Homebrew users should take notice that a glaring RCE flaw in the Homebrew repository system could have allowed bad actors to use a fraudulent update to execute malicious code on the user's machine.

What Happened?

As reported by The Hacker News, Japanese security researcher RyotaK notified the Homebrew maintainer group on April 18 about "the way code changes in its GitHub repository were handled, resulting in a scenario where a malicious pull request - i.e., the proposed changes - could be automatically reviewed and approved. The flaw was fixed on April 19."

After the fix, Markus Reiter of Homebrew said, "The discovered vulnerability would allow an attacker to inject arbitrary code into a cask and have it be merged automatically. This is due to a flaw in the git_diff dependency of the review-cask-pr GitHub Action, which is used to parse a pull request's diff for inspection. Due to this flaw, the parser can be spoofed into completely ignoring the offending lines, resulting in successfully approving a malicious pull request."

In layman's terms, what he is describing is that malicious code injected into legitimate files was merged without any review or approval. This poses a severe danger to Homebrew users. RyotaK also included a proof-of-concept (POC) to illustrate his point.

As a result, Homebrew removed the auto-merge feature and the "review-cask-pr" action from all Git repositories. Now all pull requests require manual review and approval. The researcher commented that "If this vulnerability was abused by a malicious actor, it could be used to compromise the machines that run brew before it gets reverted. So, I strongly feel that a security audit against the centralized ecosystem is required."

What is Homebrew?

Homebrew is an open-source software package installer for Mac and Linux. It runs on Git and Ruby and can easily be modified by knowledgeable coders. It allows you to easily install and uninstall add-ons to the Mac system using "casks." The Cask plugin extends the functionality of Homebrew, allowing users to install command-line workflows, fonts, plugins, and other software. Homebrew works on the command line interface Terminal. Users can enter simple commands like `$ brew install --cask firefox` to install popular programs without having to use the built-in installer.

Why is /opt/local the default install location for MacPorts?

Traditionally, the place to install third party software on many UNIX systems is /usr/local. However, having MacPorts under /usr/local would be error-prone for precisely that reason. Many other software packages and packaging systems install into /usr/local, and could accidentally overwrite what MacPorts has installed, or vice versa. While this could be dismissed as the user's own error, it is a fact that people click through installers blindly, and consequently collisions under /usr/local (and other prominent directories) happen very often. MacPorts doesn't want to be a victim of that, and /opt/local provides the splendid isolation (as would any other dedicated directory, of course). Also, /usr/local traditionally contains the given system's local admin tools; MacPorts doesn't want to stomp on that either. (For the same reasons, fink uses /sw as its prefix.)

I'm a software engineer and spend almost all of my computer time in a fullscreen terminal. I also use my Mac to administer a number of Linux servers. I think Homebrew is great for people who don't typically use the command line but absolutely need to install one piece of command line software for a project, or for people who use the command line frequently, but mostly only to `npm run build` and `git push`. Homebrew wants to be Mac-like in its easiness, but I prefer transparency over a veneer of simplicity. It's fine to try to hide the details from the user until something goes wrong. Every time I've tried with Homebrew, something eventually goes horribly wrong.

If you like short, all-lowercase words like awk, sed, grep, vim, and gcc, MacPorts. If you prefer CamelCase and terms like x-ly, x-ify, x-io, and x.js, Homebrew is probably better for you. If you like Oh My Zsh, you're probably a Homebrew user. If you think Oh My Zsh is slow bloatware, go with MacPorts. If you write scripts / software that you run in the command line, MacPorts. If you use the command line only to manually type and execute short sequences of commands: Homebrew. If your primary/only programming language is JavaScript, Python, or Ruby, Homebrew. If it bothers you when your bash and perl scripts don't work the same on Mac, use MacPorts. If you don't know what the fuck I'm talking about, use Homebrew.

PS: This article I found on the subject raises some good other points.