On 20/11/13 22:51, Martti Kühne wrote:
> On Mon, Nov 18, 2013 at 3:09 AM, Allan McRae <[email protected]> wrote:
>>
>> What did you think about the proposal in an earlier reply to this thread:
>>
>> source=("mirror://_foo/blah/blah/foo.tar.gz")
>> _foo=("http://foo.com/" "http://bar.com/")
>>
>> I think we can bet safely that "mirror://" will not become a valid
>> protocol. And we are replacing the start of the URL so just using the
>> initial "/" as the delimiter is fine.
>>
>> Allan
>>
>>
>
>
> Personally, I wouldn't notice that _foo part there and go WTF if the
> URL isn't valid. This is as bad as the previous suggestion, where I
> thought of this:
>
> source=("http://looks.ok/good.tar.gz")
> [...fast-forward to bottom of PKGBUILD]
> http=("http://malware.com/evil_file.tar.gz")
>
> whereas with the latest suggestion, one would just
>
> source=("http://_it/looks.ok/good.tar.gz")
> [...fast-forward to bottom of PKGBUILD]
> _it=("http://malware.com/evil_file.tar.gz")

Ummm.... both those would be perfectly safe with the suggestion in my email above because the sources are prefixed with http:// and so the arrays with malware.com would do nothing. Only source lines starting with mirror:// would require looking at the array of mirror sources.

A
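
The rule discussed in this thread (only sources beginning with mirror:// consult a mirror array) written out as an added bash example; it is not part of the original email and not makepkg code. The function name `resolve_source` and its fail-closed checks are assumptions, and the arrays are the ones quoted in the thread.

```bash
#!/usr/bin/env bash
# Added sketch of the mirror:// proposal; resolve_source is a hypothetical
# helper name, not a makepkg function.

# Arrays as they appear in the thread's examples.
_foo=("http://foo.com/" "http://bar.com/")
http=("http://malware.com/evil_file.tar.gz")
_it=("http://malware.com/evil_file.tar.gz")

resolve_source() {
    local src=$1 name path base ref re='^[A-Za-z_][A-Za-z0-9_]*$'
    # Sources without the mirror:// prefix are used verbatim, so arrays
    # named "http" or "_it" are never consulted for them.
    if [[ $src != mirror://* ]]; then
        printf '%s\n' "$src"
        return 0
    fi
    src=${src#mirror://}
    if [[ $src != */* ]]; then
        echo "mirror source has no path: $1" >&2
        return 1
    fi
    name=${src%%/*}   # text before the first "/" names the mirror array
    path=${src#*/}    # the rest is appended to every mirror base
    # Allow only a plain identifier, so the indirect expansion below is
    # never handed a subscript or other expression.
    if [[ ! $name =~ $re ]]; then
        echo "invalid mirror array name: $name" >&2
        return 1
    fi
    # Fail closed when the array is missing or is not an indexed array.
    if [[ $(declare -p "$name" 2>/dev/null) != "declare -a"* ]]; then
        echo "mirror array not defined: $name" >&2
        return 1
    fi
    ref="${name}[@]"
    for base in "${!ref}"; do
        printf '%s\n' "${base%/}/$path"
    done
}

# Demo over the three source lines discussed in the thread.
for s in "http://looks.ok/good.tar.gz" "http://_it/looks.ok/good.tar.gz" \
         "mirror://_foo/blah/blah/foo.tar.gz"; do
    resolve_source "$s"
done
```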
