For the time being, please use a fully qualified address for sources, not a variable-based one. Currently, it only knows about pkgname and pkgver, because they are very commonly used.

The biggest hurdle here is that we don't want to acutally use bash to evaluate the pkgbuilds, because it just becomes too much of a security hazard, so all the evaluation is taking place in php.

Off the top of my head I think there might be an easy way to fix this, but I'm not all too fond of it. Basically I'm thinking parse through the sources array replacing anything that matches $[key] from earlier with it's value. hmm....

I've marked this for 2.0 . I'm thinking that the entire bash-wannabe parser is going to get overhauled for that series, and this should be one of the things in it.

One of my packages require the use of string replacement to get the $pkgver to match up with the developer's weird way of naming their tarballs on sourceforge. Do you think it'd be feasible to add support for string replacement?

The package I'm talking about is eclipse-pydev

As we've found out, actually using bash to interpret pkgbuilds is impossible to secure so perhaps we need to write a more advanced parser than what's currently used.

There's a patch in git which satisfies this bug report.