fix: avoid operand evaluation as argument

Explicit end option parsing as the shell can be quite dangerous without it.
2024-10-01 02:35:49 -04:00 · 2024-08-06 17:04:16 +02:00 · 2024-08-06 17:04:16 +02:00 · 1b2f1ba941
commit 1b2f1ba941
parent e42950376a
52 changed files with 196 additions and 189 deletions
--- a/salt/dom0/files/backup/qusal.conf.example
+++ b/salt/dom0/files/backup/qusal.conf.example
@ -17,7 +17,7 @@ compression: true
 passphrase_text: my-password
 destination_vm: backup-ssh
-destination_path: ssh backup 'cat | tee /dir/qubes-backup-$(date +%Y-%m-%d-%H-%M-%S) >/dev/null'
+destination_path: ssh backup 'cat | tee -- /dir/qubes-backup-$(date +%Y-%m-%d-%H-%M-%S) >/dev/null'
 ## $ qvm-backup-find-last backup-ssh /dir/ 'ssh backup'
 ## $ qvm-backup-restore --verify-only -d backup-ssh \
--- a/salt/dom0/files/bin/qubes-kde-win-rules
+++ b/salt/dom0/files/bin/qubes-kde-win-rules
@ -25,10 +25,10 @@ writeconf(){
  key="$2"
  value="$3"
-  group_id="$(grep -B1 -- "^Description=${group}$" "${file}" | head -1 |
+  group_id="$(grep -B1 -e "^Description=${group}$" -- "${file}" | head -1 |
    tr -d "[" | tr -d "]")"
  if test -z "${group_id}"; then
-    highest_id="$(grep -- "\[[0-9]\+\]" "${file}" | tr -d "[" | tr -d "]" |
+    highest_id="$(grep -e "\[[0-9]\+\]" -- "${file}" | tr -d "[" | tr -d "]" |
      sort | tail -1)"
    if test -n "${highest_id}"; then
      group_id="$((highest_id+1))"
--- a/salt/dom0/files/bin/qvm-mgmt
+++ b/salt/dom0/files/bin/qvm-mgmt
@ -13,8 +13,8 @@ usage(){
 get_qube_feat(){
  qube="${1}"
  qvm-features "${qube}" | \
-    grep -E "^(os-(distribution|version)|template-(release|name))" | \
+    grep -E -e "^(os-(distribution|version)|template-(release|name))" | \
-    sed "s/  / /g;s/ /: /;s/^/  /"
+    sed -e "s/  / /g;s/ /: /;s/^/  /"
 }
 case "${1-}" in
--- a/salt/dom0/files/bin/qvm-pci-regain
+++ b/salt/dom0/files/bin/qvm-pci-regain
@ -37,7 +37,7 @@ esac
 uid="$(id -u)"
 test "${uid}" = "0" || exec sudo "${0}"
-echo "${device}" | tee /sys/bus/pci/drivers/pciback/unbind
+echo "${device}" | tee -- /sys/bus/pci/drivers/pciback/unbind
-modalias="$(cat "/sys/bus/pci/devices/${device}/modalias")"
+modalias="$(cat -- "/sys/bus/pci/devices/${device}/modalias")"
 module="$(modprobe -R "${modalias}" | head -n 1)"
-echo "${device}" | tee "/sys/bus/pci/drivers/${module}/bind"
+echo "${device}" | tee -- "/sys/bus/pci/drivers/${module}/bind"
--- a/salt/dom0/files/bin/qvm-port-forward
+++ b/salt/dom0/files/bin/qvm-port-forward
@ -21,7 +21,7 @@ run_qube(){
 create_net_dir(){
  qube="${1}"
-  run_qube "${qube}" mkdir -p "${hook_dir}"
+  run_qube "${qube}" mkdir -p -- "${hook_dir}"
 }
 validate_handle(){
@ -78,7 +78,7 @@ get_rule_handle(){
  rule="${3}"
  run_qube "${qube}" \
    "nft --handle --stateless list chain ip qubes ${chain} |
-    tr -d '\"' | grep '^\s\+${rule} # handle ' | awk '{print \$NF}' |
+    tr -d '\"' | grep -e '^\s\+${rule} # handle ' | awk '{print \$NF}' |
    tr '\n' ' '" 2>/dev/null
 }
@ -165,7 +165,7 @@ get_handle(){
  chain=\\\${1}
  rule=\\\${2}
  nft --handle --stateless list chain ip qubes \\\${chain} | \\\
-    tr -d '\\\"' | grep '^\\\s\\\+\\\${rule} \\# handle ' | \\\
+    tr -d '\\\"' | grep -e '^\\\s\\\+\\\${rule} \\# handle ' | \\\
    awk '{print \\\$NF}' | tr \\\"\\\n\\\" \\\" \\\"
 }
@ -187,8 +187,8 @@ ${full_rule}"
      create_net_dir "${from_qube}"
      run_qube "${from_qube}" \
-        "echo \"${full_rule}\" | tee \"${hook}\" >/dev/null"
+        "echo \"${full_rule}\" | tee -- \"${hook}\" >/dev/null"
-      run_qube "${from_qube}" "chmod +x ${hook}"
+      run_qube "${from_qube}" "chmod -- +x ${hook}"
    fi
  fi
 }
@ -216,7 +216,7 @@ get_handle(){
  chain=\\\${1}
  rule=\\\${2}
  nft --handle --stateless list chain ip qubes \\\${chain} | \\\
-    tr -d '\\\"' | grep '^\\\s\\\+\\\${rule} \\# handle ' | \\\
+    tr -d '\\\"' | grep -e '^\\\s\\\+\\\${rule} \\# handle ' | \\\
    awk '{print \\\$NF}' | tr \\\"\\\n\\\" \\\" \\\"
 }
@ -229,8 +229,9 @@ fi
 ${input_rule}"
-      run_qube "${qube}" "echo \"${input_rule}\" | tee \"${hook}\" >/dev/null"
+      run_qube "${qube}" \
-      run_qube "${qube}" "chmod +x ${hook}"
+        "echo \"${input_rule}\" | tee -- \"${hook}\" >/dev/null"
      run_qube "${qube}" "chmod -- +x ${hook}"
    fi
  fi
 }
--- a/salt/dom0/files/bin/qvm-screenshot
+++ b/salt/dom0/files/bin/qvm-screenshot
@ -70,7 +70,7 @@ Development mode:
 ## Expand directory only in the qube.
 qube_pictures_dir="\$(xdg-user-dir PICTURES)"
 guivm_pictures_dir="$(xdg-user-dir PICTURES)"
-mkdir -p "${guivm_pictures_dir}" || exit 1
+mkdir -p -- "${guivm_pictures_dir}" || exit 1
 current_date="$(date +"%Y-%m-%d-%H%M%S")"
 screenshot_basename="${current_date}.png"
@ -292,14 +292,14 @@ if test -z "${qube}"; then
  dialog_title="Select destination qube (Unix based):"
  case "${dialog_cmd}" in
    zenity)
-      qube_list="$(echo "${qube_list}" | sed "s/^/FALSE /")"
+      qube_list="$(echo "${qube_list}" | sed -e "s/^/FALSE /")"
      # shellcheck disable=SC2086
      qube="$(zenity --list  --width=200 --height=390 \
              --text "${dialog_title}" \
              --radiolist --column "Pick" --column "qube" ${qube_list})"
      ;;
    kdialog)
-      qube_list="$(echo "${qube_list}" | sed "s/\(.*\)/\1 \1 off/")"
+      qube_list="$(echo "${qube_list}" | sed -e "s/\(.*\)/\1 \1 off/")"
      # shellcheck disable=SC2086
      qube="$(kdialog --radiolist "${dialog_title}" ${qube_list})"
      ;;
@ -328,12 +328,12 @@ if ! qvm-check -- "${qube}" >/dev/null 2>&1; then
  exit 1
 fi
-qvm-run "${qube}" -- "mkdir -p \"${qube_pictures_dir}\""
+qvm-run "${qube}" -- "mkdir -p -- \"${qube_pictures_dir}\""
 qvm-run --pass-io "${qube}" -- "cat > \"${qube_screenshot_file}\"" \
  < "${screenshot_file}"
 if test "${file_move}" = "1"; then
-  rm -f "${screenshot_file}"
+  rm -f -- "${screenshot_file}"
 fi
 if test "${file_manager}" = "1"; then
--- a/salt/dotfiles
+++ b/salt/dotfiles
@ -1 +1 @@
-Subproject commit 7e2502b70a0f336ef74e31b4d9bf3e4aadd785a3
+Subproject commit b38834d66b8d7c7cf2d29726f5f7e608bd0b2e78
--- a/salt/electrum/files/client/rpc/qusal.InstallElectrum
+++ b/salt/electrum/files/client/rpc/qusal.InstallElectrum
@ -10,13 +10,13 @@ bin_dir="/usr/bin"
 app_dir="/usr/share/applications"
 tmp_dir="/tmp/electrum-upload"
-rm -rf "${tmp_dir}"
+rm -rf -- "${tmp_dir}"
-mkdir -p "${tmp_dir}"
+mkdir -p -- "${tmp_dir}"
 qfile-unpacker 0 "${tmp_dir}"
 cd "${tmp_dir}"
