Audit invalid versions

[MikeMcQuaid]

We have a bunch of versions we've been meaning to adjust to not use invalid GitHub Packages characters for a while. Let's audit for them and plan for deprecating their use in future.

Companion to Homebrew/homebrew-core#141202

[Bo98]

A problem here is auto version parsing should be updated too, but that comes with a risk of breaking existing formulae immediately.

[Bo98]

This "bad" list is very much homebrew-core specific.

Broadly, it probably should be a whitelist like [a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}

[MikeMcQuaid]

A problem here is auto version parsing should be updated too, but that comes with a risk of breaking existing formulae immediately.

Ideally yes but I think it's fine to just have the audit require a specific version.

This "bad" list is very much homebrew-core specific.

Sure but: I don't think we need to handle more than that?

If we fix all the issues in homebrew/core and have CI in both places to prevent it regressing: that seems sufficient.

[Bo98]

Sure but: I don't think we need to handle more than that?

If we fix all the issues in homebrew/core and have CI in both places to prevent it regressing: that seems sufficient.

To be clear: the whitelist I suggested shouldn't break more things (i.e. there should be nothing not already covered by your PR that is broken - but I haven't checked). It's more to cover future things.

It's what I believe to be the correct regex based on https://github.com/opencontainers/distribution-spec/blob/main/spec.md (though GHP's implementation could vary).

Can be a separate PR though if preferred.

[MikeMcQuaid]

To be clear: the whitelist I suggested shouldn't break more things (i.e. there should be nothing not already covered by your PR that is broken - but I haven't checked). It's more to cover future things.

It's what I believe to be the correct regex based on https://github.com/opencontainers/distribution-spec/blob/main/spec.md (though GHP's implementation could vary).

Ah, I see, sorry for misunderstanding! This is great, thanks for digging it up. Having updated the regexes accordingly.

[scpeters]

we are using ~ in version strings in the osrf/simulation tap for formulae that are currently in a prerelease version:

• https://github.com/osrf/homebrew-simulation/blob/master/Formula/gz-harmonic.rb#L7

these formulae are now failing the audit. I will see if changing the ~ characters to - allows these formulae to pass this audit, while still following the same version comparison scheme (since 1.0.0~pre1 < 1.0.0, then hopefully also 1.0.0-pre1 < 1.0.0)

[scpeters]

we are using ~ in version strings in the osrf/simulation tap for formulae that are currently in a prerelease version:

• https://github.com/osrf/homebrew-simulation/blob/master/Formula/gz-harmonic.rb#L7

these formulae are now failing the audit. I will see if changing the ~ characters to - allows these formulae to pass this audit, while still following the same version comparison scheme (since 1.0.0~pre1 < 1.0.0, then hopefully also 1.0.0-pre1 < 1.0.0)

unfortunately, changing our explicit version strings will make our bottles inaccessible (since the version is encoded in the bottle filename) and possibly require them to be rebuilt.

can this be considered an audit requirement for homebrew/core only for the time being? I can work on complying with this for future pre-releases and bottles, but it's causing audit failures for a bunch of our current formulae at the moment, and I don't have a trivial way of fixing them

[scpeters]

I've proposed relaxing the new audit for 3rd-party taps in #15972