AUR web interface

FS#2280 - Too picky about lines in PKGBUILD

Attached to Project: AUR web interface
Opened by Simo Leone (neotuli) - Friday, 25 February 2005, 00:35 GMT
Last edited by Paul Mattal (paul) - Monday, 07 March 2005, 04:12 GMT
Task Type: Bug Report
Category: Backend
Status: Closed
Assigned To: No-one
Architecture: All
Severity: Medium
Priority: Normal
Reported Version: 1.0
Due in Version: 2.0.0
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

The system rejects PKGBUILDs that have the md5sums variable AFTER build(), claiming it doesn't exist. This is problematic in some ways because many people like to do makepkg -g >>PKGBUILD , which plops it at the very end.

Closed by: Eric Johnson (eric)
Sunday, 20 March 2005, 18:46 GMT
Reason for closing: Fixed
Comment by Paul Mattal (paul) - Monday, 07 March 2005, 04:09 GMT
The problem here is that there's a delicate balance to be struck between safety and parsing in PKGBUILD files for arbitrary uploads from arbitrary unknown persons. Right now, the parser is overly strict.

Ideally, we could pass things off directly to bash to parse, but that would be horribly insecure. There may be some other options:

http://archlinux.spider007.net/PHPacman/

and

http://search.cpan.org/~saper/Shell-Parser-0.02/lib/Shell/Parser.pm

I'm going to set this for v2.0 because it's likely to be a lot of work to fix this properly. We might be able to special case the md5sums because of makepkg -g>>PKGBUILD.
Comment by Simo Leone (neotuli) - Thursday, 10 March 2005, 03:23 GMT
OK, I took a peek at the parser code, and found a workaround (actually, if you take a good look at the parser code, you'll realize that an arbitrary upload can be VERY easily disguised, whether or not the data payload of the upload is encoded in the PKGBUILD or as a separate file).

For now, those that like to use makepkg -g >> PKGBUILD can continue to do so, so long as they add "md5sums=()" somewhere before their build() function. This works because the later md5sums overwrites the empty one, but the empty one is enough to fool the [fairly dumb] parser.

Actually, looking at the parser...it's uhm...rudimentary, I'm going to research possible better ways to do this, and I suggest we find a way to secure it, this is a hole, and a big one at that.
Comment by Eric Johnson (eric) - Sunday, 20 March 2005, 18:46 GMT
Fixed. Parsing doesn't halt after detecting the build() function. However, anyone can continue to research a better parser.
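The following is an added illustration, not the AUR's own PHP parser (whose code is not shown on this page). It sketches, in Python, a PKGBUILD metadata extractor that never hands the file to bash: the `stop_at_build=True` mode reproduces the behaviour reported in this task (parsing halts at `build()`, so an `md5sums` appended by `makepkg -g >> PKGBUILD` is never seen), the default mode reproduces Eric's fix (parsing continues past the function body, and a later assignment overwrites an earlier one, which is why Simo's `md5sums=()` workaround is harmless), and `unsafe_values()` flags `$(...)` and backtick values that a static parser must reject rather than evaluate. The sample PKGBUILD, the `REQUIRED` list, and the assignment/function regexes are constructed assumptions for this example; brace counting to skip function bodies is a heuristic, not a shell grammar.

```python
import re

# Constructed sample PKGBUILD (not from the bug report): md5sums is appended
# after build(), which is exactly what `makepkg -g >> PKGBUILD` produces.
SAMPLE_PKGBUILD = """\
# Maintainer: someone
pkgname=foo
pkgver=1.0
pkgrel=1
source=(http://example.invalid/foo-1.0.tar.gz)

build() {
  cd $startdir/src/foo-$pkgver
  ./configure --prefix=/usr
  make || return 1
  make DESTDIR=$startdir/pkg install
}
md5sums=('d41d8cd98f00b204e9800998ecf8427e')
"""

# The workaround from the thread: an empty md5sums=() placed before build().
WORKAROUND_PKGBUILD = SAMPLE_PKGBUILD.replace("build() {", "md5sums=()\nbuild() {", 1)

REQUIRED = ("pkgname", "pkgver", "pkgrel", "source", "md5sums")  # assumed set
ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
FUNC_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*\(\)\s*\{?\s*$")  # "build() {"
UNSAFE_RE = re.compile(r"\$\(|`")  # command substitution: never evaluate it


def _strip_quotes(tok):
    if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "'\"":
        return tok[1:-1]
    return tok


def _parse_value(raw):
    """'(a b)' -> ['a', 'b']; anything else -> a plain string."""
    raw = raw.strip()
    if raw.startswith("(") and raw.endswith(")"):
        return [_strip_quotes(t) for t in raw[1:-1].split()]
    return _strip_quotes(raw)


def parse_pkgbuild(text, stop_at_build=False):
    """Collect top-level NAME=value assignments without running bash.

    Function bodies are skipped by counting braces (a heuristic that assumes
    the opening brace sits on the "name() {" line). A later assignment
    overwrites an earlier one. stop_at_build=True reproduces the old
    behaviour: parsing halts at the first function, so anything appended
    after build() is never seen.
    """
    vars_ = {}
    depth = 0
    pending = None                        # (name, lines) of a multi-line array
    for line in text.splitlines():
        stripped = line.strip()
        if pending is not None:           # still inside a multi-line array
            pending[1].append(stripped)
            if stripped.endswith(")"):
                vars_[pending[0]] = _parse_value(" ".join(pending[1]))
                pending = None
            continue
        if depth > 0:                     # inside a function body: ignore it
            depth += stripped.count("{") - stripped.count("}")
            continue
        if not stripped or stripped.startswith("#"):
            continue
        if FUNC_RE.match(stripped):
            if stop_at_build:
                break                     # the bug: nothing after this is read
            depth += stripped.count("{") - stripped.count("}")
            continue
        m = ASSIGN_RE.match(stripped)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith("(") and not raw.endswith(")"):
            pending = (name, [raw])       # array continues on following lines
        else:
            vars_[name] = _parse_value(raw)
    return vars_


def missing_required(vars_):
    return [k for k in REQUIRED if k not in vars_]


def unsafe_values(vars_):
    """Names whose values contain $( or backticks: reject, never evaluate."""
    bad = []
    for name, val in vars_.items():
        items = val if isinstance(val, list) else [val]
        if any(UNSAFE_RE.search(i) for i in items):
            bad.append(name)
    return bad


if __name__ == "__main__":
    print("old parser, missing:", missing_required(parse_pkgbuild(SAMPLE_PKGBUILD, stop_at_build=True)))
    print("fixed parser, md5sums:", parse_pkgbuild(SAMPLE_PKGBUILD)["md5sums"])
    print("workaround on old parser:", parse_pkgbuild(WORKAROUND_PKGBUILD, stop_at_build=True)["md5sums"])
```

Even with the halt-at-build() defect gone, a line-oriented extractor like this only answers "which metadata did the uploader declare"; it says nothing about what `build()` will do when the package is actually built, and a value such as `pkgver=$(...)` must be refused outright rather than expanded, since evaluating it would be equivalent to handing the upload to bash.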
