[aur-dev] Safe and relatively reliable PKGBUILD parser.
Sebastian Nowicki
sebnow at gmail.com
Mon Jan 11 18:52:54 EST 2010
On 10/01/2010, at 4:23, Xyne <xyne at archlinux.ca> wrote:
>> It is quite a clever idea. I haven't seen this approach before. I
>> haven't looked at it thoroughly, but it looks like you're simply
>> sourcing the PKGBUILD with some trickery not to execute the code. Why
>> then the need for further parsing? Does `set` produce "raw" bash,
>> e.g.
>> 'source=("https://localhost/$pkgname.tgz")'? It seems like bash
>> should
>> be able to do it itself. If that were the case, the parser would be
>> extremely reliable (definitely more so than mine). There are still
>> some "safety" issues involved, although maybe not for your purposes.
>> One major thing is infinite loops - there's no way to break them. I'm
>> sure this parser will be very useful when such things aren't an
>> issue.
> Bash simply parses the file and stores the code itself in the
> "pkgbuild" function, which itself contains other variables and
> functions (e.g. package_foo, build). Because the code has not been
> executed, the variables have not been expanded/interpolated and thus
> still contain things such s "http://example.com/$pkgname-$pkgver.tar",
> which is why it must still be intepolated by the parser.
It seems I did understand it, I just forgot assignments don't get
interpreted. I suppose there's no way to get bash to execute the
assignments but not the code? Perhaps filtering the function
definitions from set output. I havn't looked at the output of set so,
again, I'm shooting in the dark here.
>
> The advantage of this method is that "set" will print out the
> "pkgbuild" function and its contents in a canonical form, e.g. all
> assignments to a variable are on a single line, if/then/else
> statements
> follow a single format, etc.
That is very handy indeed.
> Let me repeat that my method does not run any code in the
> PKGBUILD. I've tested this by including an infinite loop at the top of
> the file and it was not executed. I actually believe that this method
> provides a perfectly safe and potentially very reliable method of
> retrieving all metadata in the PKGBUILD with very little dependencies
> and considerable portability.
Indeed. Perhaps Allan would be interested on this for his makepkg test
suite, although maybe more in the concept since the test suite us in
python.
>
>
> Regards,
> Xyne
More information about the aur-dev
mailing list