[aur-dev] Safe and relatively reliable PKGBUILD parser.

[Xyne]

> If you're willing to trust the variable declaration part of the
> PKGBUILD, then yeah it'd be easy to execute just that part. You don't
> even need to cut out the build() function, since executing the whole
> thing would only declare and not run that function. All you'd need to do
> is to add some "echo"s at the end of the wrapper function you've
> constructed, and execute the wrapper function.


That doesnt work for overridden variables in split packages because they
are set inside the packaging function(s). Anything which could
selectively execute blocks of code inside of functions to get the
values of the variables would be far more complicated than this
approach and probably far more exploitable.

Even without that to consider, you cannot blindly trust the variable
declaration section of PKGBUILDs uploaded to the AUR.