From 1ce7f1fb7b6ccc360ebecc72fefa2ae6bc850b4d Mon Sep 17 00:00:00 2001 From: Michka Popoff Date: Mon, 15 Nov 2021 19:34:19 +0100 Subject: [PATCH] disable: allow to disable due to checksum mismatch The rationale is that a checksum mismatch is a huge security issue. This means that the current source file, but maybe the initial one, might have been compromised. In the case upstream does not respond quickly to clarify what happened, or fails to respond, we can now rev-bump the formula, disable and unbottle it, making sure we stop delivering the potentially malicious code Further improvements: - Add the url of the project in the error message to redirect users to the closed pull request where we disabled this, to centralize the discussion and avoid the opening of multiple new issues - Add a warning on brew-update that something is fishy upstream --- Library/Homebrew/deprecate_disable.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Library/Homebrew/deprecate_disable.rb b/Library/Homebrew/deprecate_disable.rb index f815f3fa5b..bcdb501a11 100644 --- a/Library/Homebrew/deprecate_disable.rb +++ b/Library/Homebrew/deprecate_disable.rb @@ -16,6 +16,10 @@ module DeprecateDisable unsupported: "is not supported upstream", deprecated_upstream: "is deprecated upstream", versioned_formula: "is a versioned formula", + checksum_mismatch: "was built with an initially released source file that had "\ + "a different checksum than the current one. " \ + "Upstream's repository might have been compromised. " \ + "We can re-package this once upstream has confirmed that they retagged their release", }.freeze def deprecate_disable_info(formula)
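Review bot: the new `checksum_mismatch` entry breaks the pattern of the hash it joins, whose other values are single predicate phrases ("is not supported upstream", "is a versioned formula") that `deprecate_disable_info` evidently splices into a sentence after the formula name; this one is three sentences, the last of them without a terminal period, so any text the caller appends after the reason will run straight onto "...retagged their release". Suggest keeping the hash value to one predicate, e.g. `checksum_mismatch: "was built from a release tarball whose checksum has since changed upstream",` and carrying the explanation (possible repository compromise, re-packaging once upstream confirms the retag) in the message that `deprecate_disable_info` or the formula's `disable!` call emits around it, where it can also hold the project URL the commit message proposes. Minor style point on the same lines: the first continuation uses `"\` with no space before the backslash while the next two use `" \`; make the three consistent.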