> not answering a simple yes or no question

Here you go:

> Do you have published security reviews of your infrastructure?

Beyond https://hackerone.com/homebrew/hacktivity and https://brew.sh/2018/08/05/security-incident-disclosure/: no.

> Otherwise you're asking us to just trust you.

Yes.

> it's not clear who has access to it

A subset of the documented Homebrew maintainers who manage our ops/infrastructure.

> such as who reviews the commits

The maintainers and additional trusted users.

> the precautions taken by bintray to prevent and detect tampering with packages

Packages require a manual publishing step, are checksummed and are frozen on their CDN a while after publishing.

> most formula pull requests need to be reviewed but does not go over what this entails

This is part of the onboarding and training of new maintainers.

> Is there a set of maintainers who handle security sensitive formula, like openssl, gnupg, and tor?

Not a specific set, but they receive extra time, review and attention to their source URLs.

---

I expect some of that will not be good enough for you, in which case: please either get involved to help us make it better (we are unpaid volunteers) or use another tool. This is how open source works.