Update the audit to prefer ftpmirror.gnu.org over ftp.gnu.org as
suggested by GNU [1]:

> We recommend using this generic ftpmirror.gnu.org address wherever
> possible in links, documentation, etc., to reduce load on the main GNU
> server.

The audit is temporarily disabled to allow migrating all homebrew/core
formulae first.

Should help to address #20456.

[1]: https://www.gnu.org/server/mirror.en.html

- Since `head` must now specify a url and branch, the `head do` block
with only these stanzas can be condensed to the single-line
`head "url", branch: "branch"` format.
- There's a TODO on the "someday" list [1] to ensure that `head` Git
URLs always specify a branch.
- So I thought I'd automate this worry by adding an audit.
- Since `resource` block URLs tend to be pinned to SHAs, if indeed
they are Git URLs, this audit only applies to `head` URLs.
[1]: https://github.com/orgs/Homebrew/projects/5?pane=issue&itemId=98789749
- I found a few occurrences of this pattern from
https://github.com/orgs/Homebrew/projects/5?pane=issue&itemId=97021840,
that is an automated style request for:
`core: use / instead of + operator in e.g. (lib+"lv").install "lv.hlp"`.
- Upon adding tests I realised that there's also the `prefix + "bin"`
case that's already handled differently, so let's combine the handling
given it's the same `+` that's wrong.
Add a new RuboCop to detect the use of 0.0.0.0 in formulae which
indicates binding to all network interfaces, internally or externally,
so is a bad default and potentially a security risk.
Co-authored-by: Issy Long <me@issylong.com>
Inspired by curl's blog post, [Detecting malicious Unicode][1], this likely captures most if not all cases and nudges the user toward supplying IDNs with punycode.
A possible improvement would be telling the user exactly what punycode domain to use instead, but that may require another library as I can't quickly find something built into the Ruby stdlib that handles punycode encoding.
[1]: https://daniel.haxx.se/blog/2025/05/16/detecting-malicious-unicode/
Co-authored-by: Štefan Baebler <319826+stefanb@users.noreply.github.com>
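
The non-ASCII URL check described in the commit message above, as an added example that is not part of that commit and is not Homebrew's own cop. The stanza regex, the `Finding` struct, the function name and the sample formula are all assumptions constructed for illustration.

```ruby
# Added example: report URL stanzas that contain non-ASCII characters,
# with the offending codepoints, so a reviewer can spot look-alike letters.
# Assumption: stanzas are written as `url "..."`, `mirror "..."` or
# `homepage "..."` on a single line.
URL_STANZA = /^\s*(url|mirror|homepage)\s+"([^"]+)"/

Finding = Struct.new(:line, :stanza, :url, :codepoints)

def non_ascii_url_findings(source)
  source.each_line.with_index(1).filter_map do |text, lineno|
    match = URL_STANZA.match(text)
    next if match.nil?

    stanza, url = match.captures
    next if url.ascii_only?

    # List each distinct non-ASCII character once, as U+XXXX.
    codepoints = url.each_char
                    .reject(&:ascii_only?)
                    .uniq
                    .map { |char| format("U+%04X", char.ord) }
    Finding.new(lineno, stanza, url, codepoints)
  end
end

# Constructed sample: the `url` host uses Cyrillic U+0430 in place of
# the Latin letter "a"; the other stanzas are plain ASCII.
SAMPLE_FORMULA = <<~RUBY
  class Example < Formula
    homepage "https://example.com/"
    url "https://ex\u0430mple.com/example-1.0.tar.gz"
    mirror "https://mirror.example.org/example-1.0.tar.gz"
  end
RUBY

non_ascii_url_findings(SAMPLE_FORMULA).each do |finding|
  puts "line #{finding.line}: #{finding.stanza} contains " \
       "#{finding.codepoints.join(', ')}; supply the host in punycode instead"
end
```
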
We were selectively requiring the tap.rb file in a few places for
performance reasons. The main method we were referencing was the
`Tap.cmd_directories` method which uses `Pathname` and the `TAP_DIRECTORY`
constant internally. `Tap.cmd_directories` is mostly used in the `Commands`
module and that is loaded very early on in the program so it made sense
to move that command to that module. To facilitate that I moved the
`TAP_DIRECTORY` constant to the top-level and renamed it to
`HOMEBREW_TAP_DIRECTORY`. It now lies in the tap_constants.rb file.
A nice bonus of this refactor is that it speeds up loading external
commands since the tap.rb file is no longer required by default in
those cases.
- We discovered that the following syntax in the formula `sqlsmith`
should actually be OK because the `\n` is like whitespace.
```ruby
cmd = %W[
  #{bin}/sqlsmith
  --threads=4
  --timeout=10
]
shell_output(cmd)
```
- I got bored doing them manually.
- Also now more people can help with letters of the alphabet using `brew style --only=FormulaAuditStrict/Text --fix homebrew/core`.
- This cop checks for the use of `FileUtils.rm_rf` and suggests using
`FileUtils.rm_r` because we should know if we couldn't delete a
thing for some reason, not just force it.
- Previously this only included the formula name.
- But, for example in tests, we have "#{bin}/ansible-test",
not just "#{bin}/ansible". So handle that too.
- I decided to make the error message better by extracting the
binary name from the interpolation, but I'm not sure it was worth it.
```
$ brew audit --strict ansible
ansible
* line 580, col 29: Use `bin/"ansible-test"` instead of `"#{bin}/ansible-test"`
Error: 1 problem in 1 formula detected.
```