fix: avoid operand evaluation as argument

Explicit end option parsing as the shell can be quite dangerous without
it.

salt/dom0/files/backup/qusal.conf.example

@@ -17,7 +17,7 @@ compression: true
 passphrase_text: my-password
 
 destination_vm: backup-ssh
-destination_path: ssh backup 'cat | tee /dir/qubes-backup-$(date +%Y-%m-%d-%H-%M-%S) >/dev/null'
+destination_path: ssh backup 'cat | tee -- /dir/qubes-backup-$(date +%Y-%m-%d-%H-%M-%S) >/dev/null'
 
 ## $ qvm-backup-find-last backup-ssh /dir/ 'ssh backup'
 ## $ qvm-backup-restore --verify-only -d backup-ssh \

salt/dom0/files/bin/qubes-kde-win-rules

@@ -25,10 +25,10 @@ writeconf(){
   key="$2"
   value="$3"
 
-  group_id="$(grep -B1 -- "^Description=${group}$" "${file}" | head -1 |
+  group_id="$(grep -B1 -e "^Description=${group}$" -- "${file}" | head -1 |
     tr -d "[" | tr -d "]")"
   if test -z "${group_id}"; then
-    highest_id="$(grep -- "\[[0-9]\+\]" "${file}" | tr -d "[" | tr -d "]" |
+    highest_id="$(grep -e "\[[0-9]\+\]" -- "${file}" | tr -d "[" | tr -d "]" |
       sort | tail -1)"
     if test -n "${highest_id}"; then
       group_id="$((highest_id+1))"

salt/dom0/files/bin/qvm-mgmt

@@ -13,8 +13,8 @@ usage(){
 get_qube_feat(){
   qube="${1}"
   qvm-features "${qube}" | \
-    grep -E "^(os-(distribution|version)|template-(release|name))" | \
-    sed "s/  / /g;s/ /: /;s/^/  /"
+    grep -E -e "^(os-(distribution|version)|template-(release|name))" | \
+    sed -e "s/  / /g;s/ /: /;s/^/  /"
 }
 
 case "${1-}" in

salt/dom0/files/bin/qvm-pci-regain

@@ -37,7 +37,7 @@ esac
 uid="$(id -u)"
 test "${uid}" = "0" || exec sudo "${0}"
 
-echo "${device}" | tee /sys/bus/pci/drivers/pciback/unbind
-modalias="$(cat "/sys/bus/pci/devices/${device}/modalias")"
+echo "${device}" | tee -- /sys/bus/pci/drivers/pciback/unbind
+modalias="$(cat -- "/sys/bus/pci/devices/${device}/modalias")"
 module="$(modprobe -R "${modalias}" | head -n 1)"
-echo "${device}" | tee "/sys/bus/pci/drivers/${module}/bind"
+echo "${device}" | tee -- "/sys/bus/pci/drivers/${module}/bind"

salt/dom0/files/bin/qvm-port-forward

@@ -21,7 +21,7 @@ run_qube(){
 
 create_net_dir(){
   qube="${1}"
-  run_qube "${qube}" mkdir -p "${hook_dir}"
+  run_qube "${qube}" mkdir -p -- "${hook_dir}"
 }
 
 validate_handle(){
@@ -78,7 +78,7 @@ get_rule_handle(){
   rule="${3}"
   run_qube "${qube}" \
     "nft --handle --stateless list chain ip qubes ${chain} |
-    tr -d '\"' | grep '^\s\+${rule} # handle ' | awk '{print \$NF}' |
+    tr -d '\"' | grep -e '^\s\+${rule} # handle ' | awk '{print \$NF}' |
     tr '\n' ' '" 2>/dev/null
 }
 
@@ -165,7 +165,7 @@ get_handle(){
   chain=\\\${1}
   rule=\\\${2}
   nft --handle --stateless list chain ip qubes \\\${chain} | \\\
-    tr -d '\\\"' | grep '^\\\s\\\+\\\${rule} \\# handle ' | \\\
+    tr -d '\\\"' | grep -e '^\\\s\\\+\\\${rule} \\# handle ' | \\\
     awk '{print \\\$NF}' | tr \\\"\\\n\\\" \\\" \\\"
 }
 
@@ -187,8 +187,8 @@ ${full_rule}"
 
       create_net_dir "${from_qube}"
       run_qube "${from_qube}" \
-        "echo \"${full_rule}\" | tee \"${hook}\" >/dev/null"
-      run_qube "${from_qube}" "chmod +x ${hook}"
+        "echo \"${full_rule}\" | tee -- \"${hook}\" >/dev/null"
+      run_qube "${from_qube}" "chmod -- +x ${hook}"
     fi
   fi
 }
@@ -216,7 +216,7 @@ get_handle(){
   chain=\\\${1}
   rule=\\\${2}
   nft --handle --stateless list chain ip qubes \\\${chain} | \\\
-    tr -d '\\\"' | grep '^\\\s\\\+\\\${rule} \\# handle ' | \\\
+    tr -d '\\\"' | grep -e '^\\\s\\\+\\\${rule} \\# handle ' | \\\
     awk '{print \\\$NF}' | tr \\\"\\\n\\\" \\\" \\\"
 }
 
@@ -229,8 +229,9 @@ fi
 
 ${input_rule}"
 
-      run_qube "${qube}" "echo \"${input_rule}\" | tee \"${hook}\" >/dev/null"
-      run_qube "${qube}" "chmod +x ${hook}"
+      run_qube "${qube}" \
+        "echo \"${input_rule}\" | tee -- \"${hook}\" >/dev/null"
+      run_qube "${qube}" "chmod -- +x ${hook}"
     fi
   fi
 }

salt/dom0/files/bin/qvm-screenshot

@@ -70,7 +70,7 @@ Development mode:
 ## Expand directory only in the qube.
 qube_pictures_dir="\$(xdg-user-dir PICTURES)"
 guivm_pictures_dir="$(xdg-user-dir PICTURES)"
-mkdir -p "${guivm_pictures_dir}" || exit 1
+mkdir -p -- "${guivm_pictures_dir}" || exit 1
 
 current_date="$(date +"%Y-%m-%d-%H%M%S")"
 screenshot_basename="${current_date}.png"
@@ -292,14 +292,14 @@ if test -z "${qube}"; then
   dialog_title="Select destination qube (Unix based):"
   case "${dialog_cmd}" in
     zenity)
-      qube_list="$(echo "${qube_list}" | sed "s/^/FALSE /")"
+      qube_list="$(echo "${qube_list}" | sed -e "s/^/FALSE /")"
       # shellcheck disable=SC2086
       qube="$(zenity --list  --width=200 --height=390 \
               --text "${dialog_title}" \
               --radiolist --column "Pick" --column "qube" ${qube_list})"
       ;;
     kdialog)
-      qube_list="$(echo "${qube_list}" | sed "s/\(.*\)/\1 \1 off/")"
+      qube_list="$(echo "${qube_list}" | sed -e "s/\(.*\)/\1 \1 off/")"
       # shellcheck disable=SC2086
       qube="$(kdialog --radiolist "${dialog_title}" ${qube_list})"
       ;;
@@ -328,12 +328,12 @@ if ! qvm-check -- "${qube}" >/dev/null 2>&1; then
   exit 1
 fi
 
