new | show | ask | jobs Github

colesantiago 3 days ago

What's the problem with Homebrew?

> It's better to simply point at the binaries directly.

Binaries aren't at all signed and can be malicious and do dangerous things.

Especially if it's using curl | bash to install binaries.

▲

yoavm 3 days ago | parent | next [-]

Are you using Homebrew on Linux? Genuinely curious - I never met a Linux user doing that.

	▲	indigodaddy 3 days ago \| parent \| next [-]
		Brew actually works very nicely for Linux and is a useful method to enable package management of cli tools/libraries at the user level. It's also widely accepted as one of the tools of choice for package persistence on immutable distros (distrobox/toolbox is also another approach): https://docs.projectbluefin.io/bluefin-dx/ Also, for example I use it for package management for KASM workspaces: https://gist.github.com/jgbrwn/28645fcf4ac5a4176f715a6f9b170...
	▲	serpix 3 days ago \| parent \| prev \| next [-]
		Linuxbrew is absolutely fantastic. No need to mess with apt repositories and can keep custom binaries separate from the os. Almost everything is there, and it just works.
	▲	embedding-shape 3 days ago \| parent \| prev [-]
		At least one other person also does: > as long as I have a basic Linux environment, Homebrew, and Steam https://xeiaso.net/blog/2025/yotld/ (An year of the Linux Desktop) I guess some post-macOS users might bring it with them when moving. If it works :shrug:

▲

-mlv 3 days ago | parent | prev [-]

I had some issues with brew breaking up my system and pkg-config.

▲

colesantiago 3 days ago | parent [-]

It is a bit hard to know what the issue is here.

But on average brew is much more safer than downloading a binary from the ether where we don't know what it does.

I see more tools use the curl | bash install pattern as well, which is completely insecure and very vulnerable to machines.

Looks like the best way to install these tools is to build it yourself, i.e. make install, etc.

▲

garblegarble 3 days ago | parent [-]

>the best way to install these tools is to build it yourself, i.e. make install, etc.

And you're fully auditing the source code before you run make, right? I don't know anyone who does, but you're handing over just as much control as with curl|bash from the developer's site, or brew install, you're just adding more steps...

▲

colesantiago 3 days ago | parent [-]

> And you're fully auditing the source code before you run make.

I mean you can?

But that is the whole point when the source is available, it is easier to audit, rather than binaries.

Even with brew, the brew maintainers have already audited the code, and it the source to install and even install using --HEAD is hosted on brew's CDN.

	▲	garblegarble a day ago \| parent [-]
		>Even with brew, the brew maintainers have already audited the code Realistically, how much are they auditing? I absolutely agree with your sentiment that it's better than a binary, but I think the whole security model we have is far too trusting because of the historically overwhelming number of good-faith actors in our area both in industry and hobbyists