Implement pluggable ParsingBackend protocol #529

@lbarcziova

Description

Refactor the specfile library to support swappable parsing backends, enabling secure remote spec parsing without changing the public API.

Scope

  • Define a ParsingBackend protocol with parse() and expand() methods — the two entry points where RPM executes arbitrary code (rpm.spec() and rpm.expandMacro())
  • Implement LocalParsingBackend (default) — wraps existing Specfile._parse() and Specfile.expand() calls, preserving current behavior
  • Implement RemoteParsingBackend — HTTP client that posts spec content alongside sourcedir files to the parser service. Sourcedir content must be sent (Option B from the research) because dummy files for %include/%{load:...} are unreliable — if included content defines macros or affects syntax, parsing fails with RPMException. See the research for trade-offs between JSON+base64 and multipart+tarball for source file transfer.
  • Configuration via a class-level attribute (Specfile._backend) — consumers set the backend programmatically (e.g. Specfile._backend = RemoteParsingBackend(url)). Defaults to LocalParsingBackend (CLI, local dev).
  • Tests verifying all specfile operations produce identical results through both backends

Context

See packit/research#229. All dangerous RPM calls flow through Specfile._parse() and Specfile.expand() — the backend intercepts at exactly these two points.
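
The JSON+base64 transfer option mentioned for RemoteParsingBackend, sketched as an added example that is not code from the specfile project or from the issue author. The function names `build_payload` and `unpack_payload` and the JSON field names `spec` and `sources` are assumptions made for illustration; the service-side half treats client-supplied file names as untrusted.

```python
import base64
import json
from pathlib import Path, PurePosixPath


def build_payload(spec_content: str, sourcedir: Path) -> str:
    """Client side (hypothetical): pack the spec and every regular file in sourcedir."""
    sources = {}
    for path in sorted(sourcedir.rglob("*")):
        # Skip symlinks so a link in sourcedir cannot pull in files outside it.
        if path.is_symlink() or not path.is_file():
            continue
        name = path.relative_to(sourcedir).as_posix()
        sources[name] = base64.b64encode(path.read_bytes()).decode("ascii")
    return json.dumps({"spec": spec_content, "sources": sources})


def unpack_payload(payload: str, dest: Path) -> str:
    """Service side (hypothetical): recreate sourcedir under dest, return the spec.

    File names come from the client and are untrusted, so absolute paths
    and ".." components are rejected before anything is written.
    """
    data = json.loads(payload)
    root = dest.resolve()
    for name, encoded in data["sources"].items():
        rel = PurePosixPath(name)
        if rel.is_absolute() or ".." in rel.parts or not rel.parts:
            raise ValueError(f"unsafe source file name: {name!r}")
        target = (root / rel).resolve()
        # Second check after resolution: the final path must stay under dest.
        if root not in target.parents:
            raise ValueError(f"source file escapes sourcedir: {name!r}")
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(base64.b64decode(encoded, validate=True))
    return data["spec"]
```

The parser service would call `unpack_payload` into a fresh temporary directory per request and only then hand the spec and that directory to RPM.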

Metadata

    Labels

    area/general: Not tied to a specific area
    complexity/single-task: Regular task; should be done within days
    kind/internal: Task that doesn't affect users directly