-qvm-run "${qube}" -- "mkdir -p \"${qube_pictures_dir}\""
+qvm-run "${qube}" -- "mkdir -p -- \"${qube_pictures_dir}\""
 qvm-run --pass-io "${qube}" -- "cat > \"${qube_screenshot_file}\"" \
   < "${screenshot_file}"
 
 if test "${file_move}" = "1"; then
-  rm -f "${screenshot_file}"
+  rm -f -- "${screenshot_file}"
 fi
 
 if test "${file_manager}" = "1"; then

salt/dotfiles

@@ -1 +1 @@
-Subproject commit 7e2502b70a0f336ef74e31b4d9bf3e4aadd785a3
+Subproject commit b38834d66b8d7c7cf2d29726f5f7e608bd0b2e78

salt/electrum/files/client/rpc/qusal.InstallElectrum

@@ -10,13 +10,13 @@ bin_dir="/usr/bin"
 app_dir="/usr/share/applications"
 tmp_dir="/tmp/electrum-upload"
 
-rm -rf "${tmp_dir}"
-mkdir -p "${tmp_dir}"
+rm -rf -- "${tmp_dir}"
+mkdir -p -- "${tmp_dir}"
 qfile-unpacker 0 "${tmp_dir}"
 cd "${tmp_dir}"
-cp -r electrum "${python_dir}"/
-cp electrum.desktop "${app_dir}"/
-cp run_electrum "${bin_dir}"/electrum
+cp -r -- electrum "${python_dir}"/
+cp -- electrum.desktop "${app_dir}"/
+cp -- run_electrum "${bin_dir}"/electrum
 
 ## Qube needs to shutdown for the app qube to have the uploaded files.
 shutdown now

salt/mail/README.md

@@ -130,7 +130,7 @@ mails will be done in `disp-mail-fetcher`.
 Copy example configuration file to where the program can read automatically:
 
 ```sh
-cp ~/.fdm.conf.example ~/.fdm.conf
+cp -- ~/.fdm.conf.example ~/.fdm.conf
 ```
 
 Edit the configuration according to your needs:
@@ -166,7 +166,7 @@ according to your needs.
 Copy example configuration file to where the program can read automatically:
 
 ```sh
-cp ~/.mporc.example ~/.mpoprc
+cp -- ~/.mporc.example ~/.mpoprc
 ```
 
 Edit the configuration according to your needs:
@@ -249,7 +249,7 @@ mails are done in `disp-mail-sender`.
 Copy example configuration file to where the program can read automatically:
 
 ```sh
-cp ~/.msmtprc.example ~/.msmtprc
+cp -- ~/.msmtprc.example ~/.msmtprc
 ```
 
 Edit the configuration according to your needs:

salt/mail/files/reader/rpc/qusal.MailFetch

@@ -9,7 +9,7 @@ inbox_dir="${HOME}/mail/INBOX"
 uid="$(id -u user)"
 
 # shellcheck disable=SC2174
-mkdir -p "${inbox_dir}"
-chmod 0700 "${inbox_dir}"
+mkdir -p -- "${inbox_dir}"
+chmod -- 0700 "${inbox_dir}"
 
 qfile-unpacker "${uid}" "${inbox_dir}"

salt/mail/files/sender/rpc/qusal.MailEnqueue

@@ -9,7 +9,7 @@ queue_dir="${MSMTP_Q:-"${Q:-"${HOME}/.msmtp.queue"}"}"
 uid="$(id -u user)"
 
 # shellcheck disable=SC2174
-mkdir -p "${queue_dir}"
-chmod 0700 "${queue_dir}"
+mkdir -p -- "${queue_dir}"
+chmod -- 0700 "${queue_dir}"
 
 exec qfile-unpacker "${uid}" "${queue_dir}"

salt/sys-bitcoin/files/client/bin/bitcoin-rpcauth-save

@@ -11,8 +11,8 @@ fi
 auth="$(qrexec-client-vm -tT -- @default qusal.BitcoinAuthGet)"
 
 if test -n "${auth}"; then
-  mkdir -p ~/.bitcoin/.cookie
-  echo "${auth}" | tee ~/.bitcoin/.cookie >/dev/null
+  mkdir -p -- ~/.bitcoin/.cookie
+  echo "${auth}" | tee -- ~/.bitcoin/.cookie >/dev/null
 else
   echo "failed to get Bitcoin Authentication" >&2
   exit 1

salt/sys-bitcoin/files/client/bin/bitcoin-tx-notify

@@ -18,7 +18,7 @@ else
   body="TXID ${txid} is in block ${block_height} ${block_hash}"
 fi
 
-echo "${date} ${title}: ${body}" | tee ~/.bitcoin/walletnotify.log
+echo "${date} ${title}: ${body}" | tee -- ~/.bitcoin/walletnotify.log
 if command -v notify-send >/dev/null; then
   notify-send -t 10000 "${title}" "${body}"
 fi

salt/sys-bitcoin/files/server/bin/bitcoin-dbcache

@@ -6,6 +6,6 @@
 set -eu
 
 conf="${HOME}/.bitcoin/conf.d/dbcache.conf"
-cache_Mi="$(awk '/^MemTotal:/{printf "%.0f", $2/1024}' /proc/meminfo)"
+cache_Mi="$(awk -- '/^MemTotal:/{printf "%.0f", $2/1024}' /proc/meminfo)"
 cache="$((cache_Mi*75/100))"
-echo "dbcache=${cache}" | tee "${conf}" >/dev/null
+echo "dbcache=${cache}" | tee -- "${conf}" >/dev/null

salt/sys-bitcoin/files/server/bin/bitcoin-rpcwhitelist-cookie

@@ -15,4 +15,4 @@ fi
 
 rpc_list="$(bitcoin-cli help | awk '/^[a-z]/{print $1}' | tr "\n" ",")"
 
-echo "rpcwhitelist=__cookie__:${rpc_list}" | tee "${conf}" >/dev/null
+echo "rpcwhitelist=__cookie__:${rpc_list}" | tee -- "${conf}" >/dev/null

salt/sys-bitcoin/files/server/bin/bitcoin-whitepaper

@@ -49,25 +49,25 @@ getblock(){
     | tail -c+92167 \
     | for ((o=0;o<946;++o)); do \
         read -rN420 x; \
-        echo -n "${x::130}${x:132:130}${x:264:130}"; \
+        printf '%s' "${x::130}${x:132:130}${x:264:130}"; \
       done \
     | xxd -r -p \
     | tail -c+9 \
     | head -c184292 \
-    | tee "${output_file}" >/dev/null
+    | tee -- "${output_file}" >/dev/null
 }
 
 getrawtransaction(){
   check_installed bitcoin-cli xxd
   # shellcheck disable=SC2312
   bitcoin-cli getrawtransaction "${txid}" 0 "${block_hash}" \
-    | sed 's/0100000000000000/\n/g' \
+    | sed -e 's/0100000000000000/\n/g' \
     | tail -n +2 \
     | cut -c7-136,139-268,271-400 \
     | tr -d '\n' \
     | cut -c17-368600 \
     | xxd -p -r \
-    | tee "${output_file}" >/dev/null
+    | tee -- "${output_file}" >/dev/null
 }
 
 gettxout(){

salt/sys-bitcoin/files/server/rpc/qusal.BitcoinAuthGet

@@ -21,8 +21,8 @@ if ! systemctl is-active bitcoind >/dev/null 2>&1; then
 fi
 
 if test -r "${bitcoin_conf}"; then
-  if grep -qs "^\s*rpcauth=${user}:" "${bitcoin_conf}"; then
-    grep -m1 "^${user}:" "${bitcoin_pass}"
+  if grep -qs -e "^\s*rpcauth=${user}:" -- "${bitcoin_conf}"; then
+    grep -m1 -e "^${user}:" -- "${bitcoin_pass}"
     exit
   fi
 fi
@@ -32,13 +32,14 @@ if ! command -v bitcoin-rpcauth >/dev/null; then
   exit 127
 fi
 
