I will never use Homebrew again because I'm still sore that they dropped support for a Mac OS version that I was still using and couldn't upgrade because Apple didn't support my hardware anymore.
Any decent project should have a way to install without Homebrew. It's really not necessary.
> and couldn't upgrade because Apple didn't support my hardware anymore
I'd classify that as an Apple problem rather than a Homebrew problem. If Apple themselves cannot be arsed to support an OS version, why would a volunteer project take on such a challenge?
For every piece of software I've fetched using Homebrew, there's a "compile from source" option available on Github or some other source repo.
>I will never use Homebrew again because I'm still sore that they dropped support for a Mac OS version that I was still using and couldn't upgrade because Apple didn't support my hardware anymore.
How old was it? With macOS "running an old version" is not really a viable or advisable path beyond a certain point. Might be something people want to do, might be a great option to have, but it's not very workable nor supported by Apple and the general ecosystem.
>Any decent project should have a way to install without Homebrew. It's really not necessary.
We don't install homebrew because it's necessary, but because it's convenient. No way in hell I'm gonna install 50+ programs I use one by one using the projects' own installers.
Besides, if "Homebrew dropped support" is an inconvenience, "manually look for dozens of individual installers or binaries, make sure dependencies work well together, build when needed, and update all that yourself again manually" is even more of an inconvenience. Not to mention many projects on their own drop support for macOS versions all the time, or offer no binaries or installers.
Why not use MacPorts, which currently supports all the way back to Leopard, has far more packages than Homebrew, has a better design, and was created by the creator of the original FreeBSD ports system who also worked on Apple's UNIX team?
The ubiquity of Homebrew continues to confound me.
Or use Homebrew on the old OS with TigerBrew (https://github.com/mistydemeo/tigerbrew), but people online suggest MacPorts, not only because it has first-party support but also because it’s apparently better designed.
I wish mac users would stop using homebrew and use a real package manager with actual dependency management.
At the very least, replace homebrew with something like devbox which has `devbox global` for globally managing packages, it uses nix under the hood, and it's probably the simplest most direct replacement for homebrew.
I don't agree this is an issue and I'll tell you why: Homebrew isn't responsible for keeping the system functional like apt or pacman, it's a supplemental thing. I've also found it's useful in this capacity on Linux specifically with LTS distros, I can get the latest fzf or zoxide or whatever without having to add some shady repo.
I use MacPorts because of older versions of Homebrew having a weird and insecure design. [1] I think some of those design issues may have been fixed, but I’m wary of Homebrew.
It's not necessary because Mac applications shouldn't have any dependencies other than the OS. (Whatever additional libraries they use should be included.) This should also be true of basic developer tools. Once you're in a particular ecosystem, tools like deno, npm, or uv can handle their own dependencies.
Alternatively, you could do development in a container and use apt-get there. That's probably safest now that we're using coding agents.
I wish the mac users would switch to a real OS, linux, so that software companies would release linux versions of stuff first.
Codex, Claude Desktop, etc etc all starting out as "macOS exclusive" feels so silly when they're targeting programmers. Linux is the only OS a programmer can actually patch and contribute to, and yet somehow we've got a huge number of developers who don't care about having a good package manager, don't care about being able to modify their kernel, don't care about their freedom to access and edit the code of the software they rely on to work...
It's depressing how much of the software industry is just people on macbooks using homebrew to install a newer version of bash and paying $5 for "magnet" to snap windows to the corners since their OS holds them in a prison where they can't simply build themselves a tiling window manager in a weekend.
The OS is core to your tools and workflows, and using macOS cedes your right to understand, edit, and improve your OS and workflows to a company that is actively hostile to open source, and more and more hostile to users (with a significant increase in ads and overly priced paid services over the years).
Anyway, yeah, homebrew sucks. At least nix works on macOS now so there's an okay package manager there, but frankly support for macOS has been a huge drag of resources on the nix ecosystem, and I wish macOS would die off in the programming ecosystem so nix could ditch it.
MacPorts was created by the creator of the original FreeBSD ports system who was also an Apple employee. It ought to be everyone's first choice for package management on macOS.
Huh? Homebrew supports and frequently uses dependencies between formulae. It’s a bit janky around upgrades in my experience, but you’re going to have to clarify what you mean.
That wouldn't really help, it could be more naughty and use pastejacking so you don't even realize what's happening. That might end up catching a lot of people because as far as I know by default bash doesn't use bracketed paste, so you think you're copying a real command and it ends up sending your secrets before you know what happened.
Disabling JS + bracketed paste seems to be the only good solution.
Btw the OP article uses a weird setup: why would they use `bash -c "$(curl $(echo qux | base64))"` instead of just "curl | bash"?
It's not really any different than downloading a binary from a website, which we've been doing for 30 years. Ultimately, it all comes down to trusting the source.
>> Attacks like this are not helped by the increasingly-common "curl | bash" installation instructions ...
> It's not really any different than downloading a binary from a website, which we've been doing for 30 years.
The two are very different, even though some ecosystems (such as PHP) have used the "curl | bash" idiom for about the same amount of time. Specifically, binary downloads from reputable sites have separately published hashes (MD5, SHA, etc.) to confirm what is being retrieved along with other mechanisms to certify the source of the binaries.
Which is why package managers with well-maintained repositories are the civilized solution to software disruption. Unfortunately the Linux world has been dedicating a lot of energy to making Windows-style "download and run the exe" possible on Linux.
On Mac binaries need to be signed and notarized and Apple could stop the spread of the malware once it's identified or even detect it before notarizing it.
All the homebrew packages have checksums and are versioned in git, so if the upstream website is compromised and a malware installer is put in place of the package, `curl | bash` will just install the malware, while `brew` would start erroring out and refuse to install after downloading something with a different checksum.
You also get an audit log in the form of the git repo, and you also ensure everyone's downloading the same file, since `curl | bash` could serve different scripts to different IPs or user-agents.
I don't think brew does proper build sandboxing, so like `./configure.sh` could still download some random thing from the internet that could change, so it's only a bit better.
If you want proper sandboxing and thus even more security, consider nix.
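The pinned-checksum pattern the two comments above describe (separately published hashes for a download, and brew refusing to install when the checksum differs), as an added example that is not from this thread or from Homebrew: the script is fetched to a temp file, compared against a SHA-256 pinned out-of-band, and only kept for execution if it matches, so a swapped installer or a per-User-Agent variant fails instead of running. The URL, pinned hash and output filename are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): "download, verify against an
# out-of-band hash, then run" instead of `curl | bash`. The expected digest
# is pinned by the caller (like a formula's checksum committed in git), so a
# modified script on the upstream server fails verification and is discarded.

# sha256_of FILE -> hex digest; GNU coreutils sha256sum or BSD/macOS shasum
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_file FILE EXPECTED_SHA256 -> 0 on match, 1 on mismatch.
# Never executes the file; it only compares digests.
verify_file() {
    file=$1; expected=$2
    actual=$(sha256_of "$file") || return 1
    # normalise case and stray whitespace so a pasted hash compares cleanly
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected %s\n  got      %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# fetch_verified URL EXPECTED_SHA256 OUT -> download to a temp file, verify,
# then move into place. Nothing is piped into a shell; the caller decides
# whether to run OUT only after this returns 0.
fetch_verified() {
    url=$1; expected=$2; out=$3
    tmp=$(mktemp) || return 1
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
        rm -f "$tmp"; return 1
    fi
    if verify_file "$tmp" "$expected"; then
        mv "$tmp" "$out"
    else
        rm -f "$tmp"; return 1   # refuse to keep an unverified script
    fi
}

# Usage (placeholders): PINNED_SHA256 comes from the project's release page,
# not from the same server that serves the script.
# fetch_verified "$INSTALL_URL" "$PINNED_SHA256" install.sh && sh ./install.sh
```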
Maybe tools like https://github.com/vet-run/vet could help with these projects that would rather you use their custom install script instead of complying to distro-specific supply chains.
Civilization is about cooperating with your fellow man to build great things, not bowing to the feudal lord Apple Inc.
A truly civilized person would use Linux, OpenBSD, etc, a free operating system where they may contribute fixes for their fellow man without having to beg at the boots of the single richest company on the planet with radar numbers asking for fixes from on high.
MacPorts, of course, features an actual .pkg installer, as well as doing pretty much everything else better, and having more packages, and existing first.
armchairhacker|21 days ago
If you really want, you may be able to upgrade the OS anyways with https://github.com/dortania/OpenCore-Legacy-Patcher.
[1]: https://saagarjha.com/blog/2019/04/26/thoughts-on-macos-pack...
pjmlp|21 days ago
The UNIX in macOS is good enough for my needs, and I manually install anything extra that I might require.
bugbuddy|22 days ago
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/inst...)"
Then it prompts the user for admin privileges. Also, it does not support installing as a local non-admin user.
rvz|22 days ago
You can install it via a .pkg here: [0]
[0] https://github.com/Homebrew/brew/releases/tag/5.0.13
brigandish|22 days ago
Why does anyone trust that project to understand security?
tacker2000|21 days ago
They cut support for old platforms way too fast and just in essence try to dictate far too much.