[arch-dev-public] Useful scripts
andrew at neptune-one.net
Tue Jul 31 19:41:35 EDT 2007
Jason Chu wrote:
>> Note of warning!! Do not use these scripts on any PKGBUILDs you don't
>> trust! They source every PKGBUILD to obtain the information - if a
>> single PKGBUILD has rm -rf ~ you'd lose your home directory. You've
>> been warned. ;) (of course you could run it in a sandbox as well, but
> The new way I parse PKGBUILDs in namcap really rocks for not trusting
> PKGBUILDs. Apparently bash has a --restricted mode. You have to override
> the PATH variable to make sure they can't execute any commands, but that's
> about it.
> This script basically outputs a PKGBUILD in db format.
Are you sure 'source $1' works with --restricted mode? it doesn't for me.
If you wanted to be really paranoid you could use
TMPDIR=$(mktemp -d /tmp/parsepkgbuild.XXXXXX)
PKGBUILD=$(readlink -f "$1")
# Start a bash shell with a clean environment.
env -i \
TERM=$TERM HOME=$TMPDIR PATH=$TMPDIR \
CARCH=$CARCH PKGBUILD=$PKGBUILD \
/bin/bash --noprofile --norc << EOF
# Make PATH readonly to stop the PKGBUILD from changing it
More information about the arch-dev-public