-full_auth="$(bitcoin-rpcauth "${user}" | sed -n '2p;4p')"
+full_auth="$(bitcoin-rpcauth "${user}" | sed -n -e '2p;4p')"
 rpcauth="$(echo "${full_auth}" | head -1)"
 user="$(echo "${rpcauth}" | cut -d "=" -f2 | cut -d ":" -f1)"
 password="$(echo "${full_auth}" | tail -1)"
 
-echo "${rpcauth}" | sudo -u user tee -a "${bitcoin_conf}" >/dev/null
-echo "${user}:${password}" | sudo -u user tee -a "${bitcoin_pass}" >/dev/null
+echo "${rpcauth}" | sudo -u user -- tee -a -- "${bitcoin_conf}" >/dev/null
+echo "${user}:${password}" | \
+  sudo -u user -- tee -a -- "${bitcoin_pass}" >/dev/null
 echo "${user}:${password}"
 
 ## Restart bitcoind to apply the configuration changes. Currently, there is no

salt/sys-bitcoin/files/server/rpc/qusal.InstallBitcoin

@@ -11,21 +11,21 @@ share_dir="${prefix_dir}/share/bitcoin"
 share_examples_dir="${share_dir}/examples"
 tmp_dir="/tmp/bitcoin-upload"
 
-rm -rf "${tmp_dir}"
-mkdir -p "${tmp_dir}"
-mkdir -p "${share_dir}"
-mkdir -p "${share_examples_dir}"
+rm -rf -- "${tmp_dir}"
+mkdir -p -- "${tmp_dir}"
+mkdir -p -- "${share_dir}"
+mkdir -p -- "${share_examples_dir}"
 qfile-unpacker 0 "${tmp_dir}"
 cd "${tmp_dir}"
 
-cp -r bin share "${prefix_dir}"/
+cp -r -- bin share "${prefix_dir}"/
 if test -f README.md; then
-  cp -r README.md "${share_dir}"/
+  cp -r -- README.md "${share_dir}"/
 fi
 if test -f bitcoin.conf; then
-  cp -r bitcoin.conf "${share_examples_dir}"/
+  cp -r -- bitcoin.conf "${share_examples_dir}"/
 fi
-cp share/rpcauth/rpcauth.py "${bin_dir}"/bitcoin-rpcauth
+cp -- share/rpcauth/rpcauth.py "${bin_dir}"/bitcoin-rpcauth
 
 ## Qube needs to shutdown for the app qube to have the uploaded files.
 shutdown now

salt/sys-cacher/README.md

@@ -102,7 +102,7 @@ administrative access to the cacher qube.  You should add the following to the
 end of `sys-cacher` rc.local:
 
 ```sh
-echo "AdminAuth: username:password" | tee /etc/qusal-apt-cacher-ng/zzz_security.conf
+echo "AdminAuth: username:password" | tee -- /etc/qusal-apt-cacher-ng/zzz_security.conf
 ```
 
