resource_auditor: audit PyPI resources that exist as dependencies

Some widely-used PyPI packages are available in Homebrew as dependencies
for other Python-based formulae. We encourage their use either because
they take a lot of time to build (f.e. `pydantic` or `scipy`) or we
don't want to do hundreds of revision bumps when new security updates
come out (f.e. `cryptography` or `certifi`). The problem I see with new
contributors is that they don't know it. A lot of the time, they read
the cookbook, create a Python-based formula, and it passes audit and
tests. They did nothing wrong, but a maintainer still have to point out,
"Hey, numpy takes a lot of time to build, and it exists as a formula,
let's use it instead". I'd rather add an audit for such cases and make
exceptions for formulae where it cannot be used

I'd also take a look at [Python for Formula
Authors](https://docs.brew.sh/Python-for-Formula-Authors) but it should
be revised in another PR

Signed-off-by: botantony <antonsm21@gmail.com>

Author: botantony

Library/Homebrew/formula_auditor.rb

@@ -731,6 +731,14 @@ def get_repo_data(regex)
     def audit_specs
       problem "HEAD-only (no stable download)" if head_only?(formula) && @core_tap
 
+      allowed_pypi_packages = formula.tap&.audit_exception(:pypi_resources_allowlist, formula.name)
+      allowed_pypi_packages = case allowed_pypi_packages
+      when String
+        allowed_pypi_packages.split(/\s+/i).to_set
+      else
+        Set.new
+      end
+
       %w[Stable HEAD].each do |name|
         spec_name = name.downcase.to_sym
         next unless (spec = formula.send(spec_name))
@@ -753,9 +761,15 @@ def audit_specs
         spec.resources.each_value do |resource|
           problem "Resource name should be different from the formula name" if resource.name == formula.name
 
+          except = if allowed_pypi_packages.include?(resource.name)
+            @except.to_a + ["pypi_resources"]
+          else
+            @except
+          end
+
           ra = ResourceAuditor.new(
             resource, spec_name,
-            online: @online, strict: @strict, only: @only, except: @except,
+            online: @online, strict: @strict, only: @only, except:,
             use_homebrew_curl: resource.using == :homebrew_curl
           ).audit
           ra.problems.each do |message|

Library/Homebrew/resource_auditor.rb

@@ -8,6 +8,8 @@ module Homebrew
   class ResourceAuditor
     include Utils::Curl
 
+    DEPENDENCY_PACKAGES = Set.new(%w[certifi cffi cryptography numpy pillow pydantic rpds-py scipy torch]).freeze
+
     attr_reader :name, :version, :checksum, :url, :mirrors, :using, :specs, :owner, :spec_name, :problems
 
     def initialize(resource, spec_name, options = {})
@@ -108,7 +110,7 @@ def self.curl_deps
       end
     end
 
-    def audit_resource_name_matches_pypi_package_name_in_url
+    def audit_pypi_resources
       return unless url.match?(%r{^https?://files\.pythonhosted\.org/packages/})
       return if name == owner.name # Skip the top-level package name as we only care about `resource "foo"` blocks.
 
@@ -124,9 +126,13 @@ def audit_resource_name_matches_pypi_package_name_in_url
 
       T.must(pypi_package_name).gsub!(/[_.]/, "-")
 
-      return if name.casecmp(pypi_package_name).zero?
+      if name.casecmp(pypi_package_name).nonzero?
+        problem "`resource` name should be '#{pypi_package_name}' to match the PyPI package name"
+      end
+
+      return if DEPENDENCY_PACKAGES.exclude?(pypi_package_name.downcase)
 
-      problem "`resource` name should be '#{pypi_package_name}' to match the PyPI package name"
+      problem "PyPI package should be replaced with Homebrew dependency and excluded using `pypi_package` method"
     end
 
     def audit_urls

Library/Homebrew/test/formula_auditor_spec.rb

@@ -525,7 +525,7 @@ class Foo < Formula
     end
   end
 
-  describe "#audit_resource_name_matches_pypi_package_name_in_url" do
+  describe "#audit_pypi_resources" do
     it "reports a problem if the resource name does not match the python sdist name" do
       fa = formula_auditor "foo", <<~RUBY
         class Foo < Formula
@@ -563,6 +563,68 @@ class Foo < Formula
       expect(fa.problems.first[:message])
         .to match("`resource` name should be 'FooSomething' to match the PyPI package name")
     end
+
+    it "reports a problem if the resource should be replaced with a dependency" do
+      fa = formula_auditor "foo", <<~RUBY
+        class Foo < Formula
+          url "https://brew.sh/foo-1.0.tgz"
+          sha256 "abc123"
+          homepage "https://brew.sh"
+
+          resource "cryptography" do
+            url "https://files.pythonhosted.org/packages/00/00/aaaa/cryptography-1.0.0.tar.gz"
+            sha256 "def456"
+          end
+
+          resource "pydantic" do
+            url "https://files.pythonhosted.org/packages/00/00/aaaa/pydantic-1.0.0.tar.gz"
+            sha256 "ghi789"
+          end
+        end
+      RUBY
+
+      fa.audit_specs
+      expect(fa.problems.count).to eq(2)
+      expect(fa.problems.first[:message])
+        .to match("PyPI package should be replaced with Homebrew dependency and exlcuded using `pypi_package` method")
+    end
+
+    it "doesn't report a problem if there is an exception to a PyPI resource that should be a dependency" do
+      tap_audit_exceptions = { pypi_resources_allowlist: { "foo" => "cryptography pydantic" } }
+      fa = formula_auditor("foo", <<~RUBY, tap_audit_exceptions:)
+        class Foo < Formula
+          url "https://brew.sh/foo-1.0.tgz"
+          sha256 "abc123"
+          homepage "https://brew.sh"
+
+          resource "cryptography" do
+            url "https://files.pythonhosted.org/packages/60/04/aaaa/cryptography-1.0.0.tar.gz"
+            sha256 "def456"
+          end
+
+          resource "pydantic" do
+            url "https://files.pythonhosted.org/packages/00/00/aaaa/pydantic-1.0.0.tar.gz"
+            sha256 "ghi789"
+          end
+        end
+      RUBY
+
+      fa.audit_specs
+      expect(fa.problems).to be_empty
+    end
+
+    it "doesn't audit PyPI package if it is not a resource" do
+      fa = formula_auditor "cryptography", <<~RUBY
+        class Cryptography < Formula
+          url "https://files.pythonhosted.org/packages/60/04/aaaa/cryptography-1.0.0.tar.gz"
+          sha256 "abc123"
+          homepage "https://brew.sh"
+        end
+      RUBY
+
+      fa.audit_specs
+      expect(fa.problems).to be_empty
+    end
   end
 
   describe "#check_service_command" do