feat: add audit for wayback machine URLs

[SMillerDev]

• Have you followed the guidelines in our Contributing document?
• Have you checked to ensure there aren't other open Pull Requests for the same change?
• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your changes? Here's an example.
• Have you successfully run brew style with your changes locally?
• Have you successfully run brew typecheck with your changes locally?
• Have you successfully run brew tests with your changes locally?

---

[MikeMcQuaid]

Great idea, thanks @SMillerDev!

[cho-m]

How do we want to deal with formulae with dependents?

For example, libelf (although it isn't caught by audit as run on Linux) is still actively used by various projects because there isn't a good alternative on macOS (elfutils being Linux-only and elftoolchain having issues in current release).

---

Some options being:

1. Add another allowlist if we want to keep dependents
2. Deprecate dependents and formula right away
3. Allow setting a deferred deprecation and reporting upstream to give some time (X months?) before deprecating.
4. Or some combination of above based on popularity

EDIT: This may depend on upcoming discussion for updating/formalizing how to consistently handle deprecation.

[MikeMcQuaid]

@cho-m Good questions! I think it's worth talking about this at the AGM. I think libelf is a particularly good example because upstream isn't "moved" or "temporarily down" but is "entirely gone" and there's not even e.g. a GitHub fork with meaningful traction.

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[SMillerDev]

We did not talk about this at the AGM, but I think if we depend on something we have no other way than to adopt maintenance of it.

There are also a bunch of formula that use Debian as a source now as an alternative, since they cache all the source code of their packages.

[MikeMcQuaid]

1. Add another allowlist if we want to keep dependents

I don't think so. It doesn't make sense to me to deprecate a formula but not the dependents.

[SMillerDev]

I'll move forward with this, switching sources to a "maintained" version whenever I can. Deprecating otherwise.

[MikeMcQuaid]

Looks good once CI

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[SMillerDev]

Right, still have to finish the list of deprecations in core.

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[SMillerDev]

Core depreciations are still ongoing, it's taking some effort

[MikeMcQuaid]

@SMillerDev How about making this strict and/or for new formulae only so it can get merged before homebrew/core is all fixed?

[SMillerDev]

Not sure if it'll catch anything that way, but it's certainly a way to get this merged now

[MikeMcQuaid]

Not sure if it'll catch anything that way, but it's certainly a way to get this merged now

Yeh, I think getting it merged/runnable sooner would be better.

[MikeMcQuaid]

Thanks again @SMillerDev!