formula_audit: fix tag ref for pypi source #17078
Signed-off-by: Rui Chen <rui@chenrui.dev>
3d9c2fa to 7c57865
Signed-off-by: Rui Chen <rui@chenrui.dev>
Co-authored-by: Dustin Rodrigues <dust.rod@gmail.com>
@@ -243,8 +243,13 @@ def audit_license | |||
user, repo = get_repo_data(%r{https?://github\.com/([^/]+)/([^/]+)/?.*}) | |||
return if user.blank? | |||
|
|||
tag = SharedAudits.github_tag_from_url(formula.stable.url) | |||
tag = if formula.stable.url.start_with?("https://files.pythonhosted.org/") | |||
formula.stable.url.match(%r{/([^/]*)\.tar\.gz$})[1] |
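Review bot: the new branch `formula.stable.url.match(%r{/([^/]*)\.tar\.gz$})[1]` indexes the `MatchData` with no nil check, so a `files.pythonhosted.org` URL that does not end in `.tar.gz` (a `.zip` sdist, for instance) raises `NoMethodError` on `nil[1]` instead of falling through to a `nil` tag; guard with `&.[](1)` or test `match?` first. Separately, what the capture group returns is the sdist basename in `name-version` form, not a git ref, so the value handed on as `tag` will generally not resolve in the repository; when the license lookup with that ref returns nothing, the code should fall back to `tag = nil` explicitly rather than letting the audit pass on a missed lookup.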
This won't work for linked PR (codelimit) as it will result in tag = "codelimit-0.8.1" and just skip the check, which probably isn't what we want as default behavior.
❯ brew ruby -e 'require "formula"; p Formula["codelimit"].stable.url.match(%r{/([^/]*)\.tar\.gz$})[1]'
"codelimit-0.8.1"
If we are skipping the license check, it should be explicit (i.e. audit exception) in order for maintainers to manually confirm.
codelimit would need to be run on tag = "v0.8.1", which isn't easy to get from the PyPI tarball (i.e. would need to try multiple attempts perhaps based on "common" formats of version).
❯ brew ruby -e '["codelimit-0.8.1", "0.8.1", "v0.8.1", nil].each { |tag| p GitHub.get_repo_license("getcodelimit", "codelimit", ref: tag) }'
nil
nil
"ISC"
"GPL-3.0"
Anyway, when we are guessing tag from a non-GitHub URL, we should always fall back on tag = nil if GitHub.get_repo_license returns nil to avoid an unwanted bypass.
On a side note, if upstream was willing to upload the license to PyPI, we could consider adding a check there and prioritize it over GitHub, but we may need to transform the info to match our expected SPDX format and it would require sufficiently standardized output.
❯ curl -sL "https://pypi.org/pypi/codelimit/0.8.1/json" | jq '.info.license'
""
❯ curl -sL "https://pypi.org/pypi/awscli/json" | jq '.info.license'
"Apache License 2.0"
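The fallback the review above asks for, written out as an added example (not Homebrew's code): parse name and version out of a PyPI sdist URL, try the common tag conventions in order, and return an explicit `tag = nil` when none of them resolves to a license. `resolve_license` takes a plain hash in place of `GitHub.get_repo_license`; the sample hash is constructed here and mirrors the result shown above (ISC at `v0.8.1`, GPL-3.0 on the default branch, nothing at `codelimit-0.8.1`).

```ruby
# Added example; not part of Homebrew/brew. Demonstrates deriving candidate
# tags from a PyPI sdist URL with an explicit nil fallback.

# Matches https://files.pythonhosted.org/.../<name>-<version>.tar.gz
# The greedy first group keeps hyphenated project names intact because the
# version itself may not contain a hyphen here.
PYPI_SDIST_RE = %r{\Ahttps://files\.pythonhosted\.org/.*/([^/]+)-([^/-]+)\.tar\.gz\z}

# Returns [name, version], or nil when the URL is not a PyPI .tar.gz sdist.
def parse_pypi_sdist(url)
  m = PYPI_SDIST_RE.match(url)
  return nil unless m

  [m[1], m[2]]
end

# Tag spellings to try, most common convention first. The name-version form
# is what the raw capture on the PR would have produced on its own.
def candidate_tags(name, version)
  ["v#{version}", version, "#{name}-#{version}"]
end

# `licenses` stands in for GitHub.get_repo_license (hypothetical stub):
# a hash of ref => SPDX id, with the nil key meaning the default branch.
# Returns [tag, license]; tag is nil when no candidate resolved, so the
# caller can see the guess failed instead of silently skipping the check.
def resolve_license(licenses, name, version)
  candidate_tags(name, version).each do |tag|
    license = licenses[tag]
    return [tag, license] if license
  end

  [nil, licenses[nil]]
end

# Convenience wrapper: URL in, [tag, license] out (nil for non-PyPI URLs).
def license_for_pypi_url(licenses, url)
  parsed = parse_pypi_sdist(url)
  return nil unless parsed

  resolve_license(licenses, *parsed)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data modelled on the codelimit output in the review.
  sample = { "v0.8.1" => "ISC", nil => "GPL-3.0" }
  url = "https://files.pythonhosted.org/packages/source/c/codelimit/codelimit-0.8.1.tar.gz"
  p license_for_pypi_url(sample, url)
end
```

The important property is that an unresolved guess surfaces as `[nil, <default-branch license>]` rather than as a bare `nil` that reads like "nothing to audit"; an audit can then decide whether the default branch is acceptable or whether an explicit exception is required.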
Close in favor of Homebrew/homebrew-core#169470 (so far this only happens for codelimit).