Glad to see that Homebrew is taking security seriously. Still, I want to minimize the number of parties who can quickly get new code onto my machine.

Your doc says "Human review of each release." What does that actually entail?

uv had a release at 10:21am yesterday with 7,060 additions and 2,409 deletions. The new release was available in homebrew at 11:46am. What human review happened there?

I don't know of any other OS package manager that ships code this quickly to users. Arch Linux has not pushed the new release of uv yet, for example.

▲

mikemcquaid 4 hours ago | parent [-]

Our automation or a human submitted a PR, it was built and tested in our sandboxed ephemeral CI environments, a human Homebrew maintainer reviewed the CI results and PR diff and approved it for merge which happened automatically if so.

If the ask is "who reviewed the diff": yes, a human didn't do that. That's not actually happening for all packages in any meaningful large ecosystem. I'm still unconvinced a cooldown solves that until e.g. we have an open source security scanner that runs on all Homebrew packages and requires a cooldown. Even in that case, my suggestion would be that we just run it in our own CI and block package release.

	▲	broxit 4 hours ago \| parent [-]
		> Even in that case, my suggestion would be that we just run it in our own CI and block package release. I agree. > open source security scanner that runs on all Homebrew packages and requires a cooldown. I think that is where all this is going in the longterm. Until then, any upstream shenanigans are more likely to surface in hours 0-48 after a new release than hours 0-4.