I know it’s not the focus of a code review like this, but I’m interested to hear your views on the general supply chain lifecycle problems inherent to open-source package management platforms. Principally, are vetting processes appropriate to ensure that new formulas refer to the correct source? How does the user gain confidence that their brew update is still referencing a trusted source? What happens when a domain is taken over? How quickly can the team respond to untrusted sources from formulas?

I know these aren’t all Homebrew problems to solve, but they’re important ecosystem considerations.

(These problems also exist in the winget and choco platforms, but less so in commercially supported repos like apt and yum. For me, and many other admins, they are a major concern when it comes to the Windows Store.)

Edit: lastly, in case the homebrew team are watching: an npm-style vulnerability notice would be awesome

As a SWE/EngMgr turned VC, I'm curious if there's startups or commercial companies providing some kind of assurance here (but also worried the $ TAM for solving this problem probably isn't enough to make it a standalone business).

In any case, I'd be interested in seeing an audit of Nix on Mac OS. Especially if there is a flaw in how `nix develop` and related commands work.

Nix allows me to override most of that, and I can share home manager config with my Debian workstation.

On the other hand, if Homebrew used `/usr` by default, this would be a fair characterization. But it doesn't.

Edit: a thread with a bit of the history can be found here[1].

[1]: https://github.com/Homebrew/brew/issues/9177

The Nix sandbox is also not really meant as a security boundary; there's no effort put into preventing sandbox escapes, and lots of stuff leaks from the host into the sandbox environment. You really want something like gVisor or a full VM if you want to build untrusted packages.

In Nix, flakes are pure functions and run in pure evaluation mode. One needs to consciously add a Git repository (URL + commit hash, branch, or tag) and then make use of something malicious exported by the input. But to find out what the flake exposes at all, reading the flake (or its documentation) is pretty much necessary.

    $ nix run github:NixOS/nixpkgs#hello
    Hello world!

> But to find out what the flake exposes at all, reading the flake (or its documentation) is pretty much necessary.

If the flake exposes default packages or apps, then you do not need to provide a flake attribute:

    $ nix run github:NixOS/nixpkgs
    error: flake 'github:NixOS/nixpkgs' does not provide attribute 'apps.aarch64-darwin.default', 'defaultApp.aarch64-darwin', 'packages.aarch64-darwin.default' or 'defaultPackage.aarch64-darwin'

    $ nix run github:kamadorueda/alejandra

EDIT: For what it's worth, I think this feature can be useful sometimes, but it does also suffer from the same typosquatting problems as we see in other ecosystems.

Even if I wrote this code and knew what it did today, if I come across this it a year from now, I'm left scratching my head: why did I make this change?

A real world example of a good commit message:

https://github.com/git/git/commit/92fe7c7d42cc941ed70d6fce98...

(With that being said, I think packagaging ecosystems in general should be reviewed for those kinds of acceptance processes. But that would be closer to a “red team” style audit than a software audit, since it’s about human processes.)

> ... These avenues do not necessarily violate Homebrew’s core security assumptions (which assume trustworthy formulae),...

Homebrew is great and the formulae are maintained really well but the simplicity of PKGBUILDS, the fast syncing, and lack of cognitive burden of recalling multiple arguments/flags for package managers make me wish pacman just worked on macs.

In other ports-like build systems, this can be a bit more complicated. For example, MacPorts allows you to use a local repository, but it requires configuring that local repository in `/opt/local/etc/macports/sources.conf` and `portindex` it beforehand before MacPorts could pick it up. Some others don't support building out of the main tree at all.

Personally, out of all ports-like building systems, I like MacPorts' Portfile the most. It's similar to FreeBSD Ports' BSD Makefile (MacPorts was created by Jordan Hubbard who also co-created FreeBSD Ports) but using DSL via Tcl interp instead of being a shell script (POSIX shell in the case of Alpine's APKBUILD, bash in the case of others). From my experience, the syntax is very nice to work with, though you need to know a bit of Tcl for a non-trivial package.

> Homebrew's maintainers are […long list of names…] William Woodruff […]

[1]: https://github.com/Homebrew/brew

Is there any reason this is not mentioned in the blog post? I don’t think it would make a difference, but just to clarify things.

This was all disclosed as part of a conflict-of-interest disclosure I did, both with my company and with the Homebrew maintainers, but I agree that the blog post could also say that explicitly. I’ll try and get it added today.

TL;DR: I was not a maintainer at the time the audit was performed, but I was previously (years before) and am currently a maintainer. The audit was performed by myself and my colleagues in our professional capacities.

Edit: Oh, it's "Trail Of Bits - homeBREW". But probably still yes.

