top | item 26937671


rsa25519 | 4 years ago

> Linux distributions don't depend on running random code from GitHub repositories like Homebrew does, it has package repositories.

Is the Homebrew github repo not a package repository?


heavyset_go | 4 years ago

Anyone can upload a Homebrew formula to Github that installs a malicious binary via brew.

Debian, for example, has trusted build systems that compile packages for their package repositories, and some packages already have reproducible builds[1].

Package repositories on Linux tend to provide the sources and binaries needed to install software. Homebrew just supplies formulas on GitHub, which only contain instructions on how to fetch and install externally hosted binaries, or instructions on how to fetch and install via externally hosted source code.

[1] https://wiki.debian.org/ReproducibleBuilds
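An added example (not from this thread and not Homebrew's own code) of the fetch-and-install pinning described above: a formula's `url` is paired with a `sha256`, so a downloaded artifact can be checked against the digest the formula author committed, while a formula revision that moves the `url` and re-pins the `sha256` passes that hash check by construction and can only be caught by reviewing the formula change itself. The formula text and artifact bytes here are constructed, and the pinned digest is computed from those bytes so the script runs offline.

```python
import hashlib
import re

# Constructed example: a tiny formula in Homebrew's Ruby DSL (not a real formula).
# The url/sha256 pair pins the externally hosted artifact to one expected digest.
GOOD_ARTIFACT = b"constructed tarball bytes, stands in for example-1.0.tar.gz\n"
GOOD_DIGEST = hashlib.sha256(GOOD_ARTIFACT).hexdigest()  # computed so the example runs offline
FORMULA = f'''class Example < Formula
  desc "Constructed example formula"
  homepage "https://example.invalid/"
  url "https://example.invalid/releases/example-1.0.tar.gz"
  sha256 "{GOOD_DIGEST}"
end
'''

PIN_RE = re.compile(r'^\s*(url|sha256)\s+"([^"]+)"', re.M)


def parse_pins(formula_text):
    """Return {'url': ..., 'sha256': ...} from formula text; raise if either pin is missing."""
    pins = {key: value for key, value in PIN_RE.findall(formula_text)}
    if "url" not in pins or not re.fullmatch(r"[0-9a-f]{64}", pins.get("sha256", "")):
        raise ValueError("formula lacks a usable url/sha256 pin")
    return pins


def verify_artifact(artifact_bytes, pins):
    """True only if the fetched bytes match the digest pinned in the formula."""
    return hashlib.sha256(artifact_bytes).hexdigest() == pins["sha256"]


def changed_pins(old_text, new_text):
    """Review aid: list which pins a formula revision changes (url, sha256, or both)."""
    old, new = parse_pins(old_text), parse_pins(new_text)
    return sorted(k for k in ("url", "sha256") if old[k] != new[k])


if __name__ == "__main__":
    pins = parse_pins(FORMULA)
    print("artifact matches pin:", verify_artifact(GOOD_ARTIFACT, pins))       # True
    print("tampered download  :", verify_artifact(GOOD_ARTIFACT + b"x", pins))  # False
    # A revision that moves the url and re-pins the digest passes the hash check
    # by construction; only review of the formula change itself flags it.
    revised = FORMULA.replace("example-1.0.tar.gz", "example-1.0-mirror.tar.gz")
    revised = revised.replace(GOOD_DIGEST, hashlib.sha256(b"other bytes").hexdigest())
    print("pins changed by revision:", changed_pins(FORMULA, revised))          # ['sha256', 'url']
```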

reshlo | 4 years ago

Homebrew has build servers that compile pre-built binaries.[1] Most of the common software that people install with it (not considering Casks) comes in this form.

It’s not the case that anyone can upload a malicious formula, either. They do review requests to update formulas.

[1] https://docs.brew.sh/Bottles

iudqnolq | 4 years ago

There was a post today about their auto version upgrade PR bot. I don't think any distro does that.