How to deal with formulae/casks that have abandoned/hijacked homepage URLs?

[AlternateRT]

Output of brew config

N/A

Output of brew doctor

N/A

Description of issue

While looking through some casks, I noticed that the homepage URL for the freesmug-chromium cask appears to have been abandoned and taken over by scammers; it now seems to lead to some sort of online casino scam. This made me wonder how one should go about dealing with the homepage URLs of unmaintained/discontinued formulae/casks; as far as I could tell, there doesn't seem to be anything in the docs on how this specific type of situation should be dealt with.

In this particular case, the freesmug-chromium has already been disabled, so no one will be able to install it anyways. However, despite this, it is still very much possible to run:

brew home freesmug-chromium

or click the link as seen at the corresponding page in formulae.brew.sh and be unwittingly sent to the hijacked URL.

---

First things first, I hope we can all agree that this cask should now be removed immediately (Homebrew/homebrew-cask#217057). All formulae/casks are required to have a homepage stanza, so I see little reason to keep around one if said homepage was abandoned by the upstream developers.

Secondly, I think that the Deprecating Disabling and Removing Formulae docs should be updated to state that any formula/cask found to have an abandoned homepage URL should qualify for immediate removal.

And finally, perhaps some guardrails should be added to prevent phishing/scam attacks caused by abandoned/hijacked homepages that could potentially go unnoticed. What I propose is the following:

1. If a formula/cask is deprecated with :unmaintained or :discontinued as the reason, then treat the homepage URL as potentially dangerous. This means showing a warning message when you attempt to run brew home ..., or at the corresponding page in formulae.brew.sh. Otherwise treat the deprecated formula/cask like you already would.
2. Once a formula/cask that was deprecated with either of those reasons is disabled, completely hide the homepage URL at the corresponding page in formulae.brew.sh, and if someone attempts to run brew home ..., refuse to open the URL and show an error message.

[Bo98]

For formulae at least (but the same can/should apply to casks), we usually find an alternative homepage. This can often just be a GitHub page or similar or in rarer cases, we sometimes link to web.archive.org. In FreeSMUG's case, the website was hosted on wikidot so you can find the alternative homepage at: http://freesmug.wikidot.com/chromium.

In the end, 0.01% of users use brew home so if more needs to be done here I'd probably lean on doing things like preventing brew home from working on disabled packages rather than revamping processes because of that one command. brew install refuses to download the source URL on disabled packages so a change to make brew home refuse to open the homepage on disabled packages would make sense.

[AlternateRT]

For formulae at least (but the same can/should apply to casks), we usually find an alternative homepage. This can often just be a GitHub page or similar or in rarer cases, we sometimes link to web.archive.org.

If a GitHub page is available, and a package is only deprecated, I think that would make sense. I'm not so sure about using a link to web.archive.org though. Maybe it makes sense for formulae, since Homebrew can still offer bottles that can be installed even when the formula has been disabled. For casks on the other hand, that seems like a bad idea to me; the docs for Acceptable Casks in particular says that a cask can be rejected if it has no public presence; I don't think a web.archive.org link should be considered as though a package still has a public presence (but that's just my personal opinion).

But is it really worth it to keep updating a package if the homepage was abandoned? My thinking was that if a software has been so neglected that even its homepage was abandoned and no one noticed earlier, then that means the package should have actually been deprecated/disabled as :unmaintined/:discontinued a long time ago, and because this was not caught, it's best to simply remove the entire package to prevent bad actors from benefiting from the exposure Homebrew gives to the hijacked URL.

In the end, 0.01% of users use brew home ...

My biggest concern is linking to the hijacked site from formulae.brew.sh. Do you have statistics of how many people click a formula's/cask's homepage URL from here? Nevertheless, this "legitimises" the hijacked site, which is why I think it should be hidden from disabled packages, and shown with a warning for deprecated ones if their deprecation/disabling reason is that it was abandoned/discontinued.

---

To circle back to FreeSMUG's case, I wasn't aware there was an alternative link, but don't think it would have been a good idea to use it. For starters, it doesn't have SSL/TLS security like the original link did - I know links without it are technically allowed, but it seems ill-advised to go from a more secure homepage to a lesser one.

My second concern with the alternative homepage is that it seems to be abandoned as well, so who's to say that this page would not meet the same fate and be hijacked by a bad actor - if the alternative were not abandoned too, then perhaps it would be fine.

And my final concern is that the warning in the front page appears to have an absolute link to the old, hijacked URL too, so the benefits are at most very minimal.