
chore: backport commit from develop#151

Merged
SequeI merged 1 commit into
release-1.3from
backport
Nov 21, 2025

Conversation


@SequeI SequeI commented Nov 21, 2025

PR Type

Enhancement


Description

  • Add permission setting for public repository files

  • Set 644 permissions on all files in output directory

  • Add diagnostic listing of repository structure


Diagram Walkthrough

flowchart LR
  A["Delete files"] --> B["Set 644 permissions"]
  B --> C["List directory structure"]
  C --> D["Copy to final location"]

File Walkthrough

Relevant files
Enhancement
tuf-repo-init.sh
Add file permissions and diagnostic output                             

rhtas/tuf-repo-init.sh

  • Add chmod 644 command to set read permissions on all public repository
    files
  • Add find command to recursively apply permissions in output directory
  • Add diagnostic ls -Rla command to display repository structure
  • Insert permission setup between file deletion and repository copy
    steps
+5/-0     

Signed-off-by: SequeI <asiek@redhat.com>

sourcery-ai Bot commented Nov 21, 2025


Reviewer's Guide

This PR updates the TUF repository initialization script to normalize file permissions for generated repository artifacts and add a temporary debug listing after permissions are set.

File-Level Changes

Change: Normalize permissions of generated repository files and add a recursive directory listing for verification/debugging.
Details:
  • After repository creation, set all regular files under the output directory to mode 644 using find and chmod.
  • Print a message indicating that file permissions are being set on public repository files.
  • Run a recursive long-format listing (ls -Rla) of the output directory after permissions are applied, likely for debugging or verification purposes.
Files: rhtas/tuf-repo-init.sh


@qodo-code-review

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Insecure file permissions

Description: Recursively forcing mode 0644 on all files in ${OUTDIR} may strip execute bits from
required executables/scripts and overly relax permissions on sensitive files (e.g.,
private keys), potentially breaking integrity checks or exposing data; use targeted chmod
(e.g., only public metadata) and preserve intended modes.
tuf-repo-init.sh [316-318]

Referred Code
echo "Setting 644 permissions on public repository files..."
find "${OUTDIR}" -type f -exec chmod 644 {} +
Information disclosure

Description: Running ls -Rla "${OUTDIR}" can leak sensitive directory and file names and permission
details into logs, which may aid attackers in mapping repository structure; restrict or
remove verbose listing in production logs.
tuf-repo-init.sh [319-320]

Referred Code
# test
ls -Rla "${OUTDIR}"
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
🟢 No codebase code duplication found. No new components were introduced in the PR code.
Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Incomplete auditing: The script performs critical actions (chmod on repository files and directory listing)
without emitting structured audit logs that capture user identity, timestamps, action
descriptions, and outcomes.

Referred Code
echo "Setting 644 permissions on public repository files..."
find "${OUTDIR}" -type f -exec chmod 644 {} +

# test
ls -Rla "${OUTDIR}"


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Missing error handling: The new commands (find -exec chmod and ls -Rla) lack error checking or fallback handling,
so failures would pass silently without actionable context.

Referred Code
echo "Setting 644 permissions on public repository files..."
find "${OUTDIR}" -type f -exec chmod 644 {} +

# test
ls -Rla "${OUTDIR}"


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status:
Potential info leak: The diagnostic ls -Rla of the output directory may expose internal repository structure
and file names to standard output, which could be user-facing in some environments.

Referred Code
# test
ls -Rla "${OUTDIR}"


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
Unstructured logs: The added echo and ls output are unstructured and may include sensitive filenames or
paths, reducing auditability and risking information exposure.

Referred Code
echo "Setting 644 permissions on public repository files..."
find "${OUTDIR}" -type f -exec chmod 644 {} +

# test
ls -Rla "${OUTDIR}"


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Broad permissions change: Applying chmod 644 recursively to all files under OUTDIR without validation may alter
required executable or restrictive bits, potentially weakening security or breaking
execution.

Referred Code
echo "Setting 644 permissions on public repository files..."
find "${OUTDIR}" -type f -exec chmod 644 {} +


Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label


@sourcery-ai sourcery-ai Bot left a comment


Hey there - I've reviewed your changes and found some issues that need to be addressed.

  • If chmod or find fails, the script currently continues silently; consider adding error handling or set -e-style behavior around the permission-setting step to fail fast on unexpected issues.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- If `chmod` or `find` fails, the script currently continues silently; consider adding error handling or `set -e`-style behavior around the permission-setting step to fail fast on unexpected issues.

## Individual Comments

### Comment 1
<location> `rhtas/tuf-repo-init.sh:316-317` </location>
<code_context>
     rm -- "$file"
 done

+echo "Setting 644 permissions on public repository files..."
+find "${OUTDIR}" -type f -exec chmod 644 {} +
+
+# test
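Review bot: the `find "${OUTDIR}" -type f -exec chmod 644 {} +` line walks every regular file under `${OUTDIR}`, not only the public files the echo message names, so any key material or executable kept under the same tree ends up world-readable and non-executable; scope the find to the directory that actually holds the published files, or add `-path`/`-prune` exclusions for anything that must keep a restrictive mode. The `+# test` comment marks the diagnostics that follow as temporary, so either drop them before merge or replace them with a listing limited to the public files. Neither a `find` nor a `chmod` failure stops the script at this point; add `|| exit 1` to the find line (or run the step under `set -e`) so a partial permission change cannot be copied onward as if it had succeeded.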
</code_context>

<issue_to_address>
**🚨 issue (security):** Applying 644 to all files in OUTDIR may unintentionally weaken or change permissions on sensitive or executable files.

This `find "${OUTDIR}" -type f -exec chmod 644 {} +` treats all files as public, non-executable. If `OUTDIR` ever holds secrets (keys, internal data) or executables, this will silently relax or change their permissions. Consider limiting this to a known public subdirectory, only specific file types that must be public, or explicitly excluding sensitive paths/files.
</issue_to_address>

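The scoped, fail-fast version of this step that the review comment above asks for, combined with the structured audit line and the narrower directory listing the compliance checks call for, as an added example that is not code from this PR or from rhtas/tuf-repo-init.sh. It assumes a hypothetical layout in which published metadata and targets sit under `$OUTDIR/repository` and signing keys under `$OUTDIR/keys` (the PR does not show the real layout), and the function names are the example's own.

```shell
#!/bin/sh
# Added example for the permission-setting step discussed in this review; it is
# not code from rhtas/tuf-repo-init.sh or the RHTAS project. Layout assumed here
# (hypothetical, the PR does not show it): published metadata and targets live
# under "$OUTDIR/repository", signing keys under "$OUTDIR/keys".
set -e

# mode_of FILE: symbolic mode string such as -rw-r--r-- (portable, no GNU stat).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# audit EVENT KEY=VALUE...: one structured line per action, written to stderr so
# it does not mix with the script's normal output.
audit() {
    printf 'audit ts=%s user=%s event=%s' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$1" >&2
    shift
    for kv in "$@"; do printf ' %s' "$kv" >&2; done
    printf '\n' >&2
}

# set_public_perms OUTDIR: 0644 only on regular files under the public tree.
# Returns non-zero (instead of continuing silently) when the public directory is
# missing or chmod fails, and never touches "$OUTDIR/keys".
set_public_perms() {
    outdir=$1
    pubdir="$outdir/repository"
    if [ ! -d "$pubdir" ]; then
        audit chmod-public "dir=$pubdir" result=missing-public-dir
        return 1
    fi
    count=$(find "$pubdir" -type f | wc -l | tr -d ' ')
    if ! find "$pubdir" -type f -exec chmod 644 {} +; then
        audit chmod-public "dir=$pubdir" result=chmod-failed
        return 1
    fi
    audit chmod-public "dir=$pubdir" "files=$count" mode=0644 result=ok
}

# keys_are_private OUTDIR: succeed only if no file under the keys directory is
# readable, writable or executable by group or other (POSIX -perm -mode tests).
keys_are_private() {
    keydir="$1/keys"
    [ -d "$keydir" ] || return 0
    leaked=$(find "$keydir" -type f \( -perm -g+r -o -perm -g+w -o -perm -g+x \
        -o -perm -o+r -o -perm -o+w -o -perm -o+x \) | wc -l | tr -d ' ')
    [ "$leaked" -eq 0 ]
}

# list_public_modes OUTDIR: narrower replacement for `ls -Rla "$OUTDIR"`; prints
# "mode relative-path" for public files only, so key file names never reach logs.
list_public_modes() {
    find "$1/repository" -type f | while IFS= read -r f; do
        printf '%s %s\n' "$(mode_of "$f")" "${f#"$1/"}"
    done
}

# Constructed demo tree (not a real TUF repository).
demo=$(mktemp -d)
mkdir -p "$demo/repository/targets" "$demo/keys"
printf '{}' > "$demo/repository/root.json"
printf 'payload' > "$demo/repository/targets/app.tar"
chmod 600 "$demo/repository/root.json"   # wrong mode that the publish step must fix
printf 'PRIVATE KEY' > "$demo/keys/root.pem"
chmod 600 "$demo/keys/root.pem"          # must stay 0600 after the public chmod
set_public_perms "$demo"
keys_are_private "$demo"
list_public_modes "$demo"
rm -rf "$demo"
```

The `-perm -g+r`-style tests are the POSIX form, so the key check works with both GNU and BSD find; `keys_are_private` is meant to run right after `set_public_perms` as a guard before the copy-to-final-location step, so an accidental widening of the chmod scope fails the build instead of shipping.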

Comment thread rhtas/tuf-repo-init.sh
@qodo-code-review

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Security
Suggestion: Avoid exposing private keys

To avoid exposing private keys, scope the chmod 644 command to a specific
subdirectory containing only public repository files, such as
${OUTDIR}/repository, instead of applying it to the entire ${OUTDIR}.

rhtas/tuf-repo-init.sh [316-317]

 echo "Setting 644 permissions on public repository files..."
-find "${OUTDIR}" -type f -exec chmod 644 {} +
+if [ -d "${OUTDIR}/repository" ]; then
+  find "${OUTDIR}/repository" -type f -exec chmod 644 {} +
+else
+  echo "Warning: 'repository' directory not found in ${OUTDIR}. Skipping public permissions setup."
+fi
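Review bot: `${OUTDIR}/repository` is a path this suggestion assumes; nothing in the PR shows that subdirectory, so confirm the script's actual output layout before applying it, or the `-d` test will always take the else branch. That else branch only prints a warning and continues, so a renamed or missing public directory leaves the published files with whatever mode they had while the script still exits successfully; for a release script, `exit 1` (or at least a distinct return status) there is safer. The `find "${OUTDIR}/repository" -type f -exec chmod 644 {} +` inside the `if` still carries no failure check, so the fail-fast point from the overall comments applies to this version too.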
Suggestion importance[1-10]: 10


Why: The suggestion correctly identifies a critical security vulnerability where applying 644 permissions to the entire ${OUTDIR} could expose private TUF keys, and it proposes a much safer, more targeted approach.

Impact: High

@SequeI SequeI merged commit b6599e5 into release-1.3 Nov 21, 2025
14 checks passed