 Where username and password are HTTP Auth strings.
@@ -158,7 +158,7 @@ qvm-tags QUBE add updatevm-sys-cacher
 qvm-features QUBE service.updates-proxy-setup 1
 sudo qubesctl --skip-dom0 --targets=QUBE state.apply sys-cacher.install-client
 qvm-run --user=root QUBE -- "
-touch /var/run/qubes-service/updates-proxy-setup
+touch -- /var/run/qubes-service/updates-proxy-setup
 /usr/bin/apt-cacher-ng-repo
 systemctl restart qubes-updates-proxy-forwarder.socket"
 ```

salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc

@@ -4,7 +4,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-cp -r /rw/config/systemd/qusal-acng-browser-forwarder* \
+cp -r -- /rw/config/systemd/qusal-acng-browser-forwarder* \
   /usr/lib/systemd/system/
 systemctl daemon-reload
 systemctl --no-block restart qusal-acng-browser-forwarder.socket

salt/sys-cacher/files/client/bin/apt-cacher-ng-repo

@@ -28,18 +28,18 @@ set_proxy_marker(){
   proxy_file="${1}"
   proxy_options="${2}"
 
-  if ! grep -q "^${marker_begin}$" "${proxy_file}"; then
-    if grep -q "^${marker_end}$" "${proxy_file}"; then
+  if ! grep -q -e "^${marker_begin}$" -- "${proxy_file}"; then
+    if grep -q -e "^${marker_end}$" -- "${proxy_file}"; then
       msg="found marker ${marker_end_text} but not ${marker_begin_text}"
       msg="${msg} in ${proxy_file}."
       msg="${msg} fix it by removing markers or adding missing ones and retry"
       echo "Error: ${msg}" >&2
       exit 1
     fi
-    cp "${proxy_file}" "${proxy_file}.qubes-orig"
-    echo "${marker_begin}" | tee -a "${proxy_file}" >/dev/null
-    echo "${marker_end}" | tee -a "${proxy_file}" >/dev/null
-  elif ! grep -q "^${marker_end}$" "${proxy_file}"; then
+    cp -- "${proxy_file}" "${proxy_file}.qubes-orig"
+    echo "${marker_begin}" | tee -a -- "${proxy_file}" >/dev/null
+    echo "${marker_end}" | tee -a -- "${proxy_file}" >/dev/null
+  elif ! grep -q -e "^${marker_end}$" -- "${proxy_file}"; then
     msg="found marker ${marker_begin_text} but not ${marker_end_text}"
     msg="${msg} in ${proxy_file}."
     msg="${msg} fix it by removing markers or adding missing ones and retry"
@@ -56,16 +56,16 @@ ${proxy_options}
 EOF
 
   ## Couldn't figure out how to write only changes on the next sed.
-  if ! grep -q "${proxy_options}" "${proxy_file}"; then
-    tee -a "${changes_file}" <"${proxy_tmp_file}" >/dev/null
+  if ! grep -q -e "${proxy_options}" -- "${proxy_file}"; then
+    tee -a -- "${changes_file}" <"${proxy_tmp_file}" >/dev/null
   fi
   ## GNU Sed, only reliable while we don't support BSD.
   sed -i -e "/^${marker_begin}$/,/^${marker_end}$/{
     /^${marker_end}$/b
     /^${marker_begin}$/!d
     r ${proxy_tmp_file}
-    }" "${proxy_file}"
-  rm -f "${proxy_tmp_file}"
+    }" -- "${proxy_file}"
+  rm -f -- "${proxy_tmp_file}"
 }
 
 check_netvm_cacher(){
@@ -108,7 +108,7 @@ ${proxy_conf}"
 ${proxy_conf}
 EOF
     else
-      rm -f /etc/yum.conf.d/qubes-proxy.conf
+      rm -f -- /etc/yum.conf.d/qubes-proxy.conf
     fi
 
     set --
@@ -132,7 +132,7 @@ EOF
         meta_expr="s|${meta_search}|${meta_repl}|w ${changes_file}"
         find "${@}" -type f -exec sed -i \
           -e "${baseurl_expr}" -e "${meta_expr}" \
-        {} \+
+        -- {} \+
 
         set --
         for repo in \
@@ -153,7 +153,7 @@ EOF
         meta_expr="s|${meta_search}|${meta_repl}|w ${changes_file}"
         find "${@}" -type f -exec sed -i \
           -e "${baseurl_expr}" -e "${meta_expr}" \
-        {} \+
+        -- {} \+
         ;;
 
       uninstall)
@@ -165,7 +165,7 @@ EOF
         meta_expr="s|${meta_search}|${meta_repl}|w ${changes_file}"
         find "${@}" -type f -exec sed -i \
           -e "${baseurl_expr}" -e "${meta_expr}" \
-        {} \+
+        -- {} \+
 
         set --
         for repo in \
@@ -181,7 +181,7 @@ EOF
         find "${@}" -type f -exec sed -i \
           -e "s|^\s*baseurl|#baseurl|w ${changes_file}" \
           -e "s|^\s*#.*metalink\s*=|metalink=|w ${changes_file}" \
-        {} \+ 2>/dev/null || true
+        -- {} \+ 2>/dev/null || true
         ;;
       *) echo "Unsupported action" >&2; exit 1
     esac
@@ -196,7 +196,7 @@ Acquire::http::Proxy "${proxy_url}";
 Acquire::tor::proxy "${proxy_url}";
 EOF
     else
-      rm -f /etc/apt/apt.conf.d/50cacher-proxy
+      rm -f -- /etc/apt/apt.conf.d/50cacher-proxy
     fi
 
     set --
@@ -222,7 +222,7 @@ EOF
         list_expr="s|${list_search}|${list_repl}|w ${changes_file}"
         find "${@}" -type f -exec sed -i \
           -e "${list_expr}" -e "${sources_expr}" \
-        {} \+
+        -- {} \+
         ;;
 
       uninstall)
@@ -234,7 +234,7 @@ EOF
         list_expr="s|${list_search}|${list_repl}|w ${changes_file}"
         find "${@}" -type f -exec sed -i \
           -e "${list_expr}" -e "${sources_expr}" \
-        {} \+
+        -- {} \+
         ;;
       *) echo "Unsupported action" >&2; exit 1
     esac
@@ -244,18 +244,18 @@ EOF
 
     if test -n "${proxy_addr}"; then
       if ! test -d /run/qubes/bin; then
-        mkdir -p /run/qubes/bin
+        mkdir -p -- /run/qubes/bin
       fi
       cat >/run/qubes/bin/pacman <<EOF
 #!/bin/sh
 exec env ALL_PROXY="${proxy_url}" /usr/bin/pacman "\${@}"
 EOF
-      chmod +x /run/qubes/bin/pacman
+      chmod -- +x /run/qubes/bin/pacman
       cat >/etc/profile.d/qubes-proxy.sh << EOF
 export PATH=/run/qubes/bin:\${PATH}
 EOF
     else
-      rm -f /run/qubes/bin/pacman /etc/profile.d/qubes-proxy.sh
+      rm -f -- /run/qubes/bin/pacman /etc/profile.d/qubes-proxy.sh
     fi
 
     set --
@@ -278,7 +278,7 @@ EOF
         repo_regex="s|${repo_search}|${repo_repl}|w ${changes_file}"
         find "${@}" -type f -exec sed -i \
