
disable: allow to disable due to checksum mismatch #12437

Merged (1 commit), Nov 16, 2021

Conversation

iMichka (Member) commented Nov 15, 2021

The rationale is that a checksum mismatch is a huge security issue.
This means that the current source file, but maybe the initial one,
might have been compromised.

In the case upstream does not respond quickly to clarify what happened,
or fails to respond, we can now rev-bump the formula, disable and unbottle it,
making sure we stop delivering the potentially malicious code.

Further improvements:

  • Add the URL of the project in the error message to redirect users to
    the closed pull request where we disabled this, to centralize the discussion
    and avoid the opening of multiple new issues

  • Add a warning on `brew update` that something is fishy upstream


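As an added illustration (not code from this PR or from Homebrew itself), the "rev-bump, disable and unbottle" flow the description sets out, modelled in plain Ruby: the served archive is checked against the sha256 pinned when the formula was first packaged, and on a mismatch a new formula state is produced with the revision bumped, the bottle dropped and a checksum-mismatch disable reason. The `FormulaState` fields, the reason wording and the sample archives are assumptions made for this example.

```ruby
require "digest"

# Minimal stand-in for the parts of a formula that matter here (assumed shape,
# not Homebrew's Formula class).
FormulaState = Struct.new(:name, :sha256, :revision, :bottle,
                          :disabled_reason, :disabled_on, keyword_init: true)

# Reason text shown to users; the wording is an assumption for this example.
DISABLE_REASONS = {
  checksum_mismatch: "was built from a source file whose checksum differs from " \
                     "the one originally recorded; the release may have been " \
                     "replaced upstream",
}.freeze

# Compare the archive upstream serves today with the hash pinned in the formula.
def checksum_matches?(formula, served_bytes)
  Digest::SHA256.hexdigest(served_bytes) == formula.sha256
end

# Apply the rev-bump / disable / unbottle procedure. Returns the unchanged
# formula when the archive still matches; otherwise a new state, leaving the
# original object untouched.
def quarantine_on_mismatch(formula, served_bytes, today:)
  return formula if checksum_matches?(formula, served_bytes)

  FormulaState.new(
    name:            formula.name,
    sha256:          formula.sha256,       # keep the originally pinned hash on record
    revision:        formula.revision + 1, # makes existing installs pick up the change
    bottle:          nil,                  # stop serving the bottle built from the old archive
    disabled_reason: :checksum_mismatch,
    disabled_on:     today,
  )
end

# Message a user would see when asking for a disabled formula.
def disable_message(formula)
  return nil unless formula.disabled_reason

  "#{formula.name} has been disabled since #{formula.disabled_on} because it " \
    "#{DISABLE_REASONS.fetch(formula.disabled_reason)}!"
end

# Constructed sample data: the archive as first packaged, and a later altered copy.
ORIGINAL_ARCHIVE = "example-1.2.0.tar.gz contents as first released\n".b
REPLACED_ARCHIVE = "example-1.2.0.tar.gz contents, silently re-released\n".b
EXAMPLE_FORMULA = FormulaState.new(
  name: "example", sha256: Digest::SHA256.hexdigest(ORIGINAL_ARCHIVE), revision: 0,
  bottle: "example-1.2.0.bottle.tar.gz", disabled_reason: nil, disabled_on: nil,
)
```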
BrewTestBot (Member) commented:

Review period will end on 2021-11-16 at 19:26:27 UTC.

@BrewTestBot BrewTestBot added waiting for feedback Merging is blocked until sufficient time has passed for review and removed waiting for feedback Merging is blocked until sufficient time has passed for review labels Nov 15, 2021
@MikeMcQuaid MikeMcQuaid added the critical Critical change which should be shipped as soon as possible. label Nov 16, 2021
MikeMcQuaid (Member) commented:

Makes sense to me 👍🏻

BrewTestBot (Member) commented:

Review period skipped due to critical label.

@BrewTestBot BrewTestBot removed the waiting for feedback Merging is blocked until sufficient time has passed for review label Nov 16, 2021
@MikeMcQuaid MikeMcQuaid merged commit b0360de into Homebrew:master Nov 16, 2021
@github-actions github-actions bot added the outdated PR was locked due to age label Dec 17, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 17, 2021