Security enhancements to API #14733
Review period will end on 2023-02-21 at 18:50:49 UTC.
Great work here so far @Bo98, really pleased to see this coming along!
Great work again @Bo98.
I'm fine for this to be merged first and cask/formula unification to come after if you can apply the TODO. Everything else can be non-blocking and addressed later.
I agree that the resource method feels a bit weird, here, but think it's worth moving forward with a TODO comment for now
Review period ended.
Library/Homebrew/cask/cask.rb
Outdated
def ruby_source_checksum | ||
return JSON.parse(@source)["ruby_source_checksum"] if loaded_from_api | ||
|
||
{ | ||
"sha256" => Digest::SHA256.file(sourcefile_path).hexdigest, | ||
} | ||
end |
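Review bot: in the `loaded_from_api` branch, `JSON.parse(@source)["ruby_source_checksum"]` returns nil when the key is missing from the API JSON, so a caller gets no checksum and no error, and cannot tell "absent" from "mismatch". Consider raising (or at least checking that the value is a hash with a "sha256" string) before returning it. Separately, both branches redo their work on every call: the API branch re-parses @source and the file branch rehashes sourcefile_path, so memoizing the result would avoid that.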
I'd rather not have to parse the source twice here.
def ruby_source_checksum | |
return JSON.parse(@source)["ruby_source_checksum"] if loaded_from_api | |
{ | |
"sha256" => Digest::SHA256.file(sourcefile_path).hexdigest, | |
} | |
end | |
def ruby_source_checksum | |
@ruby_source_checksum ||= { | |
"sha256" => Digest::SHA256.file(sourcefile_path).hexdigest, | |
} | |
end |
You could do this instead and just pass it as another parameter to the constructor when it's loaded from the API, though the list of values being passed to the constructor just keeps growing.
The amount of parameters we pass to the constructor is a mess but it probably is the better option for now.
Looks good to me. If you apply the few suggestions here as-is I reckon just ship it.
👍🏻 🚢
Thanks again for this!
Great work here, thanks again @Bo98!
formulae.brew.sh/api/cask-source where it can technically be updated after the JSON was last read/cached. This problem does not exist for endpoints with the git head in their URL (i.e. raw GitHub). Given formulae.brew.sh is a "last resort", this is not too big of an issue.
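
The staleness case described above, as an added example (not Homebrew's code): a client checks the fetched source against the `ruby_source_checksum` `sha256` from the JSON, re-reads the JSON once on mismatch in case its cached copy was older than the source endpoint, and refuses the source if the two still disagree. The names `load_verified_source`, `fetch_json`, `fetch_source` and `SourceChecksumMismatch` are assumptions for illustration, and the sample data is constructed.

```ruby
require "digest"
require "json"

# Hypothetical error type for this example.
class SourceChecksumMismatch < StandardError; end

# Returns the source text only if its SHA-256 matches the digest recorded in
# the cask JSON. fetch_json and fetch_source are caller-supplied lambdas
# (assumed names) that return the raw response bodies.
def load_verified_source(fetch_json:, fetch_source:, max_attempts: 2)
  max_attempts.times do
    # Re-read the JSON on every attempt: a mismatch may only mean the cached
    # JSON is older than the source endpoint, not that the source is bad.
    expected = JSON.parse(fetch_json.call).dig("ruby_source_checksum", "sha256")
    raise SourceChecksumMismatch, "JSON carries no sha256" unless expected.is_a?(String)

    source = fetch_source.call
    return source if Digest::SHA256.hexdigest(source) == expected.downcase
  end
  # Still inconsistent after refreshing: refuse rather than evaluate the source.
  raise SourceChecksumMismatch, "source does not match JSON checksum"
end

# Constructed sample data: two revisions of a cask source file.
OLD_SOURCE = %(cask "example" do\n  version "1.0"\nend\n)
NEW_SOURCE = %(cask "example" do\n  version "1.1"\nend\n)

def json_for(source)
  JSON.generate("token" => "example",
                "ruby_source_checksum" => { "sha256" => Digest::SHA256.hexdigest(source) })
end

# Simulates the race: the first JSON read is a stale cached copy, the source
# endpoint already serves the new revision, and a refresh returns matching JSON.
def demo_stale_cache
  json_responses = [json_for(OLD_SOURCE), json_for(NEW_SOURCE)]
  load_verified_source(fetch_json:   -> { json_responses.shift },
                       fetch_source: -> { NEW_SOURCE })
end

# Simulates a source that never matches any JSON the client can obtain.
def demo_persistent_mismatch
  load_verified_source(fetch_json:   -> { json_for(OLD_SOURCE) },
                       fetch_source: -> { NEW_SOURCE })
  :accepted
rescue SourceChecksumMismatch
  :rejected
end
```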