[pacman-dev] RFC: Really running package_* functions in rbash during printsrcinfo
Charles Duffy
charles at dyfis.net
Sun Jan 6 18:58:29 UTC 2019
Howdy --
I recently had need to dig into the implementation of makepkg
--printsrcinfo, and ran into the "running regular expressions against
source code" operations in the backend.
Obviously, this is not ideal. Indeed, I've previously written packages
(doing unusual and typically-undesirable things, granted) with conditional
logic *assuming* that actual execution would be taking place.
I fully appreciate the decision not to try to go with more expansive
attempts at emulating bash parsing/execution in the future, but do folks
have any thoughts on **really** executing PKGBUILDs in a restricted
environment, including execution of the package_* functions?
See a simple sandboxed parser for config files implemented as bash code in
code I've written for NixOS at
https://github.com/charles-dyfis-net/nixpkgs/blob/f50bfe267a312515d88e86c12ae002c4feefcc1f/pkgs/tools/filesystems/bees/bees-service-wrapper#L59-L65.
We might need a little more complexity here -- using DEBUG traps to avoid
"|| exit" logic from aborting, f/e -- but my initial impression is that
"more accurate than the current implementation" (and maybe a fair bit
faster, if we extract all variables in one subshell per function) is not a
hard goal to achieve.
Thoughts?
More information about the pacman-dev
mailing list