Hello,

On Sun, May 09, 2010 at 12:06:34PM -0400, Loui Chang wrote:
> On Sun 09 May 2010 16:21 +0200, Xavier Chantry wrote:
> > On Sun, May 9, 2010 at 2:44 PM, Allan McRae <allan@archlinux.org> wrote:
> > > Sourcing is dangerous if the PKGBUILD is from an untrusted source. It also fails with package splitting...
> >
> > But I just had an idea now, if we're thinking about the AUR use case: makepkg --source could generate a suitable and parsable file providing all the information that the AUR needs, and ship it next to the PKGBUILD in the source tarball. Does that sound crazy? This would not fix the problem now, but it could fix it eventually, when most PKGBUILDs are re-submitted. Or this parsable file could be generated for all PKGBUILDs in a row, just for the conversion, in a chroot/jail on a machine not in production.
>
> Yeah, I've thought about this as well. Source packages could have a similar format as binary packages, with a .PKGINFO file to present the metadata in an easily parsable format.

The idea of a separate file only for parsing metadata is pretty good. The functions are not needed for the metainformation of the src.tar.gz. In pkgman I cut the functions out of the PKGBUILD and source only the remaining variables:

    # get rid of all functions (from first appearing function to EOF) and empty lines in $_BuildScript
    sed -i -e "/[[:space:]]*()[[:space:]]*[^}]/,$ d" \
           -e "/^[[:space:]]*pkgname=/,$ { /^$/d; }" ${__TMPPKGBUILD}
    bash -n ${__TMPPKGBUILD} && source ${__TMPPKGBUILD} && rm --force ${__TMPPKGBUILD} || error "blablabla"

Sure, if one is really malevolent, he can add a var like "_iamevil=$(rm -fr ${HOME})". But this is a common sourcing problem which one has with all scripting languages. The problem with additional files is the one Debian has. The control.tar.gz in Debian packages contains multiple files, which provide almost no information. So most of these files are useless. But I think this is not intended in Arch. However, Xyne made a function-based information parser, which I actually didn't understand. It would be nice if Xyne could explain his ideas in more detail and give some hints on how to use it with bash.

> You can read some of my incomplete brainstormings here:
> http://louipc.mine.nu/arch/%5BRFC%5D-PKGINFO-in-srctargz
--
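As an added illustration of the "parse, don't source" idea discussed in this thread (this is not pkgman's, makepkg's or Xyne's code): a small Python extractor that reads only the assignments above the first function, never evaluates them, reports values that would run a command if sourced (the "_iamevil" case), and renders the rest as .PKGINFO-style lines. The sample PKGBUILD is constructed for the example.

```python
import re
import shlex

# Constructed sample PKGBUILD; the _iamevil line is what sourcing would execute.
SAMPLE_PKGBUILD = """\
pkgname=example
pkgdesc="An example package"
arch=('i686' 'x86_64')
depends=('glibc'
         'zlib>=1.2')
_iamevil=$(rm -fr ${HOME})
build() {
  cd "$srcdir/$pkgname-$pkgver"
}
"""

ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)=(.*)$')
FUNC_RE = re.compile(r'^\s*\w+\s*\(\)')
UNSAFE_RE = re.compile(r'\$\(|`|[<>]\(')   # command / process substitution

def parse_pkgbuild(text):
    """Read simple assignments above the first function without executing
    anything. Returns (variables, unsafe): name -> words, and unsafe names."""
    variables, unsafe = {}, []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if FUNC_RE.match(line):
            break                      # metadata lives above the functions
        m = ASSIGN_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            # pull in continuation lines of an array that is still open
            while value.startswith('(') and ')' not in value and i + 1 < len(lines):
                i += 1
                value += ' ' + lines[i].strip()
            if UNSAFE_RE.search(value):
                unsafe.append(name)    # report it, never evaluate it
            else:
                if value.startswith('(') and value.endswith(')'):
                    value = value[1:-1]
                variables[name] = shlex.split(value)  # $var stays literal
        i += 1
    return variables, unsafe

def to_pkginfo(variables):
    """Render metadata as 'key = value' lines, one per word; private _vars are skipped."""
    return "\n".join(f"{n} = {w}" for n, ws in variables.items()
                     if not n.startswith('_') for w in ws)
```

Parameter references such as $pkgname are kept as literal text rather than expanded, so the output is only as complete as the assignments written out in the PKGBUILD.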