-cp -r electrum "${python_dir}"/
+cp -r -- electrum "${python_dir}"/
-cp electrum.desktop "${app_dir}"/
+cp -- electrum.desktop "${app_dir}"/
-cp run_electrum "${bin_dir}"/electrum
+cp -- run_electrum "${bin_dir}"/electrum
 ## Qube needs to shutdown for the app qube to have the uploaded files.
 shutdown now
--- a/salt/mail/README.md
+++ b/salt/mail/README.md
@ -130,7 +130,7 @@ mails will be done in `disp-mail-fetcher`.
 Copy example configuration file to where the program can read automatically:
 ```sh
-cp ~/.fdm.conf.example ~/.fdm.conf
+cp -- ~/.fdm.conf.example ~/.fdm.conf
 ```
 Edit the configuration according to your needs:
@ -166,7 +166,7 @@ according to your needs.
 Copy example configuration file to where the program can read automatically:
 ```sh
-cp ~/.mporc.example ~/.mpoprc
+cp -- ~/.mporc.example ~/.mpoprc
 ```
 Edit the configuration according to your needs:
@ -249,7 +249,7 @@ mails are done in `disp-mail-sender`.
 Copy example configuration file to where the program can read automatically:
 ```sh
-cp ~/.msmtprc.example ~/.msmtprc
+cp -- ~/.msmtprc.example ~/.msmtprc
 ```
 Edit the configuration according to your needs:
--- a/salt/mail/files/reader/rpc/qusal.MailFetch
+++ b/salt/mail/files/reader/rpc/qusal.MailFetch
@ -9,7 +9,7 @@ inbox_dir="${HOME}/mail/INBOX"
 uid="$(id -u user)"
 # shellcheck disable=SC2174
-mkdir -p "${inbox_dir}"
+mkdir -p -- "${inbox_dir}"
-chmod 0700 "${inbox_dir}"
+chmod -- 0700 "${inbox_dir}"
 qfile-unpacker "${uid}" "${inbox_dir}"
--- a/salt/mail/files/sender/rpc/qusal.MailEnqueue
+++ b/salt/mail/files/sender/rpc/qusal.MailEnqueue
@ -9,7 +9,7 @@ queue_dir="${MSMTP_Q:-"${Q:-"${HOME}/.msmtp.queue"}"}"
 uid="$(id -u user)"
 # shellcheck disable=SC2174
-mkdir -p "${queue_dir}"
+mkdir -p -- "${queue_dir}"
-chmod 0700 "${queue_dir}"
+chmod -- 0700 "${queue_dir}"
 exec qfile-unpacker "${uid}" "${queue_dir}"
--- a/salt/sys-bitcoin/files/client/bin/bitcoin-rpcauth-save
+++ b/salt/sys-bitcoin/files/client/bin/bitcoin-rpcauth-save
@ -11,8 +11,8 @@ fi
 auth="$(qrexec-client-vm -tT -- @default qusal.BitcoinAuthGet)"
 if test -n "${auth}"; then
-  mkdir -p ~/.bitcoin/.cookie
+  mkdir -p -- ~/.bitcoin/.cookie
-  echo "${auth}" | tee ~/.bitcoin/.cookie >/dev/null
+  echo "${auth}" | tee -- ~/.bitcoin/.cookie >/dev/null
 else
  echo "failed to get Bitcoin Authentication" >&2
  exit 1
--- a/salt/sys-bitcoin/files/client/bin/bitcoin-tx-notify
+++ b/salt/sys-bitcoin/files/client/bin/bitcoin-tx-notify
@ -18,7 +18,7 @@ else
  body="TXID ${txid} is in block ${block_height} ${block_hash}"
 fi
-echo "${date} ${title}: ${body}" | tee ~/.bitcoin/walletnotify.log
+echo "${date} ${title}: ${body}" | tee -- ~/.bitcoin/walletnotify.log
 if command -v notify-send >/dev/null; then
  notify-send -t 10000 "${title}" "${body}"
 fi
--- a/salt/sys-bitcoin/files/server/bin/bitcoin-dbcache
+++ b/salt/sys-bitcoin/files/server/bin/bitcoin-dbcache
@ -6,6 +6,6 @@
 set -eu
 conf="${HOME}/.bitcoin/conf.d/dbcache.conf"
-cache_Mi="$(awk '/^MemTotal:/{printf "%.0f", $2/1024}' /proc/meminfo)"
+cache_Mi="$(awk -- '/^MemTotal:/{printf "%.0f", $2/1024}' /proc/meminfo)"
 cache="$((cache_Mi*75/100))"
-echo "dbcache=${cache}" | tee "${conf}" >/dev/null
+echo "dbcache=${cache}" | tee -- "${conf}" >/dev/null
--- a/salt/sys-bitcoin/files/server/bin/bitcoin-rpcwhitelist-cookie
+++ b/salt/sys-bitcoin/files/server/bin/bitcoin-rpcwhitelist-cookie
@ -15,4 +15,4 @@ fi
 rpc_list="$(bitcoin-cli help | awk '/^[a-z]/{print $1}' | tr "\n" ",")"
-echo "rpcwhitelist=__cookie__:${rpc_list}" | tee "${conf}" >/dev/null
+echo "rpcwhitelist=__cookie__:${rpc_list}" | tee -- "${conf}" >/dev/null
--- a/salt/sys-bitcoin/files/server/bin/bitcoin-whitepaper
+++ b/salt/sys-bitcoin/files/server/bin/bitcoin-whitepaper
@ -49,25 +49,25 @@ getblock(){
    | tail -c+92167 \
    | for ((o=0;o<946;++o)); do \
        read -rN420 x; \
-        echo -n "${x::130}${x:132:130}${x:264:130}"; \
+        printf '%s' "${x::130}${x:132:130}${x:264:130}"; \
      done \
    | xxd -r -p \
    | tail -c+9 \
    | head -c184292 \
-    | tee "${output_file}" >/dev/null
+    | tee -- "${output_file}" >/dev/null
 }
 getrawtransaction(){
  check_installed bitcoin-cli xxd
  # shellcheck disable=SC2312
  bitcoin-cli getrawtransaction "${txid}" 0 "${block_hash}" \
-    | sed 's/0100000000000000/\n/g' \
+    | sed -e 's/0100000000000000/\n/g' \
    | tail -n +2 \
    | cut -c7-136,139-268,271-400 \
    | tr -d '\n' \
    | cut -c17-368600 \
    | xxd -p -r \
-    | tee "${output_file}" >/dev/null
+    | tee -- "${output_file}" >/dev/null
 }
 gettxout(){
--- a/salt/sys-bitcoin/files/server/rpc/qusal.BitcoinAuthGet
+++ b/salt/sys-bitcoin/files/server/rpc/qusal.BitcoinAuthGet
@ -21,8 +21,8 @@ if ! systemctl is-active bitcoind >/dev/null 2>&1; then
