[aur-dev] PKGBUILD parsing on the AUR

Gergely Imreh imrehg at gmail.com
Sun Aug 2 19:58:44 EDT 2009 

2009/8/3 Xyne <xyne at archlinux.ca>:
>> As I worked on most of the parsing code at the moment: we don't have
>> any "if-then-else" statements. AUR can (currently) handle only static
>> assignments and bash arrays (or how are they called) and evals.
>>
>> This is because we don't evaluate the "bash" part of the script just
>> the variable assignments. Would be nice to have a whole bash
>> interpreter or similar, but I don't have an idea how to get that done
>> securely at the moment.... Any suggestions?
>> E.g. that example on the top would not get through...
>>
>> As for the linked feature request: the "depends" should be
>> straightforward (I didn't look into it much, yet, but we should have
>> all the required data). The "makedepends" is not stored for the web
>> interface, so should be added there first. Would be quite valuable, I
>> think... Even optdepends could be useful if we would add it one day,
>> the only problem is, that it does not seem to have a standard format
>> across packages.
>>
>> So, on a related note, making such upgrades: patches for the pages
>> (php or html...) are straightforward. How does someone send a patch
>> which would need a change in the SQL database in the back?
>>
>> Cheers,
>>     Greg
>
> Thanks for the replies, Greg.
>
> I suspected that it was scraping the PKGBUILDs due to discrepancies
> reported on the bug tracker (valid PKGBUILDs not being properly parsed
> on the AUR, etc).
>
> There is no fully functional solution to extracting data from bash
> PKGBUILDs. Sourcing it exposes you to malicious code and implementing a
> full interpreter would do the same (as it would have to handle command
> outputs, which in turn means running commands). Anything less will not
> be able to fully parse all valid PKGBUILDs. That's why I've been
> playing around with the idea of a non-bash PKGBUILD [1]. The AUR would
> definitely benefit from this as would any application which interacts
> with it. It would be nice to accurately resolve dependency trees using
> only the JSON-RPC interface, for example.

Checked out the non-bash PKGBUILD page a little, and it indeed would
be great. I admit the simplicity of the bash based one 100%, but don't
share the enthusiasm of most of the core people I talked to. There
were so many times, when a package could be made in more than one way
- some of them e.g. could be parsed by AUR, some of them had no chance
for that. Every single time "convenience" won, and the package was
unintelligible for AUR.

I haven't read and thought enough about that page you sent yet, but no
matter of the state of that work, Arch would benefit from a PKGBUILD
discussion, IMHO.... Too bad, that I don't have anything to add at the
moment...

>
> Where can I view the code for the web pages?
>

It's in the git-garden of all things Arch on http://projects.archlinux.org/
the web/README should have all the setup instructions, to get your
"fake AUR" running.

Cheers,
   Greg

More information about the aur-dev mailing list