audit: remove [email protected] from unstable spec whitelist #5060

Merged 1 commit, Oct 9, 2018

@commitay (Contributor) commented Oct 8, 2018

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew tests with your changes locally?

Homebrew/homebrew-core#31989
Now that TLS1.3 has landed in a stable release we probably don't need to allow for an unstable spec.

@commitay commitay merged commit cd1cf89 into Homebrew:master Oct 9, 2018
@commitay commitay deleted the openssl-versioned-whitelist branch October 9, 2018 05:12
@commitay (Contributor Author) commented Oct 9, 2018

@MikeMcQuaid Thoughts on adding an audit to disallow unstable specs for crypto/security formulae? e.g. openssl, libressl, gnutls, gnupg.

Only gnutls has an unstable spec currently and it isn't used much.

install events in the last 180 days
=========================================================================================
1 | gnutls                                                            | 343,772 |  99.93%
2 | gnutls --with-guile --with-unbound                                |      79 |   0.02%
3 | gnutls --devel                                                    |      51 |   0.01%

Edit: libressl has a head spec, which doesn't seem like a good idea.
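
A standalone check of the kind proposed in the comment above, as an added example that is not part of this thread and not Homebrew's own audit code. It assumes formula sources are scanned as plain text with a regular expression; the function names, sample formulae and `example.invalid` URLs are constructed for illustration.

```ruby
# Added example: a text-based check, not Homebrew's own audit implementation.
# Formula names are the ones listed in the comment above.
CRYPTO_FORMULAE = %w[openssl libressl gnutls gnupg].freeze

# A `devel do` block, or a `head` stanza in either its block or URL form.
UNSTABLE_SPEC = /^\s*(?:(devel)\s+do\b|(head)\s+(?:do\b|["']))/

# "name@version" and "name" are the same project for policy purposes.
def base_name(formula_name)
  formula_name.split("@").first
end

# Returns [[spec, line_number], ...] for each unstable spec in the source text.
def unstable_specs(source)
  source.each_line.with_index(1).each_with_object([]) do |(line, lineno), found|
    match = UNSTABLE_SPEC.match(line)
    found << [match[1] || match[2], lineno] if match
  end
end

# Hypothetical audit entry point: one problem string per offending stanza.
def audit_unstable_specs(name, source)
  return [] unless CRYPTO_FORMULAE.include?(base_name(name))

  unstable_specs(source).map do |spec, lineno|
    "#{name}: line #{lineno}: `#{spec}` spec not allowed for crypto/security formulae"
  end
end

# Constructed formula sources (placeholder URLs), not copied from homebrew-core.
SAMPLE_GNUTLS = <<~FORMULA
  class Gnutls < Formula
    url "https://example.invalid/gnutls-stable.tar.xz"

    devel do
      url "https://example.invalid/gnutls-devel.tar.xz"
    end
  end
FORMULA

SAMPLE_LIBRESSL = <<~FORMULA
  class Libressl < Formula
    url "https://example.invalid/libressl-stable.tar.gz"
    head "https://example.invalid/libressl.git"
  end
FORMULA

if __FILE__ == $PROGRAM_NAME
  puts audit_unstable_specs("gnutls", SAMPLE_GNUTLS)
  puts audit_unstable_specs("libressl", SAMPLE_LIBRESSL)
  puts audit_unstable_specs("wine", SAMPLE_GNUTLS).inspect # not on the list: []
end
```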

@MikeMcQuaid (Member)

@commitay Makes sense to me. Honestly I think removing devel for formulae in Homebrew/homebrew-core makes sense today; I'd rather see devel use a @ formulae personally.

> libressl has a head spec, which doesn't seem like a good idea.

I think head is a more useful feature than devel as it allows people to quickly test things against the master branch if e.g. reproducing issues. That said, I defer to you there and am happy to see this removed and audited. In general I'm 👍 on removing anything that mandates a build from source.

@commitay (Contributor Author) commented Oct 9, 2018

> Honestly I think removing devel for formulae in Homebrew/homebrew-core makes sense today

Yeah, I've been tempted to do this for a while now.

Stuff like python and wine take hours just to start building the devel spec, the CI time we spend building them (sometimes multiple times) probably isn't worth it for the limited usage.

> I'd rather see devel use a @ formulae personally.

I kind of like this idea as it would avoid long CI builds and we might actually see an increase in usage over the current devel spec if we bottle them.

Not sure about duplicating formulae and trying to keep them in sync against a moving target, unlike the other @ formulae which are pretty much frozen.

What would a devel @ formulae be named? A permanent formula@devel or a [email protected] / [email protected] that we delete when it is superseded?

@MikeMcQuaid (Member)

> Stuff like python and wine take hours just to start building the devel spec, the CI time we spend building them (sometimes multiple times) probably isn't worth it for the limited usage.

Yeh, I totally forgot that we rebuild this every time 😭. It's definitely not worth that CI time.

> we might actually see an increase in usage over the current devel spec if we bottle them.

If people find them useful (and we don't use them as dependencies): that seems like a win to me.

> What would a devel @ formulae be named? A permanent formula@devel or a [email protected] / [email protected] that we delete when it is superseded?

[email protected] that we delete, I'm thinking. There's a potential here for us to do something clever, I think. Something like boost that we regularly anticipate a painful upgrade could be a @ formula before it becomes a stable formula and we could potentially move dependencies over incrementally to save on CI time. I haven't really thought this through so please feel free to tear it to shreds.

@commitay (Contributor Author) commented Oct 9, 2018

> Yeh, I totally forgot that we rebuild this every time 😭.

A while ago I poked around testbot to see if there was a way to only build a changed stable/devel spec but it would have needed to account for stable && devel changes and stable/devel only changes, didn't seem worth the effort.

> It's definitely not worth that CI time.

Maybe kill off devel specs in formulae and add a core only audit?

> [email protected] that we delete, I'm thinking.

👍 A one off formula would probably be easier than trying to maintain a permanent one. Might need to tag/audit it somehow as a "devel" formulae to make sure it isn't forgotten.

> Something like boost that we regularly anticipate a painful upgrade could be a @ formula before it becomes a stable formula and we could potentially move dependencies over incrementally to save on CI time.

This might help for us internally but I think it might make it difficult for people who want to switch to the new version in taps and for local development.

@MikeMcQuaid (Member)

> A while ago I poked around testbot to see if there was a way to only build a changed stable/devel spec but it would have needed to account for stable && devel changes and stable/devel only changes, didn't seem worth the effort.

Yeh. My concern would also be that something will sneak in as a stable change which breaks only the stable build (and vice-versa).

> Maybe kill off devel specs in formulae and add a core only audit?

I'd be in favour of this starting with those with (very) low or nonexistent install counts.

> This might help for us internally but I think it might make it difficult for people who want to switch to the new version in taps and for local development.

I think in an ideal, from-scratch world our versioned formulae would look a bit like Debian versions:

  • we have an unstable versioned formula that tracks upstream master that we try to be aware of changes coming down that might break things (in reality this isn't really practical given CI time, dependency intersections and head formulae having different build processes)
  • we have a testing (devel?) versioned formula which is tracking the next version we want to be stable
  • we have a stable formula (what we have now)
  • we have an oldstable versioned formula for stuff to give stuff and users who haven't been able to migrate to stable yet time to upgrade

Ideally these would all just be @ formulae that we could tag as stable with e.g. a symlink.

I don't say this because I think it will happen soon (or maybe ever) but just in case it influences/helps anyone's plans.

@commitay (Contributor Author) commented Oct 11, 2018

Currently we have 42 formulae with a devel spec + 2 open PRs, I think it would be easier to just remove them across the board and audit it as core policy rather than doing it selectively and having them creep back in/refusing PRs.

wine (the most popular by far) has problems with Xcode 10 so it's kinda useless at the moment on > 10.12, all of the others would seem to have low enough installs to justify removing them anyway.

install events in the last 30 days
=========================================================================================
 1273 | wine --devel                                              |        404 |   0.00%
 3240 | wxmac --devel                                             |         47 |   0.00%
 3394 | php --devel                                               |         42 |   0.00%
 3490 | jq --devel                                                |         39 |   0.00%
 3899 | elinks --devel                                            |         30 |   0.00%
 3986 | llvm --devel                                              |         29 |   0.00%
 4193 | tinc --devel                                              |         26 |   0.00%
 4435 | tcl-tk --devel                                            |         23 |   0.00%
 4771 | luajit --devel                                            |         19 |   0.00%
 5183 | freerdp --devel                                           |         15 |   0.00%
 5557 | scala --devel                                             |         13 |   0.00%
 5659 | gnutls --devel                                            |         12 |   0.00%
 5739 | ruby --devel                                              |         12 |   0.00%
 5934 | readline --devel                                          |         11 |   0.00%
 6005 | cairo --devel                                             |         10 |   0.00%
 6399 | premake --devel                                           |          9 |   0.00%
 6416 | rswift --devel                                            |          9 |   0.00%
 6691 | python --devel                                            |          8 |   0.00%
 6739 | tor --devel                                               |          8 |   0.00%
 6776 | ack --devel                                               |          7 |   0.00%
 7006 | mysql --devel                                             |          7 |   0.00%
 7053 | qt --devel                                                |          7 |   0.00%
 7101 | swagger-codegen --devel                                   |          7 |   0.00%
 7659 | cocoapods --devel                                         |          5 |   0.00%
 7684 | dart --devel                                              |          5 |   0.00%
 7948 | mpich --devel                                             |          5 |   0.00%
 8835 | swi-prolog --devel --with-xpce --with-libarchive          |          4 |   0.00%
 8918 | wxmac --devel --with-stl --with-static                    |          4 |   0.00%
 9061 | cmus --devel --with-ffmpeg --with-jack --with-opu         |          3 |   0.00%
 9558 | llvm --devel --with-toolchain --with-polly-gpgpu          |          3 |   0.00%
 9602 | mongodb --devel                                           |          3 |   0.00%
 9865 | swi-prolog --devel --with-jpl --with-xpce --with-         |          3 |   0.00%

install events in the last 90 days
=========================================================================================
 1080 | wine --devel                                              |      1,622 |   0.00%
 3244 | wxmac --devel                                             |        133 |   0.00%
 3674 | go --devel                                                |        100 |   0.00%
 3869 | freerdp --devel                                           |         89 |   0.00%
 3957 | elinks --devel                                            |         83 |   0.00%
 4012 | jq --devel                                                |         80 |   0.00%
 4037 | php --devel                                               |         79 |   0.00%
 4068 | kops --devel                                              |         77 |   0.00%
 4317 | tcl-tk --devel                                            |         67 |   0.00%
 4447 | [email protected] --devel                                       |         62 |   0.00%
 4602 | llvm --devel                                              |         57 |   0.00%
 4641 | tinc --devel                                              |         56 |   0.00%
 4763 | clickhouse --devel                                        |         52 |   0.00%
 5054 | ruby --devel                                              |         45 |   0.00%
 5325 | luajit --devel                                            |         39 |   0.00%
 5422 | gnutls --devel                                            |         37 |   0.00%
 5669 | dart --devel                                              |         33 |   0.00%
 5919 | swi-prolog --devel --with-xpce --with-libarchive          |         30 |   0.00%
 6173 | premake --devel                                           |         27 |   0.00%
 6179 | scala --devel                                             |         27 |   0.00%
 6693 | qemu --devel                                              |         22 |   0.00%
 6694 | readline --devel                                          |         22 |   0.00%
 7624 | swi-prolog --devel --with-jpl --with-xpce --with-         |         16 |   0.00%
 7644 | ack --devel                                               |         15 |   0.00%
 8353 | cairo --devel                                             |         12 |   0.00%
 8766 | luajit --devel --with-gc64                                |         11 |   0.00%
 8827 | qemu --devel --with-sdl2 --with-libssh2 --with-li         |         11 |   0.00%
 8870 | swagger-codegen --devel                                   |         11 |   0.00%
 8871 | swi-prolog --devel --with-xpce                            |         11 |   0.00%
 8904 | wxmac --devel --with-stl                                  |         11 |   0.00%
 8905 | wxmac --devel --with-stl --with-static                    |         11 |   0.00%
 8925 | baker --devel                                             |         10 |   0.00%
 8971 | dart --devel --with-dartium                               |         10 |   0.00%
 9111 | llvm --devel --with-toolchain                             |         10 |   0.00%
 9246 | tor --devel                                               |         10 |   0.00%
 9287 | bmx --devel                                               |          9 |   0.00%
 9325 | dbus --devel                                              |          9 |   0.00%
 9574 | python --devel                                            |          9 |   0.00%
 9594 | rswift --devel                                            |          9 |   0.00%
 9831 | git-cinnabar --devel                                      |          8 |   0.00%

install events in the last 180 days
=========================================================================================
 1123 | wine --devel                                              |      3,041 |   0.00%
 3069 | python --devel                                            |        316 |   0.00%
 3307 | wxmac --devel                                             |        263 |   0.00%
 3705 | mysql --devel                                             |        200 |   0.00%
 3923 | elinks --devel                                            |        175 |   0.00%
 3963 | hub --devel                                               |        171 |   0.00%
 4133 | clickhouse --devel                                        |        154 |   0.00%
 4288 | jq --devel                                                |        141 |   0.00%
 4349 | emacs --devel --with-cocoa --with-modules --with-         |        136 |   0.00%
 4390 | tcl-tk --devel                                            |        133 |   0.00%
 4418 | [email protected] --devel                                       |        130 |   0.00%
 4571 | freerdp --devel                                           |        119 |   0.00%
 4632 | swi-prolog --devel --with-xpce --with-libarchive          |        116 |   0.00%
 4786 | tinc --devel                                              |        106 |   0.00%
 4851 | go --devel                                                |        102 |   0.00%
 4911 | kops --devel                                              |         99 |   0.00%
 4997 | octave --devel --with-qt --with-java                      |         95 |   0.00%
 5200 | php --devel                                               |         86 |   0.00%
 5424 | ruby --devel                                              |         77 |   0.00%
 5491 | emacs --devel --with-cocoa                                |         74 |   0.00%
 5719 | mariadb --devel                                           |         67 |   0.00%
 6005 | luajit --devel                                            |         59 |   0.00%
 6059 | emacs --devel                                             |         57 |   0.00%
 6076 | llvm --devel                                              |         57 |   0.00%
 6257 | gnutls --devel                                            |         53 |   0.00%
 6341 | dart --devel                                              |         51 |   0.00%
 6500 | premake --devel                                           |         48 |   0.00%
 6502 | scala --devel                                             |         48 |   0.00%
 6556 | python --devel --with-tcl-tk                              |         47 |   0.00%
 6566 | swi-prolog --devel --with-jpl --with-xpce --with-         |         47 |   0.00%
 7244 | emacs --devel --with-cocoa --with-gnutls                  |         36 |   0.00%
 7431 | libspatialite --devel                                     |         34 |   0.00%
 7718 | qemu --devel                                              |         31 |   0.00%
 7732 | swi-prolog --devel --with-xpce                            |         31 |   0.00%
 8192 | swi-prolog --devel                                        |         27 |   0.00%
 8238 | emacs --devel --with-cocoa --with-modules --with-         |         26 |   0.00%
 8270 | luajit --devel --with-gc64                                |         26 |   0.00%
 8301 | readline --devel                                          |         26 |   0.00%
 9127 | ack --devel                                               |         20 |   0.00%
 9168 | emacs --devel --with-cocoa --with-gnutls --with-l         |         20 |   0.00%
 9282 | python@2 --devel                                          |         20 |   0.00%
 9371 | emacs --devel --with-cocoa --with-imagemagick@6           |         19 |   0.00%
 9833 | dmd --devel                                               |         17 |   0.00%

@MikeMcQuaid (Member)

> Currently we have 42 formulae with a devel spec + 2 open PRs, I think it would be easier to just remove them across the board and audit it as core policy rather than doing it selectively and having them creep back in/refusing PRs.

Fine with me 👍

@woparry commented Oct 20, 2018

It looks like these have now been removed. I'm still a heavy user of wine --devel. It surprised me greatly when this suddenly stopped working.

Is there some possibility of printing some message to the user when they try to install these formulae for a short time, describing what the replacement is ([email protected] etc. if I understand correctly?)

@MikeMcQuaid (Member)

@woparry The best bet is probably for these to be maintained in a tap outside of Homebrew.

@Homebrew Homebrew locked and limited conversation to collaborators Oct 22, 2018