Am 28.02.2019 um 17:34 schrieb Jerome Leclanche:
On Thu, Feb 28, 2019 at 5:22 PM Daniel M. Capella via aur-general <aur-general@archlinux.org> wrote:
On February 28, 2019 8:58:06 AM EST, Jerome Leclanche <jerome@leclan.ch> wrote:
<snip>
OT: We should maybe have the AUR lint PKGBUILDs on git push (and reject really bad ones) if we want to improve that situation.
J. Leclanche I've been thinking enforcing the use of makechrootpkg and namcap on package submission should be introduced, and maybe even on major (and minor?) version bumps for packages following semver. Inb4 yes I'm aware of the number of false-positives in namcap.
-- Best, polyzen Can we give namcap's outputs error codes and blacklist some of the false positives?
I was mostly thinking about things that can be done just by static analysis of the PKGBUILD, rather than anything requiring packages to be built, so that they can be rejected immediately during git push. Things such as running mksrcinfo, verifying local sources (and their hashes), etc.
J. Leclanche
That's the issue though, how do you do static analysis of a PKGBUILD - a random bash script which should include certain named functions and variables - without executing it? For example, mksrcinfo simply sources the PKGBUILD, i.e. evaluates it in bash. The aura AUR helper has a side-project which tries to check PKGBUILDs for "security issues" in Haskell. I'm not sure how well this approach scales though. https://github.com/aurapm/aura/blob/master/aura/lib/Aura/Pkgbuild/Security.h...