On Wed, Jun 11, 2008 at 2:25 AM, Cilyan Olowen <gaknar@gmail.com> wrote:
Is it really such hard work to parse PKGBUILD and simulate a bash behaviour only on variables preceding the build() function? The parser needs to be able to:
- affect and replace variables
- support arrays
- support the simple ${x//find/replace} syntax
- what else?

If this can be tedious with PHP, is it that difficult to realize in Python?

It's not that it's tedious in PHP, it would be equally tedious and difficult in any other language to write something to parse bash as nicely as bash does. At this point, although the bash parser works and there's no way for any really malicious stuff to happen, this is really only a good solution on a local machine; that's why namcap is fine with it. There's nothing stopping a user from, say, embedding an infinite loop which would be evaluated by the server, or at the very least listing any files in the FS (thanks to the globbing). It's not bad, but it's more than enough to stop its use on a server.

I think at this point we'll just have to write a better parser for pkgbuilds than what we have now (we really need to, the current one is pretty wishy-washy and it amazes me how long it's stood up).

--
Callan Barrett
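
Added example, not part of the original thread and not code from either poster or from namcap: a Python sketch of the restricted parser discussed above, reading only the assignments before build() with variables, arrays and ${x//find/replace}, and never handing the text to bash. The names `parse_pkgbuild`, `UnsupportedSyntax` and `SAMPLE` are hypothetical, and the choice to reject every line that is not a plain assignment (and words that mix quoting styles) is an assumption of this sketch.

```python
import re
import shlex

ASSIGN = re.compile(r"^([A-Za-z_]\w*)=(.*)$")
EXPAND = re.compile(r"\$\{(\w+)(?://([^/}]*)/([^}]*))?\}|\$(\w+)")
class UnsupportedSyntax(ValueError):
    """Anything beyond plain assignments using $x, ${x} or ${x//a/b}."""

def _word(tok, env):
    if len(tok) >= 2 and tok[0] == tok[-1] == "'":
        return tok[1:-1]                       # single quotes: literal text
    if len(tok) >= 2 and tok[0] == tok[-1] == '"':
        tok = tok[1:-1]
    if re.search(r"[$`]", EXPAND.sub("", tok)):
        raise UnsupportedSyntax(tok)           # $(cmd), `cmd`, ${x:-y}, ...
    def sub(m):
        value = env.get(m.group(1) or m.group(4), "")
        value = "".join(value[:1]) if isinstance(value, list) else value
        return value.replace(m.group(2), m.group(3)) if m.group(2) else value
    return EXPAND.sub(sub, tok)                # '*' stays a literal: no globbing

def parse_pkgbuild(text):
    env, lines = {}, iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"build\s*\(\)", line):
            break                              # function bodies are never read
        m = ASSIGN.match(line)
        if not m:
            raise UnsupportedSyntax(line)      # loops, commands, pipelines
        name, raw = m.groups()
        is_array = raw.startswith("(")
        while is_array and ")" not in raw:     # array spanning several lines
            raw += "\n" + next(lines, ")")
        body = raw[1:raw.rindex(")")] if is_array else raw
        words = [_word(t, env) for t in shlex.split(body, comments=True, posix=False)]
        if not is_array and len(words) > 1:
            raise UnsupportedSyntax(line)
        env[name] = words if is_array else "".join(words)
    return env

SAMPLE = """# constructed sample, not a real package
pkgver=1.2_rc1
source=("http://example.org/foo-${pkgver//_/-}.tar.gz"
        /etc/*)
build() { while true; do :; done; }
"""
```

Running `parse_pkgbuild(SAMPLE)` returns the expanded source URL and keeps `/etc/*` as a literal string, so neither the loop nor the glob mentioned in the reply is ever evaluated.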