           -e "${repo_regex}" \
-        {} \+
+        -- {} \+
         ;;
 
       uninstall)
@@ -287,7 +287,7 @@ EOF
         repo_regex="s|${repo_search}|${repo_repl}|w ${changes_file}"
         find "${@}" -type f -exec sed -i \
           -e "${repo_regex}" \
-        {} \+
+        -- {} \+
         ;;
       *) echo "Unsupported action" >&2; exit 1
     esac
@@ -312,7 +312,7 @@ usage(){
 }
 
 changes_file="$(mktemp)"
-trap 'rm -f "${changes_file}"' HUP INT QUIT ABRT EXIT
+trap 'rm -f -- "${changes_file}"' HUP INT QUIT ABRT EXIT
 
 if test -f /var/run/qubes-service/updates-proxy-setup ||
   test -f /var/run/qubes-service/netvm-cacher

salt/sys-cacher/files/server/systemd/apt-cacher-ng.service.d/50_qusal.conf

@@ -8,6 +8,6 @@ After=qubes-sysinit.service
 Before=qubes-qrexec-agent.service
 
 [Service]
-ExecStartPre=chown -R apt-cacher-ng:apt-cacher-ng /var/log/apt-cacher-ng /var/cache/apt-cacher-ng
+ExecStartPre=chown -R -- apt-cacher-ng:apt-cacher-ng /var/log/apt-cacher-ng /var/cache/apt-cacher-ng
 ExecStart=
 ExecStart=/usr/sbin/apt-cacher-ng -c "/etc/qusal-apt-cacher-ng" ForeGround=1

salt/sys-electrs/files/server/rpc/qusal.InstallElectrs

@@ -9,12 +9,12 @@ bin_dir="/usr/bin"
 tmp_dir="/tmp/electrs-upload"
 man1_dir="/usr/share/man/man1"
 
-rm -rf "${tmp_dir}"
-mkdir -p "${tmp_dir}"
+rm -rf -- "${tmp_dir}"
+mkdir -p -- "${tmp_dir}"
 qfile-unpacker 0 "${tmp_dir}"
 cd "${tmp_dir}"
-cp electrs "${bin_dir}"/
-cp electrs.1 "${man1_dir}"/
+cp -- electrs "${bin_dir}"/
+cp -- electrs.1 "${man1_dir}"/
 
 ## Qube needs to shutdown for the app qube to have the uploaded files.
 shutdown now

salt/sys-electrumx/files/server/bin/electrumx-cookie-save

@@ -18,6 +18,7 @@ if ! test -r "${cookie}"; then
   exit 1
 fi
 
-auth="$(cat "${cookie}")"
+auth="$(cat -- "${cookie}")"
 
-echo "DAEMON_URL=${auth}@127.0.0.1:8332" | tee "${electrumx_conf}" >/dev/null
+echo "DAEMON_URL=${auth}@127.0.0.1:8332" | \
+  tee -- "${electrumx_conf}" >/dev/null

salt/sys-electrumx/files/server/rpc/qusal.InstallElectrumx

@@ -9,12 +9,12 @@ python_dir="/usr/lib/python3/dist-packages"
 bin_dir="/usr/bin"
 tmp_dir="/tmp/electrumx-upload"
 
-rm -rf "${tmp_dir}"
-mkdir -p "${tmp_dir}"
+rm -rf -- "${tmp_dir}"
+mkdir -p -- "${tmp_dir}"
 qfile-unpacker 0 "${tmp_dir}"
 cd "${tmp_dir}"
-cp -r electrumx "${python_dir}"/
-cp electrumx_server electrumx_rpc electrumx_compact_history "${bin_dir}"/
+cp -r -- electrumx "${python_dir}"/
+cp -- electrumx_server electrumx_rpc electrumx_compact_history "${bin_dir}"/
 
 ## Qube needs to shutdown for the app qube to have the uploaded files.
 shutdown now

salt/sys-git/files/client/git-core/git-remote-qrexec

@@ -34,7 +34,7 @@ log(){
 validate_url(){
   url_valid=""
   url_check="${1?}"
-  scheme_user_url="$(echo "${url_check}" | sed "s|://.*||")"
+  scheme_user_url="$(echo "${url_check}" | sed -e "s|://.*||")"
 
   ## Scheme must be the same as the one in the name of this script.
   ## Checks if Authority and Path exist, but not if they are valid, this is
@@ -48,7 +48,7 @@ validate_url(){
   esac
 
   urn_pattern="[0-9A-Za-z@:_.-]+/[0-9A-Za-z_.-]+(\?[0-9A-Za-z=&_-]*)?"
-  if ! (echo "${url_valid}" | grep -qE "^${scheme}://${urn_pattern}$")
+  if ! (echo "${url_valid}" | grep -qE -e "^${scheme}://${urn_pattern}$")
   then
     die "URL contains forbidden characters"
   fi
@@ -86,11 +86,12 @@ find_capabilities(){
     if test -z "${cap_helpers}"; then
       cap_helpers="${f##*"${script}-"}"
     else
-      cap_helpers="${cap_helpers}\n${f##*"${script}-"}"
+      cap_helpers="${cap_helpers}
+${f##*"${script}-"}"
     fi
   done
 
-  echo "${cap_helpers}"
+  printf '%s\n' "${cap_helpers}"
 }
 
 ## Send capabilities to remote helper specific for that capability.
@@ -98,7 +99,7 @@ send_cap(){
   cap="${1}"
   shift
 
-  if ! (echo "${capabilities}" | grep -q "^${cap}$"); then
+  if ! (echo "${capabilities}" | grep -q -e "^${cap}$"); then
     die "Unsupported capability: '${cap}'"
   fi
 
@@ -169,7 +170,7 @@ while read -r cmd arg; do
   case "${cmd}" in
     capabilities)
       for c in ${capabilities}; do log "-> ${c}"; done; log "->"
-      printf %s"${capabilities}\n\n";;
+      printf '%s\n\n' "${capabilities}";;
     *) send_cap "${cmd}" "${arg}";;
   esac
 done

salt/sys-git/files/client/git-core/git-remote-qrexec-connect

@@ -26,7 +26,7 @@ log(){
 
 ## Establish capability working.
 log "->"
-printf "\n"
+printf '\n'
 
 helper="${0##*/git-}"
 parent_helper="${helper%-*}"
@@ -61,7 +61,8 @@ vendor="qusal"
 default_qube="sys-git"
 rpc_cmd="${vendor}.${rpc}+${path}"
 
-if echo "${query}" | grep -qE "(^|&)verify_signatures=(1|[tT]rue|yes|on)($|&)"
+if echo "${query}" | \
+  grep -qE -e "(^|&)verify_signatures=(1|[tT]rue|yes|on)($|&)"
 then
   die "Remote helper does not support signature verification yet"
 fi

salt/sys-git/files/server/rpc/qusal.GitInit

@@ -23,7 +23,7 @@ if test -z "${untrusted_repo}"; then
   die "Repository name is empty"
 fi
 
-if ! (echo "${untrusted_repo}" | grep -q "^[A-Za-z0-9][A-Za-z0-9_.-]\+$")
+if ! (echo "${untrusted_repo}" | grep -q -e "^[A-Za-z0-9][A-Za-z0-9_.-]\+$")
 then
   msg="Forbidden characters in agent name."
   msg="${msg} Allowed chars: letters, numbers, hyphen, underscore and dot."
@@ -64,7 +64,7 @@ fi
 
 if ! test -d "${base_path}"; then
   # shellcheck disable=SC2174
-  mkdir -m 0700 -p "${base_path}" >/dev/null 2>&1 ||
+  mkdir -m 0700 -p -- "${base_path}" >/dev/null 2>&1 ||
     die "Cannot create directory: ${base_path}"
 fi
 

salt/sys-pgp/README.md

@@ -81,7 +81,7 @@ qvm-features dev service.split-gpg2-client 1
 On the qube `sys-pgp`, generate or import keys for the client qube `dev`:
 
