As we haven't released 2.3.1 I think we can get away with sneaking this
in. I'm also prepared to back this out if it's too widely used and
there's too much backlash.
- Trying to test out a user-submitted `brew bump-formula-pr` for
`app-engine-java` gave an error locally that [hasn't shown up on
CI](https://github.com/Homebrew/homebrew-core/pull/55798/checks?check_run_id=740165542),
oddly.
```
➜ brew install app-engine-java -s && brew test app-engine-java
Error: Calling Formula#installed? is deprecated! Use Formula#latest_version_installed? (or Formula#any_version_installed? ) instead.
/usr/local/Homebrew/Library/Homebrew/compat/formula.rb:6:in `installed?'
/usr/local/Homebrew/Library/Homebrew/formula_installer.rb:421:in `block (2 levels) in check_requirements'
/usr/local/Homebrew/Library/Homebrew/formula_installer.rb:420:in `each'
/usr/local/Homebrew/Library/Homebrew/formula_installer.rb:420:in `block in check_requirements'
/usr/local/Homebrew/Library/Homebrew/formula_installer.rb:419:in `each_pair'
/usr/local/Homebrew/Library/Homebrew/formula_installer.rb:419:in `check_requirements'
/usr/local/Homebrew/Library/Homebrew/formula_installer.rb:392:in `compute_dependencies'
/usr/local/Homebrew/Library/Homebrew/formula_installer.rb:149:in `verify_deps_exist'
/usr/local/Homebrew/Library/Homebrew/formula_installer.rb:143:in `prelude'
/usr/local/Homebrew/Library/Homebrew/cmd/install.rb:328:in `install_formula'
/usr/local/Homebrew/Library/Homebrew/cmd/install.rb:261:in `block in install'
/usr/local/Homebrew/Library/Homebrew/cmd/install.rb:259:in `each'
/usr/local/Homebrew/Library/Homebrew/cmd/install.rb:259:in `install'
/usr/local/Homebrew/Library/Homebrew/brew.rb:110:in `<main>'
```
Installation of formulae from URLs has many attack vectors and is
fundamentally insecure, unsupported, regularly recommended against and
generally a terrible idea. There's plenty of ways to take that URL,
manually verify it and put it somewhere that Homebrew does support so
let's deprecate this way of doing things.
This is useful for applications that are not signed by the developer and
require Accessibility access.
Because the app is not signed, macOS only authorizes the current binary,
and so when it is updated (and the binary changes) the new version is
unsigned, despite the app still showing as ticked in System Preferences.
The user has to manually untick and retick the app each time.
The ideal fix is for the developer to sign their app, but not all
developers are willing to pay for this, so the best we can do is to
advise users of the workaround/solution.
Refs: https://github.com/Homebrew/homebrew-cask/pull/83157
```
➜ brew audit --online --new-formula --verbose turbogit
turbogit:
* GitHub repository not notable enough (<30 forks, <30 watchers and <75 stars)
* GitHub repository too new (<30 days old)
Error: undefined local variable or method `created_pr_comment' for Homebrew:Module
/usr/local/Homebrew/Library/Homebrew/dev-cmd/audit.rb:148:in `audit'
/usr/local/Homebrew/Library/Homebrew/brew.rb:110:in `<main>'
```
- This was removed in 4f75a77b089e65ff9e03c65d192808aa4ea6842f. We can't
post PR comments from GitHub Actions CI from forks.
- [For a formula named
turbogit](https://github.com/Homebrew/homebrew-core/pull/55208), we
didn't see any of the notability checks fail CI.
- The repo name was getting truncated to `turb`, which didn't exist, so
the audit didn't return anything for this check.
- The Regexp to strip `.git` from the end of was not escaping the `.`,
so it would match anything ending in `git`, not a literal `.git`.
