Allow hooks for submitting `brew fetch` to third-parties
Verification
- [X] This issue's title and/or description do not reference a single formula e.g. `brew install wget`. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.
Provide a detailed description of the proposed feature
Allow a user to opt in to hooks on `brew fetch` usage. Something like `HOMEBREW_FETCH_HOOKS=archive-org,virustotal`
What is the motivation for the feature?
Issues like https://github.com/Homebrew/homebrew-core/pull/162013 would benefit from access to the tarball from the last time the formula went through CI. That would make it much easier to see what changed and rule it problematic or not.
How will the feature be relevant to at least 90% of Homebrew users?
It would allow people to:
- extract the last working version of formula sources
- have brew submit casks to virustotal
- easily compare a changed checksum
What alternatives to the feature have been considered?
None
Issues like Homebrew/homebrew-core#162013 would benefit from access to the tarball from the last time the formula went through CI. That would make it much easier to see what changed and rule it problematic or not.
- extract the last working version of formula sources
I don't think we should be using archive.org to cache every tarball we put through CI just in case this occurs again. Whether or not they explicitly forbid it, it seems like a gross misuse of resources.
- have brew submit casks to virustotal
What would this solve? I've seen nothing but false positives from these tools' interactions with Homebrew over the years. It also does nothing to catch e.g. someone who pushes a (new) bitcoin miner or personal information uploader.
- easily compare a changed checksum
It seems we have this already with storing checksums in formulae?
To be clear: I think there may well be problems here worth addressing: I just don't think the proposed solutions are the right ones or that it's best to jump to a solution without a wider understanding of the problem.
Passing on this for now. Will still consider a PR but it seems that it's not widely demanded functionality.