Merge pull request #9111 from dtrodrigues/checksum-url

audit: only flag if checksum changes when full url and version stay the same
Homebrew · Nov 13, 2020 · 24c825e · 24c825e
2 parents c602090 + ba0699a
commit 24c825e
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/Library/Homebrew/dev-cmd/audit.rb b/Library/Homebrew/dev-cmd/audit.rb
@@ -903,6 +903,7 @@ def audit_revision_and_version_scheme
       current_checksum = formula.stable.checksum
       current_version_scheme = formula.version_scheme
       current_revision = formula.revision
+      current_url = formula.stable.url
 
       previous_version = nil
       previous_version_scheme = nil
@@ -911,6 +912,7 @@ def audit_revision_and_version_scheme
       newest_committed_version = nil
       newest_committed_checksum = nil
       newest_committed_revision = nil
+      newest_committed_url = nil
 
       fv.rev_list("origin/master") do |rev|
         fv.formula_at_revision(rev) do |f|
@@ -925,16 +927,18 @@ def audit_revision_and_version_scheme
           newest_committed_version ||= previous_version
           newest_committed_checksum ||= previous_checksum
           newest_committed_revision ||= previous_revision
+          newest_committed_url ||= stable.url
         end
 
         break if previous_version && current_version != previous_version
         break if previous_revision && current_revision != previous_revision
       end
 
       if current_version == newest_committed_version &&
+         current_url == newest_committed_url &&
          current_checksum != newest_committed_checksum
         problem(
-          "stable sha256 changed without the version also changing; " \
+          "stable sha256 changed without the url/version also changing; " \
           "please create an issue upstream to rule out malicious " \
           "circumstances and to find out why the file changed.",
         )

diff --git a/Library/Homebrew/test/dev-cmd/audit_spec.rb b/Library/Homebrew/test/dev-cmd/audit_spec.rb
@@ -682,7 +682,7 @@ def formula_gsub_origin_commit(before, after = "")
             )
           end
 
-          it { is_expected.to match("stable sha256 changed without the version also changing") }
+          it { is_expected.to match("stable sha256 changed without the url/version also changing") }
         end
 
         context "should not change with the same version when not the first commit" do
@@ -699,7 +699,7 @@ def formula_gsub_origin_commit(before, after = "")
             )
           end
 
-          it { is_expected.to match("stable sha256 changed without the version also changing") }
+          it { is_expected.to match("stable sha256 changed without the url/version also changing") }
         end
 
         context "can change with the different version" do