 fi
 if test -r "${bitcoin_conf}"; then
-  if grep -qs "^\s*rpcauth=${user}:" "${bitcoin_conf}"; then
+  if grep -qs -e "^\s*rpcauth=${user}:" -- "${bitcoin_conf}"; then
-    grep -m1 "^${user}:" "${bitcoin_pass}"
+    grep -m1 -e "^${user}:" -- "${bitcoin_pass}"
    exit
  fi
 fi
@ -32,13 +32,14 @@ if ! command -v bitcoin-rpcauth >/dev/null; then
  exit 127
 fi
-full_auth="$(bitcoin-rpcauth "${user}" | sed -n '2p;4p')"
+full_auth="$(bitcoin-rpcauth "${user}" | sed -n -e '2p;4p')"
 rpcauth="$(echo "${full_auth}" | head -1)"
 user="$(echo "${rpcauth}" | cut -d "=" -f2 | cut -d ":" -f1)"
 password="$(echo "${full_auth}" | tail -1)"
-echo "${rpcauth}" | sudo -u user tee -a "${bitcoin_conf}" >/dev/null
+echo "${rpcauth}" | sudo -u user -- tee -a -- "${bitcoin_conf}" >/dev/null
-echo "${user}:${password}" | sudo -u user tee -a "${bitcoin_pass}" >/dev/null
+echo "${user}:${password}" | \
  sudo -u user -- tee -a -- "${bitcoin_pass}" >/dev/null
 echo "${user}:${password}"
 ## Restart bitcoind to apply the configuration changes. Currently, there is no
--- a/salt/sys-bitcoin/files/server/rpc/qusal.InstallBitcoin
+++ b/salt/sys-bitcoin/files/server/rpc/qusal.InstallBitcoin
@ -11,21 +11,21 @@ share_dir="${prefix_dir}/share/bitcoin"
 share_examples_dir="${share_dir}/examples"
 tmp_dir="/tmp/bitcoin-upload"
-rm -rf "${tmp_dir}"
+rm -rf -- "${tmp_dir}"
-mkdir -p "${tmp_dir}"
+mkdir -p -- "${tmp_dir}"
-mkdir -p "${share_dir}"
+mkdir -p -- "${share_dir}"
-mkdir -p "${share_examples_dir}"
+mkdir -p -- "${share_examples_dir}"
 qfile-unpacker 0 "${tmp_dir}"
 cd "${tmp_dir}"
-cp -r bin share "${prefix_dir}"/
+cp -r -- bin share "${prefix_dir}"/
 if test -f README.md; then
-  cp -r README.md "${share_dir}"/
+  cp -r -- README.md "${share_dir}"/
 fi
 if test -f bitcoin.conf; then
-  cp -r bitcoin.conf "${share_examples_dir}"/
+  cp -r -- bitcoin.conf "${share_examples_dir}"/
 fi
-cp share/rpcauth/rpcauth.py "${bin_dir}"/bitcoin-rpcauth
+cp -- share/rpcauth/rpcauth.py "${bin_dir}"/bitcoin-rpcauth
 ## Qube needs to shutdown for the app qube to have the uploaded files.
 shutdown now
--- a/salt/sys-cacher/README.md
+++ b/salt/sys-cacher/README.md
@ -102,7 +102,7 @@ administrative access to the cacher qube.  You should add the following to the
 end of `sys-cacher` rc.local:
 ```sh
-echo "AdminAuth: username:password" | tee /etc/qusal-apt-cacher-ng/zzz_security.conf
+echo "AdminAuth: username:password" | tee -- /etc/qusal-apt-cacher-ng/zzz_security.conf
 ```
 Where username and password are HTTP Auth strings.
@ -158,7 +158,7 @@ qvm-tags QUBE add updatevm-sys-cacher
 qvm-features QUBE service.updates-proxy-setup 1
 sudo qubesctl --skip-dom0 --targets=QUBE state.apply sys-cacher.install-client
 qvm-run --user=root QUBE -- "
-touch /var/run/qubes-service/updates-proxy-setup
+touch -- /var/run/qubes-service/updates-proxy-setup
 /usr/bin/apt-cacher-ng-repo
 systemctl restart qubes-updates-proxy-forwarder.socket"
 ```
--- a/salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc
+++ b/salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc
@ -4,7 +4,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-cp -r /rw/config/systemd/qusal-acng-browser-forwarder* \
+cp -r -- /rw/config/systemd/qusal-acng-browser-forwarder* \
  /usr/lib/systemd/system/
 systemctl daemon-reload
 systemctl --no-block restart qusal-acng-browser-forwarder.socket
--- a/salt/sys-cacher/files/client/bin/apt-cacher-ng-repo
+++ b/salt/sys-cacher/files/client/bin/apt-cacher-ng-repo
@ -28,18 +28,18 @@ set_proxy_marker(){
  proxy_file="${1}"
  proxy_options="${2}"
-  if ! grep -q "^${marker_begin}$" "${proxy_file}"; then
+  if ! grep -q -e "^${marker_begin}$" -- "${proxy_file}"; then
-    if grep -q "^${marker_end}$" "${proxy_file}"; then
+    if grep -q -e "^${marker_end}$" -- "${proxy_file}"; then
      msg="found marker ${marker_end_text} but not ${marker_begin_text}"
      msg="${msg} in ${proxy_file}."
      msg="${msg} fix it by removing markers or adding missing ones and retry"
      echo "Error: ${msg}" >&2
      exit 1
    fi
-    cp "${proxy_file}" "${proxy_file}.qubes-orig"
+    cp -- "${proxy_file}" "${proxy_file}.qubes-orig"
-    echo "${marker_begin}" | tee -a "${proxy_file}" >/dev/null
+    echo "${marker_begin}" | tee -a -- "${proxy_file}" >/dev/null
-    echo "${marker_end}" | tee -a "${proxy_file}" >/dev/null
+    echo "${marker_end}" | tee -a -- "${proxy_file}" >/dev/null
-  elif ! grep -q "^${marker_end}$" "${proxy_file}"; then
+  elif ! grep -q -e "^${marker_end}$" -- "${proxy_file}"; then
    msg="found marker ${marker_begin_text} but not ${marker_end_text}"
    msg="${msg} in ${proxy_file}."
    msg="${msg} fix it by removing markers or adding missing ones and retry"
