audit: only flag if checksum changes when version and full url stay the same

2020-11-11 10:38:14 -05:00 · 2020-11-11 10:38:14 -05:00 · ba0699a8d7
commit ba0699a8d7
parent f2d46efc14
2 changed files with 7 additions and 3 deletions
--- a/Library/Homebrew/dev-cmd/audit.rb
+++ b/Library/Homebrew/dev-cmd/audit.rb
@ -903,6 +903,7 @@ module Homebrew
      current_checksum = formula.stable.checksum
      current_version_scheme = formula.version_scheme
      current_revision = formula.revision
+      current_url = formula.stable.url

      previous_version = nil
      previous_version_scheme = nil
@ -911,6 +912,7 @@ module Homebrew
      newest_committed_version = nil
      newest_committed_checksum = nil
      newest_committed_revision = nil
+      newest_committed_url = nil

      fv.rev_list("origin/master") do |rev|
        fv.formula_at_revision(rev) do |f|
@ -925,6 +927,7 @@ module Homebrew
          newest_committed_version ||= previous_version
          newest_committed_checksum ||= previous_checksum
          newest_committed_revision ||= previous_revision
+          newest_committed_url ||= stable.url
        end

        break if previous_version && current_version != previous_version
@ -932,9 +935,10 @@ module Homebrew
      end

      if current_version == newest_committed_version &&
+         current_url == newest_committed_url &&
         current_checksum != newest_committed_checksum
        problem(
-          "stable sha256 changed without the version also changing; " \
+          "stable sha256 changed without the url/version also changing; " \
          "please create an issue upstream to rule out malicious " \
          "circumstances and to find out why the file changed.",
        )
--- a/Library/Homebrew/test/dev-cmd/audit_spec.rb
+++ b/Library/Homebrew/test/dev-cmd/audit_spec.rb
@ -682,7 +682,7 @@ module Homebrew
            )
          end

-          it { is_expected.to match("stable sha256 changed without the version also changing") }
+          it { is_expected.to match("stable sha256 changed without the url/version also changing") }
        end

        context "should not change with the same version when not the first commit" do
@ -699,7 +699,7 @@ module Homebrew
            )
          end

-          it { is_expected.to match("stable sha256 changed without the version also changing") }
+          it { is_expected.to match("stable sha256 changed without the url/version also changing") }
        end

        context "can change with the different version" do