Okay, pushed a commit to warn when a Bintray URL is unreachable. Example:
```
$ brew pull https://github.com/Homebrew/homebrew-core/commit/af44c4ba3c
Warning: Current branch is pull-test: do you need to pull inside master?
==> Fetching patch
Patch: https://github.com/Homebrew/homebrew-core/commit/af44c4ba3c.patch
/usr/bin/curl --remote-time --location --user-agent Homebrew/1.1.10-439-g475cade1a3-dirty (Macintosh; Intel macOS 10.12.3) curl/7.51.0 --fail https://github.com/Homebrew/homebrew-core/commit/af44c4ba3c.patch -s -o /Users/zmwang/Library/Caches/Homebrew/af44c4ba3c.patch
==> Applying patch
git am --whitespace=fix -3 /Users/zmwang/Library/Caches/Homebrew/af44c4ba3c.patch
Applying: imagemagick: bump homebrew mirror url for testing
Warning: The Bintray mirror https://dl.bintray.com/homebrew/mirror/imagemagick-7.0.5-404.tar.xz is not reachable (HTTP status code 404).
Warning: Do you need to upload it with `brew mirror imagemagick`?
Warning: imagemagick has a bottle: do you need to update it with --bottle?
Warning: Nonstandard bump subject: imagemagick: bump homebrew mirror url for testing
Warning: Subject should be: imagemagick 7.0.5-404
==> Patch changed:
git diff-tree -r --stat 61d247c893 HEAD
Formula/imagemagick.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
```
The relevant part:
```
Warning: The Bintray mirror https://dl.bintray.com/homebrew/mirror/imagemagick-7.0.5-404.tar.xz is not reachable (HTTP status code 404).
Warning: Do you need to upload it with `brew mirror imagemagick`?
```
Upgrade OpenSSL to 1.0.2k
=========================
OpenSSL hasn't been upgraded in a while, and according to https://www.openssl.org/news/vulnerabilities.html 1.0.2g suffers from 25 vulnerabilities at the moment, two of which labeled high severity.
This PR should help improve the security of the three macOS users out there who don't use Homebrew.
Okay, in `pull.rb`, for each changed formula, we should be able to
1. Read the formula and find its list of URLs;
2. For each `https://dl.bintray.com/homebrew/mirror/` URL, check whether it was added by the patch by searching the patch for `/^\+.*"#{Regexp.quote(url)}"`;
3. For each such URL verify whether it has a valid basename (what to do when there are multiple other URLs with different basenames?), and run `brew mirror`;
4. A `--verify` flag should probably be added to `brew mirror` to make sure the file is successfully mirrored; can be modeled on `verify_bintray_published` in `pull.rb`.
All of this should be guarded by a `--mirror` flag to `brew pull`, so maintainers still have to opt in to this, which will probably shave off much of its value.
Feels like a lot of work and a lot of added code complexity with very little return.
> I think that's better than not flagging this.
Fair enough, is this the final verdict? If so, I'll close the PR.
> Or furthermore: just automatically do the upload.
Probably not a good idea. Too easy to submit bogus PRs to hijack a bunch of URLs.