I understand you do not intend to be dismissive; however, not answering a simple yes or no question in your last two responses appears dismissive. I could not find any information about the security audits performed and a summary of their results, so I ask again: is there a summary of the security audits published publicly?

I have looked at the Homebrew docs page. There is a document linked that describes how bottles are built [1], but it's not clear who has access to it and what safeguards are in place to prevent a malicious maintainer from spreading malware through it (such as who reviews the commits), and it doesn't list the precautions taken by Bintray to prevent and detect tampering with packages (and a user has to trust that they are in place and sufficient, and trust Bintray to not tamper with them). Another page says that most formula pull requests need to be reviewed but does not go over what this entails [2]. This alarming text, however, does appear in your maintainer guidelines [3]:

> Verify the formula works if possible. If you can’t tell (e.g. if it’s a library) trust the original contributor, it worked for them, so chances are it is fine. If you aren’t an expert in the tool in question, you can’t really gauge if the formula installed the program correctly. _At some point an expert will come along, cry blue murder that it doesn’t work, and fix it. This is how open source works._ Ideally, request a test do block to test that functionality is consistently available.

Is there a set of maintainers who handle security-sensitive formula, like openssl, gnupg, and tor?

[1] https://docs.brew.sh/Brew-Test-Bot
[2] https://docs.brew.sh/How-To-Open-a-Homebrew-Pull-Request
[3] https://docs.brew.sh/Maintainer-Guidelines
Here you go:
> Do you have published security reviews of your infrastructure?
Beyond https://hackerone.com/homebrew/hacktivity, https://brew.sh/2018/08/05/security-incident-disclosure/: no.
> Otherwise you're asking us to just trust you.
Yes.
> it's not clear who has access to it
A subset of the documented Homebrew maintainers who manage our ops/infrastructure.
> such as who reviews the commits
The maintainers and additional trusted users.
> the precautions taken by bintray to prevent and detect tampering with packages
Packages require a manual publishing step, are checksummed, and are frozen on their CDN a while after publishing.
> most formula pull requests need to be reviewer but does not go over what this entails
This is part of the onboarding and training of new maintainers.
> Is there a set of maintainers who handle security sensitive formula, like openssl, gnupg, and tor?
Not a specific set but they receive extra time, review and attention to their source URLs.
---
I expect some of that will not be good enough for you in which case: please either get involved to help us make it better (we are unpaid volunteers) or use another tool. This is how open source works.