[pacman-dev] [PATCH] makepkg: guard against undefined git pinned sources

Eli Schwartz eschwartz at archlinux.org
Tue May 26 03:52:16 UTC 2020

If something like source=(..."#commit=") is used, e.g. due to failed
variable expansion, we try to check out an empty refspec as nothing at
all, and end up just running "git checkout". This happens because we
fail at variable expansion too -- so let's quote our variables properly
and make sure git sees this as an empty refspec, so it can error out.

Also make sure it is interpreted as a ref instead of a path.

Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>

This ensures that something like https://bugs.archlinux.org/task/66729
cannot happen again.

 scripts/libmakepkg/source/git.sh.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/libmakepkg/source/git.sh.in b/scripts/libmakepkg/source/git.sh.in
index aee944f7..a29be3c5 100644
--- a/scripts/libmakepkg/source/git.sh.in
+++ b/scripts/libmakepkg/source/git.sh.in
@@ -125,7 +125,7 @@ extract_git() {
 	if [[ $ref != "origin/HEAD" ]] || (( updating )) ; then
-		if ! git checkout --force --no-track -B makepkg $ref; then
+		if ! git checkout --force --no-track -B makepkg "$ref" --; then
 			error "$(gettext "Failure while creating working copy of %s %s repo")" "${repo}" "git"
 			plain "$(gettext "Aborting...")"
 			exit 1
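Review bot: On the `+` line, an empty `ref` is now passed to git as an empty argument, but the user still only sees the generic "Failure while creating working copy" message, which does not say that the `#commit=`/`#tag=`/`#branch=` fragment expanded to nothing. Consider an explicit test such as `[[ -z $ref ]]` ahead of the checkout, with its own error naming the empty fragment, so the cause is obvious in the build log. Also note that the trailing `--` only stops `"$ref"` from being taken as a path; because it comes after `"$ref"`, a value beginning with `-` would still be parsed by git as an option, so the same pre-check could reject that case too.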