@ -56,16 +56,16 @@ ${proxy_options}
 EOF
  ## Couldn't figure out how to write only changes on the next sed.
-  if ! grep -q "${proxy_options}" "${proxy_file}"; then
+  if ! grep -q -e "${proxy_options}" -- "${proxy_file}"; then
-    tee -a "${changes_file}" <"${proxy_tmp_file}" >/dev/null
+    tee -a -- "${changes_file}" <"${proxy_tmp_file}" >/dev/null
  fi
  ## GNU Sed, only reliable while we don't support BSD.
  sed -i -e "/^${marker_begin}$/,/^${marker_end}$/{
    /^${marker_end}$/b
    /^${marker_begin}$/!d
    r ${proxy_tmp_file}
-    }" "${proxy_file}"
+    }" -- "${proxy_file}"
-  rm -f "${proxy_tmp_file}"
+  rm -f -- "${proxy_tmp_file}"
 }
 check_netvm_cacher(){
@ -108,7 +108,7 @@ ${proxy_conf}"
 ${proxy_conf}
 EOF
    else
-      rm -f /etc/yum.conf.d/qubes-proxy.conf
+      rm -f -- /etc/yum.conf.d/qubes-proxy.conf
    fi
    set --
@ -132,7 +132,7 @@ EOF
        meta_expr="s|${meta_search}|${meta_repl}|w ${changes_file}"
        find "${@}" -type f -exec sed -i \
          -e "${baseurl_expr}" -e "${meta_expr}" \
-        {} \+
+        -- {} \+
        set --
        for repo in \
@ -153,7 +153,7 @@ EOF
        meta_expr="s|${meta_search}|${meta_repl}|w ${changes_file}"
        find "${@}" -type f -exec sed -i \
          -e "${baseurl_expr}" -e "${meta_expr}" \
-        {} \+
+        -- {} \+
        ;;
      uninstall)
@ -165,7 +165,7 @@ EOF
        meta_expr="s|${meta_search}|${meta_repl}|w ${changes_file}"
        find "${@}" -type f -exec sed -i \
          -e "${baseurl_expr}" -e "${meta_expr}" \
-        {} \+
+        -- {} \+
        set --
        for repo in \
@ -181,7 +181,7 @@ EOF
        find "${@}" -type f -exec sed -i \
          -e "s|^\s*baseurl|#baseurl|w ${changes_file}" \
          -e "s|^\s*#.*metalink\s*=|metalink=|w ${changes_file}" \
-        {} \+ 2>/dev/null || true
+        -- {} \+ 2>/dev/null || true
        ;;
      *) echo "Unsupported action" >&2; exit 1
    esac
@ -196,7 +196,7 @@ Acquire::http::Proxy "${proxy_url}";
 Acquire::tor::proxy "${proxy_url}";
 EOF
    else
-      rm -f /etc/apt/apt.conf.d/50cacher-proxy
+      rm -f -- /etc/apt/apt.conf.d/50cacher-proxy
    fi
    set --
@ -222,7 +222,7 @@ EOF
        list_expr="s|${list_search}|${list_repl}|w ${changes_file}"
        find "${@}" -type f -exec sed -i \
          -e "${list_expr}" -e "${sources_expr}" \
-        {} \+
+        -- {} \+
        ;;
      uninstall)
@ -234,7 +234,7 @@ EOF
        list_expr="s|${list_search}|${list_repl}|w ${changes_file}"
        find "${@}" -type f -exec sed -i \
          -e "${list_expr}" -e "${sources_expr}" \
-        {} \+
+        -- {} \+
        ;;
      *) echo "Unsupported action" >&2; exit 1
    esac
@ -244,18 +244,18 @@ EOF
    if test -n "${proxy_addr}"; then
      if ! test -d /run/qubes/bin; then
-        mkdir -p /run/qubes/bin
+        mkdir -p -- /run/qubes/bin
      fi
      cat >/run/qubes/bin/pacman <<EOF
 #!/bin/sh
 exec env ALL_PROXY="${proxy_url}" /usr/bin/pacman "\${@}"
 EOF
-      chmod +x /run/qubes/bin/pacman
+      chmod -- +x /run/qubes/bin/pacman
      cat >/etc/profile.d/qubes-proxy.sh << EOF
 export PATH=/run/qubes/bin:\${PATH}
 EOF
    else
-      rm -f /run/qubes/bin/pacman /etc/profile.d/qubes-proxy.sh
+      rm -f -- /run/qubes/bin/pacman /etc/profile.d/qubes-proxy.sh
    fi
    set --
@ -278,7 +278,7 @@ EOF
        repo_regex="s|${repo_search}|${repo_repl}|w ${changes_file}"
        find "${@}" -type f -exec sed -i \
          -e "${repo_regex}" \
-        {} \+
+        -- {} \+
        ;;
      uninstall)
@ -287,7 +287,7 @@ EOF
        repo_regex="s|${repo_search}|${repo_repl}|w ${changes_file}"
        find "${@}" -type f -exec sed -i \
          -e "${repo_regex}" \
-        {} \+
+        -- {} \+
        ;;
      *) echo "Unsupported action" >&2; exit 1
    esac
@ -312,7 +312,7 @@ usage(){
 }
 changes_file="$(mktemp)"
-trap 'rm -f "${changes_file}"' HUP INT QUIT ABRT EXIT
+trap 'rm -f -- "${changes_file}"' HUP INT QUIT ABRT EXIT
 if test -f /var/run/qubes-service/updates-proxy-setup ||
  test -f /var/run/qubes-service/netvm-cacher
--- a/salt/sys-cacher/files/server/systemd/apt-cacher-ng.service.d/50_qusal.conf
+++ b/salt/sys-cacher/files/server/systemd/apt-cacher-ng.service.d/50_qusal.conf
@ -8,6 +8,6 @@ After=qubes-sysinit.service
 Before=qubes-qrexec-agent.service
 [Service]
-ExecStartPre=chown -R apt-cacher-ng:apt-cacher-ng /var/log/apt-cacher-ng /var/cache/apt-cacher-ng
+ExecStartPre=chown -R -- apt-cacher-ng:apt-cacher-ng /var/log/apt-cacher-ng /var/cache/apt-cacher-ng
 ExecStart=
 ExecStart=/usr/sbin/apt-cacher-ng -c "/etc/qusal-apt-cacher-ng" ForeGround=1
--- a/salt/sys-electrs/files/server/rpc/qusal.InstallElectrs
+++ b/salt/sys-electrs/files/server/rpc/qusal.InstallElectrs
@ -9,12 +9,12 @@ bin_dir="/usr/bin"
 tmp_dir="/tmp/electrs-upload"
 man1_dir="/usr/share/man/man1"
-rm -rf "${tmp_dir}"
+rm -rf -- "${tmp_dir}"
-mkdir -p "${tmp_dir}"
+mkdir -p -- "${tmp_dir}"
 qfile-unpacker 0 "${tmp_dir}"
 cd "${tmp_dir}"
-cp electrs "${bin_dir}"/
+cp -- electrs "${bin_dir}"/
-cp electrs.1 "${man1_dir}"/
+cp -- electrs.1 "${man1_dir}"/
 ## Qube needs to shutdown for the app qube to have the uploaded files.
 shutdown now
--- a/salt/sys-electrumx/files/server/bin/electrumx-cookie-save
+++ b/salt/sys-electrumx/files/server/bin/electrumx-cookie-save
@ -18,6 +18,7 @@ if ! test -r "${cookie}"; then
  exit 1
 fi
-auth="$(cat "${cookie}")"
+auth="$(cat -- "${cookie}")"
-echo "DAEMON_URL=${auth}@127.0.0.1:8332" | tee "${electrumx_conf}" >/dev/null
+echo "DAEMON_URL=${auth}@127.0.0.1:8332" | \
  tee -- "${electrumx_conf}" >/dev/null
--- a/salt/sys-electrumx/files/server/rpc/qusal.InstallElectrumx
+++ b/salt/sys-electrumx/files/server/rpc/qusal.InstallElectrumx
@ -9,12 +9,12 @@ python_dir="/usr/lib/python3/dist-packages"
 bin_dir="/usr/bin"
 tmp_dir="/tmp/electrumx-upload"
-rm -rf "${tmp_dir}"
+rm -rf -- "${tmp_dir}"
-mkdir -p "${tmp_dir}"
+mkdir -p -- "${tmp_dir}"
 qfile-unpacker 0 "${tmp_dir}"
 cd "${tmp_dir}"
-cp -r electrumx "${python_dir}"/
+cp -r -- electrumx "${python_dir}"/
-cp electrumx_server electrumx_rpc electrumx_compact_history "${bin_dir}"/
+cp -- electrumx_server electrumx_rpc electrumx_compact_history "${bin_dir}"/
 ## Qube needs to shutdown for the app qube to have the uploaded files.
 shutdown now
--- a/salt/sys-git/files/client/git-core/git-remote-qrexec
+++ b/salt/sys-git/files/client/git-core/git-remote-qrexec
@ -34,7 +34,7 @@ log(){
 validate_url(){
  url_valid=""
  url_check="${1?}"
-  scheme_user_url="$(echo "${url_check}" | sed "s|://.*||")"
+  scheme_user_url="$(echo "${url_check}" | sed -e "s|://.*||")"
  ## Scheme must be the same as the one in the name of this script.
  ## Checks if Authority and Path exist, but not if they are valid, this is
@ -48,7 +48,7 @@ validate_url(){
  esac
  urn_pattern="[0-9A-Za-z@:_.-]+/[0-9A-Za-z_.-]+(\?[0-9A-Za-z=&_-]*)?"
