Installing shutter crashes while determining deps about aura HOT 8 CLOSED

This is coming up a lot. I have theories. Aura uses a custom (and very simple) parser for PKGBUILDs. Take a look at shutter's dep field:

depends=(
    xdg-utils libxml-perl imagemagick bc procps librsvg gconf-perl
    perl-{gnome2-wnck,gtk2-{imageview,unique},x11-protocol,image-exiftool}
    perl-{proc-{simple,processtable},net-{dbus,dropbox-api},goo-canvas}
    perl-{sort-naturally,json,json-xs,xml-simple,www-mechanize,locale-gettext}
    perl-{file-{which,basedir,copy-recursive},pathtools,path-class}

I know for a fact my mini-parser wouldn't make sense of those extrapolated perl deps. Why this would result in an empty list error is beyond me, but I'll look into it.

from aura.

In PKGBUILDer, I give the dependency parsing job to bash itself. It is much easier and nicer. For example, my cheaty pyparsing solution required total magic, an AUR dependency for PB itself (and that is evil, and is currently limited to 2 for yours truly’s sanity, i.e. requests and certifi [requests dep], HTTP for Humans™) and broke when there were some problems, eg. '' (empty string) deps or a reverse order of depends-makedepends. Bash is too messy to attempt to parse it by hand. Hint:

source PKGBUILD; for i in ${depends[*]}; do echo $i; done; for i in ${makedepends[*]}; do echo $i; done

(bash requires such fancy brac{e, ket} magic. In zsh, you can just do $depends, but zsh is not on every system [it should be!])

from aura.

I use fish shell.

Do you know how packer does this? I originally thought it was a good idea then realize what a security risk it was.
Packer runs the PKGBUILD once. Like . PKGBUILD. Sure this brings the depends field into packer's scope (as it is written in bash), but a malicious PKGBUILD could have anything in there. There's no telling what could happen if you just "ran" the PKGBUILD.

Does your solution there guarantee that the only things being read are the depends and makedepends fields? Would nothing else be read or executed?

from aura.

Nope. My method also sources the PKGBUILD (. is an alias for source), and prints out all the dependencies. But I think that most packages can be trusted not to have anything malicious.

from aura.

And the day that the AUR gets hacked?

from aura.

Just a note, shutter goes even more apeshit now.

aura: readProcess: curl "-L" "--fail" "--silent" "https://aur.archlinux.org/rpc.php?type=multiinfo&arg\\[\\]=xdg-utils&arg\\[\\]=libxml-perl&arg\\[\\]=imagemagick&arg\\[\\]=bc&arg\\[\\]=procps&arg\\[\\]=librsvg&arg\\[\\]=gconf-perl&arg\\[\\]=perl-{gnome2-wnck,gtk2-{imageview,unique},x11-protocol,image-exiftool}&arg\\[\\]=perl-{proc-{simple,processtable},net-{dbus,dropbox-api},goo-canvas}&arg\\[\\]=perl-{sort-naturally,json,json-xs,xml-simple,www-mechanize,locale-gettext}&arg\\[\\]=perl-{file-{which,basedir,copy-recursive},pathtools,path-class}" (exit 3): failed

It might not like the fancy {}’s or \\’s. You are doing some very, VERY evil magic here due to the \\’s.

from aura.

Nono, those \ are totally necessary. It's the {}. Bash would expand those, but aura isn't yet. This is the current biggest issue with aura. I'm debating on whether I should implement more manually hackish Bash parsing, or try and find a tool to do it that won't acutally RUN the script.

from aura.

Wrote a mini-parser to deal with bash expansions. Shutter builds now!

from aura.