- Previously I thought that comments were fine to discourage people from
wasting their time trying to bump things that used `undef` that Sorbet
didn't support. But RuboCop is better at this since it'll complain if
the comments are unnecessary.
- Suggested in https://github.com/Homebrew/brew/pull/18018#issuecomment-2283369501.
- I've gone for a mixture of `rubocop:disable` for the files that can't
be `typed: strict` (use of undef, required before everything else, etc)
and `rubocop:todo` for everything else that should be tried to make
strictly typed. There's no functional difference between the two as
`rubocop:todo` is `rubocop:disable` with a different name.
- And I entirely disabled the cop for the docs/ directory since
`typed: strict` isn't going to gain us anything for some Markdown
linting config files.
- This means that now it's easier to track what needs to be done rather
than relying on checklists of files in our big Sorbet issue:
```shell
$ git grep 'typed: true # rubocop:todo Sorbet/StrictSigil' | wc -l
268
```
- And this is confirmed working for new files:
```shell
$ git status
On branch use-rubocop-for-sorbet-strict-sigils
Untracked files:
(use "git add <file>..." to include in what will be committed)
Library/Homebrew/bad.rb
Library/Homebrew/good.rb
nothing added to commit but untracked files present (use "git add" to track)
$ brew style
Offenses:
bad.rb:1:1: C: Sorbet/StrictSigil: Sorbet sigil should be at least strict got true.
^^^^^^^^^^^^^
1340 files inspected, 1 offense detected
```
Let's use the disable date, if provided, and use 1 year after the
deprecation date otherwise, to display a better message for the
various outputs of deprecated package messages.
Also, provide an internal API for this that can be used by
Homebrew/actions.
The rationale is that a checksum mismatch is a huge security issue.
This means that the current source file, but maybe the initial one,
might have been compromised.
In the case upstream does not respond quickly to clarify what happened,
or fails to respond, we can now rev-bump the formula, disable and unbottle it,
making sure we stop delivering the potentially malicious code
Further improvements:
- Add the url of the project in the error message to redirect users to
the closed pull request where we disabled this, to centralize the discussion
and avoid the opening of multiple new issues
- Add a warning on brew-update that something is fishy upstream