-  if ! (echo "${url_valid}" | grep -qE "^${scheme}://${urn_pattern}$")
+  if ! (echo "${url_valid}" | grep -qE -e "^${scheme}://${urn_pattern}$")
  then
    die "URL contains forbidden characters"
  fi
@ -86,11 +86,12 @@ find_capabilities(){
    if test -z "${cap_helpers}"; then
      cap_helpers="${f##*"${script}-"}"
    else
-      cap_helpers="${cap_helpers}\n${f##*"${script}-"}"
+      cap_helpers="${cap_helpers}
 ${f##*"${script}-"}"
    fi
  done
-  echo "${cap_helpers}"
+  printf '%s\n' "${cap_helpers}"
 }
 ## Send capabilities to remote helper specific for that capability.
@ -98,7 +99,7 @@ send_cap(){
  cap="${1}"
  shift
-  if ! (echo "${capabilities}" | grep -q "^${cap}$"); then
+  if ! (echo "${capabilities}" | grep -q -e "^${cap}$"); then
    die "Unsupported capability: '${cap}'"
  fi
@ -169,7 +170,7 @@ while read -r cmd arg; do
  case "${cmd}" in
    capabilities)
      for c in ${capabilities}; do log "-> ${c}"; done; log "->"
-      printf %s"${capabilities}\n\n";;
+      printf '%s\n\n' "${capabilities}";;
    *) send_cap "${cmd}" "${arg}";;
  esac
 done
--- a/salt/sys-git/files/client/git-core/git-remote-qrexec-connect
+++ b/salt/sys-git/files/client/git-core/git-remote-qrexec-connect
@ -26,7 +26,7 @@ log(){
 ## Establish capability working.
 log "->"
-printf "\n"
+printf '\n'
 helper="${0##*/git-}"
 parent_helper="${helper%-*}"
@ -61,7 +61,8 @@ vendor="qusal"
 default_qube="sys-git"
 rpc_cmd="${vendor}.${rpc}+${path}"
-if echo "${query}" | grep -qE "(^|&)verify_signatures=(1|[tT]rue|yes|on)($|&)"
+if echo "${query}" | \
  grep -qE -e "(^|&)verify_signatures=(1|[tT]rue|yes|on)($|&)"
 then
  die "Remote helper does not support signature verification yet"
 fi
--- a/salt/sys-git/files/server/rpc/qusal.GitInit
+++ b/salt/sys-git/files/server/rpc/qusal.GitInit
@ -23,7 +23,7 @@ if test -z "${untrusted_repo}"; then
  die "Repository name is empty"
 fi
-if ! (echo "${untrusted_repo}" | grep -q "^[A-Za-z0-9][A-Za-z0-9_.-]\+$")
+if ! (echo "${untrusted_repo}" | grep -q -e "^[A-Za-z0-9][A-Za-z0-9_.-]\+$")
 then
  msg="Forbidden characters in agent name."
  msg="${msg} Allowed chars: letters, numbers, hyphen, underscore and dot."
@ -64,7 +64,7 @@ fi
 if ! test -d "${base_path}"; then
  # shellcheck disable=SC2174
-  mkdir -m 0700 -p "${base_path}" >/dev/null 2>&1 ||
+  mkdir -m 0700 -p -- "${base_path}" >/dev/null 2>&1 ||
    die "Cannot create directory: ${base_path}"
 fi
--- a/salt/sys-pgp/README.md
+++ b/salt/sys-pgp/README.md
@ -81,7 +81,7 @@ qvm-features dev service.split-gpg2-client 1
 On the qube `sys-pgp`, generate or import keys for the client qube `dev`:
 ```sh
-mkdir -p ~/.gnupg/split-gpg/dev
+mkdir -p -- ~/.gnupg/split-gpg/dev
 gpg --homedir ~/.gnupg/split-gpg/dev --import /path/to/secret.key
 gpg --homedir ~/.gnupg/split-gpg/dev --list-secret-keys
 ```
--- a/salt/sys-pihole/files/admin/prefs.sh
+++ b/salt/sys-pihole/files/admin/prefs.sh
@ -13,7 +13,7 @@ for qube in $(qvm-ls --raw-data --fields=NAME,NETVM |
 do
  ## Avoid overwriting netvm to sys-pihole when instead it should use the
  ## default_netvm, so better to prevent overwriting user choices.
-  qvm-prefs "${qube}" | grep -q "^netvm[[:space:]]\+D" && continue
+  qvm-prefs "${qube}" | grep -q -e "^netvm[[:space:]]\+D" && continue
  ## Set netvm for qubes that were using (disp-)sys-firewall to sys-pihole.
  qvm-prefs "${qube}" netvm sys-pihole
 done
--- a/salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc
+++ b/salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc
@ -4,6 +4,6 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-cp -r /rw/config/systemd/qubes-http-forwarder* /usr/lib/systemd/system/
+cp -r -- /rw/config/systemd/qubes-http-forwarder* /usr/lib/systemd/system/
 systemctl daemon-reload
 systemctl --no-block restart qubes-http-forwarder.socket
--- a/salt/sys-pihole/files/server/network-hooks.d/50-sys-pihole.sh
+++ b/salt/sys-pihole/files/server/network-hooks.d/50-sys-pihole.sh
@ -11,9 +11,9 @@ nft -f /rw/config/qubes-firewall.d/50-sys-pihole
 for vif in /proc/sys/net/ipv4/conf/vif*/route_localnet; do
  test -w "${vif}" || continue
-  echo 1 | tee "${vif}" >/dev/null
+  echo 1 | tee -- "${vif}" >/dev/null
 done
 if test -f /var/run/qubes-service/local-dns-server; then
-  echo "nameserver 127.0.0.1" | tee /etc/resolv.conf >/dev/null
+  echo "nameserver 127.0.0.1" | tee -- /etc/resolv.conf >/dev/null
 fi
--- a/salt/sys-ssh-agent/README.md
+++ b/salt/sys-ssh-agent/README.md
@ -131,14 +131,14 @@ Import preexisting keys to the agent directory or generate keys for a specific
 agent:
 ```sh
-mkdir -m 0700 -p ~/.ssh/identities.d/<AGENT>
+mkdir -m 0700 -p -- ~/.ssh/identities.d/<AGENT>
 ssh-keygen -t ed25519 -f ~/.ssh/identities.d/<AGENT>/id_example
 ```
 You would do the following for the `work` agent:
 ```sh
-mkdir -m 0700 -p ~/.ssh/identities.d/work
+mkdir -m 0700 -p -- ~/.ssh/identities.d/work
 ssh-keygen -t ed25519 -f ~/.ssh/identities.d/work/id_example
 ```
@ -218,7 +218,7 @@ agent:
 ```sh
 echo 'export SSH_AUTH_SOCK=/tmp/qusal-ssh-agent-forwarder/work.sock;
 SSH_AGENT_PID="$(pgrep -f "/tmp/qusal-ssh-agent-forwarder/work.sock")";
-' | tee -a ~/.profile
+' | tee -a -- ~/.profile
 ```
 #### Multiple agents per client
--- a/salt/sys-ssh-agent/files/client/systemd/qusal-ssh-agent-forwarder@.service
+++ b/salt/sys-ssh-agent/files/client/systemd/qusal-ssh-agent-forwarder@.service
@ -10,7 +10,7 @@ User=user
 Group=user
 Type=simple
 UMask=0177
-ExecStartPre=/usr/bin/mkdir -m 700 -p %T/%p
+ExecStartPre=/usr/bin/mkdir -m 700 -p -- %T/%p
 ExecStartPre=/usr/bin/ssh-agent -a %T/%p/%i.sock
 ExecStart=/usr/bin/socat UNIX-LISTEN:"%T/%p/%i.sock,unlink-early,reuseaddr,fork" EXEC:"qrexec-client-vm -- @default qusal.SshAgent+%i"
--- a/salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent
+++ b/salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent
@ -23,14 +23,14 @@ Example:
 ls_agent(){
  socket="/tmp/${service}/${agent}.sock"
  test -S "${socket}" || return 1
-  agent="$(echo "${socket}" | sed "s|.*${service}/||;s/\.sock//")"
+  agent="$(echo "${socket}" | sed -e "s|.*${service}/||;s/\.sock//")"
  echo "Agent: (${agent}) ${socket}"
  SSH_AUTH_SOCK="${socket}" ssh-add -l || true
 }
 add_agent(){
  # shellcheck disable=SC2174
-  mkdir -m 0700 -p "/tmp/${service}"
+  mkdir -m 0700 -p -- "/tmp/${service}"
  dir="${HOME}/.ssh/identities.d/${agent}"
  if ! test -d "${dir}"; then
    echo "Directory not found: ${dir}" >&2
@ -45,8 +45,8 @@ add_agent(){
  if ! test "${reload_agent}" = "1"; then
    return
  fi
-  keys="$(grep -sl -- "-----BEGIN OPENSSH PRIVATE KEY-----" \
+  keys="$(grep -sl -e "-----BEGIN OPENSSH PRIVATE KEY-----" \
-          "${HOME}/.ssh/identities.d/${dir}"/* || true)"
+          -- "${HOME}/.ssh/identities.d/${dir}"/* || true)"
  if test -z "${keys}"; then
    echo "Directory has no key: ${dir}" >&2
    return 1
@ -56,7 +56,7 @@ add_agent(){
    test -f "${k}" || continue
    ssh_add_option=""
    if test -f "${k}.ssh-add-option"; then
-      ssh_add_option="$(cat "${k}.ssh-add-option")"
+      ssh_add_option="$(cat -- "${k}.ssh-add-option")"
    fi
    # shellcheck disable=SC2086
    SSH_AUTH_SOCK="${socket}" ssh-add ${ssh_add_option} "${k}"
--- a/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent
+++ b/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent
@ -18,7 +18,7 @@ if test -z "${untrusted_agent}"; then
  die "Agent name is empty"
 fi
-if ! (echo "${untrusted_agent}" | grep -q "^[A-Za-z0-9][A-Za-z0-9_.-]\+$")
+if ! (echo "${untrusted_agent}" | grep -q -e "^[A-Za-z0-9][A-Za-z0-9_.-]\+$")
 then
  msg="Forbidden characters in agent name."
