sha256 and caching with unversioned formulae

[Airblader]

homebrew-core doesn't contain unversioned head-only formulae anymore, but third-party taps / formulae as far as I know are still "allowed" to do so. I have two questions for such a scenario, and I realize that this might not be exactly Homebrew's mission, so totally happy if the answer is "not possible and don't do it". 🙃

Let's assume we have some tool acme whose releases aren't versioned, and there is only a acme-latest available. Say the tool is provided under https://acme.org/releases/acme-latest.tar.gz with an accompanying https://acme.org/releases/acme-latest.sha256

1. Can the formula reference the (also) remote checksum file for checksum comparison somehow?
2. Is there a way for the formula to prevent the archive from being cached? Homebrew seems to cache it, despite no version being declared, which for an unversioned archive of course wouldn't make much sense.

[SMillerDev]

Can the formula reference the (also) remote checksum file for checksum comparison somehow?

That kinda defeats the purpose of the checksum validating the download. Since a compromised remote download would accompany a compromised remote checksum.

Is there a way for the formula to prevent the archive from being cached? Homebrew seems to cache it, despite no version being declared, which for an unversioned archive of course wouldn't make much sense.

Not if you want to build from source. But casks do support this "always latest" scenario. So if you can make prebuilt binaries you're better off with a cask.

[Airblader]

That kinda defeats the purpose of the checksum validating the download

For a malicious file, yes. But integrity checking also just verifies that the download worked correctly. Archlinux' PKGBUILD system allows this, for example.

So if you can make prebuilt binaries you're better off with a cask.

Yeah, getting the feeling you might be right here. I'll investigate whether a cask isn't just the better option here. Appreciate your time!

[Airblader]

In the end I decided not to use a hammer to turn the screw, and just use proper sha256 checksums instead with a script to update them. I'll mark this as accepted so the question is closed. Appreciate everyone's time!

[carlocab]

1. Can the formula reference the (also) remote checksum file for checksum comparison somehow?

There's no built-in feature for this, but you might be able to override the sha256 method of the Formula class in order to support this.

2. Is there a way for the formula to prevent the archive from being cached? Homebrew seems to cache it, despite no version being declared, which for an unversioned archive of course wouldn't make much sense.

I don't think so. You can probably pass --force to brew upgrade or brew install to ignore the cached download. If that doesn't work, brew fetch --force should ignore the cached download.

[Airblader]

Thanks!