by theGimp 3324 days ago
The real problem is that you're trusting binaries you find on disparate websites.

If you want to avoid these sorts of compromises, use a package manager or check the hash of the downloaded file against one that you trust.


Homebrew Cask updated the hash to the infected one, so in this case it has been useless.
If you look at the history for handbrake in cask, it looks like it was first updated to 1.0.7 with the correct hash, then later the hash was changed with no version bump, and then reverted. That's crazy! Why didn't alarm bells go off when the hash changed? https://github.com/caskroom/homebrew-cask/commits/master/Cas...
What the absolute heck. Literally just the hash was updated yet the version stayed the same: https://github.com/caskroom/homebrew-cask/commit/461af7672fa...
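The kind of "alarm bell" the comments above are asking for, as an added example that is not from the thread or from Homebrew: a check that diffs the `version` and `sha256` lines of two revisions of a cask and flags a hash change with no version bump. The cask fragments and hashes are constructed placeholders, not the real HandBrake cask.

```python
import re

# Constructed cask fragments for illustration; hashes are placeholders, not real digests.
CASK_BEFORE = """
cask 'handbrake' do
  version '1.0.7'
  sha256 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
  url "https://example.invalid/HandBrake-#{version}.dmg"
end
"""
# Same version, different hash: the pattern seen in the commit discussed above.
CASK_AFTER = CASK_BEFORE.replace("a" * 64, "b" * 64)
# Version bump with a new hash: the normal, expected shape of an update.
CASK_BUMPED = CASK_BEFORE.replace("1.0.7", "1.0.8").replace("a" * 64, "c" * 64)

VERSION_RE = re.compile(r"^\s*version\s+['\"]([^'\"]+)['\"]", re.M)
# Accepts a 64-hex-digit literal or Homebrew Cask's ':no_check' sentinel.
SHA256_RE = re.compile(r"^\s*sha256\s+(?::no_check|['\"]([0-9a-fA-F]{64})['\"])", re.M)


def parse_cask(text):
    """Return (version, sha256) from a cask body; sha256 is None for ':no_check'."""
    version = VERSION_RE.search(text)
    sha = SHA256_RE.search(text)
    if version is None or sha is None:
        raise ValueError("cask is missing a version or sha256 line")
    digest = sha.group(1).lower() if sha.group(1) else None
    return version.group(1), digest


def classify_change(before, after):
    """Classify a cask edit so a reviewer (or CI) can block the suspicious case."""
    v0, h0 = parse_cask(before)
    v1, h1 = parse_cask(after)
    if h1 is None:
        return "unverified"                 # sha256 :no_check; nothing to pin against
    if v0 == v1 and h0 == h1:
        return "unchanged"
    if v0 != v1 and h0 != h1:
        return "version_bump"               # new release, new artifact: expected
    if v0 != v1:
        return "version_bump_same_hash"     # odd: new version, identical file
    return "hash_changed_same_version"      # block and confirm with upstream


if __name__ == "__main__":
    print(classify_change(CASK_BEFORE, CASK_AFTER))   # hash_changed_same_version
```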
Which package manager? :P
What OS are you using?
Just to let people know, Handbrake is on Homebrew Cask in macOS.
Sadly Homebrew is terrible for this: the developer guide for how to get the hash for the files you're downloading is literally to just test run the download with an empty hash in the brew file, and it will calculate the hash from the file on the website. In this case Homebrew would not help, as galad87 mentions here https://news.ycombinator.com/reply?id=14282116&goto=item%3Fi....
And, what's your proposed alternative for calculating a hash?

Btw, we treat hash changes very seriously in homebrew-core; they are never merged without a confirmation from the upstream. Unfortunately Cask apparently doesn't live up to the same standard, but Homebrew Cask is not really Homebrew.

...which used the hash of the compromised version for ~3 days.