" | grep -v '::' | cut -d: -f1)")
+
+  if [ ! -z "$not_in_aur" ]; then
+    rm_last_print
+    # shellcheck disable=SC2086
+    aurto remove $not_in_aur
+    echo "$(yellow WARNING:) Packages no longer in AUR removed from aurto: $(yellow "$not_in_aur")" >&2
+  fi
+  if [ ! -z "$mistrusted_pkgs" ]; then
+    # shellcheck disable=SC2086
+    aurto remove $mistrusted_pkgs
+    echo -n "$(yellow WARNING:) Packages with unknown maintainers removed from aurto, " >&2
+    echo "re-add with: $(green aurto add) $(cyan "$mistrusted_pkgs")" >&2
+  fi
+fi
+
 modify=$(last_pkg_modify)
 
 echo "Running: aursync --no-view --no-confirm --repo aurto --chroot --update" >&2

makefile

@@ -3,12 +3,15 @@ PREFIX = /usr
 all:
 	@rm -rf target
 
+	@(cd trust-check && cargo build --release && strip target/release/trust-check)
+
 	@install -D conf/aurto.pacman.conf target/etc/pacman.d/aurto
 	@install -Dm440 conf/50_aurto_passwordless -t target/etc/sudoers.d
 	@chmod 750 target/etc/sudoers.d
 
 	@install -D bin/* -t target$(PREFIX)/bin
 	@install -D lib/aurto/* -t target$(PREFIX)/lib/aurto
+	@install trust-check/target/release/trust-check -t target$(PREFIX)/lib/aurto
 	@install -D timer/* -t target$(PREFIX)/lib/systemd/system
 
 	@install -D completion/bash/aurto target$(PREFIX)/share/bash-completion/completions/aurto

makelocalaur

@@ -2,8 +2,10 @@
 set -eu
 script_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
+rm -rf "$script_dir"/*-999-*pkg*
+
 cd "$script_dir"/..
-tar zcf aurto-git.tar.gz -C "$script_dir" .
+tar zcf aurto-git.tar.gz --exclude='./target' --exclude='./trust-check/target' -C "$script_dir" .
 mv aurto-git.tar.gz "$script_dir"/aur
 cd "$script_dir"/aur
 

makelocalaur.PKGBUILD

@@ -11,9 +11,10 @@ depends=('aurutils<1.6.0'
          'devtools'
          'systemd'
          'pacutils'
-         'pacman-contrib')
+         'pacman-contrib'
+         'curl')
 optdepends=()
-makedepends=()
+makedepends=('cargo')
 install="aurto.install"
 source=("aurto-git.tar.gz")
 sha256sums=('eb94c0a2920ddea570621da7326f3d60c30401e8c42073b5b3ed3b1216c1ce4b')

trust-check/.gitignore

@@ -0,0 +1,2 @@
+/target/
+**/*.rs.bk