
audit: require curl dependencies to have a working HTTP mirror#22898

Merged
p-linnane merged 1 commit into main from curl-dep-http-mirror-audit, Jul 1, 2026

Conversation

@p-linnane (Member)

brew audit already checks that curl dependencies list an HTTP mirror, since they can be fetched before ca-certificates is available and so need a source archive reachable over plain HTTP. It never checks that the mirror actually works, though, so a silently broken HTTP mirror still passes. Spotted by @cho-m after a recent libpsl update whose HTTP mirror (MacPorts) started 404ing while the audit stayed green.

This adds an online ResourceAuditor#audit_curl_dep_http_mirror, run only for stable specs of curl dependencies. It fetches each http:// mirror with --proto-redir =http so that an HTTPS redirect fails rather than masking a non-functional plain-HTTP path, then confirms the bytes match the resource checksum, reporting a problem only when no HTTP mirror works. It generalises the manual checksum check the xz formula currently performs in its test block.


  • Have you followed our Contributing guidelines?
  • Have you checked for other open Pull Requests for the same change?
  • Have you explained what your changes do? Performance claims (e.g. "this is faster") must include Hyperfine benchmarks.
  • Have you explained why you'd like these changes included, not just what they do?
  • For bug fixes, have you given step-by-step brew commands to reproduce the bug?
  • Have you written new tests (excluding integration tests)? Here's an example.
  • Have you successfully run brew lgtm (style, typechecking and tests) locally?

  • AI was used to generate or assist with generating this PR.

Drafted with Claude Code (Opus 4.8). I verified with brew lgtm and by confirming the new specs fail against the disabled check and pass with it.
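As an added illustration of the check the description outlines (not Homebrew's own ResourceAuditor code), the Ruby below fetches each http:// mirror with curl restricted to plain HTTP (the `--proto-redir =http` flag from the description plus `--proto =http`, `--fail` and `--location`, which are real curl options), compares the bytes against the resource's SHA-256, and reports a problem only when no HTTP mirror serves matching bytes. The method names, the injectable fetcher, the example.com-style mirror hosts and the fake responses are all assumptions constructed for an offline run; the sample archive is not a real tarball.

```ruby
require "digest"
require "open3"

# Fetch +url+ over plain HTTP only. "--proto =http" refuses anything but an
# http:// URL and "--proto-redir =http" makes curl fail on a redirect to HTTPS,
# so a mirror that only "works" by bouncing to TLS is reported as broken rather
# than masked. Returns the response body on success, nil on any failure
# (non-2xx status, refused redirect, timeout, network error).
def fetch_plain_http(url, timeout: 30)
  cmd = [
    "curl", "--silent", "--show-error", "--fail", "--location",
    "--proto", "=http",
    "--proto-redir", "=http",
    "--max-time", timeout.to_s,
    url,
  ]
  body, _err, status = Open3.capture3(*cmd, binmode: true)
  status.success? ? body : nil
end

# One verdict per http:// mirror: :ok, :unreachable or :checksum_mismatch.
MirrorVerdict = Struct.new(:url, :verdict)

# Audit the URLs of a resource that is a curl dependency. +fetcher+ defaults to
# the curl wrapper above and is injectable so the logic can be exercised offline.
# Returns a Hash with the per-mirror verdicts and a :problem string, which is nil
# when at least one plain-HTTP mirror serves bytes matching +expected_sha256+.
def audit_curl_dep_http_mirrors(mirrors, expected_sha256, fetcher: method(:fetch_plain_http))
  http_mirrors = mirrors.select { |u| u.start_with?("http://") }
  if http_mirrors.empty?
    return { problem: "curl dependency must have at least one http:// mirror", verdicts: [] }
  end

  verdicts = http_mirrors.map do |url|
    body = fetcher.call(url)
    verdict = if body.nil?
      :unreachable
    elsif Digest::SHA256.hexdigest(body) == expected_sha256
      :ok
    else
      :checksum_mismatch
    end
    MirrorVerdict.new(url, verdict)
  end

  problem = nil
  unless verdicts.any? { |v| v.verdict == :ok }
    detail = verdicts.map { |v| "#{v.url} (#{v.verdict.to_s.tr("_", " ")})" }.join(", ")
    problem = "no working http:// mirror for curl dependency: #{detail}"
  end
  { problem: problem, verdicts: verdicts }
end

# --- constructed sample data for an offline run (hypothetical formula) ---
SAMPLE_ARCHIVE = "constructed tarball bytes for foo-1.0".b.freeze
SAMPLE_SHA256 = Digest::SHA256.hexdigest(SAMPLE_ARCHIVE).freeze
SAMPLE_MIRRORS = [
  "https://primary.example/foo-1.0.tar.gz",   # https primary, never tried
  "http://mirror-a.example/foo-1.0.tar.gz",   # 404, or redirects to https
  "http://mirror-b.example/foo-1.0.tar.gz",   # serves a stale file
  "http://mirror-c.example/foo-1.0.tar.gz",   # serves the right bytes
].freeze

# Fake fetcher standing in for curl; nil models a failed fetch.
FAKE_RESPONSES = {
  "http://mirror-a.example/foo-1.0.tar.gz" => nil,
  "http://mirror-b.example/foo-1.0.tar.gz" => "stale bytes".b,
  "http://mirror-c.example/foo-1.0.tar.gz" => SAMPLE_ARCHIVE,
}.freeze
FAKE_FETCHER = ->(url) { FAKE_RESPONSES.fetch(url, nil) }

if $PROGRAM_NAME == __FILE__
  # First run: one good mirror exists, so no problem. Second run drops it.
  [SAMPLE_MIRRORS, SAMPLE_MIRRORS.first(3)].each do |mirrors|
    result = audit_curl_dep_http_mirrors(mirrors, SAMPLE_SHA256, fetcher: FAKE_FETCHER)
    result[:verdicts].each { |v| puts "#{v.verdict.to_s.ljust(17)} #{v.url}" }
    puts(result[:problem] || "ok: a working http:// mirror exists")
    puts
  end
end
```

Because the default fetcher refuses redirects to HTTPS, a mirror that 301s to TLS ends up as `:unreachable`, which is the behaviour the description wants: the audit is asking whether the plain-HTTP path works on its own, since that is the only path available before ca-certificates is installed.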


Copilot AI review requested due to automatic review settings June 27, 2026 23:33

Copilot AI (Contributor) left a comment

Pull request overview

This PR strengthens brew audit for curl dependencies by adding an online check that verifies at least one http:// mirror actually serves the expected bytes (matching the formula’s checksum) over plain HTTP, preventing broken mirrors from silently passing audit.

Changes:

  • Add ResourceAuditor#audit_curl_dep_http_mirror to verify an HTTP mirror is reachable and matches the expected checksum (stable specs only, online audit).
  • Refactor curl-dependency detection into a shared curl_dep? helper.
  • Add formula_auditor_spec coverage for working, unreachable, wrong-checksum, and HTTPS-redirecting HTTP mirrors.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Library/Homebrew/resource_auditor.rb: adds the new curl-dependency HTTP mirror audit and refactors curl-dependency detection.
Library/Homebrew/test/formula_auditor_spec.rb: adds specs exercising the new audit behavior for curl dependencies.


Signed-off-by: Patrick Linnane <patrick@linnane.io>
@p-linnane force-pushed the curl-dep-http-mirror-audit branch from 79c2002 to ae6d3e4, June 28, 2026 01:11

@Bo98 (Member) left a comment

Probably worth doing a run of this locally on the curl dep tree if you haven't already

@p-linnane (Member, Author)

openssl@3 and libssh2 are currently having mirror issues that I'm working on before merging this.

@cho-m (Member) commented Jun 30, 2026

openssl@3 and libssh2 are currently having mirror issues that I'm working on before merging this.

For OpenSSL, it seems like Fossies doesn't keep around old patch versions. They currently have one version for each LTS. HTTP should work again as we finished the version bump.

libssh2 does look like an actual broken HTTP mirror. It's the only formula where we use openpkg.org.

@p-linnane (Member, Author)

Yeah I didn't realize we were in the middle of a version bump for OpenSSL. Looks good now.

@cho-m (Member) commented Jul 1, 2026

The libssh2 mirror is available again, but we may still want to replace OpenPKG with a more reliable option, e.g. a Debian, FreeBSD or Linux From Scratch mirror.

@p-linnane added this pull request to the merge queue, Jul 1, 2026
Merged via the queue into main with commit 634c959, Jul 1, 2026
41 checks passed
@p-linnane deleted the curl-dep-http-mirror-audit branch, July 1, 2026 21:45

@MikeMcQuaid (Member) left a comment

Thanks!
