[arch-general] PKGBUILD parser

Kaiting Chen kaitocracy at gmail.com
Sun May 9 10:57:48 EDT 2010


Just to let you know dude, you can't parse that with a regular expression. A
regular expression is modeled / parsed by a finite automaton = a state
machine with a finite number of states. Braces allow nesting, which creates a
source with potentially an infinite number of states; consider,

a() { echo 1; b() { echo 2; }; }

Potentially I could nest expressions like that endlessly. A regular
expression will never be able to parse that because it can never decide
which brace is the final one. This might be better explained here.

http://stackoverflow.com/questions/133601/can-regular-expressions-be-used-to-match-nested-patterns

Kaiting.

On Sun, May 9, 2010 at 10:21 AM, Xavier Chantry <chantry.xavier at gmail.com> wrote:

> On Sun, May 9, 2010 at 2:44 PM, Allan McRae <allan at archlinux.org> wrote:
> >
> > Sourcing is dangerous if the PKGBUILD is from an untrusted source.  It also
> > fails with package splitting...
> >
>
> Makes me wonder why pkgbuilds are written in bash. Sounds like a big
> design flaw.
>
> But it depends on what our needs are :
> 1) we don't care about untrusted source or security, we always trust
> the source, then bash sourcing is very convenient (original idea
> behind that design)
> 2) we care about security and dealing with untrusted source in a
> secure way : the existing format sucks
>
> Currently we are neither in 1), nor in 2), we are somewhere in the
> middle with the inconveniences of both sides. We lost the convenience of
> 1) bash sourcing with package splitting. (I've been meaning to fix
> this for one year or so, just never got to it).
>
> And we don't have any ideas about how we could ever suit 2).
> Changing pkgbuild format doesn't sound really doable and realistic, it
> might be the most important characterization of what Arch is, changing
> it would make a new distrib.
> But I just had an idea now, if we're thinking about AUR use case :
> makepkg --source could generate a suitable and parsable file providing
> all information that AUR needs, and ships that next to the PKGBUILD in
> the source tarball. Does that sound crazy ?
> This would not fix the problem now, but it could fix it eventually,
> when most pkgbuilds are re-submitted. Or this parsable file could be
> generated for all pkgbuilds in a row, just for the conversion, in a
> chroot/jail on a machine not in production.
>
> To re-iterate : PKGBUILD format was meant to be easy to parse by using
> bash source. The moment you stop using bash source, it's just all
> wrong, and it's the format you have to change.
>



-- 
Kiwis and Limes: http://kaitocracy.blogspot.com/
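
An added illustration of the nesting point in the message above (not part of the original thread): a single Python `re` pattern cuts the nested function body short or overruns it, while an explicit depth counter finds the matching brace without ever executing the file. The sample text and function names are constructed, and the counter ignores quoting, comments and `${...}` expansions, so it is not a bash parser.

```python
import re

# Constructed sample: the nested function from the message in a PKGBUILD-like file.
SAMPLE = """pkgname=demo
a() { echo 1; b() { echo 2; }; }
build() { make; }
"""

def regex_body(text, name, greedy=False):
    """Single-regex attempt: it cannot pair each '{' with its own '}'."""
    inner = "(.*)" if greedy else "(.*?)"
    pattern = r"(?m)^" + re.escape(name) + r"\(\)\s*\{" + inner + r"\}"
    m = re.search(pattern, text, re.S)
    return m.group(1).strip() if m else None

def counted_body(text, name):
    """Track brace depth explicitly and stop at the brace that closes `name`."""
    m = re.search(r"(?m)^" + re.escape(name) + r"\(\)\s*\{", text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i].strip()
    return None  # unbalanced braces: refuse to guess

if __name__ == "__main__":
    print("non-greedy regex:", repr(regex_body(SAMPLE, "a")))
    print("greedy regex:    ", repr(regex_body(SAMPLE, "a", greedy=True)))
    print("depth counter:   ", repr(counted_body(SAMPLE, "a")))
```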