 ```sh
-mkdir -p ~/.gnupg/split-gpg/dev
+mkdir -p -- ~/.gnupg/split-gpg/dev
 gpg --homedir ~/.gnupg/split-gpg/dev --import /path/to/secret.key
 gpg --homedir ~/.gnupg/split-gpg/dev --list-secret-keys
 ```

salt/sys-pihole/files/admin/prefs.sh

@@ -13,7 +13,7 @@ for qube in $(qvm-ls --raw-data --fields=NAME,NETVM |
 do
   ## Avoid overwriting netvm to sys-pihole when instead it should use the
   ## default_netvm, so better to prevent overwriting user choices.
-  qvm-prefs "${qube}" | grep -q "^netvm[[:space:]]\+D" && continue
+  qvm-prefs "${qube}" | grep -q -e "^netvm[[:space:]]\+D" && continue
   ## Set netvm for qubes that were using (disp-)sys-firewall to sys-pihole.
   qvm-prefs "${qube}" netvm sys-pihole
 done

salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc

@@ -4,6 +4,6 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-cp -r /rw/config/systemd/qubes-http-forwarder* /usr/lib/systemd/system/
+cp -r -- /rw/config/systemd/qubes-http-forwarder* /usr/lib/systemd/system/
 systemctl daemon-reload
 systemctl --no-block restart qubes-http-forwarder.socket

salt/sys-pihole/files/server/network-hooks.d/50-sys-pihole.sh

@@ -11,9 +11,9 @@ nft -f /rw/config/qubes-firewall.d/50-sys-pihole
 
 for vif in /proc/sys/net/ipv4/conf/vif*/route_localnet; do
   test -w "${vif}" || continue
-  echo 1 | tee "${vif}" >/dev/null
+  echo 1 | tee -- "${vif}" >/dev/null
 done
 
 if test -f /var/run/qubes-service/local-dns-server; then
-  echo "nameserver 127.0.0.1" | tee /etc/resolv.conf >/dev/null
+  echo "nameserver 127.0.0.1" | tee -- /etc/resolv.conf >/dev/null
 fi

salt/sys-ssh-agent/README.md

@@ -131,14 +131,14 @@ Import preexisting keys to the agent directory or generate keys for a specific
 agent:
 
 ```sh
-mkdir -m 0700 -p ~/.ssh/identities.d/<AGENT>
+mkdir -m 0700 -p -- ~/.ssh/identities.d/<AGENT>
 ssh-keygen -t ed25519 -f ~/.ssh/identities.d/<AGENT>/id_example
 ```
 
 You would do the following for the `work` agent:
 
 ```sh
-mkdir -m 0700 -p ~/.ssh/identities.d/work
+mkdir -m 0700 -p -- ~/.ssh/identities.d/work
 ssh-keygen -t ed25519 -f ~/.ssh/identities.d/work/id_example
 ```
 
@@ -218,7 +218,7 @@ agent:
 ```sh
 echo 'export SSH_AUTH_SOCK=/tmp/qusal-ssh-agent-forwarder/work.sock;
 SSH_AGENT_PID="$(pgrep -f "/tmp/qusal-ssh-agent-forwarder/work.sock")";
-' | tee -a ~/.profile
+' | tee -a -- ~/.profile
 ```
 
 #### Multiple agents per client

salt/sys-ssh-agent/files/client/systemd/qusal-ssh-agent-forwarder@.service

@@ -10,7 +10,7 @@ User=user
 Group=user
 Type=simple
 UMask=0177
-ExecStartPre=/usr/bin/mkdir -m 700 -p %T/%p
+ExecStartPre=/usr/bin/mkdir -m 700 -p -- %T/%p
 ExecStartPre=/usr/bin/ssh-agent -a %T/%p/%i.sock
 ExecStart=/usr/bin/socat UNIX-LISTEN:"%T/%p/%i.sock,unlink-early,reuseaddr,fork" EXEC:"qrexec-client-vm -- @default qusal.SshAgent+%i"
 

salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent

@@ -23,14 +23,14 @@ Example:
 ls_agent(){
   socket="/tmp/${service}/${agent}.sock"
   test -S "${socket}" || return 1
-  agent="$(echo "${socket}" | sed "s|.*${service}/||;s/\.sock//")"
+  agent="$(echo "${socket}" | sed -e "s|.*${service}/||;s/\.sock//")"
   echo "Agent: (${agent}) ${socket}"
   SSH_AUTH_SOCK="${socket}" ssh-add -l || true
 }
 
 add_agent(){
   # shellcheck disable=SC2174
-  mkdir -m 0700 -p "/tmp/${service}"
+  mkdir -m 0700 -p -- "/tmp/${service}"
   dir="${HOME}/.ssh/identities.d/${agent}"
   if ! test -d "${dir}"; then
     echo "Directory not found: ${dir}" >&2
@@ -45,8 +45,8 @@ add_agent(){
   if ! test "${reload_agent}" = "1"; then
     return
   fi
-  keys="$(grep -sl -- "-----BEGIN OPENSSH PRIVATE KEY-----" \
-          "${HOME}/.ssh/identities.d/${dir}"/* || true)"
+  keys="$(grep -sl -e "-----BEGIN OPENSSH PRIVATE KEY-----" \
+          -- "${HOME}/.ssh/identities.d/${dir}"/* || true)"
   if test -z "${keys}"; then
     echo "Directory has no key: ${dir}" >&2
     return 1
@@ -56,7 +56,7 @@ add_agent(){
     test -f "${k}" || continue
     ssh_add_option=""
     if test -f "${k}.ssh-add-option"; then
-      ssh_add_option="$(cat "${k}.ssh-add-option")"
+      ssh_add_option="$(cat -- "${k}.ssh-add-option")"
     fi
     # shellcheck disable=SC2086
     SSH_AUTH_SOCK="${socket}" ssh-add ${ssh_add_option} "${k}"

salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent

@@ -18,7 +18,7 @@ if test -z "${untrusted_agent}"; then
   die "Agent name is empty"
 fi
 
-if ! (echo "${untrusted_agent}" | grep -q "^[A-Za-z0-9][A-Za-z0-9_.-]\+$")
+if ! (echo "${untrusted_agent}" | grep -q -e "^[A-Za-z0-9][A-Za-z0-9_.-]\+$")
 then
   msg="Forbidden characters in agent name."
   msg="${msg} Allowed chars: letters, numbers, hyphen, underscore and dot."

salt/sys-ssh/README.md

@@ -94,7 +94,7 @@ From the client, mount the server `/home/user` directory as a SSH File System
 in the client `/home/user/sshfs` directory:
 
