[arch-general] PKGBUILD parser

Kaiting Chen kaitocracy at gmail.com
Sun May 9 10:57:48 EDT 2010

Just to let you know dude, you can't parse that with a regular expression. A
regular expression is modeled / parsed by a finite automaton = a state
machine with a finite number of states. Braces allow nesting, which creates a
source with potentially an infinite number of states. Consider,

a() { echo 1; b() { echo 2; }; }

Potentially I could nest expressions like that endlessly. A regular
expression will never be able to parse that because it can never decide
which brace is the final one. This might be better explained here.



On Sun, May 9, 2010 at 10:21 AM, Xavier Chantry <chantry.xavier at gmail.com> wrote:

> On Sun, May 9, 2010 at 2:44 PM, Allan McRae <allan at archlinux.org> wrote:
> >
> > Sourcing is dangerous if the PKGBUILD is from an untrusted source.  It also
> > fails with package splitting...
> >
> Makes me wonder why pkgbuilds are written in bash. Sounds like a big
> design flaw.
> But it depends on what our needs are :
> 1) we don't care about untrusted source or security, we always trust
> the source, then bash sourcing is very convenient (original idea
> behind that design)
> 2) we care about security and dealing with untrusted source in a
> secure way : the existing format sucks
> Currently we are neither in 1), nor in 2), we are somewhere in the
> middle with the inconveniences of both sides. We lost the convenience of
> 1) bash sourcing with package splitting. (I've been meaning to fix
> this for one year or so, just never got to it).
> And we don't have any ideas about how we could ever suit 2).
> Changing pkgbuild format doesn't sound really doable and realistic, it
> might be the most important characterization of what Arch is, changing
> it would make a new distrib.
> But I just had an idea now, if we're thinking about AUR use case :
> makepkg --source could generate a suitable and parsable file providing
> all information that AUR needs, and ships that next to the PKGBUILD in
> the source tarball. Does that sound crazy ?
> This would not fix the problem now, but it could fix it eventually,
> when most pkgbuilds are re-submitted. Or this parsable file could be
> generated for all pkgbuilds in a row, just for the conversion, in a
> chroot/jail on a machine not in production.
> To re-iterate : PKGBUILD format was meant to be easy to parse by using
> bash source. The moment you stop using bash source, it's just all
> wrong, and it's the format you have to change.

Kiwis and Limes: http://kaitocracy.blogspot.com/
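
The brace-matching point from the message above, as an added example that is not part of the original thread: two regular expressions cut the nested function body at the wrong brace, while a scanner that counts depth finds the matching one without sourcing anything. The function names and the sample text are constructed for illustration, and the scanner assumes only quotes and backslash escapes need skipping (comments and here-documents are not handled), so it is not a full bash parser.

```python
import re

# Constructed sample: the nested function from the message, followed by a
# second function whose body contains a quoted closing brace.
SAMPLE = 'a() { echo 1; b() { echo 2; }; }\nc() { echo "}"; }\n'

def _header(name):
    # Matches "name() {" at a word boundary (hypothetical helper).
    return r'\b' + re.escape(name) + r'\(\)\s*\{'

def regex_body(src, name):
    """Non-greedy regex: stops at the first '}' it meets, nested or not."""
    m = re.search(_header(name) + r'(.*?)\}', src, re.S)
    return m.group(1) if m else None

def greedy_regex_body(src, name):
    """Greedy regex: runs on to the last '}' anywhere in the input."""
    m = re.search(_header(name) + r'(.*)\}', src, re.S)
    return m.group(1) if m else None

def scanned_body(src, name):
    """Count brace depth, skipping quoted text, to find the matching '}'."""
    m = re.search(_header(name), src)
    if not m:
        return None
    depth, quote, i = 1, None, m.end()
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == '\\' and quote == '"':
                i += 1              # escaped character inside double quotes
            elif ch == quote:
                quote = None        # closing quote
        elif ch == '\\':
            i += 1                  # escaped character outside quotes
        elif ch in '\'"':
            quote = ch              # opening quote
        elif ch == '{':
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                return src[m.end():i]
        i += 1
    raise ValueError('unbalanced braces in function ' + name)

if __name__ == '__main__':
    for fn in (regex_body, greedy_regex_body, scanned_body):
        print(fn.__name__, repr(fn(SAMPLE, 'a')))
```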
