<h1>Homebrew to Packages: No ID, No Service</h1>
<p>Published 2026-06-22. Originally published at <a href="https://devops.com/homebrew-to-packages-no-id-no-service/">devops.com</a>.</p>

<p>Homebrew, the unofficial but default package manager for many Apple Mac users, now has safeguards to prevent supply-chain attacks.</p>
<p>The approach mimics how GitHub just fortified npm against attacks by establishing a set of trusted repositories to download from.</p>
<p>“The Homebrew team is aware of the supply-side security issues with other package managers. We’ve taken various steps to mitigate these risks for our users,” wrote current Homebrew Project Leader Mike McQuaid in the <a href="https://brew.sh/2026/06/11/homebrew-6.0.0/">6.0.0 introductory post</a>.</p>

<h3>Check the Guestlist</h3>
<p>When Max Howell created Homebrew in 2009, he consistently named features with terms from beer brewing and consumption. Thus, when a user needs new software on their machine, they open a “tap” to a third-party repository.</p>
<p>Now, the software’s maintainers have added a safety mechanism to tap, preventing execution of installation code whose source hasn’t already been vetted by the user or by Homebrew itself. It debuted with the release of Homebrew 6.0.0 last week.</p>
<p>The Homebrew core engine now performs a gate check for each download request. Homebrew will block any tap that is not on a pre-approved list. The list is based on remote fully-qualified URLs. Other taps on the Internet will be considered untrusted until the user deems otherwise.</p>
<p>Users can still download third-party software, but only after issuing a separate command: <code>brew trust user/repo</code>.</p>
<p>Users can also add third-party taps, including their own. To install an untrusted app, the user specifies in the command the <a href="https://github.com/ddev/ddev/issues/8450">fully qualified domain path</a> to the installation formula.</p>
<p>Homebrew halts dependency downloads from untrusted sources, instead of silently fetching them in the background as previous versions did.</p>
<p>A Boolean <code>trusted</code> field is also baked into Homebrew’s state management, which gives auditors information on which downloaded taps are trusted.</p>
<p>Package maintainers may need to change their installation instructions and README files to detail how users can put the maintainers’ repositories on their own trust lists. Those with Homebrew baked into their CI/CD pipelines will need to write <code>brew trust</code> commands into their setup scripts at the appropriate points.</p>

<h3>New Recipe for Brewers</h3>
<p>Every application in the Homebrew ecosystem must include a Ruby script that tells Homebrew how to download, compile and/or install the software. This is where the trouble starts.</p>
<p>Homebrew hasn’t yet been hit with any major attempts to poison its core repositories (that we know of), though other repositories, such as npm and PyPI, have been hit hard. Attackers altered setup scripts to sneak in poisoned packages (<a href="https://attack.mitre.org/software/S9008/">Shai-Hulud</a>, for example, was one recent npm attack that used this approach).</p>
<p>In fact, the <a href="https://securityboulevard.com/2026/06/github-locks-down-npm-what-the-new-install-defaults-mean-for-your-supply-chain/">npm maintainers</a> at GitHub re-engineered how npm downloads software using an approach similar to Homebrew’s, namely by blocking any installation scripts that don’t already have user approval. This update should come with the release of npm v12, <a href="https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/">due next month</a>.</p>

<h3>Brewski Changes for Linux Users Too</h3>
<p>Besides serving the Mac community, Homebrew is also used quite a bit on Linux, and McQuaid and his colleagues did security work for this group as well. They incorporated <a href="https://github.com/containers/bubblewrap">Bubblewrap</a> into Homebrew so that the software sandboxes application builds, tests and post-install phases (<a href="https://github.com/secureblue/secureblue/issues/1891">replicating</a> a functionality Macs already offer).</p>
<p>With 6.0.0, this feature is <a href="https://github.com/Homebrew/brew/pull/22370">automatically enabled</a> for developers. When they test new software installations, Bubblewrap confines any actions taken by the start-up scripts to a new mount namespace.</p>
<p>Homebrew 6.0 is the first major release since <a href="https://brew.sh/2025/11/12/homebrew-5.0.0">version 5.0</a> last November. In addition to the security features, it also includes a new JSON API, which <a href="https://github.com/Homebrew/brew/pull/22546">should speed</a> downloads and reduce network chatter.</p>