  msg="${msg} Allowed chars: letters, numbers, hyphen, underscore and dot."
--- a/salt/sys-ssh/README.md
+++ b/salt/sys-ssh/README.md
@ -94,7 +94,7 @@ From the client, mount the server `/home/user` directory as a SSH File System
 in the client `/home/user/sshfs` directory:
 ```sh
-mkdir ~/sshfs
+mkdir -- ~/sshfs
 sshfs -p 1840 localhost:/home/user /home/user/sshfs
 ```
--- a/salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc
+++ b/salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc
@ -4,7 +4,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
-cp -r /rw/config/systemd/qusal-syncthing-browser-forwarder* \
+cp -r -- /rw/config/systemd/qusal-syncthing-browser-forwarder* \
  /usr/lib/systemd/system/
 systemctl daemon-reload
 systemctl --no-block restart qusal-syncthing-browser-forwarder.socket
--- a/salt/sys-wireguard/files/admin/bin/qvm-wireguard
+++ b/salt/sys-wireguard/files/admin/bin/qvm-wireguard
@ -45,13 +45,13 @@ qvm-run "${qube}" -- "test -f ${user_conf}" || {
  exit 1
 }
-qvm-run -u root "${qube}" -- "cp ${user_conf} ${system_conf}"
+qvm-run -u root "${qube}" -- "cp -- \"${user_conf}\" \"${system_conf}\""
 ## TOFU
 # shellcheck disable=SC2016
 endpoint="$(qvm-run -p -u root "${qube}" -- awk '/Endpoint/{print $3}' \
  "${system_conf}")"
-if echo "${endpoint}" | grep -qF "["; then
+if echo "${endpoint}" | grep -qF -e "["; then
  ip="${ip##[\[]}"
  ip="${ip%%\]*}"
  port="${endpoint##*:}"
--- a/salt/sys-wireguard/files/server/network-hooks.d/50-sys-wireguard
+++ b/salt/sys-wireguard/files/server/network-hooks.d/50-sys-wireguard
@ -6,6 +6,6 @@
 set -eu
-ln -sf /run/resolvconf/resolv.conf /etc/resolv.conf
+ln -sf -- /run/resolvconf/resolv.conf /etc/resolv.conf
 /rw/config/qubes-firewall.d/50-sys-wireguard-var
 nft -f /rw/config/qubes-firewall.d/60-sys-wireguard-nat
--- a/salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-var
+++ b/salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-var
@ -9,12 +9,12 @@ set -eu
 wg_conf="/etc/wireguard/wireguard.conf"
 nft_conf="/var/run/wireguard/dnat.nft"
-mkdir -p "${nft_conf%/*}"
+mkdir -p -- "${nft_conf%/*}"
-rm -f "${nft_conf}"
+rm -f -- "${nft_conf}"
-touch "${nft_conf}"
+touch -- "${nft_conf}"
 set_nft(){
-  echo "${*}" | tee -a "${nft_conf}" >/dev/null
+  echo "${*}" | tee -a -- "${nft_conf}" >/dev/null
 }
 set_nft_dnat(){
@ -26,7 +26,8 @@ set_nft_dnat(){
  set_nft "${rule_prefix} ${rule_suffix}"
 }
-dns="$(grep -s "^\s*DNS\s*=\s*\S\+" "${wg_conf}" | sed "s/.*=//;s/ //g")"
+dns="$(grep -s -e "^\s*DNS\s*=\s*\S\+" -- "${wg_conf}" |
  sed -e "s/.*=//;s/ //g")"
 if test -z "${dns}"; then
  set_nft "insert rule ip  qubes custom-dnat drop"
@ -38,22 +39,22 @@ dns_primary="$(echo "${dns}" | cut -d "," -f 1)"
 dns_secondary="$(echo "${dns}" | cut -d "," -f 2)"
 dns_primary_ipv=""
-if echo "${dns_primary}" | grep -qF ":"; then
+if echo "${dns_primary}" | grep -qF -e ":"; then
  dns_primary_ipv=6
 fi
 dns_secondary_ipv=""
-if echo "${dns_secondary}" | grep -qF ":"; then
+if echo "${dns_secondary}" | grep -qF -e ":"; then
  dns_secondary_ipv=6
 fi
 if test -n "${dns}"; then
  set_nft_dnat "${dns_primary_ipv}" udp "${dns_primary}"
  set_nft_dnat "${dns_primary_ipv}" tcp "${dns_primary}"
-  if echo "${dns}" | grep -qF ","; then
+  if echo "${dns}" | grep -qF -e ","; then
    set_nft_dnat "${dns_secondary_ipv}" udp "${dns_secondary}"
    set_nft_dnat "${dns_secondary_ipv}" tcp "${dns_secondary}"
  fi
 fi
-ln -sf /run/resolvconf/resolv.conf /etc/resolv.conf
+ln -sf -- /run/resolvconf/resolv.conf /etc/resolv.conf
--- a/scripts/pgp-lint.sh
+++ b/scripts/pgp-lint.sh
@ -12,7 +12,7 @@ test -d "${repo_toplevel}" || exit 1
 cd "${repo_toplevel}"
 unset repo_toplevel
-now="$(date +%s)"
+now="$(date -- +%s)"
 fail="0"
 find_tool="$(./scripts/best-program.sh fd fdfind find)"
@ -46,7 +46,7 @@ fi
 for key in ${files}; do
  data="$(gpg --no-keyring --no-auto-check-trustdb --no-autostart \
    --with-colons --show-keys "${key}")"
-  nr="$(echo "${data}" | grep -Ec '^(p|s)ub:')"
+  nr="$(echo "${data}" | grep -Ec -e '^(p|s)ub:')"
