[arch-projects] AUR 1.4.0

Roman Kyrylych roman.kyrylych at gmail.com
Thu Oct 4 12:09:49 EDT 2007


2007/10/4, Paul Mattal <paul at mattal.com>:
> Roman Kyrylych wrote:
> > 2007/10/3, Paul Mattal <paul at mattal.com>:
> >> As usual, report all problems here.
> >
> > Found a bug in parser.
> > See http://aur.archlinux.org/packages/cheese/cheese/PKGBUILD
> > and how depends are parsed on
> > http://aur.archlinux.org/packages.php?do_Details=1&ID=11879
> >
> > Can't we use parsepkgbuild from namcap2?
> > See http://projects.archlinux.org/git/?p=namcap.git;a=blob;f=parsepkgbuild;h=68a070c2c4bc238dd13807688a12a093770adc1d;hb=HEAD
> > This way PKGBUILD is parsed by bash and resulting output is much
> > easier to parse with PHP or Python.
> >
>
> At least the last time we looked into parsing PKGBUILDs with bash, we
> decided we couldn't do this for unsupported, since the provenance of the
> bash script is completely unknown. An attacker could write evil bash,
> simply create an account, upload it, and he's run arbitrary bash on the
> server.
>
> This is why we intentionally did not parse PKGBUILDs using bash, though
> I really really wanted to. I do, in fact, parse them with bash in the
> tupkgupdate script, but those are only trusted PKGBUILDs checked into cvs.

Hmm, probably you're right, but doesn't "--noprofile --norc -r" avoid this?

-- 
Roman Kyrylych (Роман Кирилич)
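
The question above, worked through as an added example that is not part of the thread, the AUR code base or namcap's parsepkgbuild: three constructed PKGBUILD-like files, each carrying a payload inside a command substitution in the depends array, are fed to `bash --noprofile --norc -r` the way a bash-based parser would source them. The script assumes `bash`, `mktemp` and `touch` are on PATH and that restricted mode is available, which it is in any stock bash. Restricted mode refuses output redirection, so a quick check with `echo ... > file` looks safe, but any command found on PATH still runs, and a spawned `bash` is not restricted at all, so the redirection is trivially regained.

```shell
#!/bin/sh
# Added example: does bash's restricted mode (-r) make sourcing an
# untrusted PKGBUILD safe? The PKGBUILDs below are constructed for the
# demonstration; no real package or AUR code is involved.
set -u

# Evaluate the PKGBUILD in $1 inside a restricted, rc-less bash and print
# the resulting depends array, i.e. what a bash-based parser would do.
# Restricted mode only limits the shell itself (no cd, no PATH changes, no
# output redirection, no command names containing a slash); it is not a
# sandbox, and every command on PATH remains callable.
parse_restricted() {
    { cat "$1/PKGBUILD"; printf '%s\n' 'printf "%s\n" "${depends[@]}"'; } \
        | (cd "$1" && bash --noprofile --norc -r) 2>/dev/null
}

# Payload 1: side effect via output redirection. Restricted mode blocks
# this, which is exactly why a naive test can give false confidence.
write_pkgbuild_redirect() {
    cat > "$1/PKGBUILD" <<'EOF'
pkgname=evil
pkgver=1.0
depends=('glibc' "$(echo owned > marker-redirect)")
EOF
}

# Payload 2: side effect via an external command on PATH. Not blocked.
write_pkgbuild_exec() {
    cat > "$1/PKGBUILD" <<'EOF'
pkgname=evil
pkgver=1.0
depends=('glibc' "$(touch marker-exec)")
EOF
}

# Payload 3: leave restricted mode by starting a fresh, unrestricted bash;
# restrictedness is a property of the invoking shell, not of its children.
write_pkgbuild_escape() {
    cat > "$1/PKGBUILD" <<'EOF'
pkgname=evil
pkgver=1.0
depends=('glibc' "$(bash -c 'echo owned > marker-escape')")
EOF
}

# Run one payload in a scratch directory and report whether its side
# effect happened. $1 = writer function, $2 = marker file it tries to create.
probe() {
    dir=$(mktemp -d)
    "$1" "$dir"
    parse_restricted "$dir" >/dev/null || true
    if [ -e "$dir/$2" ]; then result=executed; else result=blocked; fi
    rm -rf "$dir"
    printf '%s\n' "$result"
}

main() {
    printf 'redirect payload: %s\n' "$(probe write_pkgbuild_redirect marker-redirect)"
    printf 'exec payload:     %s\n' "$(probe write_pkgbuild_exec marker-exec)"
    printf 'escape payload:   %s\n' "$(probe write_pkgbuild_escape marker-escape)"
}

main
```

Only the first payload is stopped, and only because it happens to use a redirection; the second and third run arbitrary commands on the host exactly as in the unrestricted case. Restricted mode is a convenience for locked-down interactive accounts, not an execution boundary, so it does not remove the concern raised in the quoted reply: the only safe options are not to evaluate untrusted PKGBUILDs as bash at all, or to evaluate them inside a real sandbox (separate unprivileged user, no network, throwaway filesystem).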

