From ade62aa1b1c3c2eb68dc6f065687fe38a8846ab0 Mon Sep 17 00:00:00 2001
From: Markus Reiter
Date: Mon, 8 May 2017 17:45:00 +0200
Subject: Add the same check for Formulae.

---
 Library/Homebrew/dev-cmd/audit.rb | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'Library/Homebrew/dev-cmd')

diff --git a/Library/Homebrew/dev-cmd/audit.rb b/Library/Homebrew/dev-cmd/audit.rb
index 3c42b45a1..c11c503e3 100644
--- a/Library/Homebrew/dev-cmd/audit.rb
+++ b/Library/Homebrew/dev-cmd/audit.rb
@@ -31,6 +31,9 @@
 #:
 #: If `--except-cops` is passed, the given Rubocop cop(s)' checks would be skipped.
 #:
+#: If `--commit-range` is is passed, the audited Formula will be compared to the
+#: last revision before the ``.
+#:
 #: `audit` exits with a non-zero status if any errors are found. This is useful,
 #: for instance, for implementing pre-commit hooks.
@@ -648,9 +651,25 @@ class FormulaAuditor
       problem "Devel-only (no stable download)"
     end
 
+    previous_formula_contents = unless formula.tap.nil?
+      commit_range = ARGV.value("commit-range")
+      Git.last_revision_of_file(formula.tap.path, formula.path, before_commit: commit_range)
+    end
+    previous_formula = unless (previous_formula_contents || "").empty?
+      Formulary.from_contents(formula.name, formula.path, previous_formula_contents)
+    end
+
     %w[Stable Devel HEAD].each do |name|
       next unless spec = formula.send(name.downcase)
 
+      unless previous_formula.nil?
+        previous_spec = previous_formula.send(name.downcase)
+
+        if previous_spec.version == spec.version && previous_spec.checksum != spec.checksum
+          problem "#{name}: only sha256 changed; needs to be confirmed by the developer"
+        end
+      end
+
       ra = ResourceAuditor.new(spec, online: @online, strict: @strict).audit
       problems.concat ra.problems.map { |problem| "#{name}: #{problem}" }
-- cgit v1.2.3
From 330307b01a37ea514ec747ebab7a99dd47b79e7c Mon Sep 17 00:00:00 2001
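Review bot: The added help text in the first hunk has an empty placeholder, `last revision before the ``.`, so the option's argument is never named, and `is is passed` doubles the verb; these `#:` lines are what `brew audit` prints as usage, so users see a broken sentence. Going by the `before_commit: commit_range` call in the second hunk, a line such as `#: If --commit-range is passed, the audited formula is compared to its last revision before the given commit range.` would describe the behaviour, though I cannot see `Git.last_revision_of_file` to confirm the exact semantics.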
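Review bot: `previous_spec.version` in the second hunk is evaluated without a nil check, so a spec present in the current formula but absent from the previous revision (a newly added `devel` or `head` block, for instance) makes `previous_formula.send(name.downcase)` return nil and the audit aborts with a NoMethodError instead of reporting anything. Since the ResourceAuditor below still has to run, a `next` is the wrong guard; fold the check into the condition instead: `if previous_spec && previous_spec.version == spec.version && previous_spec.checksum != spec.checksum`. Note also that the baseline comes from whatever `--commit-range` resolves to in the local tap clone, so a match or mismatch here only says something about local history, not about what upstream published. The enclosing method starts and ends outside this hunk.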
From: Markus Reiter
Date: Wed, 10 May 2017 20:45:34 +0200
Subject: Use `FormulaVersions` for checksum check.

---
 Library/Homebrew/dev-cmd/audit.rb | 28 +++++++++------------------
 1 file changed, 9 insertions(+), 19 deletions(-)

(limited to 'Library/Homebrew/dev-cmd')

diff --git a/Library/Homebrew/dev-cmd/audit.rb b/Library/Homebrew/dev-cmd/audit.rb
index c11c503e3..4f71189c9 100644
--- a/Library/Homebrew/dev-cmd/audit.rb
+++ b/Library/Homebrew/dev-cmd/audit.rb
@@ -31,9 +31,6 @@
 #:
 #: If `--except-cops` is passed, the given Rubocop cop(s)' checks would be skipped.
 #:
-#: If `--commit-range` is is passed, the audited Formula will be compared to the
-#: last revision before the ``.
-#:
 #: `audit` exits with a non-zero status if any errors are found. This is useful,
 #: for instance, for implementing pre-commit hooks.
@@ -651,25 +648,9 @@ class FormulaAuditor
       problem "Devel-only (no stable download)"
     end
 
-    previous_formula_contents = unless formula.tap.nil?
-      commit_range = ARGV.value("commit-range")
-      Git.last_revision_of_file(formula.tap.path, formula.path, before_commit: commit_range)
-    end
-    previous_formula = unless (previous_formula_contents || "").empty?
-      Formulary.from_contents(formula.name, formula.path, previous_formula_contents)
-    end
-
     %w[Stable Devel HEAD].each do |name|
       next unless spec = formula.send(name.downcase)
 
-      unless previous_formula.nil?
-        previous_spec = previous_formula.send(name.downcase)
-
-        if previous_spec.version == spec.version && previous_spec.checksum != spec.checksum
-          problem "#{name}: only sha256 changed; needs to be confirmed by the developer"
-        end
-      end
-
       ra = ResourceAuditor.new(spec, online: @online, strict: @strict).audit
       problems.concat ra.problems.map { |problem| "#{name}: #{problem}" }
@@ -765,6 +746,15 @@ class FormulaAuditor
     return if @new_formula
 
     fv = FormulaVersions.new(formula)
+
+    previous_version_and_checksum = fv.previous_version_and_checksum("origin/master")
+    [:stable, :devel].each do |spec_sym|
+      next unless spec = formula.send(spec_sym)
+      next unless previous_version_and_checksum[spec_sym][:version] == spec.version
+      next if previous_version_and_checksum[spec_sym][:checksum] == spec.checksum
+      problem "#{spec_sym}: only sha256 changed; needs to be confirmed by the developer"
+    end
+
     attributes = [:revision, :version_scheme]
     attributes_map = fv.version_attributes_map(attributes, "origin/master")
-- cgit v1.2.3
From 473bdadbcd0f87fdeda98f73b25bb47a14221281 Mon Sep 17 00:00:00 2001
From: Markus Reiter
Date: Mon, 22 May 2017 02:04:02 +0200
Subject: Change error messages.

---
 Library/Homebrew/dev-cmd/audit.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'Library/Homebrew/dev-cmd')

diff --git a/Library/Homebrew/dev-cmd/audit.rb b/Library/Homebrew/dev-cmd/audit.rb
index 4f71189c9..516388c68 100644
--- a/Library/Homebrew/dev-cmd/audit.rb
+++ b/Library/Homebrew/dev-cmd/audit.rb
@@ -752,7 +752,7 @@ class FormulaAuditor
       next unless spec = formula.send(spec_sym)
       next unless previous_version_and_checksum[spec_sym][:version] == spec.version
       next if previous_version_and_checksum[spec_sym][:checksum] == spec.checksum
-      problem "#{spec_sym}: only sha256 changed; needs to be confirmed by the developer"
+      problem "#{spec_sym}: sha256 changed without the version also changing; please create an issue upstream to rule out malicious circumstances and to find out why the file changed."
     end
 
     attributes = [:revision, :version_scheme]
-- cgit v1.2.3
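Review bot: `previous_version_and_checksum[spec_sym][:version]` assumes the hash returned by `fv.previous_version_and_checksum("origin/master")` has an entry for both `:stable` and `:devel`; if it omits a spec that the previous revision did not define, `[:version]` is called on nil and the audit aborts with a NoMethodError rather than reporting a problem. A nil-tolerant lookup keeps the intent: `previous = previous_version_and_checksum[spec_sym]`, `next unless previous && previous[:version] == spec.version`, `next if previous[:checksum] == spec.checksum`. I cannot see `FormulaVersions` from here, so confirm its return shape; if both keys are always populated, a one-line comment above the loop saying so would spare the next reader the same question. Bear in mind the baseline is the local `origin/master` ref, so the check is only as trustworthy as the clone's remote configuration. The enclosing method starts and ends outside this hunk.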
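Review bot: The reworded `problem` message tells the reporter to investigate but omits the two digests being compared, which are exactly what a maintainer needs to check against the upstream tarball, and both are already in scope on the preceding lines. Include them and split the literal, e.g. `problem "#{spec_sym}: sha256 changed from #{previous_version_and_checksum[spec_sym][:checksum]} to #{spec.checksum} " \` followed by `"without the version also changing; please create an issue upstream to rule out malicious circumstances and to find out why the file changed."`; this assumes interpolating a checksum object prints its hex digest, which I cannot verify here. Splitting also keeps each line within whatever length limit this repository's RuboCop configuration enforces, which the single very long added line likely exceeds. The enclosing method starts and ends outside this hunk.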