 ```sh
-mkdir ~/sshfs
+mkdir -- ~/sshfs
 sshfs -p 1840 localhost:/home/user /home/user/sshfs
 ```
 

salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc

@@ -4,7 +4,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
-cp -r /rw/config/systemd/qusal-syncthing-browser-forwarder* \
+cp -r -- /rw/config/systemd/qusal-syncthing-browser-forwarder* \
   /usr/lib/systemd/system/
 systemctl daemon-reload
 systemctl --no-block restart qusal-syncthing-browser-forwarder.socket

salt/sys-wireguard/files/admin/bin/qvm-wireguard

@@ -45,13 +45,13 @@ qvm-run "${qube}" -- "test -f ${user_conf}" || {
   exit 1
 }
 
-qvm-run -u root "${qube}" -- "cp ${user_conf} ${system_conf}"
+qvm-run -u root "${qube}" -- "cp -- \"${user_conf}\" \"${system_conf}\""
 
 ## TOFU
 # shellcheck disable=SC2016
 endpoint="$(qvm-run -p -u root "${qube}" -- awk '/Endpoint/{print $3}' \
   "${system_conf}")"
-if echo "${endpoint}" | grep -qF "["; then
+if echo "${endpoint}" | grep -qF -e "["; then
   ip="${ip##[\[]}"
   ip="${ip%%\]*}"
   port="${endpoint##*:}"

salt/sys-wireguard/files/server/network-hooks.d/50-sys-wireguard

@@ -6,6 +6,6 @@
 
 set -eu
 
-ln -sf /run/resolvconf/resolv.conf /etc/resolv.conf
+ln -sf -- /run/resolvconf/resolv.conf /etc/resolv.conf
 /rw/config/qubes-firewall.d/50-sys-wireguard-var
 nft -f /rw/config/qubes-firewall.d/60-sys-wireguard-nat

salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-var

@@ -9,12 +9,12 @@ set -eu
 wg_conf="/etc/wireguard/wireguard.conf"
 nft_conf="/var/run/wireguard/dnat.nft"
 
-mkdir -p "${nft_conf%/*}"
-rm -f "${nft_conf}"
-touch "${nft_conf}"
+mkdir -p -- "${nft_conf%/*}"
+rm -f -- "${nft_conf}"
+touch -- "${nft_conf}"
 
 set_nft(){
-  echo "${*}" | tee -a "${nft_conf}" >/dev/null
+  echo "${*}" | tee -a -- "${nft_conf}" >/dev/null
 }
 
 set_nft_dnat(){
@@ -26,7 +26,8 @@ set_nft_dnat(){
   set_nft "${rule_prefix} ${rule_suffix}"
 }
 
-dns="$(grep -s "^\s*DNS\s*=\s*\S\+" "${wg_conf}" | sed "s/.*=//;s/ //g")"
+dns="$(grep -s -e "^\s*DNS\s*=\s*\S\+" -- "${wg_conf}" |
+  sed -e "s/.*=//;s/ //g")"
 
 if test -z "${dns}"; then
   set_nft "insert rule ip  qubes custom-dnat drop"
@@ -38,22 +39,22 @@ dns_primary="$(echo "${dns}" | cut -d "," -f 1)"
 dns_secondary="$(echo "${dns}" | cut -d "," -f 2)"
 
 dns_primary_ipv=""
-if echo "${dns_primary}" | grep -qF ":"; then
+if echo "${dns_primary}" | grep -qF -e ":"; then
   dns_primary_ipv=6
 fi
 
 dns_secondary_ipv=""
-if echo "${dns_secondary}" | grep -qF ":"; then
+if echo "${dns_secondary}" | grep -qF -e ":"; then
   dns_secondary_ipv=6
 fi
 
 if test -n "${dns}"; then
   set_nft_dnat "${dns_primary_ipv}" udp "${dns_primary}"
   set_nft_dnat "${dns_primary_ipv}" tcp "${dns_primary}"
-  if echo "${dns}" | grep -qF ","; then
+  if echo "${dns}" | grep -qF -e ","; then
     set_nft_dnat "${dns_secondary_ipv}" udp "${dns_secondary}"
     set_nft_dnat "${dns_secondary_ipv}" tcp "${dns_secondary}"
   fi
 fi
 
-ln -sf /run/resolvconf/resolv.conf /etc/resolv.conf
+ln -sf -- /run/resolvconf/resolv.conf /etc/resolv.conf

scripts/pgp-lint.sh

@@ -12,7 +12,7 @@ test -d "${repo_toplevel}" || exit 1
 cd "${repo_toplevel}"
 unset repo_toplevel
 
-now="$(date +%s)"
+now="$(date -- +%s)"
 fail="0"
 find_tool="$(./scripts/best-program.sh fd fdfind find)"
 
@@ -46,7 +46,7 @@ fi
 for key in ${files}; do
   data="$(gpg --no-keyring --no-auto-check-trustdb --no-autostart \
     --with-colons --show-keys "${key}")"
-  nr="$(echo "${data}" | grep -Ec '^(p|s)ub:')"
+  nr="$(echo "${data}" | grep -Ec -e '^(p|s)ub:')"
   ## Threshold in days.
   threshold="${PGP_LINT_THRESHOLD:-30}"
   tty_stderr=0

scripts/qubesbuilder-gen.sh

@@ -23,14 +23,14 @@ if test "${1-}" = "test"; then
 fi
 ignored="$(git ls-files --exclude-standard --others --ignored salt/)"
 untracked="$(git ls-files --exclude-standard --others salt/)"
-unwanted="$(printf %s"${ignored}\n${untracked}\n" |
-  grep "^salt/\S\+/README.md" | cut -d "/" -f2 | sort -u)"
+unwanted="$(printf '%s\n%s\n' "${ignored}" "${untracked}" |
+  grep -e "^salt/\S\+/README.md" | cut -d "/" -f2 | sort -u)"
 group="$(./scripts/spec-get.sh dom0 group)"
 projects="$(find salt/ -mindepth 1 -maxdepth 1 -type d | sort -d |
-  sed "s|^salt/\(\S\+\)|      - rpm_spec/${group}-\1.spec|")"
+  sed -e "s|^salt/\(\S\+\)|      - rpm_spec/${group}-\1.spec|")"
 for unwanted_project in ${unwanted}; do
   projects="$(echo "${projects}" |
-    sed "\@rpm_spec/${group}-${unwanted_project}.spec@d")"
+    sed -e "\@rpm_spec/${group}-${unwanted_project}.spec@d")"
 done
 
 if test "${1-}" = "print"; then
@@ -38,10 +38,10 @@ if test "${1-}" = "print"; then
   exit 0
 fi
 
-sed -e "/@SPEC@/d" "${template}" | tee "${target}" >/dev/null
-echo "${projects}" | tee -a "${target}" >/dev/null
+sed -e "/@SPEC@/d" -- "${template}" | tee -- "${target}" >/dev/null
+echo "${projects}" | tee -a -- "${target}" >/dev/null
 if test "${1-}" = "test"; then
-  if ! cmp -s "${target}" "${intended_target}"; then
+  if ! cmp -s -- "${target}" "${intended_target}"; then
     echo "${0##*/}: error: File ${intended_target} is not up to date" >&2
     echo "${0##*/}: error: Update the builder file with: ${0##/*}" >&2
     exit 1

scripts/salt-fix.sh

@@ -24,24 +24,24 @@ case "${find_tool}" in
   fd|fdfind)
     conf_files="$(${find_tool} . minion.d/ -e conf)"
     sls_files="$(${find_tool} . salt/ -d 2 -t f -e sls)"
-    files="${conf_files}\n${sls_files}"
+    set -- ${conf_files} ${sls_files}
     ;;
   find)
     conf_files="$(find minion.d/ -type f -name "*.conf")"
     sls_files="$(find salt/ -maxdepth 2 -type f -name '*.sls')"
-    files="${conf_files}\n${sls_files}"
+    set -- ${conf_files} ${sls_files}
     ;;
   *) echo "Unsupported find tool" >&2; exit 1;;
 esac
 
 ## 201 - Fix trailing whitespace:
-sed -i'' -e's/[[:space:]]*$//' ${files}
+sed -i'' -e 's/[[:space:]]*$//' -- "${@}"
 
 ## 206 - Fix spacing around {{ var_name }}, eg. {{env}} --> {{ env }}:
-sed -i'' -E "s/\{\{\s?([^}]*[^} ])\s?\}\}/\{\{ \1 \}\}/g" ${files}
+sed -i'' -E -e "s/\{\{\s?([^}]*[^} ])\s?\}\}/\{\{ \1 \}\}/g" -- "${@}"
 
 ## 207 - Add quotes around numeric values that start with a 0:
-sed -i'' -E "s/\b(minute|hour): (0[0-7]?)\$/\1: '\2'/" ${files}
+sed -i'' -E -e "s/\b(minute|hour): (0[0-7]?)\$/\1: '\2'/" -- "${@}"
 
 ## 208 - Make dir_mode, file_mode and mode arguments in the desired syntax:
-sed -i'' -E "s/\b(dir_|file_|)mode: 0?([0-7]{3})/\1mode: '0\2'/" ${files}
+sed -i'' -E -e "s/\b(dir_|file_|)mode: 0?([0-7]{3})/\1mode: '0\2'/" -- "${@}"

scripts/salt-lint.sh

@@ -38,16 +38,16 @@ case "${find_tool}" in
     conf_files="$(${find_tool} . minion.d/ -e conf)"
     sls_files="$(${find_tool} . salt/ -d 2 -t f -e sls -e top -e jinja \
       -e j2 -e tmpl -e tst | sort -d)"
-    files="${conf_files}\n${sls_files}"
+    set -- ${conf_files} ${sls_files}
     ;;
   find)
     conf_files="$(find minion.d/ -type f -name "*.conf")"
     sls_files="$(find salt/* -maxdepth 2 -type f \
       \( -name '*.sls' -o -name '*.top' -o -name '*.jinja' \
       -o -name '*.j2' -o -name '*.tmpl' -o -name '*.tst' \) | sort -d)"
-    files="${conf_files}\n${sls_files}"
+    set -- ${conf_files} ${sls_files}
     ;;
   *) echo "Unsupported find tool" >&2; exit 1;;
 esac
 
-exec salt-lint ${conf} ${files}
+exec salt-lint ${conf} "${@}"

scripts/setup.sh

@@ -17,7 +17,7 @@ file_roots="/srv/salt/${group}"
 
 cd "${0%/*}"/..
 ## Avoid having extra unwanted files.
-rm -rf "${file_roots}"
-cp -f minion.d/*.conf /etc/salt/minion.d/
-mkdir -p "${file_roots}"
-cp -r salt/* "${file_roots}"
+rm -rf -- "${file_roots}"
+cp -f -- minion.d/*.conf /etc/salt/minion.d/
+mkdir -p -- "${file_roots}"
+cp -r -- salt/* "${file_roots}"

