
formula_audit: fix tag ref for pypi source #17078

Conversation

chenrui333
Member

@chenrui333 chenrui333 commented Apr 12, 2024

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

@chenrui333 chenrui333 force-pushed the fix-license-audit-failure-for-pypi-source branch from 3d9c2fa to 7c57865 Compare April 12, 2024 14:06
@@ -243,8 +243,13 @@ def audit_license
user, repo = get_repo_data(%r{https?://github\.com/([^/]+)/([^/]+)/?.*})
return if user.blank?

tag = SharedAudits.github_tag_from_url(formula.stable.url)
tag = if formula.stable.url.start_with?("https://files.pythonhosted.org/")
formula.stable.url.match(%r{/([^/]*)\.tar\.gz$})[1]
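Review bot: the new `tag = if formula.stable.url.start_with?("https://files.pythonhosted.org/")` branch assigns `formula.stable.url.match(%r{/([^/]*)\.tar\.gz$})[1]`, which is the whole sdist filename stem (for codelimit that is `codelimit-0.8.1`), not a git tag; since a ref that does not exist makes the GitHub license lookup return nil, the audit then skips the license comparison silently instead of failing. The indexing is also unguarded: for a pythonhosted URL that is not a `.tar.gz` (a `.zip` sdist) `match` returns nil and `[1]` raises NoMethodError. Suggest deriving the version from the stem, trying it with and without a `v` prefix, and explicitly falling back to `tag = nil` (default branch) when no candidate resolves, or, where the check really should be skipped, requiring an audit exception so a maintainer confirms the license by hand.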
Member

This won't work for the linked PR (codelimit) as it will result in tag = "codelimit-0.8.1" and just skip the check, which probably isn't what we want as default behavior.

brew ruby -e 'require "formula"; p Formula["codelimit"].stable.url.match(%r{/([^/]*)\.tar\.gz$})[1]'
"codelimit-0.8.1"

If we are skipping license check, it should be explicit (i.e. audit exception) in order for maintainers to manually confirm.

codelimit would need to be run on tag = "v0.8.1", which isn't easy to get from the PyPI tarball (i.e. would need to try multiple attempts perhaps based on "common" formats of version).

brew ruby -e '["codelimit-0.8.1", "0.8.1", "v0.8.1", nil].each { |tag| p GitHub.get_repo_license("getcodelimit", "codelimit", ref: tag) }'
nil
nil
"ISC"
"GPL-3.0"

Anyway, when we are guessing the tag from a non-GitHub URL, we should always fall back on tag = nil if GitHub.get_repo_license returns nil to avoid an unwanted bypass.


On a side note, if upstream was willing to upload the license to PyPI, we could consider adding a check there and prioritize it over GitHub, but we may need to transform the info to match our expected SPDX format, and it would require sufficiently standardized output.

curl -sL "https://pypi.org/pypi/codelimit/0.8.1/json" | jq '.info.license'
""
curl -sL "https://pypi.org/pypi/awscli/json" | jq '.info.license'
"Apache License 2.0"
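The behaviour the review comment asks for, written out as an added example (this is not Homebrew's code and not part of the PR): candidate refs are guessed from the PyPI sdist URL, a PyPI license field is consulted first when available, the guessed refs are tried on GitHub, and the lookup falls back to ref nil (the default branch) rather than passing the audit silently when a guessed tag does not exist. `FAKE_GITHUB`, the two JSON bodies, the version heuristic and the `PYPI_TO_SPDX` table are constructed stand-ins for the values quoted above, not real API calls or a real mapping.

```ruby
require "json"

# Added example, not Homebrew's own code. Models the review comment's ask:
# guess git refs from a PyPI sdist URL, prefer PyPI metadata when it is usable,
# then try GitHub, and fall back to ref nil (default branch) instead of
# silently skipping the license check when a guessed tag does not exist.

PYPI_HOST = "https://files.pythonhosted.org/"

# "name-version" stem of a PyPI sdist URL, or nil when the URL is not a
# pythonhosted .tar.gz. An unguarded match(...)[1] would raise NoMethodError
# on such URLs; returning nil keeps the caller on its explicit fallback path.
def pypi_sdist_stem(url)
  return nil unless url.start_with?(PYPI_HOST)

  m = url.match(%r{/([^/]+)\.tar\.gz\z})
  m && m[1]
end

# Candidate refs to try on GitHub, most specific first, always ending with nil.
# The version heuristic (everything after the last "-") is an assumption.
def candidate_refs(url)
  stem = pypi_sdist_stem(url)
  return [nil] if stem.nil?

  version = stem.split("-").last
  ["v#{version}", version, nil]
end

# Hypothetical mapping from free-text PyPI "license" strings to SPDX ids.
# Blank or unmapped values yield nil so the caller falls through to GitHub.
PYPI_TO_SPDX = { "Apache License 2.0" => "Apache-2.0", "ISC License" => "ISC" }.freeze

def license_from_pypi_json(body)
  info = JSON.parse(body).fetch("info", {})
  PYPI_TO_SPDX[info["license"].to_s.strip]
end

# lookup: callable (owner, repo, ref) -> SPDX string or nil, e.g. a wrapper
# around GitHub.get_repo_license. Returns [license, source] where source is
# :pypi, the ref string that matched, or nil (default branch). A nil license
# means even the default branch had nothing, which the audit should report.
def resolve_license(url, owner, repo, lookup, pypi_json: nil)
  if pypi_json && (spdx = license_from_pypi_json(pypi_json))
    return [spdx, :pypi]
  end

  candidate_refs(url).each do |ref|
    spdx = lookup.call(owner, repo, ref)
    return [spdx, ref] if spdx
  end
  [nil, nil]
end

# Constructed stand-in for GitHub.get_repo_license, returning the values the
# review comment shows for getcodelimit/codelimit (no network access).
FAKE_GITHUB = lambda do |owner, repo, ref|
  {
    ["getcodelimit", "codelimit", "v0.8.1"] => "ISC",
    ["getcodelimit", "codelimit", nil] => "GPL-3.0",
  }[[owner, repo, ref]]
end

# Constructed PyPI JSON bodies matching the curl output quoted above.
CODELIMIT_JSON = '{"info": {"license": ""}}'
AWSCLI_JSON = '{"info": {"license": "Apache License 2.0"}}'

if __FILE__ == $PROGRAM_NAME
  url = "https://files.pythonhosted.org/packages/source/c/codelimit/codelimit-0.8.1.tar.gz"
  # codelimit's PyPI license field is blank, so the answer comes from the v0.8.1 tag.
  p resolve_license(url, "getcodelimit", "codelimit", FAKE_GITHUB, pypi_json: CODELIMIT_JSON)
end
```

The distinction worth keeping is between "lookup returned nil for a guessed ref" (try the next candidate) and "lookup returned nil for the default branch" (surface it): only the second should ever lead to a skipped check, and then through an explicit exception rather than by accident.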

@chenrui333
Member Author

close in favor of Homebrew/homebrew-core#169470 (so far this only happens for codelimit)

@chenrui333 chenrui333 closed this Apr 27, 2024
@chenrui333 chenrui333 deleted the fix-license-audit-failure-for-pypi-source branch April 27, 2024 16:09
3 participants