New allow list: mismatched_binary_allowlist

[AkihiroSuda]

This is needed by Lima, which installs non-native binaries for supporting ARM-on-Intel / Intel-on-ARM emulation.

See Homebrew/homebrew-core#82723 (comment)

• Have you followed the guidelines in our Contributing document?
• Have you checked to ensure there aren't other open Pull Requests for the same change?
• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your changes? Here's an example.
• Have you successfully run brew style with your changes locally?
• Have you successfully run brew typecheck with your changes locally?
• Have you successfully run brew tests with your changes locally?

---

[carlocab]

Instead of creating another allowlist, why don't we just remove from the mismatches hash the keys whose prefixes match the share directory?

[AkihiroSuda]

@carlocab I'm not familiar with the code base, but the comment in the existing code says There is no binary_executable_or_library_files method for the generic OS, that's probably the reason

[carlocab]

I'm not sure I follow. The reason for what?

[AkihiroSuda]

The reason for "why don't we just remove from the mismatches hash the keys whose prefixes match the share directory".

[carlocab]

I... still don't follow.

There's no reason why my suggestion is technically infeasible. At least, if it were, it would certainly not be due to the generic OS. I'm pretty sure you can implement it with something like

diff --git a/Library/Homebrew/formula_cellar_checks.rb b/Library/Homebrew/formula_cellar_checks.rb
index 1ba4a41a7..03dfbc451 100644
--- a/Library/Homebrew/formula_cellar_checks.rb
+++ b/Library/Homebrew/formula_cellar_checks.rb
@@ -325,6 +325,7 @@ module FormulaCellarChecks
       farch = file.arch
       mismatches[file] = farch unless farch == Hardware::CPU.arch
     end
+    mismatches.reject! { |f| f.first.to_s.start_with? formula.share }
     return if mismatches.empty?
 
     compatible_universal_binaries, mismatches = mismatches.partition do |file, arch|

[AkihiroSuda]

@carlocab Updated to use your code.

I thought we may want to exclude more directories, but we can revisit them later.

[carlocab]

I did not test my suggestion, so please test it first with brew audit --strict to make sure it does what we expect it to.

[carlocab]

Let's also add a comment here that we ignore share because some formulae (e.g. lima) intentionally install non-native binaries into share.

That said, share is typically used for architecture-independent data so I'm now wondering if this is indeed the right approach here...

[AkihiroSuda]

Updated and tested on Ubuntu.

[MikeMcQuaid]

I'm fine with this but it seems a little weird to make a global exception based on a single formula. I'd probably favour and allowlist but don't feel strongly either way.

[carlocab]

Yes, in retrospect, an allowlist is better. Apologies for my going back and forth on this!

Let's try something like this instead:

diff --git a/Library/Homebrew/formula_cellar_checks.rb b/Library/Homebrew/formula_cellar_checks.rb
index 1ba4a41a7..721baa069 100644
--- a/Library/Homebrew/formula_cellar_checks.rb
+++ b/Library/Homebrew/formula_cellar_checks.rb
@@ -338,9 +338,12 @@ module FormulaCellarChecks
     end
     return if mismatches.empty? && universal_binaries_expected
 
+    mismatches_expected = formula.tap.blank? || tap_audit_exception(:mismatched_binary_allowlist, formula.name)
+    return if compatible_universal_binaries.empty? && mismatches_expected
+
     s = ""
 
-    if mismatches.present?
+    if mismatches.present? && !mismatches_expected
       s += <<~EOS
         Binaries built for a non-native architecture were installed into #{formula}'s prefix.
         The offending files are:

I think we want to be able to be a bit more selective about what we're allowing formulae to do, rather than just remove this audit entirely.

As before, please test this first, as I haven't tested this patch.

[AkihiroSuda]

Updated. Tested on Ubuntu 21.04.

[carlocab]

Thanks, @AkihiroSuda!