audit: improve ssl/tls detection

I don’t know how maintainers are going to feel about this, to be honest. If it’s too clunky, perhaps we could externalise the entire two main blocks here and then require that file into the audit instead? Basically, I’m pushing changes here to better detect a wide-array of SSL/TLS available links that either have no auto-redirect in place or is a common linking error in formulae. I haven’t spotted any false positives yet, but obviously, feel free to try and break the changes and I’ll fix as necessary ;). IMO, this would allow us gradual updates without having to mass-update everything at once and stress the bot and inform users they have hundreds of updates pending when really it’s just style/basic changes. Closes Homebrew/homebrew#35551. Signed-off-by: Mike McQuaid <mike@mikemcquaid.com>
2015-01-04 23:43:15 +00:00 · 2015-01-04 23:43:15 +00:00 · 50d64da1ec
commit 50d64da1ec
parent b459f953c4
1 changed files with 66 additions and 1 deletions
--- a/Library/Homebrew/cmd/audit.rb
+++ b/Library/Homebrew/cmd/audit.rb
@ -218,6 +218,37 @@ class FormulaAuditor
      problem "Google Code homepage should end with a slash (URL is #{homepage})."
    end

+    # Automatic redirect exists, but this is another hugely common error.
+    if homepage =~ %r[^http://code\.google\.com/]
+      problem "Google Code homepages should be https:// links (URL is #{homepage})."
+    end
+
+    # GNU has full SSL/TLS support but no auto-redirect.
+    if homepage =~ %r[^http://www\.gnu\.org/]
+      problem "GNU homepages should be https:// links (URL is #{homepage})."
+    end
+
+    # Savannah has full SSL/TLS support but no auto-redirect.
+    # Doesn't apply to the download links (boo), only the homepage.
+    if homepage =~ %r[^http://savannah\.nongnu\.org/]
+      problem "Savannah homepages should be https:// links (URL is #{homepage})."
+    end
+
+    # There's an auto-redirect here, but this mistake is incredibly common too.
+    if homepage =~ %r[^http://packages\.debian\.org]
+      problem "Debian homepage should be https:// links (URL is #{homepage})."
+    end
+
+    if homepage =~ %r[^http://((?:trac|tools|www)\.)?ietf\.org]
+      problem "ietf homepages should be https:// links (URL is #{homepage})."
+    end
+
+    # There's an auto-redirect here, but this mistake is incredibly common too.
+    # Only applies to the homepage and subdomains for now, not the FTP links.
+    if homepage =~ %r[^http://((?:build|cloud|developer|download|extensions|git|glade|help|library|live|nagios|news|people|projects|rt|static|wiki|www)\.)?gnome\.org]
+      problem "Gnome homepages should be https:// links (URL is #{homepage})."
+    end
+
    urls = @specs.map(&:url)

    # Check GNU urls; doesn't apply to mirrors
@ -225,9 +256,29 @@ class FormulaAuditor
      problem "\"ftpmirror.gnu.org\" is preferred for GNU software (url is #{u})."
    end

-    # the rest of the checks apply to mirrors as well
+    # the rest of the checks apply to mirrors as well.
    urls.concat(@specs.map(&:mirrors).flatten)

+    # Check a variety of SSL/TLS links that don't consistently auto-redirect
+    # or are overly common errors that need to be reduced & fixed over time.
+    urls.each do |p|
+      # Skip the main url link, as it can't be made SSL/TLS yet.
+      next if p =~ %r[/ftpmirror\.gnu\.org]
+
+      case p
+      when %r[^http://ftp\.gnu\.org/]
+        problem "ftp.gnu.org urls should be https://, not http:// (url is #{p})."
+      when %r[^http://code\.google\.com/]
+        problem "code.google.com urls should be https://, not http (url is #{p})."
+      when %r[^http://fossies\.org/]
+        problem "Fossies urls should be https://, not http (url is #{p})."
+      when %r[^http://mirrors\.kernel\.org/]
+        problem "mirrors.kernel urls should be https://, not http (url is #{p})."
+      when %r[^http://tools\.ietf\.org/]
+        problem "ietf urls should be https://, not http (url is #{p})."
+      end
+    end
+
    # Check SourceForge urls
    urls.each do |p|
      # Skip if the URL looks like a SVN repo
@ -268,11 +319,21 @@ class FormulaAuditor
      problem "Use https:// URLs for downloads from Google Code (url is #{u})."
    end

+    # Check for new-url Google Code download urls, https:// is preferred
+    urls.grep(%r[^http://code\.google\.com/]) do |u|
+      problem "Use https:// URLs for downloads from code.google (url is #{u})."
+    end
+
    # Check for git:// GitHub repo urls, https:// is preferred.
    urls.grep(%r[^git://[^/]*github\.com/]) do |u|
      problem "Use https:// URLs for accessing GitHub repositories (url is #{u})."
    end

+    # Check for git:// Gitorious repo urls, https:// is preferred.
+    urls.grep(%r[^git://[^/]*gitorious\.org/]) do |u|
+      problem "Use https:// URLs for accessing Gitorious repositories (url is #{u})."
+    end
+
    # Check for http:// GitHub repo urls, https:// is preferred.
    urls.grep(%r[^http://github\.com/.*\.git$]) do |u|
      problem "Use https:// URLs for accessing GitHub repositories (url is #{u})."
@ -336,6 +397,10 @@ class FormulaAuditor
      end
    when %r[macports/trunk]
      problem "MacPorts patches should specify a revision instead of trunk:\n#{patch.url}"
+    when %r[^http://trac\.macports\.org]
+      problem "Patches from MacPorts Trac should be https://, not http:\n#{patch.url}"
+    when %r[^http://bugs\.debian\.org]
+      problem "Patches from Debian should be https://, not http:\n#{patch.url}"
    when %r[^https?://github\.com/.*commit.*\.patch$]
      problem "GitHub appends a git version to patches; use .diff instead."
    end