Roman Kyrylych wrote:
2007/10/3, Paul Mattal <paul@mattal.com>:
As usual, report all problems here.
Found a bug in the parser. See http://aur.archlinux.org/packages/cheese/cheese/PKGBUILD and how depends are parsed on http://aur.archlinux.org/packages.php?do_Details=1&ID=11879
Can't we use parsepkgbuild from namcap2? See http://projects.archlinux.org/git/?p=namcap.git;a=blob;f=parsepkgbuild;h=68a... This way the PKGBUILD is parsed by bash and the resulting output is much easier to parse with PHP or Python.
At least the last time we looked into parsing PKGBUILDs with bash, we decided we couldn't do this for unsupported, since the provenance of the bash script is completely unknown. An attacker could write evil bash, simply create an account, upload it, and he's run arbitrary bash on the server. This is why we intentionally did not parse PKGBUILDs using bash, though I really really wanted to. I do, in fact, parse them with bash in the tupkgupdate script, but those are only trusted PKGBUILDs checked into cvs. - P
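As an added illustration of the approach Paul describes, parsing an untrusted PKGBUILD without handing it to bash (example code, not from the thread, namcap or the AUR codebase): a small Python lexer that extracts scalar assignments and arrays such as depends, and refuses any assignment whose value would require bash to evaluate. The sample PKGBUILD text is constructed.

```python
import re
import shlex

# Constructed sample PKGBUILD fragment (not the cheese PKGBUILD from the thread).
SAMPLE_PKGBUILD = """\
pkgname=example
pkgver=1.0
pkgrel=1
depends=('gtk2>=2.12' "gstreamer0.10"
         'libgnomeui')
makedepends=(intltool $(echo pkgconfig))
"""

# NAME=VALUE at the start of a line; an array VALUE starting with '(' may
# continue over the following lines and is joined by the caller.
ASSIGN_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$')
# Command substitution, backticks and variable expansion: none of these can be
# resolved without running the file, so such assignments are reported, not run.
DANGEROUS_RE = re.compile(r'\$\(|`|\$\{?[A-Za-z_]')


def parse_pkgbuild(text):
    """Return (variables, skipped): variables maps a name to a string or a list
    of strings; skipped lists names whose values would need bash to evaluate."""
    variables, skipped = {}, []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        match = ASSIGN_RE.match(lines[i])
        i += 1
        if not match:
            continue  # function bodies, comments, blank lines
        name, value = match.group(1), match.group(2)
        is_array = value.startswith('(')
        if is_array:
            # Gather continuation lines until the closing parenthesis.
            while ')' not in value and i < len(lines):
                value += ' ' + lines[i]
                i += 1
            value = value[1:value.rfind(')')]
        if DANGEROUS_RE.search(value):
            skipped.append(name)
            continue
        # shlex honours bash-style quoting but performs no expansion at all.
        words = shlex.split(value)
        variables[name] = words if is_array else (words[0] if words else '')
    return variables, skipped
```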