(As far as I know, a lot of audit firms do similar things.)

What is your personal recommendation for Mac users? Would you suggest a different package manager and, if so, which?

“Not inconsistent” is more cautious and less assertive. It allows for some ambiguity rather than claiming perfect consistency.

It needs to convey concepts that are infinitely variable rather than binary.

When a poet or novelist says something in an unusual way, they are being more accurate not less accurate. If there is ambiguity, it is because the concept or observation they mean to express has some ambiguous element.

Trying to avoid that is just downsampling analog color reality to a 200ppi 1bpp fax.

A related concept that even the most aspbergers STEM head should be able to understand, is how a scientist almost never asserts anything unequivocally. Almost every statement is qualified with whatever is appropriate to the context. Even the most fundamental constants of the universe like the speed of light are famously relative. Are those scientists being more or less ambiguous when they decline to say something simple and direct?

Everything they don't say is deliberate and carefully crafted to be as correct as possible, not some sloppy ommission.

From that:

- create a new APFS volume for your Nix store

- update /etc/synthetic.conf to direct macOS to create a "synthetic" empty root directory to mount your volume - specify mount options for the volume in /etc/fstab: rw: read-write, noauto: prevent the system from auto-mounting the volume (so the LaunchDaemon mentioned below can control mounting it, and to avoid masking problems with that mounting service), nobrowse: prevent the Nix Store volume from showing up on your desktop; also keeps Spotlight from spending resources to index this volume

- if you have FileVault enabled: generate an encryption password, put it in your system Keychain, use it to encrypt the volume

- create a system LaunchDaemon to mount this volume early enough in the boot process to avoid problems loading or restoring any programs that need access to your Nix store

Even as someone who knows how to do all that... no thanks.

More accurately, when you use a package manager, you use the “ecosystem” including the package index and pre-built binaries, and the cli. There aren’t many alternatives to homebrew as an ecosystem, especially including cask. Macports isn’t a homebrew replacement in the sense that it doesn’t have “cask”. Nix has something similar, although not as many packages. This makes nix probably the only viable alternative to homebrew with cask.

But nix is very hard to onboard. Devbox just makes it much easier to start using in say the first 30 min.

Now I have one tool to manage all dependencies.

Other than that, it likely comes down to personal preference.

One neat thing is `devbox global push/pull ` to persist my config in a repo.

For example, if you’re on Debian but need a newer version of just one tool, it makes absolute sense to install Homebrew alongside. It’s designed to play well with the system package manager, uses its own separate prefix so it won’t cause shared libs confusion, and only shadows the packages you install with it. Nothing wrong with that inherently, and certainly not a sign of limited knowledge.

Instead of using the real deal, people generally suggest Brew because that's what they are familiar with from osx.

If you need bleeding edge of something (and don't want to build from source) we got things like flatpak, appimage directly from developers or AUR and nix and other stuff.

I'm yet to find someone proposing brew over the rest because of some new package genuinely being available only on brew only.

Some people prefer timely, high-quality, well-tested bugfixes and security updates for the underlying low-level dependencies of an app.

An upstream app developer is much less likely to provide an updated flatpak mere minutes after e.g. a critical OpenSSH security fix comes out of embargo. Distro maintainers on the other hand, such as the Homebrew core maintainers, can do that. They also have security audits, see TFA, and established processes. Nothing wrong with that at all.

> and nix

That just comes down to personal preference. Some people like Nix due to the amazing level of isolation it provides, and that’s perfectly fine. Some prefer Homebrew instead because it’s easy to use and respects the FHS.

All the things we’ve discussed so far are highly subjective, come down to personal preference, and say absolutely nothing about how skilled a user is.

Bleeding edge is handled by rolling package managers, and these often build automatically from source as soon as a commit is tagged.

I don't see a clear reason to use brew, which does everything a little bit worse. In fact, I see it as a red flag in projects since it usually indicates lack of first class Linux support.

I just noticed there's a bug with uninstalling. Probably a parsing issue, they must have changed the output of nix for that (this isn't the first time that happened...)

I've had some form of `grep '^#h ' $0` in most of my scripts forever.

This one is a purity stunt and doesn't use grep, or anything else: https://github.com/bkw777/pdd.sh

(the script itself is of no use to you since it only talks to a piece of hardware)

The command dispatcher case statement and all the embedded help is in do_cmd() at 2857, and the help reader is help() at 425

I like their explicit #args vs #help

One jank in mine is I have a verbosity level setting which affects most messages, and help() uses it to filter some of the help. Normal verbosity shows only the normal help for the normal commands. If verbosity is set higher, then help() shows more commands.

