From 4422bd1f341e57038a8852ca9f8c46c31dbdbcad Mon Sep 17 00:00:00 2001
From: Dominyk Tiller
Date: Sat, 27 Aug 2016 03:07:10 +0100
Subject: [PATCH 1/2] audit: enforce https for Debian's anonscm
---
 Library/Homebrew/cmd/audit.rb | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Library/Homebrew/cmd/audit.rb b/Library/Homebrew/cmd/audit.rb
index 3c26eeb974..b237ede0d7 100644
--- a/Library/Homebrew/cmd/audit.rb
+++ b/Library/Homebrew/cmd/audit.rb
@@ -1192,6 +1192,7 @@ class ResourceAuditor
 %r{^http://tools\.ietf\.org/},
 %r{^http://launchpad\.net/},
 %r{^http://bitbucket\.org/},
+ %r{^http://anonscm\.debian\.org/},
 %r{^http://cpan\.metacpan\.org/},
 %r{^http://hackage\.haskell\.org/},
 %r{^http://(?:[^/]*\.)?archive\.org},
@@ -1202,6 +1203,8 @@ class ResourceAuditor
 problem "#{p} should be `https://cpan.metacpan.org/#{$1}`"
 when %r{^(http|ftp)://ftp\.gnome\.org/pub/gnome/(.*)}i
 problem "#{p} should be `https://download.gnome.org/#{$2}`"
+ when %r{^git://anonscm\.debian\.org/users/(.*)}i
+ problem "#{p} should be `https://anonscm.debian.org/git/users/#{$1}`"
 end
 end

From 8a3a4b83fd28df2acf4dbd65eab53ec8dc2a59fa Mon Sep 17 00:00:00 2001
From: Dominyk Tiller
Date: Tue, 30 Aug 2016 04:47:26 +0100
Subject: [PATCH 2/2] audit: banish http://http.debian.net for secure mirrors
---
 Library/Homebrew/cmd/audit.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/Library/Homebrew/cmd/audit.rb b/Library/Homebrew/cmd/audit.rb
index b237ede0d7..c4e0fb619e 100644
--- a/Library/Homebrew/cmd/audit.rb
+++ b/Library/Homebrew/cmd/audit.rb
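Review bot: The new `when` in the second hunk only redirects `git://anonscm.debian.org/users/...`, so any other git:// namespace on the same host (a `collab-maint/` or team repository, for instance) is still accepted over the unauthenticated git protocol, which is the very thing the first hunk's https enforcement is trying to close. If anonscm serves every namespace under the same `/git/` prefix that it uses for `users/` — worth confirming against the host before relying on it — the pattern can be widened to `when %r{^git://anonscm\.debian\.org/(.*)}i` with the message pointing at `https://anonscm.debian.org/git/#{$1}`, and the narrow `users/` case becomes redundant. The `i` flag also means a mixed-case scheme or host is matched and then echoed verbatim into the suggested URL, which is harmless but slightly untidy. The enclosing `case` and its method start before this hunk and continue after the two `end` lines shown.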
@@ -1253,6 +1253,17 @@ class ResourceAuditor
 end
 end

+ # Debian has an abundance of secure mirrors. Let's not pluck the insecure
+ # one out of the grab bag.
+ urls.each do |u|
+ next unless u =~ %r{^http://http\.debian\.net/debian/(.*)}i
+ problem <<-EOS.undent
+ Please use a secure mirror for Debian URLs.
+ We recommend:
+ https://mirrors.ocf.berkeley.edu/debian/#{$1}
+ EOS
+ end
+
 # Check for Google Code download urls, https:// is preferred
 # Intentionally not extending this to SVN repositories due to certificate
 # issues.
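Review bot: The check matches only `http://http.debian.net/debian/`, so equally unencrypted Debian mirror URLs such as `http://ftp.debian.org/debian/` or a country mirror like `http://ftp.us.debian.org/debian/` still pass the audit unflagged, which undercuts the stated goal of keeping the insecure mirror out of the grab bag; the pattern should at least cover the canonical host, e.g. `next unless u =~ %r{^http://(?:http\.debian\.net|ftp\.(?:[a-z]{2}\.)?debian\.org)/debian/(.*)}i`. The recommended replacement hard-codes a single third-party university mirror, so if it stops carrying `debian/` the audit will keep steering formulae to a dead host; a comment such as `# mirrors.ocf.berkeley.edu served debian/ over https as of 2016-08; revisit if that changes` would tell the next maintainer why this host and when to re-check it. Because Homebrew resources are also pinned by checksum, the https requirement here guards the transport rather than the artifact, which is worth a word in the comment so nobody reads it as a substitute for the sha256. The enclosing method starts before this hunk and continues past the Google Code comment at its end.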