[aur-dev] [PATCH] Use bash script to parse pkgbuilds

Callan Barrett wizzomafizzo at gmail.com
Wed Jun 11 01:13:06 EDT 2008

On Wed, Jun 11, 2008 at 2:25 AM, Cilyan Olowen <gaknar at gmail.com> wrote:
> Is it really such hard work to parse a PKGBUILD and simulate bash
> behaviour only on the variables preceding the build() function?
> The parser needs to be able to :
> - affect and replace variables
> - support arrays
> - support the simple ${x//find/replace} syntax
> - what else ?
> If this can be tedious with PHP, is it that difficult to realize in Python?

It's not that it's tedious in PHP, it would be equally tedious and
difficult in any other language to write something to parse bash as
nicely as bash does.

At this point, although the bash parser works and there's no way for
any really malicious stuff to happen, this is really only a good
solution on a local machine; that's why namcap is fine with it.
There's nothing stopping a user from, say, embedding an infinite loop
which would be evaluated by the server, or at the very least listing any
files in the FS (thanks to the globbing). It's not bad, but it's more
than enough to stop its use on a server.

I think at this point we'll just have to write a better parser for
pkgbuilds than what we have now (we really need to, the current one is
pretty wishy washy and it amazes me how long it's stood up).

Callan Barrett
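
Added example, not part of the original message or of the AUR code base: a static parser in Python covering the three features listed in the quoted question (variable assignment and substitution, arrays, `${x//find/replace}`) that stops at build() and rejects anything it would have to execute. The function names and the sample PKGBUILD are constructed for illustration, and the find pattern is treated as a literal string rather than a bash glob.

```python
import re

ASSIGN = re.compile(r'([A-Za-z_]\w*)=(.*)$')
REF = re.compile(r'\$\{(\w+)//([^/}]+)/([^}]*)\}|\$\{(\w+)\}|\$(\w+)')
WORD = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')

def expand(text, env):
    """Substitute $x, ${x} and ${x//find/replace}; refuse any other expansion."""
    if '$' in REF.sub('', text) or '`' in text:
        raise ValueError('unsupported expansion: ' + text)
    def sub(m):
        value = env.get(m.group(1) or m.group(4) or m.group(5), '')
        value = ' '.join(value[:1]) if isinstance(value, list) else value
        return value.replace(m.group(2), m.group(3)) if m.group(1) else value
    return REF.sub(sub, text)

def word(m, env):
    dq, sq, bare = m.groups()       # a word is never globbed or executed
    if bare and re.search(r'[;&|<>()"\'\\]', bare):
        raise ValueError('unsupported syntax: ' + bare)
    return sq if sq is not None else expand(dq if dq is not None else bare, env)

def parse_pkgbuild(text):
    """Return the variables assigned before build(); no shell code is run."""
    env, lines = {}, iter(text.splitlines())
    for line in map(str.strip, lines):
        if re.match(r'build\s*\(\)', line):
            break
        if not line or line.startswith('#'):
            continue
        if not (m := ASSIGN.match(line)):
            raise ValueError('not a plain assignment: ' + line)
        name, value = m.groups()
        is_array = value.startswith('(')
        while is_array and not value.endswith(')'):  # array continues on next line
            value += ' ' + next(lines, ')').strip()
        words = [word(w, env) for w in WORD.finditer(value[1:-1] if is_array else value)]
        if not is_array and len(words) > 1:          # "x=1 cmd" would run cmd in bash
            raise ValueError('command after assignment: ' + line)
        env[name] = words if is_array else ''.join(words)
    return env

# Constructed sample input (not a real package).
SAMPLE = '''pkgname=foo-bar
_base=${pkgname//-/_}
depends=(glibc "lib$_base>=1.0")
source=(http://example.org/$pkgname.tar.gz
        *.patch)
build() { while :; do :; done; }
'''
```

On the sample, `*.patch` comes back as the literal string and the loop inside build() is never read; a line such as `pkgver=$(while :; do :; done)` raises ValueError instead of being evaluated.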
