Scalability of audit_exceptions/mismatched_binary_allowlist.json esp. for non-core

[kevemueller]

Output of brew config

HOMEBREW_VERSION: 4.4.14-10-geac5720
ORIGIN: https://github.com/Homebrew/brew
HEAD: eac5720d44457fcfcb24b325bde3a70fce41ac15
Last commit: 11 hours ago
Branch: master
Core tap JSON: 31 Dec 12:01 UTC
HOMEBREW_PREFIX: /home/linuxbrew/.linuxbrew
HOMEBREW_BOOTSNAP: set
HOMEBREW_CACHE: /home/runner/.cache/Homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_CLEANUP_PERIODIC_FULL_DAYS: 3650
HOMEBREW_COLOR: set
HOMEBREW_CURL_PATH: /usr/bin/curl
HOMEBREW_DEVELOPER: set
HOMEBREW_FAIL_LOG_LINES: 150
HOMEBREW_GITHUB_API_TOKEN: set
HOMEBREW_GIT_EMAIL: [email protected]
HOMEBREW_GIT_NAME: BrewTestBot
HOMEBREW_GIT_PATH: /usr/bin/git
HOMEBREW_LOGS: /home/runner/work/homebrew-ksysroot/homebrew-ksysroot/logs
HOMEBREW_MAKE_JOBS: 4
HOMEBREW_NO_AUTO_UPDATE: set
HOMEBREW_NO_EMOJI: set
HOMEBREW_NO_ENV_HINTS: set
HOMEBREW_NO_INSTALLED_DEPENDENTS_CHECK: set
HOMEBREW_SORBET_RUNTIME: set
Homebrew Ruby: 3.3.6 => /home/linuxbrew/.linuxbrew/Homebrew/Library/Homebrew/vendor/portable-ruby/3.3.6/bin/ruby
CPU: quad-core 64-bit zen3
Clang: 14.0.0
Git: 2.47.1 => /usr/bin/git
Curl: 7.81.0 => /usr/bin/curl
Kernel: Linux 6.5.0-1025-azure x86_64 GNU/Linux
OS: Ubuntu 22.04.5 LTS (jammy)
Host glibc: 2.35
/usr/bin/gcc: 11.4.0
/usr/bin/ruby: 3.0.2
glibc: N/A
gcc@11: N/A
gcc: N/A
xorg: N/A

Output of brew doctor

All steps passed!

Description of issue

I have a personal tap using the brew provided github actions. Great service of you to provide them, highly appreciated!

The tap has formulae for sysroots that are used for cross-builds.
I cannot use the brew testbot action, as it triggers Binaries built for a non-native architecture were installed when I have a cross environment under Linux targeting another Linux architecture. The files flagged with this error are the shared libraries under the sysroots/usr/lib.
None of these files are brew link-ed, so they should be considered by brew as just "data".

The test is somewhat inconsistent, it allows e.g. the said Linux binaries to be installed on a MacOS system. They are clearly non-native to MacOS.

The answer provided in #2005 is to add the formula to audit_exceptions/mismatched_binary_allowlist.json. It is unclear to me how I would do that for my personal tap.
As many formulas are affected it is unclear how I could automate any such change.

I understand the motivation of this check, but would appreciate a more scalable approach, e.g.

• disabling it for personal taps.
• creating a dedicated subfolder name that allows foreign binaries and is excempted from the test above. Would libexec work? It is declared "private" in the cookbook.
• allowing formulae to mark themselves as containing foreign/non-native arch binaries.

The only workaround right now for me is to use on_linux / disable! in the formula to trick the bot. But this is not a satisfactory long-term solution.

I appreciate any feedback and way forward on this.

[kevemueller]

By looking deeply at the brew sources I found out that audit_exceptions is a special folder in the tap, i.e. I can create it in my tap and add there mismatched_binary_allowlist.json.
The dictionary is keyed by the formula's filename, without the .rb extension and the value is a filesystem glob relative to the formula's prefix.
All files installed under the prefix are listed, and any matching the glob are excempted from the audit.
I.e. to match all files under a subdirectory called "cross" installed at prefix/cross the glob is cross/**/*, it is not enough to just excempt cross.

I also found out that any file with an architecture that is not recognized is also treated a not-native.