The way that's implimented in help() is extra comments that change the behavior of help() as it's scanning the file from top to bottom.

When it hits a '#v 2' it starts only displaying the help if the user has currently set verbosity>=2 until further notice. Later down the file it hits a '#v 1' and starts displaying help again...

It works but it feels kind of 70's or assembly.

  #v 1
  #h normal help for mortals
  #h ...
  #v 2
  #h don't confuse the simple folk with this dangerous powerful stuff...
  #h ...
  #v 1
  #h a few more normal commands
  #h ...
  #v 0
  #h display this even the user has set verbosity to 0 to request silence
  #h ...

I mean, this is basically all of Bash lol. A very clever idea that has endured since the 70's but also shows it... And yet we get obsessed with "writing perfect Bash" still.

The amazing thing is that there are also old "functional shells" like es-shell https://wryun.github.io/es-shell/ (he still works on this and it is indeed very interesting!)

They pointed me to an example program that would break if not run this way: Facebook's Watchman[1].

It bizarrely (to me) has hard coded paths compiled into it, which force you to run it from specific directories.

Would love to understand what's going on here and why you would ever make software work this way. I feel I'm missing a fairly obvious Chesterton's Fence.

[0]: https://github.com/orgs/Homebrew/discussions/5371

[1]: https://facebook.github.io/watchman/docs/install#prebuilt-bi...

So, based on the responses from the maintainers, for the .linuxbrew directory to be used, you have to satisfy 2 conditions:

1. you have to be installing one of the ~10% of formula that isn't trivially relocatable.

2. you have to be using a precompiled binary (which it seems like homebrew is smart enough to not do if condition #1 fails and you're not using sudo)

Any package managers that is designed to not hard code the prefix, ie you can choose where the binaries go into, needs to handle this problem and have their own ways to deal with it. Conda for example has a long string of …placehold_placehold_… to facilitate editing the hardcoded path…

Source distribution is more robust against this problem comparing to binary distribution. (But sometimes the authors of the software did not package them well and would have hardcoded some paths somewhere.)

That’s why when you change the homebrew prefix, they will built from source instead, and it (using a different prefix) might not work.

In that scenario, brew worked like a charm. It was quick, had most or even more packages than Debian/Ubuntu and they were newer. Failure to install was rare.

Then, Apple started yearly release of OS X, and that both broke brew and my system hard, so I started investigating and found out about the many "shortcuts" that brew took and how it violated systems components. I was dismayed, and abandoned brew for good.

So, I stood a period where I would use many of my tools inside a Ubuntu VM, until probably 2013-2014, when for some reason I tried again MacPorts, and I don't know why, but that time it was much more reliable, and because of Apple's insane atm SSDs with 2 GB/s bandwidth, install became quick enough. Packages were still somewhat lagging behind in available versions, but the variety of them kinda reached the levels of what was in Debian/Ubuntu, so it was good enough for me.

Then, the killer feature, I found out about macports variants and selectors, which I find the most awesome thing to this date in package managers (I haven't tried nix, still, it might be magnitude better in that regard). No needing to use rvm, pyenv, custom installs of gcc messing with make/autotools, and the only sane way of compiling various Haskell projects (before haskell-stack).

But indeed; fast SSDs, parallel compilation, and modern CPUs really help!

It was also exciting how many packages and casks were in homebrew and it was easy to make your own.

Also, back then there were lots of people experiencing package managers for the first time and they took to homebrew easily.

Then so many projects started to publish brew install links as a way to get started; homebrew felt like a default.

Now, with our faster computers, more space, and more packages installed, and macports shipping more binaries and using its own normal user, macports' duplication of dependencies looks more like an advantage than a disadvantage. And because homebrew taught so many people how to use package managers, macports is not their first so easier to start using.

I suppose it was almost 15 years ago now but this is what I recall. Homebrew was easier, snappier, and the general friction coefficient felt smaller.

It's a little funny reading this and then wonder... Why did I leave MacPorts behind? I don't think I put much thought into it at the time and rather went by feel. I was still somewhat new to this stuff having started my career more in design than development.

Homebrew had at least these things going for it:

  - it has always had a strong emphasis on presenting a simple, clean, pleasant, pretty, playful UI and executed that well
  - when it came out, source-based package managers for macOS generally didn't have any binary caching mechanisms, so compile time mattered
    - Homebrew's embrace of the base system as opposed to bringing its own dependencies bought it greater reuse at the cost of robustness, driving down total time to install many packages
  - the language that `brew` and its packages were written in was trendy at thw time as well as pre-installed on macOS, which made them instantly accessible to huge numbers of web developers
    - the older macOS package managers generally drew on traditions and tooling from the Linux world (e.g., Fink, with Debian tooling) or the wider Unix world (e.g., MacPorts and various *BSD ports systems and packages written in some Tcl IIRC).

- brew had and has many more packages available

- brew updates versions more quickly

- brew uses much more simple paths that fit my brain better

- brew has a pleasing simplicity

Whereas Homebrew targets the typical Mac user who might need a CLI application occasionally, i.e. someone looking for simplicity, without being too technically savvy.

The latter group certainly makes up a much bigger share of users on macOS, especially nowadays.

When you installed a port with brew it used as much of the OSX, X11, and XCode installed utilities as possible so it was faster and used less storage. But then you would install an update from Apple and things would break cause of that reliance, things like /usr/bin/perl.

My first exposure to Mac package stuff was fink in the early aughts - compiling everything on a Pismo G3 was pretty slow going

I’m really disappointed in how Homebrew took a lot of attention away from the existing package managers, made a bunch of terrible decisions related to packaging and flexibility and genera Unix philosophy, and then ate the world.

: shakes fist at clouds, get off my lawn

1. Not available at all in nixpkgs (e.g. Docker Desktop, BetterTouchTool, etc)

2. In nixpkgs, but completely broken or missing some architecture support (e.g. Firefox)

3. Actually available and somewhat functional in nixpkgs, but some significant features don't work because of code signing requirements and needing to be managed in the Applications folder (e.g. 1Password)

Quite a few tools do in fact work well with nix on Mac. Especially if it's FOSS and/or a cli-only based tool. And for FOSS tooling such as Firefox, there is often a convoluted workaround (I'm currently using `github:bandithedoge/nixpkgs-firefox-darwin`). And of course you can always package it yourself by doing things The Hard Way.

But the platform is still quite a ways away from being able to be used as a daily driver on Mac without Homebrew.

For alacrity, I remember it being annoying to integrate into Mac's launcher, but it otherwise worked.

Pretty much everything else was programming-related and just worked.

I don't use very many GUI apps so now that the installation piece is taken care of, I can just package everything I use if it really comes down to it. That'd be worth it for me just to get rid of the painfully slow `brew` invocations that lurk in my activation scripts.

--

1: https://github.com/hraban/mac-app-util

2: https://github.com/BatteredBunny/brew-nix

I hacked around a bit trying a few different approaches before giving up and switching back to the regular nix-Darwin homebrew approach. But the issue is probably solvable by someone who knows a lot more about how the code signing process works with Macs and the Applications folder

(Spotify didn't build because the Brew package doesn't have a hash, and Karabiner Elements didn't build bc idk why, but that's actually in Nixpkgs already and that version works fine.)

I did double-check that I have SIP enabled and everything. I'd be interested in trying to repro!

Aside: that mac-app-util works so nicely for the macOS apps that are already in Nixpkgs makes it feel much more worth it to me to package GUI apps for macOS, if that'll mean I can get rid of `brew` entirely. I wonder if this will spur others to also package more GUI apps this way.

VScode in particular was the one that broke for me, though that is actually available and mostly functional in nixpkgs so that one is not a showstopper.but might be a good test case to repro

Oh, here's that issue: https://github.com/maxgoedjen/secretive/issues/77

1Password definitely acts weird for me, to where I kind of wonder if the .app folder is malformed somehow. The version installed in the Nix store actually works fine-- but not if I double-click it or open it with the `open` command. In that case it kinda acts like something is going to launch but then it never comes up. But if I manually invoke `/Applications/Nix\ Apps/1Password.app/Contents/MacOS/1Password` from my terminal, it starts up fine! But when I directly launch that executable from Finder, the application does not start and I see that same message about not living in /Applications printed in the terminal. Idk why 1Password refuses to run from anywhere other than /Applications but that seems to be it's message rather than the operating system's.

It's a shame 1Password's Mac app can't run from the Nix store. They clearly have at least one Nixer at the company because they have cool integrations like this:

https://developer.1password.com/docs/cli/shell-plugins/nix/

I couldn't even get the Docker Desktop package to build from `brew-nix`. OrbStack in the Nix store died on signature errors, but when I visited Security & Privacy in System Preferences after that, there was a little notice that OrbStack had been blocked from running because it was from an unrecognized developer, with the option to allow it. After being allowed, it seemed to work as normal. Same for Podman Desktop.

Why do the signatures for those apps end up getting replaced with this setup anyway?

