dev-cmd/audit: add audit for checksum #9471
Review period will end on 2020-12-09 at 22:53:17 UTC.
Review period ended.
Just a thought: do we want this to be enabled only for homebrew/core or for third-party taps as well? I ask only because there have been a few instances in the past where audit/style changes have broken third-party taps in a way that isn't necessary.
Pros of restricting to homebrew/core:
Cons:
I'm leaning toward not-restricting. I think this is such a fundamental part of the formula that it totally makes sense to require it for everyone (and those that don't want it for their taps can choose to ignore the audit). Just figured I'd raise the issue as we've (or, rather: I've) had a few issues with this in the past and I just want to make sure that we're being mindful of how our internal decisions can affect third-party taps.
Good point @Rylan12, my initial thoughts about it were that since it's an audit, it shouldn't break the main use case. Nevertheless, I can imagine some terribly insecure case when a third-party tap has
Agreed, it's also a security risk not having it there so I'd say having a
👍
Thanks @bayandin!
brew style with your changes locally?
brew tests with your changes locally?
brew man locally and committed any changes?

This PR makes checksum mandatory for all curl downloadable resources to prevent cases like Homebrew/homebrew-core#66471 (comment) / Homebrew/homebrew-core#66481