[heavyset_go]

Linux distributions don't depend on running random code from GitHub repositories like Homebrew does, it has package repositories. If those package repositories are compromised, Homebrew isn't going to save you, because you won't be able to trust your system at all at that point.

If you can't trust the software you're installing, it makes much more sense to run it in unprivileged containers or VMs than relying on account-level security. If a malicious package is distributed via Homebrew, it can still do a lot of damage running as your current user, as any data or resource accessible to your user can be exploited or exfiltrated.

I tend to agree with what another HN member wrote about sudo/root and Homebrew: https://saagarjha.com/blog/2019/04/26/thoughts-on-macos-pack...

[rsa25519]

> Linux distributions don't depend on running random code from GitHub repositories like Homebrew does, it has package repositories.

Is the Homebrew github repo not a package repository?

[heavyset_go]

Anyone can upload a Homebrew formula to Github that installs a malicious binary via brew.

Debian, for example, has trusted build systems that compile packages for their package repositories, and some packages already have reproducible builds[1].

Package repositories on Linux tend to provide the sources and binaries needed to install software. Homebrew just supplies formulas on GitHub, which only contain instructions on how to fetch and install externally hosted binaries, or instructions on how to fetch and install via externally hosted source code.

[1] https://wiki.debian.org/ReproducibleBuilds

[reshlo]

Homebrew has build servers that compile pre-built binaries.[1] Most of the common software that people install with it (not considering Casks) comes in this form.

It’s not the case that anyone can upload a malicious formula, either. They do review requests to update formulas.

[1] https://docs.brew.sh/Bottles

[iudqnolq]

There was a post today about their auto version upgrade PR bot. I don't think any distro does that.