update audit error message for versioned formulae with head spec #7980
Conversation
There was a problem hiding this comment.
Looks good to me!
I do have a question about this audit (which is a little out of scope for this PR but the old one is closed so I think it makes sense to post it here):
@MikeMcQuaid said:
The only situation in which head makes sense in versioned formulae is if it points to a versioned e.g. release branch that will be used to make the next patch version in that release series. I'd agree that if we allow it a whitelist is the only sensible way.
According to the docs, however, for all versioned formulae:
Upstream should have a release branch for each formula version, and release security updates for each version when necessary.
Doesn't this mean that all versioned formulae, which must have release branched for each version, should be able to have a head block?
There's an allowlist anyway, so this probably doesn't matter much and I don't want to reopen a discussion if it's already been decided.
Technically: yes. I'm happy to see the documents updated accordingly. A previous maintainer had strong views on not having |
|
I don't have any strong opinions either, I was just curious. I see no reason to re-evaluate at this point. I think if someone wants it enough, they can bring it up and we can think about it again then. |
brew stylewith your changes locally?brew testswith your changes locally?Based on the existing code and the discussion at #5827, it appears the intention is to only disallow HEAD in versioned formulae, not all formulae. This PR updates the error message accordingly.