Merge pull request #12296 from EricFromCanada/svn-certificates

formula_installer: always pre-install formulae required for fetching sources

.github/workflows/tests.yml

@@ -305,10 +305,6 @@ jobs:
 
       - name: Install brew tests dependencies
         run: |
-          brew install subversion
-          brew sh -c "svn --homebrew=print-path"
-          which svn
-          which svnadmin
           brew install curl
           which curl
 

Library/Homebrew/dependency_collector.rb

@@ -45,7 +45,7 @@ class DependencyCollector
   end
 
   def cache_key(spec)
-    if spec.is_a?(Resource) && spec.download_strategy == CurlDownloadStrategy
+    if spec.is_a?(Resource) && spec.download_strategy <= CurlDownloadStrategy
       File.extname(spec.url)
     else
       spec
@@ -148,7 +148,7 @@ class DependencyCollector
     strategy = spec.download_strategy
 
     if strategy <= HomebrewCurlDownloadStrategy
-      brewed_curl_dep_if_needed(tags)
+      @deps << brewed_curl_dep_if_needed(tags)
       parse_url_spec(spec.url, tags)
     elsif strategy <= CurlDownloadStrategy
       parse_url_spec(spec.url, tags)

Library/Homebrew/download_strategy.rb

@@ -763,10 +763,7 @@ class SubversionDownloadStrategy < VCSDownloadStrategy
 
     args << "--ignore-externals" if ignore_externals
 
-    if meta[:trust_cert] == true
-      args << "--trust-server-cert"
-      args << "--non-interactive"
-    end
+    args.concat Utils::Svn.invalid_cert_flags if meta[:trust_cert] == true
 
     if target.directory?
       command! "svn", args: ["update", *args], chdir: target.to_s, timeout: timeout&.remaining

Library/Homebrew/extend/os/mac/dependency_collector.rb

@@ -8,7 +8,7 @@ class DependencyCollector
   def git_dep_if_needed(tags); end
 
   def subversion_dep_if_needed(tags)
-    Dependency.new("subversion", tags) if MacOS.version >= :catalina
+    Dependency.new("subversion", tags)
   end
 
   def cvs_dep_if_needed(tags)

Library/Homebrew/formula_installer.rb

@@ -215,6 +215,7 @@ class FormulaInstaller
     forbidden_license_check
 
     check_install_sanity
+    install_fetch_deps unless ignore_deps?
   end
 
   sig { void }
@@ -343,6 +344,19 @@ class FormulaInstaller
           "#{formula.full_name} requires the latest version of pinned dependencies"
   end
 
+  sig { void }
+  def install_fetch_deps
+    return if @compute_dependencies.blank?
+
+    compute_dependencies(use_cache: false) if @compute_dependencies.any? do |dep, options|
+      next false unless dep.tags == [:build, :test]
+
+      fetch_dependencies
+      install_dependency(dep, options)
+      true
+    end
+  end
+
   def build_bottle_preinstall
     @etc_var_dirs ||= [HOMEBREW_PREFIX/"etc", HOMEBREW_PREFIX/"var"]
     @etc_var_preinstall = Find.find(*@etc_var_dirs.select(&:directory?)).to_a

Library/Homebrew/utils/svn.rb

@@ -30,9 +30,22 @@ module Utils
       def remote_exists?(url)
         return true unless available?
 
+        args = ["ls", url, "--depth", "empty"]
+        _, stderr, status = system_command("svn", args: args, print_stderr: false)
+        return status.success? unless stderr.include?("certificate verification failed")
+
         # OK to unconditionally trust here because we're just checking if a URL exists.
-        system_command("svn", args: ["ls", url, "--depth", "empty",
-                                     "--non-interactive", "--trust-server-cert"], print_stderr: false).success?
+        system_command("svn", args: args.concat(invalid_cert_flags), print_stderr: false).success?
+      end
+
+      sig { returns(Array) }
+      def invalid_cert_flags
+        opoo "Ignoring Subversion certificate errors!"
+        args = ["--non-interactive", "--trust-server-cert"]
+        if Version.create(version || "-1") >= Version.create("1.9")
+          args << "--trust-server-cert-failures=expired,not-yet-valid"
+        end
+        args
       end
 
       def clear_version_cache