>Number:         30362
>Category:       pkg
>Synopsis:       do-sandbox-build uses 'which' and wrong quoting
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat May 28 22:22:00 +0000 2005
>Originator:     Alexander Becher
>Release:        NetBSD 2.0_STABLE
>Organization:
	
>Environment:
	
	
System: NetBSD abn 2.0_STABLE NetBSD 2.0_STABLE (kernel) #18: Sat May 21 14:41:45 CEST 2005 alex@abn:/home/alex/kernel i386
Architecture: i386
Machine: i386
>Description:
        pkgsrc/mk/bulk/do-sandbox-build uses sh=`which sh`. 'which' should
	not be used, however, in a /bin/sh script. For the Bourne shell,
	that's `command -v sh`, or maybe `type -p`.

	Also, its way of passing the command line arguments is wrong.
	For "$@" = foo bar baz (3 args), sh -c "cd ... && sh ... $@"
	expands to sh -c "cd ... && sh ... foo" bar baz, which is not
	what is wanted. You can easily watch this by replacing the
	second occurrence of sh by something like the following:
	perl -lwe 'print join("\n", @ARGV)'.
>How-To-Repeat:
	sudo sh /usr/pkgsrc/mk/bulk/do-sandbox-build -s -m -r
	# watch it build the packages, instead of just fetching the distfiles
	^C
	sudo sh /usr/pkgsrc/mk/bulk/do-sandbox-build -s -m -r
	# watch the pre-build script being run again
>Fix:
Index: do-sandbox-build
===================================================================
RCS file: /cvsroot/pkgsrc/mk/bulk/do-sandbox-build,v
retrieving revision 1.10
diff -u -r1.10 do-sandbox-build
--- do-sandbox-build    7 May 2005 22:16:38 -0000       1.10
+++ do-sandbox-build    28 May 2005 22:03:57 -0000
@@ -7,5 +7,5 @@
 # See pkgsrc/doc/pkgsrc.txt for documentation!
 #
 
-sh=`which sh`
-chroot /usr/sandbox $sh -c "cd /usr/pkgsrc && $sh mk/bulk/build $@"
+sh=`command -v sh`
+chroot /usr/sandbox $sh -c "cd /usr/pkgsrc && $sh mk/bulk/build "'"$@"' -- "$@"

>Unformatted: