|
|
|
|
|
|
by heavyset_go
1887 days ago
|
|
|
Anyone can upload a Homebrew formula to Github that installs a malicious binary via brew. Debian, for example, has trusted build systems that compile packages for their package repositories, and some packages already have reproducible builds[1]. Package repositories on Linux tend to provide the sources and binaries needed to install software. Homebrew just supplies formulas on GitHub, which only contain instructions on how to fetch and install externally hosted binaries, or instructions on how to fetch and install via externally hosted source code. [1] https://wiki.debian.org/ReproducibleBuilds |
|
|
It’s not the case that anyone can upload a malicious formula, either. They do review requests to update formulas.
[1] https://docs.brew.sh/Bottles