On Sun 09 May 2010 16:21 +0200, Xavier Chantry wrote:
> On Sun, May 9, 2010 at 2:44 PM, Allan McRae <allan@xxxxxxxxxxxxx> wrote:
> > Sourcing is dangerous if the PKGBUILD is from an untrusted source. It also
> > fails with package splitting...
> But I just had an idea now, if we're thinking about AUR use case :
> makepkg --source could generate a suitable and parsable file providing
> all information that AUR needs, and ships that next to the PKGBUILD in
> the source tarball. Does that sound crazy ?
> This would not fix the problem now, but it could fix it eventually,
> when most pkgbuilds are re-submitted. Or this parsable file could be
> generated for all pkgbuilds in a row, just for the conversion, in a
> chroot/jail on a machine not in production.

Yeah I've thought about this as well. Source packages could have a
similar format as binary packages with a .PKGINFO file to present the
metadata in an easily parsable format. You can read some of my incomplete
brainstormings here:
http://louipc.mine.nu/arch/%5BRFC%5D-PKGINFO-in-srctargz
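
The following is an added example, not part of the original message and not makepkg or AUR code: a sketch of how a consumer such as the AUR could read a `.PKGINFO`-style file as inert data instead of sourcing the PKGBUILD. The `key = value` layout follows the binary-package `.PKGINFO` convention; the set of accepted keys, the `pkgname` pattern and the sample input are assumptions made for illustration.

```python
import re

# Assumed key sets: repeatable keys map to lists (PKGBUILD arrays), the rest
# are single-valued. Unknown keys are rejected rather than silently accepted.
MULTI_KEYS = {"depend", "makedepend", "optdepend", "conflict", "provides", "license", "arch"}
SINGLE_KEYS = {"pkgname", "pkgver", "pkgdesc", "url"}
LINE_RE = re.compile(r"^([a-z]+) = (.*)$")
NAME_RE = re.compile(r"^[a-z0-9@_+][a-z0-9@._+-]*$")  # assumed pkgname pattern


def parse_pkginfo(text):
    """Parse 'key = value' lines as inert data; nothing is evaluated."""
    info = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not 'key = value'")
        key, value = m.groups()
        if key in MULTI_KEYS:
            info.setdefault(key, []).append(value)
        elif key in SINGLE_KEYS:
            if key in info:
                raise ValueError(f"line {lineno}: duplicate key {key!r}")
            info[key] = value
        else:
            raise ValueError(f"line {lineno}: unknown key {key!r}")
    if not NAME_RE.match(info.get("pkgname", "")):
        raise ValueError("missing or invalid pkgname")
    return info


# Constructed sample: pkgdesc holds a command substitution that a shell would
# run if this text were sourced or eval'd; here it stays an ordinary string.
SAMPLE = """\
# constructed example metadata
pkgname = example-tool
pkgver = 1.2-1
pkgdesc = demo $(touch /tmp/should-not-exist)
arch = i686
depend = glibc
depend = zlib>=1.2
"""

if __name__ == "__main__":
    print(parse_pkginfo(SAMPLE))
```
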