[arch-dev-public] Useful scripts

Jason Chu jason at archlinux.org
Tue Jul 31 10:16:18 EDT 2007


> Note of warning!!  Do not use these scripts on any PKGBUILDs you don't
> trust!  They source every PKGBUILD to obtain the information - if a
> single PKGBUILD has rm -rf ~ you'd lose your home directory.  You've
> been warned. ;)  (of course you could run it in a sandbox as well, but
> yeah.)

The new way I parse PKGBUILDs in namcap really rocks for not trusting
PKGBUILDs.  Apparently bash has a --restricted mode.  You have to override
the PATH variable to make sure they can't execute any commands, but that's
about it.

http://projects.archlinux.org/git/?p=namcap.git;a=blob;f=parsepkgbuild;h=68a070c2c4bc238dd13807688a12a093770adc1d;hb=04266d561625cf014a7b3c87a76e2c6063fc82d7

This script basically outputs a PKGBUILD in db format.

> find-bad-licenses:
> This one also finds all PKGBUILD files located in any subdirs of
> $(pwd), and analyses all entries in the license array.  If the license
> isn't one located in /usr/share/licenses/common, and it doesn't start
> with 'custom', then the package and its invalid license are output to
> stdout.  Also, if no license is defined, it outputs this info to stdout
> as well.
> At the moment, it doesn't check the validity of custom licenses, but it
> does its job well; I've also attached the list it generates when run
> against extra/community/unstable.  It's a long list - almost 2k
> invalid/non-existent licenses.

This rule could be added to namcap.  We could check for the validity of the
licenses in a package (at that point we can see if there are custom
licenses stored in the package).

Jason
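The two techniques discussed in this thread, sourcing a PKGBUILD under `bash --restricted` with PATH overridden and then checking the license array against /usr/share/licenses/common, combined into one script. This is an added example written for this page; it is not namcap's parsepkgbuild and not the find-bad-licenses script from the quoted post. The `key = value` output format, the sample PKGBUILD and the stand-in license directory are all constructed here; the license directory is a parameter so the script also runs on a non-Arch system.

```shell
#!/bin/sh
# Added example (not namcap's parsepkgbuild): read a PKGBUILD under
# `bash -r` with a PATH that holds no executables, emit the fields we need,
# and check the license array the way the find-bad-licenses description
# above does. The "key = value" output format is this example's own.

# Print pkgname, pkgver and every license entry of $1/PKGBUILD as
# "key = value" lines, without letting the PKGBUILD run any program.
parse_pkgbuild_restricted() {
    bashbin=$(command -v bash) || return 1
    # Restricted mode stops the sourced file from changing PATH, cd-ing,
    # exec-ing, redirecting output or naming a command with a slash in it.
    # It still looks commands up in PATH, so PATH must be a directory that
    # contains nothing. (An empty PATH is not enough: bash then tries bare
    # names relative to the current directory.)
    nopath=$(mktemp -d) || return 1
    # cd is done out here because it is forbidden inside the restricted
    # shell; `. PKGBUILD` (no slash) falls back to the current directory.
    # env -i keeps exported variables and functions from leaking in, and the
    # stderr redirect sits outside because it too would be refused inside.
    (
        cd "$1" || exit 1
        env -i PATH="$nopath" "$bashbin" -r -c '
            . PKGBUILD
            printf "pkgname = %s\n" "$pkgname"
            printf "pkgver = %s\n" "$pkgver"
            for l in "${license[@]}"; do
                printf "license = %s\n" "$l"
            done
        ' 2>/dev/null
    )
    parse_rc=$?
    rmdir "$nopath"
    return $parse_rc
}

# Compare the license array of $1/PKGBUILD with the license files in $2
# (/usr/share/licenses/common on Arch). Entries starting with "custom" are
# skipped; unknown entries and a missing license array are reported.
# Returns 0 when nothing is wrong, 1 otherwise.
check_licenses() {
    parsed=$(parse_pkgbuild_restricted "$1") || return 1
    name=$(printf '%s\n' "$parsed" | sed -n 's/^pkgname = //p')
    lics=$(printf '%s\n' "$parsed" | sed -n 's/^license = //p')
    if [ -z "$lics" ]; then
        printf '%s: no license defined\n' "$name"
        return 1
    fi
    check_rc=0
    while IFS= read -r lic; do
        case $lic in
            custom*) ;;   # shipped inside the package; not checked here
            *) [ -e "$2/$lic" ] || {
                   printf "%s: invalid license '%s'\n" "$name" "$lic"
                   check_rc=1
               } ;;
        esac
    done <<EOF
$lics
EOF
    return $check_rc
}

# Constructed sample: a package directory holding a PKGBUILD with one
# hostile line, plus a stand-in for /usr/share/licenses/common that knows
# only GPL and LGPL. Prints "<pkgdir> <licdir>".
make_constructed_sample() {
    s_pkg=$(mktemp -d) && s_lic=$(mktemp -d) || return 1
    cat > "$s_pkg/PKGBUILD" <<'EOF'
pkgname=example-pkg
pkgver=1.0
pkgrel=1
license=('GPL' 'custom:example' 'MadeUpLicense')
# Hostile line: under bash -r with no executables in PATH this is a
# "command not found" rather than a file being created.
touch executed-anyway
EOF
    : > "$s_lic/GPL"
    : > "$s_lic/LGPL"
    printf '%s %s\n' "$s_pkg" "$s_lic"
}

# Demonstration run.
sample=$(make_constructed_sample)
demo_pkg=${sample%% *}; demo_lic=${sample##* }
parse_pkgbuild_restricted "$demo_pkg"
check_licenses "$demo_pkg" "$demo_lic" || echo "license problems found"
[ -e "$demo_pkg/executed-anyway" ] && echo "hostile line ran" || echo "hostile line did not run"
rm -rf "$demo_pkg" "$demo_lic"
```

Restricted mode blocks command execution, output redirection, `cd`, `exec` and changes to PATH, but it does not block input redirection, so a hostile PKGBUILD can still read files into variables that end up in the output, and nothing stops an endless loop from burning CPU. The sandbox and a timeout that the quoted warning mentions remain worthwhile on top of `bash -r`.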