I was curious about your final question as well, but I know little about how this works. The error when I tried vscode looked to be that the signature had gotten malformed somehow during brew-nix’s copy operation but since I had no idea what a correct signature should even look like I got stumped there.

pkgsrc is by far the most KISS package manager for macOS, I like it.

I use brew, and have used pkgsrc in the past. I could go back for low pain.

Once, long ago...

My current machine is also not on the latest so I wonder if an attempt to brew update would nag me now...

I prefer the greater reliability of macports.

From what their site says it looks like it was done this way to keep ARM native stuff separate from old intel code which can still work under Rosetta. But I don't see any indication homebrew stopped linking system libraries as a matter of course (correct me if I'm wrong).

MacPorts makes a point of not doing this. /opt/local is its own universe and dependencies can be upgraded more or less aggressively than Apple's. https://trac.macports.org/wiki/FAQ#syslibs

Does seem like something Apple should fund / handle IMO.

There is also the issue, that my iMac is stuck on Ventura, and soon won't be supported by homebrew anymore.

- homebrew's design of having a single app's folder is better, e.g., can use your basic file manager to see the total size

- updates requiring manual inervention

- fewer/less updated packages (mabye due to the previous deficiency?)

- large duplicate database wasting space (and think it's even uncompressed) (brew got better when it moved to it API)

If they would do it all over again, I would bet that they would have wanted to make MacOS be like iOS.

Back in the day Apple marketed macOS as a serious Unix system for scientists and engineers boasting about NASA’s use of it.

I think if Apple aspired to lockdown general purpose computing they would push the ipad pro range with more models and slowly kill off the Mac but they’re not doing that.

Every OS wants to be attractive to developers. Apple has a long history of underdelivering this core proposition. To me it's an odd situation to reason about - look at Apple's dev conferences and then look at what it's like on the ground in dev's reality.

Please don't. It would be a resource hog SwiftUI monstrosity like the new Settings app. And while they are at it, they would probably introduce the 46353th bespoke feature into the Swift language too, because why not?

* Apple has no aversion to Ruby, and on the contrary has multiple developers pushing for it. They themselves had MacRuby, a project that allowed one to create Mac OS X (at the time) applications with Ruby.¹

* The reason there’s even an Xcode command line tools package available officially from Apple is because of Homebrew. A third-party made it first by extracting the necessary bits and then Apple officially supported it.²

* There’s a liaison between Homebrew and Apple, who helped during the Intel to Apple Silicon transition.³

¹ https://web.archive.org/web/20100908131627/http://developer....

² I know this from a reliable source and it is public information, but it was so long ago it’s hard to find.

³ The official Homebrew Twitter account tweeted about this at the time. I no longer have a Twitter account so can’t dig it up.

Homebrew would have a good head start, because it can use a better language, ruby. But it blew its chances with many questionable choices, they are just amateurs. But as always, worse is better.

The only ones with any CLI tools installed, though, are Nix and pkgsrc.

Fast forward to now, Homebrew actually had to make all the changes Macports pointed out as flawed design decisions because, well, they were but enjoy more users and has tainted Macports reputation. It's very much a case of the inferior product winning as far as I'm concerned. I know that most of the original team is not there anymore but I still mostly refuse to use it.

You’re referring to Max Howell, who started Homebrew but hasn’t been part of it for over a decade. Max has been out of Homebrew for longer than he was ever in it, so everything you associate between the two is wrong.

https://www.reddit.com/r/google/comments/7l5ibp/max_howell_h...

Notably, Howell said:

> But ultimately, should Google have hired me? Yes, absolutely yes. I am often a dick, I am often difficult, I often don’t know computer science, but. BUT. I make really good things, maybe they aren't perfect, but people really like them. Surely, surely Google could have used that.

And a sensible response from Jonathan Blow to the "binary tree" nonsense:

> I hate to say it, but counter to most replies you are getting, I see this as an expected outcome. Inverting a binary tree is not some trick interview question. It's a very basic data structure manipulation, and the ideas involved there are applicable to everything. I probably wouldn't hire someone who couldn't solve this, either. It most likely indicates lack of comfort with (or understanding of) recursion, which is kind of serious. This is not to say that the hiring process is good (I have never experienced it) or that they shouldn't have hired you (quite possibly they should have) but maybe instead of getting mad, take this as a cue that you could build up your data-structure-manipulation muscles a bit more and become better for it -- as that stuff applies everywhere.

No one should hold that against Homebrew. Max was already not part of it when that happened and he does not speak for the remaining team.

  > Since 2012, Trail of Bits has helped secure some of the world’s most targeted organizations and products. We combine high-­end security research with a real­ world attacker mentality to reduce risk and fortify code.