Kicksecure · assisted-by-ai · Apr 1, 2026
diff --git a/derivative-maker b/derivative-maker
@@ -3,6 +3,9 @@
 ## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
+## Comments for reviewers:
+## Verbose logs (set -x) are preferred for build debugging.
+## Secret leak prevention in CI must be handled at the CI/environment level, not by disabling trace output.
 set -x
 set -e
 

diff --git a/help-steps/pre b/help-steps/pre
@@ -176,6 +176,8 @@ exit code $interactive_chroot_shell_bash_exit_code, cleanup and exit as requeste
 }
 
 exception_handler_retry() {
+   ## Comments for reviewers:
+   ## threat model: command line is considered trusted in derivative-maker.
    if [ ! "$dist_build_dispatch_before_retry" = "" ]; then
       $output_cmd "${cyan}${bold}INFO: dispatch before retry (--retry-before)...: $dist_build_dispatch_before_retry ${reset}"
       dist_build_dispatch_before_retry_exit_code="0"

diff --git a/help-steps/variables b/help-steps/variables
@@ -791,6 +791,8 @@ set_default_variable() {
 
   if [ -z "${!var_name:-}" ]; then
     #printf "%s\n" "INFO: Variable '$var_name' is already set? No. - Setting: $var_name='$var_content'"
+    ## Comments for reviewers:
+    ## threat model: command line is considered trusted in derivative-maker.
     eval "$var_name='$var_content'"
     return 0
   fi
@@ -913,6 +915,8 @@ fi
 
 ## {{{ buildconfig.d
 
+## Comments for reviewers:
+## threat model: files on the file system are considered trusted.
 [ -n "$dist_build_config_dirs" ] || dist_build_config_dirs="${source_code_folder_dist}/buildconfig.d /etc/buildconfig-dist.d ../buildconfig.d"
 
 dist_build_source_config_dir() {