  ## Threshold in days.
  threshold="${PGP_LINT_THRESHOLD:-30}"
  tty_stderr=0
--- a/scripts/qubesbuilder-gen.sh
+++ b/scripts/qubesbuilder-gen.sh
@ -23,14 +23,14 @@ if test "${1-}" = "test"; then
 fi
 ignored="$(git ls-files --exclude-standard --others --ignored salt/)"
 untracked="$(git ls-files --exclude-standard --others salt/)"
-unwanted="$(printf %s"${ignored}\n${untracked}\n" |
+unwanted="$(printf '%s\n%s\n' "${ignored}" "${untracked}" |
-  grep "^salt/\S\+/README.md" | cut -d "/" -f2 | sort -u)"
+  grep -e "^salt/\S\+/README.md" | cut -d "/" -f2 | sort -u)"
 group="$(./scripts/spec-get.sh dom0 group)"
 projects="$(find salt/ -mindepth 1 -maxdepth 1 -type d | sort -d |
-  sed "s|^salt/\(\S\+\)|      - rpm_spec/${group}-\1.spec|")"
+  sed -e "s|^salt/\(\S\+\)|      - rpm_spec/${group}-\1.spec|")"
 for unwanted_project in ${unwanted}; do
  projects="$(echo "${projects}" |
-    sed "\@rpm_spec/${group}-${unwanted_project}.spec@d")"
+    sed -e "\@rpm_spec/${group}-${unwanted_project}.spec@d")"
 done
 if test "${1-}" = "print"; then
@ -38,10 +38,10 @@ if test "${1-}" = "print"; then
  exit 0
 fi
-sed -e "/@SPEC@/d" "${template}" | tee "${target}" >/dev/null
+sed -e "/@SPEC@/d" -- "${template}" | tee -- "${target}" >/dev/null
-echo "${projects}" | tee -a "${target}" >/dev/null
+echo "${projects}" | tee -a -- "${target}" >/dev/null
 if test "${1-}" = "test"; then
-  if ! cmp -s "${target}" "${intended_target}"; then
+  if ! cmp -s -- "${target}" "${intended_target}"; then
    echo "${0##*/}: error: File ${intended_target} is not up to date" >&2
    echo "${0##*/}: error: Update the builder file with: ${0##/*}" >&2
    exit 1
--- a/scripts/salt-fix.sh
+++ b/scripts/salt-fix.sh
@ -24,24 +24,24 @@ case "${find_tool}" in
  fd|fdfind)
    conf_files="$(${find_tool} . minion.d/ -e conf)"
    sls_files="$(${find_tool} . salt/ -d 2 -t f -e sls)"
-    files="${conf_files}\n${sls_files}"
+    set -- ${conf_files} ${sls_files}
    ;;
  find)
    conf_files="$(find minion.d/ -type f -name "*.conf")"
    sls_files="$(find salt/ -maxdepth 2 -type f -name '*.sls')"
-    files="${conf_files}\n${sls_files}"
+    set -- ${conf_files} ${sls_files}
    ;;
  *) echo "Unsupported find tool" >&2; exit 1;;
 esac
 ## 201 - Fix trailing whitespace:
-sed -i'' -e's/[[:space:]]*$//' ${files}
+sed -i'' -e 's/[[:space:]]*$//' -- "${@}"
 ## 206 - Fix spacing around {{ var_name }}, eg. {{env}} --> {{ env }}:
-sed -i'' -E "s/\{\{\s?([^}]*[^} ])\s?\}\}/\{\{ \1 \}\}/g" ${files}
+sed -i'' -E -e "s/\{\{\s?([^}]*[^} ])\s?\}\}/\{\{ \1 \}\}/g" -- "${@}"
 ## 207 - Add quotes around numeric values that start with a 0:
-sed -i'' -E "s/\b(minute|hour): (0[0-7]?)\$/\1: '\2'/" ${files}
+sed -i'' -E -e "s/\b(minute|hour): (0[0-7]?)\$/\1: '\2'/" -- "${@}"
 ## 208 - Make dir_mode, file_mode and mode arguments in the desired syntax:
-sed -i'' -E "s/\b(dir_|file_|)mode: 0?([0-7]{3})/\1mode: '0\2'/" ${files}
+sed -i'' -E -e "s/\b(dir_|file_|)mode: 0?([0-7]{3})/\1mode: '0\2'/" -- "${@}"
--- a/scripts/salt-lint.sh
+++ b/scripts/salt-lint.sh
@ -38,16 +38,16 @@ case "${find_tool}" in
    conf_files="$(${find_tool} . minion.d/ -e conf)"
    sls_files="$(${find_tool} . salt/ -d 2 -t f -e sls -e top -e jinja \
      -e j2 -e tmpl -e tst | sort -d)"
-    files="${conf_files}\n${sls_files}"
+    set -- ${conf_files} ${sls_files}
    ;;
  find)
    conf_files="$(find minion.d/ -type f -name "*.conf")"
    sls_files="$(find salt/* -maxdepth 2 -type f \
      \( -name '*.sls' -o -name '*.top' -o -name '*.jinja' \
      -o -name '*.j2' -o -name '*.tmpl' -o -name '*.tst' \) | sort -d)"
-    files="${conf_files}\n${sls_files}"
+    set -- ${conf_files} ${sls_files}
    ;;
  *) echo "Unsupported find tool" >&2; exit 1;;
 esac
-exec salt-lint ${conf} ${files}
+exec salt-lint ${conf} "${@}"
--- a/scripts/setup.sh
+++ b/scripts/setup.sh
@ -17,7 +17,7 @@ file_roots="/srv/salt/${group}"
 cd "${0%/*}"/..
 ## Avoid having extra unwanted files.
-rm -rf "${file_roots}"
+rm -rf -- "${file_roots}"
-cp -f minion.d/*.conf /etc/salt/minion.d/
+cp -f -- minion.d/*.conf /etc/salt/minion.d/
-mkdir -p "${file_roots}"
+mkdir -p -- "${file_roots}"
-cp -r salt/* "${file_roots}"
+cp -r -- salt/* "${file_roots}"
--- a/scripts/shell-lint.sh
+++ b/scripts/shell-lint.sh
@ -24,7 +24,7 @@ show_long_lines(){
  if test -t 2; then
    tty_stderr=1
  fi
-  awk -v color="${tty_stderr}" '
+  awk -v color="${tty_stderr}" -- '
    BEGIN {
      exit_code=0
      MAGENTA=""
--- a/scripts/spec-build.sh
+++ b/scripts/spec-build.sh
@ -25,17 +25,17 @@ build_rpm(){
    rpmlint "${spec}"
  fi
-  if grep -q "^BuildRequires: " "${spec}"; then
+  if grep -q -e "^BuildRequires: " -- "${spec}"; then
    sudo dnf build-dep "${spec}"
  fi
-  mkdir -p \
+  mkdir -p -- \
    "${build_dir}/BUILD/${group}-${project}/LICENSES/" \
    "${build_dir}/SOURCES/${group}-${project}/LICENSES"
  ## TODO: generate tarball to sources.
-  cp -r . "${build_dir}/BUILD/${group}-${project}/"
+  cp -r -- . "${build_dir}/BUILD/${group}-${project}/"
-  cp -r . "${build_dir}/SOURCES/${group}-${project}/"
+  cp -r -- . "${build_dir}/SOURCES/${group}-${project}/"
  ## TODO: use qubes-builderv2 with mock or qubes executor
  rpmbuild -ba --quiet --clean -- "${spec}"
@ -49,7 +49,7 @@ build_rpm(){
    dbpath="$(mktemp -d)"
    trap 'rm -rf -- "${dbpath}"' EXIT INT HUP QUIT ABRT
    tmp_file="${dbpath}/${key_id}.asc"
-    "${gpg}" --export --armor "${key_id}" | tee "${tmp_file}" >/dev/null
+    "${gpg}" --export --armor "${key_id}" | tee -- "${tmp_file}" >/dev/null
    rpmkeys --dbpath="${dbpath}" --import "${tmp_file}"
    ## TODO: target only the latest release
    rpmkeys --dbpath="${dbpath}" --checksig --verbose \
@ -73,7 +73,7 @@ build_dir="${HOME}/rpmbuild"
 if command -v rpmdev-setuptree >/dev/null; then
  rpmdev-setuptree
 else
-  mkdir -p \
+  mkdir -p -- \
    "${build_dir}/BUILD" "${build_dir}/BUILDROOT" "${build_dir}/RPMS" \
    "${build_dir}/SOURCES" "${build_dir}/SPECS" "${build_dir}/SRPMS"
 fi
--- a/scripts/spec-gen.sh
+++ b/scripts/spec-gen.sh
@ -14,9 +14,9 @@ usage(){
 escape_key(){
  key_type="${1}"
  if test "${key_type}" = "scriptlet"; then
-    echo "${2}" | sed ':a;N;$!ba;s/\n/\\n  /g' | sed 's/\$/\\$/'
+    echo "${2}" | sed -e ':a;N;$!ba;s/\n/\\n  /g' | sed -e 's/\$/\\$/'
  elif test "${key_type}" = "text"; then
-    echo "${2}" | sed ':a;N;$!ba;s/\n/\\n/g' | sed 's/\$/\\$/'
+    echo "${2}" | sed -e ':a;N;$!ba;s/\n/\\n/g' | sed -e 's/\$/\\$/'
  else
    return 1
  fi
@ -29,9 +29,9 @@ get_scriptlet(){
  scriptlet="$1"
  scriptlet_begin="-- pkg:begin:${scriptlet} --"
  scriptlet_end="-- pkg:end:${scriptlet} --"
-  scriptlet="$(sed -n \
+  scriptlet="$(sed -n -e \
    "/^<\!${scriptlet_begin}>$/,/^<\!${scriptlet_end}>$/p" \
-    "${readme}" | sed '/^```.*/d;/^\S*$/d;/^<\!-- pkg:/d;s/^sudo //')"
+    -- "${readme}" | sed -e '/^```.*/d;/^\S*$/d;/^<\!-- pkg:/d;s/^sudo //')"
  if test -z "${scriptlet}"; then
    echo true
    return 0
@ -44,13 +44,13 @@ get_spec(){
 }
 gen_spec(){
-  project="$(echo "${1}" | sed "s|salt/||;s|/.*||")"
+  project="$(echo "${1}" | sed -e "s|salt/||;s|/.*||")"
-  if echo "${projects_seen}" | grep -qF " ${project} "; then
+  if echo "${projects_seen}" | grep -qF -e " ${project} "; then
    return
  fi
  projects_seen="${projects_seen} ${project} "
-  if echo "${unwanted}" | grep -q "^${project}$"; then
+  if echo "${unwanted}" | grep -q -e "^${project}$"; then
    echo "warn: skipping spec generation of untracked formula: ${project}" >&2
    return 0
  fi
@ -74,7 +74,7 @@ gen_spec(){
  version="$(get_spec version)"
  license_csv="$(get_spec license_csv)"
