Am 28.02.2019 um 17:34 schrieb Jerome Leclanche:
On Thu, Feb 28, 2019 at 5:22 PM Daniel M. Capella via aur-general
<[email protected]> wrote:
On February 28, 2019 8:58:06 AM EST, Jerome Leclanche <[email protected]> wrote:
<snip>
OT: We should maybe have the AUR lint PKGBUILDs on git push (and
reject really bad ones) if we want to improve that situation.
J. Leclanche
I've been thinking enforcing the use of makechrootpkg and namcap on package
submission should be introduced, and maybe even on major (and minor?) version
bumps for packages following semver. Inb4 yes I'm aware of the number of
false-positives in namcap.
--
Best,
polyzen
Can we give namcap's outputs error codes and blacklist some of the
false positives?
I was mostly thinking about things that can be done just by static
analysis of the PKGBUILD, rather than anything requiring packages to
be built, so that they can be rejected immediately during git push.
Things such as running mksrcinfo, verifying local sources (and their
hashes), etc.
J. Leclanche
That's the issue though, how do you do static analysis of a PKGBUILD - a
random bash script which should include certain named functions and
variables - without executing it? For example, mksrcinfo simply sources
the PKGBUILD, i.e. evaluates it in bash.
The aura AUR helper has a side-project which tries to check PKGBUILDs
for "security issues" in Haskell. I'm not sure how well this approach
scales though.
https://github.com/aurapm/aura/blob/master/aura/lib/Aura/Pkgbuild/Security.hs
