lint: use regexes for more reliable branch name detection

fdroid lint currently flags branches from a blocklist. Using branches means that a build might not be reproducible, since a branch is not stable (by definition). So these cases should be flagged. Using branches also breaks the strong link between git commit and the buildserver. A commit could be pushed to a branch until the app is published on f-droid.org, then removed to hide its contents. This could be used in supply chain attacks or to slip in bits that violate our inclusion policy. GNU/Linux distros generally require source tarballs, which are static. In order to use Git repos and provide something static like source tarballs, we will need to enforce using commit IDs, since they are a cryptographically sound method to point to static source.

This will generate "Branch 'stable' used as commit in srclib 'flutter@stable'" for about 50 apps. I was thinking that specific lint error could be ignored by default (!1749). Or each app could have:

LintIgnore:
  - Branch 'stable' used as commit in srclib 'flutter@stable'
Edited by Hans-Christoph Steiner
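As an added illustration of the check the merge request describes (this is example code written for this page, not fdroidserver's lint implementation, and its regexes, the simplified metadata layout and the sample app data are assumptions), the following classifies a git ref as a full commit ID, an abbreviated ID, a branch name or a tag-like string, then walks an app's Builds to flag every commit or srclib ref that names a branch, honouring the proposed LintIgnore list:

```python
import re

# Example code, not fdroidserver's own lint. The patterns, the metadata subset
# (Builds with versionName/commit/srclibs plus the proposed LintIgnore) and the
# sample app below are all assumptions made for this illustration.

FULL_COMMIT_ID = re.compile(r'^(?:[0-9a-f]{40}|[0-9a-f]{64})$')  # SHA-1 or SHA-256 object id
ABBREV_COMMIT_ID = re.compile(r'^[0-9a-f]{7,39}$')              # shortened object id
BRANCH_NAME = re.compile(
    r'^(?:[\w.-]+/)?'                                            # optional remote prefix, e.g. origin/
    r'(?:master|main|trunk|stable|develop|dev|default|HEAD|release|next)$',
    re.IGNORECASE)
# Release-tag shapes such as v1.0, 1.2.3-rc1, release-2.0
TAG_LIKE = re.compile(
    r'^(?:v|release[-_/]?)?\d+(?:[._]\d+)*(?:[-_.][0-9A-Za-z]+)*$', re.IGNORECASE)


def classify_ref(ref):
    """Return 'commit', 'abbrev-commit', 'branch', 'tag' or 'unknown' for a git ref string."""
    ref = ref.strip()
    if FULL_COMMIT_ID.match(ref):
        return 'commit'
    if ABBREV_COMMIT_ID.match(ref):
        return 'abbrev-commit'
    if BRANCH_NAME.match(ref):
        return 'branch'
    if TAG_LIKE.match(ref):
        return 'tag'
    return 'unknown'


def lint_branch_refs(app):
    """Return deduplicated lint messages for every Build commit or srclib ref that names a branch,
    minus any message listed in the app's LintIgnore."""
    messages = []
    for build in app.get('Builds', []):
        version = build.get('versionName', '?')
        commit = build.get('commit')
        if commit is not None and classify_ref(commit) == 'branch':
            messages.append("Branch '%s' used as commit in build '%s'" % (commit, version))
        for srclib in build.get('srclibs', []):
            # srclib specs are written name@ref; a spec without @ref is a different lint problem
            name, sep, ref = srclib.partition('@')
            if sep and classify_ref(ref) == 'branch':
                messages.append("Branch '%s' used as commit in srclib '%s'" % (ref, srclib))
    ignored = set(app.get('LintIgnore', []))
    seen = set()
    result = []
    for message in messages:  # many builds repeat the same srclib, so report each message once
        if message in ignored or message in seen:
            continue
        seen.add(message)
        result.append(message)
    return result


# Constructed sample app: one tagged build, one branch-pinned build, one commit-pinned build.
SAMPLE_APP = {
    'LintIgnore': ["Branch 'stable' used as commit in srclib 'flutter@stable'"],
    'Builds': [
        {'versionName': '1.0', 'commit': 'v1.0', 'srclibs': ['flutter@stable']},
        {'versionName': '1.1', 'commit': 'master',
         'srclibs': ['flutter@stable', 'ExampleLib@origin/develop']},
        {'versionName': '1.2', 'commit': '3b8f0ad6c91e7f3a4d2e5b6c7d8e9f0a1b2c3d4e',
         'srclibs': ['flutter@3.13.9']},
    ],
}

if __name__ == '__main__':
    for message in lint_branch_refs(SAMPLE_APP):
        print(message)
```

Running it on the sample app reports the 'master' commit in build 1.1 and the 'origin/develop' srclib ref, while the 'flutter@stable' message is suppressed by LintIgnore. One caveat a regex-only classifier cannot avoid: a purely numeric tag such as 12345678 is indistinguishable from an abbreviated object ID, which is a further argument for requiring full commit IDs rather than trying to recognise every safe ref shape.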
