audit: require curl dependencies to have a working HTTP mirror#22898
Pull request overview
This PR strengthens brew audit for curl dependencies by adding an online check that verifies at least one http:// mirror actually serves the expected bytes (matching the formula’s checksum) over plain HTTP, preventing broken mirrors from silently passing audit.
Changes:
- Add `ResourceAuditor#audit_curl_dep_http_mirror` to verify an HTTP mirror is reachable and matches the expected checksum (stable specs only, online audit).
- Refactor curl-dependency detection into a shared `curl_dep?` helper.
- Add `formula_auditor_spec` coverage for working, unreachable, wrong-checksum, and HTTPS-redirecting HTTP mirrors.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| Library/Homebrew/resource_auditor.rb | Adds the new curl-dependency HTTP mirror audit and refactors curl-dependency detection. |
| Library/Homebrew/test/formula_auditor_spec.rb | Adds specs exercising the new audit behavior for curl dependencies. |
Signed-off-by: Patrick Linnane <patrick@linnane.io>
79c2002 to ae6d3e4
Bo98 left a comment
Probably worth doing a run of this locally on the curl dep tree if you haven't already
For OpenSSL, it seems like Fossies doesn't keep around old patch versions. They currently have one version for each LTS. HTTP should work again as we finished the version bump.
Yeah, I didn't realize we were in the middle of a version bump for OpenSSL. Looks good now.
`brew audit` already checks that `curl` dependencies list an HTTP mirror, since they can be fetched before `ca-certificates` is available and so need a source archive reachable over plain HTTP. It never checks that the mirror actually works, though, so a silently broken HTTP mirror still passes. Spotted by @cho-m after a recent `libpsl` update whose HTTP mirror (MacPorts) started 404ing while the audit stayed green.

This adds an online `ResourceAuditor#audit_curl_dep_http_mirror`, run only for stable specs of `curl` dependencies. It fetches each `http://` mirror with `--proto-redir =http` so that an HTTPS redirect fails rather than masking a non-functional plain-HTTP path, then confirms the bytes match the resource checksum, reporting a problem only when no HTTP mirror works. It generalises the manual checksum check the `xz` formula currently performs in its `test` block.

Drafted with Claude Code (Opus 4.8). I verified with `brew lgtm` and by confirming the new specs fail against the disabled check and pass with it.
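As an added illustration, not Homebrew's code and not part of this PR, the check described above reduced to a stand-alone Ruby sketch: try each `http://` mirror with curl, refuse redirects that leave plain HTTP via `--proto-redir =http`, compare the SHA-256 of what came back against the expected checksum, and report a problem only when no HTTP mirror works. The `--location` and `--max-time` flags, the `HttpMirrorCheck` module and its method names, and the fake fetcher with constructed bytes are assumptions of this example; the real audit is `ResourceAuditor#audit_curl_dep_http_mirror` in `resource_auditor.rb`.

```ruby
require "digest"
require "open3"
require "tempfile"

# Added, stand-alone sketch of the audit logic the PR describes. It is not
# Homebrew's ResourceAuditor code; names and curl flags here are assumptions.
module HttpMirrorCheck
  Result = Struct.new(:url, :status, keyword_init: true)

  # Download `url` with curl, following redirects only while they stay on plain
  # HTTP (--proto-redir =http), so a redirect to https:// makes curl fail
  # instead of masking a dead plain-HTTP path. Returns the body bytes, or nil
  # on any error (404, unsupported redirect protocol, timeout, ...).
  # --location and --max-time are assumptions of this sketch, not from the PR.
  def self.curl_http_only(url)
    Tempfile.create("mirror-check") do |tmp|
      _out, _err, status = Open3.capture3(
        "curl", "--silent", "--show-error", "--fail", "--location",
        "--proto-redir", "=http", "--max-time", "60",
        "--output", tmp.path, url
      )
      status.success? ? File.binread(tmp.path) : nil
    end
  end

  # Classify one mirror: :ok when the bytes match expected_sha256,
  # :unreachable when the fetch failed, :bad_checksum when it served
  # something else (a stale tarball, an HTML error page, ...).
  def self.check_mirror(url, expected_sha256, fetcher)
    body = fetcher.call(url)
    return :unreachable if body.nil?

    Digest::SHA256.hexdigest(body) == expected_sha256 ? :ok : :bad_checksum
  end

  # The PR's reporting rule: only http:// mirrors are tried, and a problem is
  # reported only when none of them works. Returns nil when some mirror is
  # fine, otherwise a message saying what went wrong with each one.
  # `fetcher` is injectable so the decision logic can be exercised offline.
  def self.audit(mirrors, expected_sha256, fetcher: method(:curl_http_only))
    http_mirrors = mirrors.select { |u| u.start_with?("http://") }
    return "no http:// mirror listed" if http_mirrors.empty?

    results = http_mirrors.map do |u|
      Result.new(url: u, status: check_mirror(u, expected_sha256, fetcher))
    end
    return nil if results.any? { |r| r.status == :ok }

    details = results.map { |r| "#{r.url} (#{r.status})" }.join(", ")
    "no working HTTP mirror: #{details}"
  end
end

# Offline demonstration: constructed archive bytes and a fake fetcher that
# stands in for curl, covering a dead mirror, a stale one and a good one.
FAKE_TARBALL = "constructed bytes standing in for a source archive\n".b
FAKE_SHA256  = Digest::SHA256.hexdigest(FAKE_TARBALL)

FAKE_FETCHER = lambda do |url|
  case url
  when "http://dead.example/libpsl.tar.gz"  then nil          # 404 or HTTPS redirect
  when "http://stale.example/libpsl.tar.gz" then "old".b      # wrong bytes
  when "http://good.example/libpsl.tar.gz"  then FAKE_TARBALL # matches checksum
  end
end

if $PROGRAM_NAME == __FILE__
  mirrors = %w[https://primary.example/libpsl.tar.gz
               http://dead.example/libpsl.tar.gz
               http://good.example/libpsl.tar.gz]
  p HttpMirrorCheck.audit(mirrors, FAKE_SHA256, fetcher: FAKE_FETCHER)
end
```

A redirect to `https://` makes curl exit non-zero under `--proto-redir =http`, so the sketch classifies it as unreachable rather than letting a working HTTPS path hide a dead HTTP one, which is the failure mode the PR is guarding against. Replacing `fetcher:` with the real `curl_http_only` turns the offline run into the online check; keeping the decision logic separate from the fetch is what lets the unreachable, wrong-checksum and redirect cases be tested without a network, as the new specs in the PR do.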