use posixpath.join() for paths on the buildserver

This fixes bandit misdetection of hardcoded /tmp dir.  posixpath.join() is
good to use anyway, it highlights what is on the remote server, vs what is
local.  Local paths should use os.path.join() to support Windows, etc.
posixpath is built in since Python 3.4, maybe earlier

fdroidserver/build.py

@@ -21,6 +21,7 @@ import os
 import shutil
 import glob
 import subprocess
+import posixpath
 import re
 import resource
 import sys
@@ -92,7 +93,7 @@ def build_server(app, build, vcs, build_dir, output_dir, log_dir, force):
                      port=sshinfo['port'], timeout=300,
                      look_for_keys=False, key_filename=sshinfo['idfile'])
 
-        homedir = '/home/' + sshinfo['user']
+        homedir = posixpath.join('/home', sshinfo['user'])
 
         # Get an SFTP connection...
         ftp = sshs.open_sftp()
@@ -159,7 +160,7 @@ def build_server(app, build, vcs, build_dir, output_dir, log_dir, force):
         ftp.mkdir('srclib')
         # Copy any extlibs that are required...
         if build.extlibs:
-            ftp.chdir(homedir + '/build/extlib')
+            ftp.chdir(posixpath.join(homedir, 'build', 'extlib'))
             for lib in build.extlibs:
                 lib = lib.strip()
                 libsrc = os.path.join('build/extlib', lib)
@@ -186,20 +187,20 @@ def build_server(app, build, vcs, build_dir, output_dir, log_dir, force):
             srclibpaths.append(basesrclib)
         for name, number, lib in srclibpaths:
             logging.info("Sending srclib '%s'" % lib)
-            ftp.chdir(homedir + '/build/srclib')
+            ftp.chdir(posixpath.join(homedir, 'build', 'srclib'))
             if not os.path.exists(lib):
                 raise BuildException("Missing srclib directory '" + lib + "'")
             fv = '.fdroidvcs-' + name
             ftp.put(os.path.join('build/srclib', fv), fv)
             send_dir(lib)
             # Copy the metadata file too...
-            ftp.chdir(homedir + '/srclibs')
+            ftp.chdir(posixpath.join(homedir, 'srclibs'))
             ftp.put(os.path.join('srclibs', name + '.txt'),
                     name + '.txt')
         # Copy the main app source code
         # (no need if it's a srclib)
         if (not basesrclib) and os.path.exists(build_dir):
-            ftp.chdir(homedir + '/build')
+            ftp.chdir(posixpath.join(homedir, 'build'))
             fv = '.fdroidvcs-' + app.id
             ftp.put(os.path.join('build', fv), fv)
             send_dir(build_dir)
@@ -208,7 +209,7 @@ def build_server(app, build, vcs, build_dir, output_dir, log_dir, force):
         logging.info("Starting build...")
         chan = sshs.get_transport().open_session()
         chan.get_pty()
-        cmdline = os.path.join(homedir, 'fdroidserver', 'fdroid')
+        cmdline = posixpath.join(homedir, 'fdroidserver', 'fdroid')
         cmdline += ' build --on-server'
         if force:
             cmdline += ' --force --test'
@@ -255,7 +256,7 @@ def build_server(app, build, vcs, build_dir, output_dir, log_dir, force):
         # Retreive logs...
         toolsversion_log = common.get_toolsversion_logname(app, build)
         try:
-            ftp.chdir(os.path.join(homedir, log_dir))
+            ftp.chdir(posixpath.join(homedir, log_dir))
             ftp.get(toolsversion_log, os.path.join(log_dir, toolsversion_log))
             logging.debug('retrieved %s', toolsversion_log)
         except Exception as e:
@@ -264,9 +265,9 @@ def build_server(app, build, vcs, build_dir, output_dir, log_dir, force):
         # Retrieve the built files...
         logging.info("Retrieving build output...")
         if force:
-            ftp.chdir(homedir + '/tmp')
+            ftp.chdir(posixpath.join(homedir, 'tmp'))
         else:
-            ftp.chdir(homedir + '/unsigned')
+            ftp.chdir(posixpath.join(homedir, 'unsigned'))
         apkfile = common.get_release_filename(app, build)
         tarball = common.getsrcname(app, build)
         try: