[arch-dev-public] Useful scripts

Andrew Fyfe andrew at neptune-one.net
Tue Jul 31 19:41:35 EDT 2007

Jason Chu wrote:
>> Note of warning!!  Do not use these scripts on any PKGBUILDs you don't
>> trust!  They source every PKGBUILD to obtain the information - if a
>> single PKGBUILD has rm -rf ~ you'd lose your home directory.  You've
>> been warned. ;)  (of course you could run it in a sandbox as well, but
>> yeah.)
> The new way I parse PKGBUILDs in namcap really rocks for not trusting
> PKGBUILDs.  Apparently bash has a --restricted mode.  You have to override
> the PATH variable to make sure they can't execute any commands, but that's
> about it.
> http://projects.archlinux.org/git/?p=namcap.git;a=blob;f=parsepkgbuild;h=68a070c2c4bc238dd13807688a12a093770adc1d;hb=04266d561625cf014a7b3c87a76e2c6063fc82d7
> This script basically outputs a PKGBUILD in db format.
Are you sure 'source $1' works with --restricted mode? it doesn't for me.

If you wanted to be really paranoid you could use

TMPDIR=$(mktemp -d /tmp/parsepkgbuild.XXXXXX)
PKGBUILD=$(readlink -f "$1")

cd "$TMPDIR"
# Start a bash shell with a clean environment.
env -i \
         /bin/bash --noprofile --norc << EOF
# Make PATH readonly to stop the PKGBUILD from changing it
readonly PATH

source "$PKGBUILD"



More information about the arch-dev-public mailing list