[pacman-dev] [RFC] Package parser in python

[Allan McRae]

Laszlo Papp wrote:
> On Sat, Dec 12, 2009 at 3:11 PM, Allan McRae <allan at archlinux.org> wrote:
>> Sebastian Nowicki wrote:
>>> As you may have heard, I started a proper PKGBUILD parser[1], which parses
>>> according to shell semantics and does a little interpreting. I just released
>>> the first version, which doesn't handle errors, or multi-line values (like
>>> arrays or escaped newlines) very well. It does however support split
>>> packages. I'm in the process of modifying parched to essentially turn it
>>> into python bindings[2] for pkgparse.
>>>
>>> You probably already have a parser at this point, so I'm not sure how
>>> useful this would be to you (it might be overkill anyway), I just though I'd
>>> let you know.
>>>
>>> [1]: http://github.com/sebnow/pkgparse
>>> [2]: http://github.com/sebnow/parched/tree/pkgparse_pyrex
>> Looks interesting.  I will take it for a spin later. I assume this is going
>> towards AUR2?
> 
> Yes.
> 
>> I had not done any further work on my parser as I was uncertain what was the
>> best way to go in developing a makepkg test suite.  Given the makepkg test
>> suite will use a safe set of PGKBUILDs, I was thinking of just using bash to
>> parse them.
> 
> http://wiki.archlinux.org/index.php/AUR_2#High_priority
> "Parsing of pkgbuilds, we can no longer use bash to do it because bash
> sucks and is riddled with security flaws. This is really important."
> 
> It was discussed with Louipc too on #archlinux-aur earlier, and on the
> forum too, I don't find the log at this momment :( It's not best
> solution to do it in bash, lex/yacc seems a better solution for it in
> this case.
> 
> Some documentation from Sebastian with that I'm dealing at this momment:
> http://github.com/sebnow/pkgparse/tree/gh-pages

Sure, but did you actually read what I wrote? Because everything you 
point out does not apply to the situation I was describing and I 
explained why...

Allan