Homebrew 4.0.0

456 points | robin_reala | 3 years ago | brew.sh

388 comments

[+] modernerd|3 years ago|reply
> brew update will now be run automatically less often (every 24 hours rather than every 5 minutes) and these auto-updates will be much faster as they no longer need to perform the slow git fetch of the huge homebrew/core and homebrew/cask taps’ Git repositories.

Excellent! Thanks to the brew team for this — it was always frustrating to install something and have to wait for a full, slow update first.

[+] atonse|3 years ago|reply
I was just wondering, have they considered storing all that in an SQLite file? And then you could refresh the file every 6 hours, say, and post it on a CDN?
[+] febstar|3 years ago|reply
> no longer need to perform the slow git fetch

Nice. Rust Cargo is also trialling out something similar.

[+] arthurcolle|3 years ago|reply
`export HOMEBREW_NO_AUTO_UPDATE=1; brew install whatever`

maybe even just create an aliased sh function that just prepends that instead of typing it out each time.

I've been doing that forever. It really is incredibly annoying how it just keeps endlessly running without doing some gymnastics (yeah sure I could add that env var set to 1 in my zshrc but I mean it's just a silly default behavior)

[+] tambourine_man|3 years ago|reply
I use homebrew like a black box. I’m glad it exists, but I have no idea how it works and why it’s so complicated. When something breaks and Google is no help I just nuke it and start from scratch.

It’s only happened twice in more than a decade, but I still have the feeling that I was better off compiling stuff manually and cultivating a tidy /usr/local/bin like I did in early 2000s. But it’s probably rose-colored glasses and I’d definitively never take the time these days.

[+] acdha|3 years ago|reply
I think you’re right about the rose-colored nostalgia: it’s easy to forget how far behind people got on updates. I remember so many support emails where someone had hit a bug which had been patched a year earlier but never thought to install it. A couple of times where people reinvented something which had been added to PHP in the meantime because they didn’t know it was there.
[+] FnuGk|3 years ago|reply
> It’s only happened twice in more than a decade, but I still have the feeling that I was better off compiling stuff manually and cultivating a tidy /usr/local/bin like I did in early 2000s. But it’s probably rose-colored glasses and I’d definitively never take the time these days.

That's exactly what homebrew does.

[+] wg0|3 years ago|reply
How to nuke it? Just in case...
[+] anshargal|3 years ago|reply
While I use Homebrew on my Mac — it is a major risk. I am afraid that the project is not following strict security policies and will be compromised at some point. Evil package or evil version of brew can steal or modify my data.

I think this will also hurt the Mac platform. I wish Apple would invest some effort into building an App Store for cli programs. While it may be complicated for the community (require signing, sandboxing, developer effort), it is likely to have better security guarantees than Homebrew.

[+] woodruffw|3 years ago|reply
> While I use Homebrew on my Mac — it is a major risk. I am afraid that the project is not following strict security policies and will be compromised at some point. Evil package or evil version of brew can steal or modify my data.

This is a genuine question: what is your threat model, and what security policies would you like to see? It's hard to imagine a threat model that assumes an "evil version of brew" that doesn't also prevent you from installing any third-party software on your machine. Malicious packages are always possible, but Homebrew's integrity checks do an adequate (but improvable!) job of making such attacks auditable; I'm not aware of any successful supply-chain attacks mounted against Homebrew users.

I have a lot of experience with various package managers, and Homebrew is not particularly out of band with its peers (which should be read, partially, as a general indictment of packaging practices).

[+] vlunkr|3 years ago|reply
The Mac App Store is pretty terrible. I wouldn’t trust them to do a better job with CLI programs than they currently are with desktop ones.
[+] rpgbr|3 years ago|reply
I'm not a very technical person, but I think MacPorts adheres better to macOS standards and security practices. (At least it asks my admin password before any major interaction.) Been using for a few years, coming from Homebrew, and it's running smoothly.
[+] ianai|3 years ago|reply
Or just hire a few FTEs to properly support and maintain the CLI. Pull in new FreeBSD base at releases if they really want to axe their overhead. It's always just read as absolutely lazy how slowly the CLI progresses. Hire a few more and they could absolutely offer a package repo. This company dwarfs Red Hat prior to acquisition.

A company like Apple could kick whatever money to an OSS project and write it off as charity for taxes, I think for that matter.

[+] jbverschoor|3 years ago|reply
Same here.. I just want a default sandbox (no network + only file access to its subdirectories)

The alternative is to run VMs/containers/etc for each project. But at that point, it will be the beginning of the end for Apple's software, cause you're essentially running linux and using macOS as a terminal/thin client.. (Unix) devtools is how they got big with OS/X, and I think they sometimes forget this.

[+] rswail|3 years ago|reply
They have, it's called MacPorts. It started as a port to Darwin of the existing *BSD ports and (I believe) is subsidized by Apple.

It installs itself in /opt/local, it respects the Apple SIP.

Homebrew basically sucks, because it doesn't follow Unix conventions and it doesn't follow MacOS conventions.

MacPorts has both pre-compiled and build-from-source, supports current and past MacOS releases, uses xcode/clang for compilation, supports port variants and multiple versions installed in parallel (with "port select" to choose a default) etc etc.

Not sure why people use anything else.

[+] ubertaco|3 years ago|reply
No thank you. I don't want a walled garden where Apple has absolute authority to enforce anti-competitive policies like they do with the existing App Store (especially on iOS), and where they require you to pay an annual fee to publish anything, and where they tie everything to an AppleID.

I use a Macbook for work, and every day I go without having to create an AppleID is a good day.

What I want is a dang CLI package manager, and Homebrew is pretty alright at that. No, it's not perfect, but it's far better than anything Apple has done related to app stores.

[+] noptd|3 years ago|reply
By this logic, the ability to install arbitrary software is a major risk.

I strongly disagree with this stance, and it's a very authoritarian one at that. The common people can't be trusted with freedom so we should give up that freedom and trust in <insert authority here>. I find this stance morally repugnant and entirely at odds with where the future of technology should be going.

Tl;Dr: Hard disagree. Some of us prefer to use our computers as general computing devices, as opposed to just being desk-driven iPhones.

[+] nrvn|3 years ago|reply
This, absolutely!

Apple should close this gap and I am puzzled why they have not done that yet. Because even for iOS development people need things beyond the xcode toolchain and they resort to either of the available options. Homebrew is just one of them.

Not only cli app store but the mac app store also badly needs some love.

[+] vorpalhex|3 years ago|reply
Yes.

If you install untrusted code, it can do nefarious things.

No platform can save you from yourself.

[+] cunningfatalist|3 years ago|reply
Working on a Mac wouldn't be the same without Homebrew. Thanks for all the hard work!
[+] ripley12|3 years ago|reply
I feel the same way about Linux - big thanks to the Homebrew team.
[+] bsnnkv|3 years ago|reply
I have a lot of love for Homebrew from many years of using it, but I don't think you'll ever find me using it in macOS or Linux again. I use Nix on both now and I'm convinced that it is the saner way of doing things.
[+] Lio|3 years ago|reply
Thanks for the hard work everyone. I've used brew and brew installed software almost every day since it was first launched way back when.

Mike, Max and the gang have materially improved my life at least, cheers! :D

[+] gandalfgeek|3 years ago|reply
Just came here to say big thanks to the Homebrew crew. First thing I install on a new Mac.

There's so much thankless toil that goes into maintaining package infrastructure that we all just take for granted. Thank you!

[+] throw0101c|3 years ago|reply
On macOS, has anyone moved from/to MacPorts to/from Homebrew? Why did you move? What are the pros and cons of each system?
[+] nishs|3 years ago|reply
I moved from Homebrew to MacPorts on a local, personal-use Intel Mac.

I chose Homebrew some years ago when I was not as experienced a programmer, because it was more popular than MacPorts. When I revisited the choice last year, I chose MacPorts.

On Homebrew:

* It has a Frankenstein permissions model; for example "brew install" writes files into /usr/local/* with your regular user account as the owner of the files.

* The permissions model means that Homebrew-managed parts of the system become a single user system, as far as I know. Multiple user accounts on the same Mac can't easily use Homebrew, as far as I know, and I dislike software with such design choices.

* Noisy messages and undesired colors in the command line output.

These issues are absent in MacPorts. Overall, MacPorts appears more mature and more Unix-like than Homebrew.

The cons of the move are that not all the packages I want are available in MacPorts. However I have sufficient experience now to package crucial missing ones into MacPorts.

[+] acdha|3 years ago|reply
I switched from MacPorts to Homebrew very early on because it was better contained. I had to support developers who would build with MacPorts and end up with something which would crash with a linker error when they shared it with someone off the team because it was using a MacPorts binary in a non-standard location, or whose shell scripts broke expecting a GNU CLI utility version which was in their path but not their users. MacPorts also took forever to build since it dragged in so many replacements for system libraries.

Homebrew has done a much better job of staying out of the way.

[+] callahad|3 years ago|reply
Moved from Homebrew and Nix to MacPorts for a while around the M1 transition. Came away quite liking MacPorts; it was simple, and it worked.

Moved back to Nix when it was ready for Apple Silicon, mainly for better isolation / reproducibility, ephemeral environments, and parity with my other systems. But if I need something that's not in nixpkgs, I'll look at MacPorts first.

[+] dchest|3 years ago|reply
Moved a long time ago, mostly because MacPorts installed their whole own world of dependencies, while Homebrew used system libraries where possible.
[+] bluenose69|3 years ago|reply
You have 3 questions.

1. I have used Fink. And I have used MacPorts. Now I use Homebrew.

2. When I get super-annoyed with a system, perhaps because it has entered a state where it won't update, I do a web search to see if folks have jumped from that ship to another. If there is a consensus, I jump with the crowd. If not, I try to clear the decks, e.g. reinstalling from scratch, to see if I can improve my situation.

3. I don't have a list for you on the pros and cons. There may be some merit in choosing a system that is widely used, because then others might be able to help you if you encounter problems. By that measure, I think Homebrew is the best choice at the moment. But I've no reason to think there won't be something else just around the corner. I wish Apple would get in this game, but after so many decades of Apple standing by without acting, I am not especially sanguine.

[+] yamtaddle|3 years ago|reply
MacPorts to Homebrew back in uh, 2013ish, maybe?

MacPorts had broken multiple times in a year, under totally ordinary operation (nothing weird, just installing and uninstalling packages without doing anything that ought to be risky). A couple times I'd decided it was easier to just delete its entire directory and start over. Big rpm-hell vibes from the bad old days.

Switched to Homebrew. It's broken a couple times in a decade or so, only on OS upgrades. Easy fixes. I like the sudo-free package management. I like that it lets me manage a lot more of my software than MacPorts did (bigger selection, and "casks" for commercial software, which are now integrated into the main UI so that's not even some extra thing to learn anymore—it feels like being back on Gentoo with a good binary package cache)

[+] sirodoht|3 years ago|reply
Moved from homebrew to nix. Haven't looked back. If something is not on nix, I just build/compile it myself.
[+] eviks|3 years ago|reply
Switched to MacPorts on an older machine which Homebrew dropped support for (and deleted all prebuilt binaries)

While neither is great as a package manager, especially with their dependency resolution, here are a few pros&cons:

Apps: ++ Brew has a much more up-to-date collection, also more non-source binaries.

App customization: + Port, Brew dropped support for custom install flags a while ago + Brew you can set up autoupdate for your personal customizations with github actions since the main repo is using them, Ports does it manually, so you can't copy&paste their action for your use (+ Brew allows you to install Mac .app bundles in a custom folder)

Security: + Ports has a slightly better security model (folder permissions are better though I think it only matters for multi-user machines, so mostly not relevant; it also does some sandboxing on install via a specially created user), the downside is annoying sudo, but you can remove the need for sudo for some less sensitive ops like update/uninstall to cut down on the annoyance

Space: + Brew. Both waste it with their poor package repository architecture, but with Brew you can at least delete the repo after the first install and use their API to download updates. With Ports you can't do that, moreover it duplicates its registry (one for sync, uncompressed, another for local use)

Docs: + Brew, also random Google/SO answers are less likely to be outdated

UI: + Brew. Has more info (like size), better formatted

[+] anacrolix|3 years ago|reply
Rewrite it in something compiled already, it's insanely slow
[+] dividedbyzero|3 years ago|reply
One thing about Homebrew that's really great and somewhat obscure is that you can use Ruby code inside brewfiles. I use that to have just one brewfile in yadm and make it do slightly different things on work vs personal laptop.
[+] dmillar|3 years ago|reply
TIL homebrew updated(s) itself automatically
[+] Mystery-Machine|3 years ago|reply
I despise, despise, Homebrew's "we know better than you" approach to always installing the latest versions of every dependency. How tf is this fine? They don't even offer an alternative. They just say "we can't test all of the packages installed and all version combinations, so this is the best we can do". Well, no one asked you to test my exact setup. All I'm asking for is: if I have perfectly working Node 18 and I need to install fcking Shopify CLI, don't fcking install Node 19 and break my whole setup! Tf?!
[+] aa-jv|3 years ago|reply
I wish we could get the industry to understand that when you build-in analytics and make it hard for people to opt out, you're using their resources.

Sure, people don't pay for things like Homebrew (can they even?) - but this is no reason to extract resources from end users without their consent or agency.

I have to work very hard to get something like Homebrew installed and in-use in my organization - the IT guys detest it, since they don't have the wherewithal to understand it (or else they'd be higher-paid developers) so when I finally do get it installed and in use (because it is a very productive tool), having it phone home just makes the situation worse. IT guys have asked for my blood on more than one occasion, just because they see something 'uncontrollable' phoning home .. this does a lot more harm than good.

That said, homebrew has been absolutely responsible for making MacOS usable for development purposes in this ol' hackers lab, so I'll keep using it - but I sure do wish they'd care a little more about the position they put us in, having to justify the use of it to IT guys ..

EDIT: Thinking about it, I'm actually not averse to phoning-home, just the automatic/hidden nature of it. If brew asked me, every 5 or so times that I ran it, if I would like to participate in sending anonymized analytics to the brew devs, and showed me what was being sent (instead of obfuscating it), I'd be a lot more inclined to click "[Yes] - this one time" almost every single time ..

[+] eesmith|3 years ago|reply
How is it hidden or hard to opt-out? From https://docs.brew.sh/Analytics you can opt out using:

  export HOMEBREW_NO_ANALYTICS=1

-or-

  brew analytics off

The installer gives a warning message before sending the first analytics, with a pointer to the above URL for how to disable analytics. From install.sh:

  ring_bell

  # Use an extra newline and bold to avoid this being missed.
  ohai "Homebrew has enabled anonymous aggregate formulae and cask analytics."
  echo "$(
    cat <<EOS
  ${tty_bold}Read the analytics documentation (and how to opt-out) here:
    ${tty_underline}https://docs.brew.sh/Analytics${tty_reset}
  No analytics data has been sent yet (nor will any be during this ${tty_bold}install${tty_reset} run).
  EOS
  )
  "

> and showed me what was being sent (instead of obfuscating it),

According to that https://docs.brew.sh/Analytics page, to see what it sends:

  You can also view all the information that is sent by Homebrew’s
  analytics by setting HOMEBREW_ANALYTICS_DEBUG=1 in your environment.
  Please note this will also stop any analytics from being sent.

I verified that using it dumps JSON analytics to the terminal, and it didn't seem that obfuscated, given the documentation in that Analytics page.
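
An added example (not part of the comment above and not Homebrew's own code): a POSIX shell check an administrator could run over users' shell startup files to see whether the `HOMEBREW_NO_ANALYTICS=1` opt-out quoted above is actually in effect. The function names, status labels and sample files are constructed for illustration; only the value `1` shown on this page is treated as an opt-out, and the `brew analytics off` route is not detected.

```shell
#!/bin/sh
# Added example: audit shell startup files for the Homebrew analytics opt-out.
# Status values (labels chosen for this example):
#   opted-out : last active assignment is HOMEBREW_NO_ANALYTICS=1
#   review    : variable is assigned, but to something other than 1
#   not-set   : no active assignment (commented out, or unset afterwards)
#   missing   : file does not exist

analytics_status() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "missing"
        return 0
    fi
    # Drop comment lines, then reduce each relevant line to "unset" or
    # "=<value>". Only the last such line decides the result.
    last=$(sed -n \
        -e '/^[[:space:]]*#/d' \
        -e 's/^[[:space:]]*unset[[:space:]]\{1,\}HOMEBREW_NO_ANALYTICS\([^A-Za-z0-9_].*\)\{0,1\}$/unset/p' \
        -e 's/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}HOMEBREW_NO_ANALYTICS=\([^[:space:];#]*\).*$/=\2/p' \
        "$file" | tail -n 1 | tr -d "\"'")
    case $last in
        '' | unset) echo "not-set" ;;
        '=1')       echo "opted-out" ;;
        *)          echo "review" ;;
    esac
}

# Print "<status> <path>" for every file given.
audit_files() {
    for f in "$@"; do
        printf '%-10s %s\n' "$(analytics_status "$f")" "$f"
    done
}

# Constructed sample startup files covering the cases above.
make_samples() {
    dir=$1
    printf '%s\n' 'export HOMEBREW_NO_ANALYTICS=1' > "$dir/optout"
    printf '%s\n' '# export HOMEBREW_NO_ANALYTICS=1' > "$dir/commented"
    printf '%s\n' 'export HOMEBREW_NO_ANALYTICS=1' \
                  'unset HOMEBREW_NO_ANALYTICS' > "$dir/unset_later"
    printf '%s\n' 'export HOMEBREW_NO_ANALYTICS="0"' > "$dir/zero"
    printf '%s\n' 'HOMEBREW_NO_ANALYTICS=1; brew install whatever' > "$dir/inline"
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_files "$demo_dir/optout" "$demo_dir/commented" "$demo_dir/unset_later" \
            "$demo_dir/zero" "$demo_dir/inline" "$demo_dir/absent"
rm -rf "$demo_dir"
```

In real use, pass the actual startup files (for example each user's `.zshrc` and `.zprofile`) to `audit_files`.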
[+] d12bb|3 years ago|reply
> EDIT: Thinking about it, I'm actually not averse to phoning-home, just the automatic/hidden nature of it. If brew asked me, every 5 or so times that I ran it, if I would like to participate in sending anonymized analytics to the brew devs, and showed me what was being sent (instead of obfuscating it), I'd be a lot more inclined to click "[Yes] - this one time" almost every single time ..

I'd take a minute to rip the fckng line of code bugging me every 5 installs out of the code. Thing is, if you make telemetry opt-in, it's the same as just not adding it in the first place. Only a handful of users will opt in, rendering the data pretty much useless, especially as it's install and install-fail counts.

If they included any personal data, it'd be opt-in by law (at least here in EU). As they don't, they don't have to, and I'm fine with it.

[+] bdsa|3 years ago|reply
> the IT guys detest it, since they don't have the wherewithal to understand it (or else they'd be higher-paid developers)

seems like an unfair characterisation (having been both!)

[+] Mystery-Machine|3 years ago|reply
Isn't it illegal, under GDPR, to track users without their consent?
[+] toastercat|3 years ago|reply
I used Linuxbrew for a while before switching completely to nix-pkg due to some recurring issues I had downloading some packages. nix-pkg is quite nice and noticeably faster, although rough around the edges, and the commands are hard to remember (so I just set some aliases), but overall I am happy.
[+] wg0|3 years ago|reply
Thank you. I tend to rely on it even for open source GUI apps because the experience of installing/removing packages has been smooth (at least for me) so even on Ubuntu, I find myself using brew instead of apt/snap for personal use.

Side question - what can we do about improving security? Of the possibility that packages are not poisoned? Some sort of central CA/GPG or similar requiring to sign the packages or there would always be some holes and it is a hard problem to solve?

[+] ossusermivami|3 years ago|reply
I am grateful for brew! I have a macbook that I use sometimes and it lets me install software easily on it...
[+] unconed|3 years ago|reply
I wonder how many more major versions until "brew update" and "brew upgrade" finally just do the same thing.

"But they're not the same!"

I don't care.

[+] rainboiboi|3 years ago|reply
Thank you for the hard work in maintaining Brew!
[+] mkrishnan|3 years ago|reply
well, still needs `sudo` :( :(