  ## Ideally we would query the license, but it is a heavy call.
-  license="$(echo "${license_csv}" | sed "s/\,/ AND /g")"
+  license="$(echo "${license_csv}" | sed -e "s/\,/ AND /g")"
  vendor="$(get_spec vendor)"
  packager="$(get_spec packager)"
  url="$(get_spec url)"
@ -118,22 +118,23 @@ gen_spec(){
    -e "s|@URL@|${url}|" \
    -e "s|@DESCRIPTION@|${description}|" \
    -e "/@CHANGELOG@/d" \
-    "${template}" | tee "${target}" >/dev/null
+    -- "${template}" | tee -- "${target}" >/dev/null
  requires_key=""
-  for r in $(printf %s"${requires}" | tr " " "\n" | sort -u); do
+  for r in $(printf '%s' "${requires}" | tr " " "\n" | sort -u); do
    requires_key="${requires_key:-}Requires:       ${group}-${r}\n"
  done
-  sed -i "s/@REQUIRES@/${requires_key}/" "${target}" >/dev/null
+  sed -i -e "s/@REQUIRES@/${requires_key}/" -- "${target}" >/dev/null
-  echo "${changelog}" | tee -a "${target}" >/dev/null
+  echo "${changelog}" | tee -a -- "${target}" >/dev/null
  if test "${2-}" = "test"; then
-    if ! cmp -s "${target}" "${intended_target}"; then
+    if ! cmp -s -- "${target}" "${intended_target}"; then
      echo "error: ${intended_target} is not up to date" >&2
-      diff --color=auto "${intended_target}" "${target}" || true
+      diff --color=auto -- "${intended_target}" "${target}" || true
      fail=1
    else
-      unstaged_target="$(git diff --name-only "${intended_target}")" || true
+      unstaged_target="$(git diff --name-only -- "${intended_target}")" ||
        true
      if test -n "${unstaged_target}"; then
        echo "warn: ${intended_target} is up to date but it is not staged" >&2
      fi
@ -155,8 +156,8 @@ unset repo_toplevel
 spec_get="./scripts/spec-get.sh"
 ignored="$(git ls-files --exclude-standard --others --ignored salt/)"
 untracked="$(git ls-files --exclude-standard --others salt/)"
-unwanted="$(printf %s"${ignored}\n${untracked}\n" \
+unwanted="$(printf '%s\n%s\n' "${ignored}" "${untracked}" \
-            | grep "^salt/\S\+/README.md" | cut -d "/" -f2 | sort -u)"
+            | grep -e "^salt/\S\+/README.md" | cut -d "/" -f2 | sort -u)"
 fail=""
 gen_mode=""
@ -166,7 +167,7 @@ if test "${1-}" = "test"; then
  shift
 fi
-if echo "${@}" | grep -qE "(^scripts/| scripts/|/template.spec)" ||
+if echo "${@}" | grep -qE -e "(^scripts/| scripts/|/template.spec)" ||
  test -z "${1-}"
 then
  # shellcheck disable=SC2046,SC2312
--- a/scripts/spec-get.sh
+++ b/scripts/spec-get.sh
@ -142,10 +142,10 @@ if test "${key}" = "saltfiles" || test "${key}" = "requires"; then
  saltfiles="$(find "${project_dir}" -maxdepth 1 -name "*.sls")"
  # shellcheck disable=SC2086
  if test -n "${saltfiles}"; then
-    requires="$(sed -n '/^include:$/,/^\s*$/p' -- ${saltfiles} |
+    requires="$(sed -n -e '/^include:$/,/^\s*$/p' -- ${saltfiles} |
-      sed "/^\s*- \./d;/{/d" | grep "^\s*- " | cut -d "." -f1 | sort -u |
+      sed -e "/^\s*- \./d;/{/d" | grep -e "^\s*- " | cut -d "." -f1 |
-      sed "s/- //")"
+      sort -u | sed -e "s/- //")"
-    if grep -qrn "{%-\? from \('\|\"\)utils" ${saltfiles}; then
+    if grep -qrn -e "{%-\? from \('\|\"\)utils" ${saltfiles}; then
      if test -n "${requires}"; then
        requires="${requires} utils"
      else
@ -156,7 +156,7 @@ if test "${key}" = "saltfiles" || test "${key}" = "requires"; then
    requires=""
  fi
  requires_valid=""
-  for r in $(printf %s"${requires}" | tr " " "\n"); do
+  for r in $(printf '%s' "${requires}" | tr " " "\n"); do
    if ! test -d "salt/${r}"; then
      continue
    fi
--- a/scripts/toc-gen.sh
+++ b/scripts/toc-gen.sh
@ -31,7 +31,7 @@ for f in "${@}"; do
    echo "Error: Not a regular file: ${f}" >&2
    exit 1
  fi
-  if ! grep -q "^## Table of Contents$" "${f}"; then
+  if ! grep -q -e "^## Table of Contents$" -- "${f}"; then
    echo "Could not find table of contents in file: ${f}, skipping" >&2
    continue
  fi
--- a/scripts/yumrepo-gen.sh
+++ b/scripts/yumrepo-gen.sh
@ -21,9 +21,9 @@ dist="fc37"
 yum_repo_root="${HOME}/rpmrepo"
 yum_repo="${yum_repo_root}/${qubes_release}/${repo}/host/${dist}"
-mkdir -p "${yum_repo}/rpm"
+mkdir -p -- "${yum_repo}/rpm"
 find "${build_dir}/RPMS/" -type f -name "*.rpm" \
-  -exec cp {} "${yum_repo}/rpm/" \;
+  -exec cp -- {} "${yum_repo}/rpm/" \;
 createrepo_args=""
 if test -d "${yum_repo}/repodata"; then
		`@ -1 +1 @@`
			`Subproject commit 7e2502b70a0f336ef74e31b4d9bf3e4aadd785a3`				`Subproject commit b38834d66b8d7c7cf2d29726f5f7e608bd0b2e78`
`@ -15,4 +15,4 @@ fi`

	`rpc_list="$(bitcoin-cli help \| awk '/^[a-z]/{print $1}' \| tr "\n" ",")"`	`rpc_list="$(bitcoin-cli help \| awk '/^[a-z]/{print $1}' \| tr "\n" ",")"`

	`echo "rpcwhitelist=__cookie__:${rpc_list}" \| tee "${conf}" >/dev/null`	`echo "rpcwhitelist=__cookie__:${rpc_list}" \| tee -- "${conf}" >/dev/null`