[arch-dev-public] Useful scripts
Jason Chu
jason at archlinux.org
Tue Jul 31 10:16:18 EDT 2007
> Note of warning!! Do not use these scripts on any PKGBUILDs you don't
> trust! They source every PKGBUILD to obtain the information - if a
> single PKGBUILD has rm -rf ~ you'd lose your home directory. You've
> been warned. ;) (of course you could run it in a sandbox as well, but
> yeah.)
The new way I parse PKGBUILDs in namcap really rocks for not trusting
PKGBUILDs. Apparently bash has a --restricted mode. You have to override
the PATH variable to make sure they can't execute any commands, but that's
about it.
http://projects.archlinux.org/git/?p=namcap.git;a=blob;f=parsepkgbuild;h=68a070c2c4bc238dd13807688a12a093770adc1d;hb=04266d561625cf014a7b3c87a76e2c6063fc82d7
This script basically outputs a PKGBUILD in db format.
> find-bad-licenses:
> This one also finds all PKGBUILD files located in any subdirs of
> $(pwd), and analyses all entries in the license array. If the license
> isn't one located in /usr/share/licenses/common, and it doesn't start
> with 'custom', then the package and its invalid license are output to
> stdout. Also, if no license is defined, it outputs this info to stdout
> as well.
> At the moment, it doesn't check the validity of custom licenses, but it
> does its job well; I've also attached the list it generates when run
> against extra/community/unstable. It's a long list - almost 2k
> invalid/non-existent licenses.
This rule could be added to namcap. We could check for the validity of the
licenses in a package (at that point we can see if there are custom
licenses stored in the package).
Jason
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://archlinux.org/pipermail/arch-dev-public/attachments/20070731/717dad75/attachment.pgp>
More information about the arch-dev-public
mailing list