by mikemcquaid, 2718 days ago
It is not my intention to be dismissive. I admire the work Debian has done on the above but they are a project with many more maintainers and a lot more resources. We have some documentation for our process already under https://docs.brew.sh but ultimately if it's not good enough for you we need people who are willing to step up and do the work to do so.

I have looked at the Homebrew docs page. There is a document linked that describes how bottles are built [1], but it's not clear who has access to it and what safeguards are in place to prevent a malicious maintainer from spreading malware through it (such as who reviews the commits), and it doesn't list the precautions taken by Bintray to prevent and detect tampering with packages (and a user has to trust that they are in place and sufficient, and trust Bintray not to tamper with them). Another page says that most formula pull requests need to be reviewed but does not go over what this entails [2].
This alarming text, however, does appear in your maintainer guidelines [3]:
> Verify the formula works if possible. If you can't tell (e.g. if it's a library) trust the original contributor, it worked for them, so chances are it is fine. If you aren't an expert in the tool in question, you can't really gauge if the formula installed the program correctly. _At some point an expert will come along, cry blue murder that it doesn't work, and fix it. This is how open source works._ Ideally, request a test do block to test that functionality is consistently available.
Is there a set of maintainers who handle security-sensitive formulae, like openssl, gnupg, and tor?
[1] https://docs.brew.sh/Brew-Test-Bot
[2] https://docs.brew.sh/How-To-Open-a-Homebrew-Pull-Request
[3] https://docs.brew.sh/Maintainer-Guidelines