Jason Chu wrote:
Note of warning!! Do not use these scripts on any PKGBUILDs you don't trust! They source every PKGBUILD to obtain the information - if a single PKGBUILD has rm -rf ~ you'd lose your home directory. You've been warned. ;) (of course you could run it in a sandbox as well, but yeah.)
The new way I parse PKGBUILDs in namcap really rocks for not trusting PKGBUILDs. Apparently bash has a --restricted mode. You have to override the PATH variable to make sure they can't execute any commands, but that's about it.
http://projects.archlinux.org/git/?p=namcap.git;a=blob;f=parsepkgbuild;h=68a...
This script basically outputs a PKGBUILD in db format.
Are you sure 'source $1' works with --restricted mode? it doesn't for me. If you wanted to be really paranoid you could use TMPDIR=$(mktemp -d /tmp/parsepkgbuild.XXXXXX) PKGBUILD=$(readlink -f "$1") cd "$TMPDIR" # Start a bash shell with a clean environment. env -i \ TERM=$TERM HOME=$TMPDIR PATH=$TMPDIR \ CARCH=$CARCH PKGBUILD=$PKGBUILD \ /bin/bash --noprofile --norc << EOF # Make PATH readonly to stop the PKGBUILD from changing it readonly PATH source "$PKGBUILD" ... EOF Andrew