by tucosan 694 days ago
The main attack vector IMHO is the simple fact that one can sneak in new packages with malicious intent by simply contributing a new formula. The team of maintainers is too small to audit all of the newly contributed formulae. I'm surprised that this attack vector wasn't part of the audit.
3 comments

I don’t think the current Homebrew core formulae reviewers consider their team too small to sufficiently review all new incoming formula requests. But even if it was: this is one of the vagaries of packaging that’s explicitly called out in the post: the boundary between first- and third-party execution is inherently murky, and there’s IMO relatively more security “value” in determining where third-party execution can surprisingly happen than pointing out all of the unsurprising things that happen when you intentionally run third-party code.

(With that being said, I think packaging ecosystems in general should be reviewed for those kinds of acceptance processes. But that would be closer to a “red team” style audit than a software audit, since it’s about human processes.)

They noted that and just assume formulae are trustworthy.

> ... These avenues do not necessarily violate Homebrew’s core security assumptions (which assume trustworthy formulae),...

Yeah, I just had a scare the other day with someone downloading a console emulator called "Cmder" which is a collection of a bunch of FOSS tools. It literally had ~1,000 files that could be malicious including powershell scripts, perl scripts, python scripts, shell scripts, DLLs, EXEs, etc. It turned out it was benign, but it's really scary that people just clone these Git repos and hope for the best.