scripts/shell-lint.sh

@@ -24,7 +24,7 @@ show_long_lines(){
   if test -t 2; then
     tty_stderr=1
   fi
-  awk -v color="${tty_stderr}" '
+  awk -v color="${tty_stderr}" -- '
     BEGIN {
       exit_code=0
       MAGENTA=""

scripts/spec-build.sh

@@ -25,17 +25,17 @@ build_rpm(){
     rpmlint "${spec}"
   fi
 
-  if grep -q "^BuildRequires: " "${spec}"; then
+  if grep -q -e "^BuildRequires: " -- "${spec}"; then
     sudo dnf build-dep "${spec}"
   fi
 
-  mkdir -p \
+  mkdir -p -- \
     "${build_dir}/BUILD/${group}-${project}/LICENSES/" \
     "${build_dir}/SOURCES/${group}-${project}/LICENSES"
 
   ## TODO: generate tarball to sources.
-  cp -r . "${build_dir}/BUILD/${group}-${project}/"
-  cp -r . "${build_dir}/SOURCES/${group}-${project}/"
+  cp -r -- . "${build_dir}/BUILD/${group}-${project}/"
+  cp -r -- . "${build_dir}/SOURCES/${group}-${project}/"
 
   ## TODO: use qubes-builderv2 with mock or qubes executor
   rpmbuild -ba --quiet --clean -- "${spec}"
@@ -49,7 +49,7 @@ build_rpm(){
     dbpath="$(mktemp -d)"
     trap 'rm -rf -- "${dbpath}"' EXIT INT HUP QUIT ABRT
     tmp_file="${dbpath}/${key_id}.asc"
-    "${gpg}" --export --armor "${key_id}" | tee "${tmp_file}" >/dev/null
+    "${gpg}" --export --armor "${key_id}" | tee -- "${tmp_file}" >/dev/null
     rpmkeys --dbpath="${dbpath}" --import "${tmp_file}"
     ## TODO: target only the latest release
     rpmkeys --dbpath="${dbpath}" --checksig --verbose \
@@ -73,7 +73,7 @@ build_dir="${HOME}/rpmbuild"
 if command -v rpmdev-setuptree >/dev/null; then
   rpmdev-setuptree
 else
-  mkdir -p \
+  mkdir -p -- \
     "${build_dir}/BUILD" "${build_dir}/BUILDROOT" "${build_dir}/RPMS" \
     "${build_dir}/SOURCES" "${build_dir}/SPECS" "${build_dir}/SRPMS"
 fi

scripts/spec-gen.sh

@@ -14,9 +14,9 @@ usage(){
 escape_key(){
   key_type="${1}"
   if test "${key_type}" = "scriptlet"; then
-    echo "${2}" | sed ':a;N;$!ba;s/\n/\\n  /g' | sed 's/\$/\\$/'
+    echo "${2}" | sed -e ':a;N;$!ba;s/\n/\\n  /g' | sed -e 's/\$/\\$/'
   elif test "${key_type}" = "text"; then
-    echo "${2}" | sed ':a;N;$!ba;s/\n/\\n/g' | sed 's/\$/\\$/'
+    echo "${2}" | sed -e ':a;N;$!ba;s/\n/\\n/g' | sed -e 's/\$/\\$/'
   else
     return 1
   fi
@@ -29,9 +29,9 @@ get_scriptlet(){
   scriptlet="$1"
   scriptlet_begin="-- pkg:begin:${scriptlet} --"
   scriptlet_end="-- pkg:end:${scriptlet} --"
-  scriptlet="$(sed -n \
+  scriptlet="$(sed -n -e \
     "/^<\!${scriptlet_begin}>$/,/^<\!${scriptlet_end}>$/p" \
-    "${readme}" | sed '/^```.*/d;/^\S*$/d;/^<\!-- pkg:/d;s/^sudo //')"
+    -- "${readme}" | sed -e '/^```.*/d;/^\S*$/d;/^<\!-- pkg:/d;s/^sudo //')"
   if test -z "${scriptlet}"; then
     echo true
     return 0
@@ -44,13 +44,13 @@ get_spec(){
 }
 
 gen_spec(){
-  project="$(echo "${1}" | sed "s|salt/||;s|/.*||")"
-  if echo "${projects_seen}" | grep -qF " ${project} "; then
+  project="$(echo "${1}" | sed -e "s|salt/||;s|/.*||")"
+  if echo "${projects_seen}" | grep -qF -e " ${project} "; then
     return
   fi
   projects_seen="${projects_seen} ${project} "
 
-  if echo "${unwanted}" | grep -q "^${project}$"; then
+  if echo "${unwanted}" | grep -q -e "^${project}$"; then
     echo "warn: skipping spec generation of untracked formula: ${project}" >&2
     return 0
   fi
@@ -74,7 +74,7 @@ gen_spec(){
   version="$(get_spec version)"
   license_csv="$(get_spec license_csv)"
   ## Ideally we would query the license, but it is a heavy call.
-  license="$(echo "${license_csv}" | sed "s/\,/ AND /g")"
+  license="$(echo "${license_csv}" | sed -e "s/\,/ AND /g")"
   vendor="$(get_spec vendor)"
   packager="$(get_spec packager)"
   url="$(get_spec url)"
@@ -118,22 +118,23 @@ gen_spec(){
     -e "s|@URL@|${url}|" \
     -e "s|@DESCRIPTION@|${description}|" \
     -e "/@CHANGELOG@/d" \
-    "${template}" | tee "${target}" >/dev/null
+    -- "${template}" | tee -- "${target}" >/dev/null
 
   requires_key=""
-  for r in $(printf %s"${requires}" | tr " " "\n" | sort -u); do
+  for r in $(printf '%s' "${requires}" | tr " " "\n" | sort -u); do
     requires_key="${requires_key:-}Requires:       ${group}-${r}\n"
   done
-  sed -i "s/@REQUIRES@/${requires_key}/" "${target}" >/dev/null
-  echo "${changelog}" | tee -a "${target}" >/dev/null
+  sed -i -e "s/@REQUIRES@/${requires_key}/" -- "${target}" >/dev/null
+  echo "${changelog}" | tee -a -- "${target}" >/dev/null
 
   if test "${2-}" = "test"; then
-    if ! cmp -s "${target}" "${intended_target}"; then
+    if ! cmp -s -- "${target}" "${intended_target}"; then
       echo "error: ${intended_target} is not up to date" >&2
-      diff --color=auto "${intended_target}" "${target}" || true
+      diff --color=auto -- "${intended_target}" "${target}" || true
       fail=1
     else
-      unstaged_target="$(git diff --name-only "${intended_target}")" || true
+      unstaged_target="$(git diff --name-only -- "${intended_target}")" ||
+        true
       if test -n "${unstaged_target}"; then
         echo "warn: ${intended_target} is up to date but it is not staged" >&2
       fi
@@ -155,8 +156,8 @@ unset repo_toplevel
 spec_get="./scripts/spec-get.sh"
 ignored="$(git ls-files --exclude-standard --others --ignored salt/)"
 untracked="$(git ls-files --exclude-standard --others salt/)"
-unwanted="$(printf %s"${ignored}\n${untracked}\n" \
-            | grep "^salt/\S\+/README.md" | cut -d "/" -f2 | sort -u)"
+unwanted="$(printf '%s\n%s\n' "${ignored}" "${untracked}" \
+            | grep -e "^salt/\S\+/README.md" | cut -d "/" -f2 | sort -u)"
 
 fail=""
 gen_mode=""
@@ -166,7 +167,7 @@ if test "${1-}" = "test"; then
   shift
 fi
 
-if echo "${@}" | grep -qE "(^scripts/| scripts/|/template.spec)" ||
+if echo "${@}" | grep -qE -e "(^scripts/| scripts/|/template.spec)" ||
   test -z "${1-}"
 then
   # shellcheck disable=SC2046,SC2312

scripts/spec-get.sh

@@ -142,10 +142,10 @@ if test "${key}" = "saltfiles" || test "${key}" = "requires"; then
   saltfiles="$(find "${project_dir}" -maxdepth 1 -name "*.sls")"
   # shellcheck disable=SC2086
   if test -n "${saltfiles}"; then
-    requires="$(sed -n '/^include:$/,/^\s*$/p' -- ${saltfiles} |
-      sed "/^\s*- \./d;/{/d" | grep "^\s*- " | cut -d "." -f1 | sort -u |
-      sed "s/- //")"
-    if grep -qrn "{%-\? from \('\|\"\)utils" ${saltfiles}; then
+    requires="$(sed -n -e '/^include:$/,/^\s*$/p' -- ${saltfiles} |
+      sed -e "/^\s*- \./d;/{/d" | grep -e "^\s*- " | cut -d "." -f1 |
+      sort -u | sed -e "s/- //")"
+    if grep -qrn -e "{%-\? from \('\|\"\)utils" ${saltfiles}; then
       if test -n "${requires}"; then
         requires="${requires} utils"
       else
@@ -156,7 +156,7 @@ if test "${key}" = "saltfiles" || test "${key}" = "requires"; then
     requires=""
   fi
   requires_valid=""
-  for r in $(printf %s"${requires}" | tr " " "\n"); do
+  for r in $(printf '%s' "${requires}" | tr " " "\n"); do
     if ! test -d "salt/${r}"; then
       continue
     fi

scripts/toc-gen.sh

@@ -31,7 +31,7 @@ for f in "${@}"; do
     echo "Error: Not a regular file: ${f}" >&2
     exit 1
   fi
-  if ! grep -q "^## Table of Contents$" "${f}"; then
+  if ! grep -q -e "^## Table of Contents$" -- "${f}"; then
     echo "Could not find table of contents in file: ${f}, skipping" >&2
     continue
   fi

scripts/yumrepo-gen.sh

@@ -21,9 +21,9 @@ dist="fc37"
 yum_repo_root="${HOME}/rpmrepo"
 yum_repo="${yum_repo_root}/${qubes_release}/${repo}/host/${dist}"
 
-mkdir -p "${yum_repo}/rpm"
+mkdir -p -- "${yum_repo}/rpm"
 find "${build_dir}/RPMS/" -type f -name "*.rpm" \
-  -exec cp {} "${yum_repo}/rpm/" \;
+  -exec cp -- {} "${yum_repo}/rpm/" \;
 
 createrepo_args=""
 if test -d "${yum_repo}/repodata"; then