Comments (8)
This is coming up a lot. I have theories. Aura
uses a custom (and very simple) parser for PKGBUILDs. Take a look at shutter's dep field:
depends=(
xdg-utils libxml-perl imagemagick bc procps librsvg gconf-perl
perl-{gnome2-wnck,gtk2-{imageview,unique},x11-protocol,image-exiftool}
perl-{proc-{simple,processtable},net-{dbus,dropbox-api},goo-canvas}
perl-{sort-naturally,json,json-xs,xml-simple,www-mechanize,locale-gettext}
perl-{file-{which,basedir,copy-recursive},pathtools,path-class}
I know for a fact my mini-parser wouldn't make sense of those extrapolated perl deps. Why this would result in an empty list error is beyond me, but I'll look into it.
from aura.
In PKGBUILDer, I give the dependency parsing job to bash itself. It is much easier and nicer. For example, my cheaty pyparsing solution required total magic, an AUR dependency for PB itself (and that is evil, and is currently limited to 2 for yours truly’s sanity, i.e. requests and certifi [requests dep], HTTP for Humans™) and broke when there were some problems, eg. ''
(empty string) deps or a reverse order of depends-makedepends. Bash is too messy to attempt to parse it by hand. Hint:
source PKGBUILD; for i in ${depends[*]}; do echo $i; done; for i in ${makedepends[*]}; do echo $i; done
(bash requires such fancy brac{e, ket} magic. In zsh, you can just do $depends
, but zsh is not on every system [it should be!])
from aura.
I use fish shell.
Do you know how packer
does this? I originally thought it was a good idea then realize what a security risk it was.
Packer runs the PKGBUILD once. Like . PKGBUILD
. Sure this brings the depends
field into packer's scope (as it is written in bash), but a malicious PKGBUILD could have anything in there. There's no telling what could happen if you just "ran" the PKGBUILD.
Does your solution there guarantee that the only things being read are the depends
and makedepends
fields? Would nothing else be read or executed?
from aura.
Nope. My method also sources the PKGBUILD (.
is an alias for source
), and prints out all the dependencies. But I think that most packages can be trusted not to have anything malicious.
from aura.
And the day that the AUR gets hacked?
from aura.
Just a note, shutter goes even more apeshit now.
aura: readProcess: curl "-L" "--fail" "--silent" "https://aur.archlinux.org/rpc.php?type=multiinfo&arg\\[\\]=xdg-utils&arg\\[\\]=libxml-perl&arg\\[\\]=imagemagick&arg\\[\\]=bc&arg\\[\\]=procps&arg\\[\\]=librsvg&arg\\[\\]=gconf-perl&arg\\[\\]=perl-{gnome2-wnck,gtk2-{imageview,unique},x11-protocol,image-exiftool}&arg\\[\\]=perl-{proc-{simple,processtable},net-{dbus,dropbox-api},goo-canvas}&arg\\[\\]=perl-{sort-naturally,json,json-xs,xml-simple,www-mechanize,locale-gettext}&arg\\[\\]=perl-{file-{which,basedir,copy-recursive},pathtools,path-class}" (exit 3): failed
It might not like the fancy {}
’s or \\
’s. You are doing some very, VERY evil magic here due to the \\
’s.
from aura.
Nono, those \ are totally necessary. It's the {}. Bash would expand those, but aura isn't yet. This is the current biggest issue with aura. I'm debating on whether I should implement more manually hackish Bash parsing, or try and find a tool to do it that won't acutally RUN the script.
from aura.
Wrote a mini-parser to deal with bash expansions. Shutter builds now!
from aura.
Related Issues (20)
- Option parsing issues with `--` delimiter (double dash, two dashes) HOT 2
- Feature Request: makeopts for faster compiling HOT 9
- rust aura -A hyprland grabs from the Standart repo HOT 3
- Cyclic Dependencies with `mangohud`? HOT 1
- Error building a package due to unset variable
- Config template link in documentation leads to 404 error HOT 1
- Aura.conf option for always showing makepkg output HOT 5
- -A: offer multiple install options based on "provides"
- "command not found" when tab-completing aura -D HOT 5
- aura seems not respecting proxy setting of curl? HOT 5
- Force package to be used from a specific repo? HOT 5
- Improve handling of git packages HOT 3
- aura >>= As of makepkg v4.2, building as root is no longer possible. HOT 3
- Aura 4 config parsing HOT 5
- `aura` returns `Permission denied (publickey)` when fetching packages from AUR HOT 2
- Regression? "Failed to 'git pull' the latest updates" HOT 7
- 4.0 config file location not following XDG recommendations HOT 1
- 4.0: Improvement: "Unknown Packager" in package metadata HOT 3
- aura rust - fails on every AUR package it doesn't recognize HOT 3
- Unhandled exception when vcsPath is not (yet) created HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from aura.