Excellent work - a methodical review like this is exactly what I’ve been looking for in these sorts of open source solutions.
I know it’s not the focus of a code review like this, but I’m interested to hear your views on the general supply chain lifecycle problems inherent to open-source package management platforms. Principally, are vetting processes appropriate to ensure that new formulas refer to the correct source? How does the user gain confidence that their brew update is still referencing a trusted source? What happens when a domain is taken over? How quickly can the team respond to untrusted sources from formulas?
I know these aren’t all Homebrew problems to solve, but they’re important ecosystem considerations.
(These problems also exist in the winget and choco platforms, but less so in commercially supported repos like apt and yum. For me, and many other admins, they are a major concern when it comes to the Windows Store.)
Edit: lastly, in case the homebrew team are watching: an npm-style vulnerability notice would be awesome
I can't emphasize enough how much of a genuine issue this is, especially where package managers are being used on production environments or within CI/CD pipelines. There's enough publicized cases of Chinese CCP operatives gaining pull request access to key packages, and I'm sure many more get discovered that are covered up/not made public. Even just turn over of package ownership from reputable entities to lesser known individuals is of course worrying.
As a SWE/EngMgr turned VC, I'm curious if there's startups or commercial companies providing some kind of assurance here (but also worried the $ TAM for solving this problem probably isn't enough to make it a standalone business).
Also for that case, I don't think we have any clue who the guy is. Name just not meaning anything. Or anyone has any link to a formal trace to the origin?
Yeah, well, harvesting human organs (selling them to US customers) and maintaining death camps in 2024 is kind of "bad guys" for me. But, to each his own, I suppose.
The U.S. also harvests the organs of dead prisoners without consent. This is well-documented. 2 Democratic senators even proposed a bill to "reduce sentences" by "donating" your organs.
The U.S. runs the world's most extensive biological weapons research program and firmly opposes any verification for the BWC to which the U.S. is a signatory. The Pentagon operates a ridiculous number of bio labs in other nations.
The U.S. NIH was indirectly responsible for Covid - thanks to sponsorship of gain-of-function research into bat coronaviruses via the Ecohealth alliance, sponsorship of which was approved by good old "I represent Science" Dr Fauci. A massive and desperate cover up operation was performed by the NIH here. Hell, there were e-mails sent to delete everything and deflect all inquiries.
The U.S. deliberately sponsors coups in nations across the world for leaders they don't like - as evidenced by de-classified documents. The U.S. military budget is 7 times higher than that of China. Nearly a million people were killed directly and in-directly in Yemen thanks to good old American bombs.
Let's not even get into earlier acts - like Obama's "moderate rebels" in Syria who were busy chaining women in Aleppo and who devolved into ISIS after the Syrian army kicked them out and decided to conquer Iraq instead - all with the latest American weaponry in hand! (I strongly suggest speaking to a native Syrian who lived in Aleppo during that time to know about the horror)
Other than these very small misdemeanours, the U.S. is a saint! Doubly so on the internet. /s
Before moving to Nix, I was using MacPorts since Homebrew had some...eccentric behavior at the time (didn't work with multi-user setups, owned your /usr/local, lots of "works on my machine" problems from auto-updating and lack of version control, ...). One thing that has always felt insecure about Homebrew to me was the ability to use GitHub (not Git) URLs as ad-hoc packages. I wonder if that is how TOB-BREW-13 worked? That feature of Homebrew has always sounded like a security incident waiting to happen.
In any case, I'd be interested in seeing an audit of Nix on Mac OS. Especially if there is a flaw in how `nix develop` and related commands work.
Funny that you mention it, I also went Homebrew -> MacPorts -> Nix.
Homebrew had analytics and broke versions too often. MacPorts is way more stable, but some niche packages would not build well, and I had terminfo issues with tmux.
Nix allows me to override most of that, and I can share home manager config with my Debian workstation.
For the life of me, I will never understand how developers, of all people, see “just take ownership of system directories, which we will relentlessly pollute” as acceptable behavior for homebrew.
I don't think this is a fair characterization: on Intel, Homebrew uses `/usr/local`, which Apple has (historically) left empty as a location for non-OS managed software to be placed. To my understanding, this is an artifact of macOS's partial BSD ancestry. On ARM-based Macs, Homebrew uses `/opt` to avoid even this confusion (a trait it shares with other non-OS software but administrative-type software).
On the other hand, if Homebrew used `/usr` by default, this would be a fair characterization. But it doesn't.
But the problem is that /usr/local/bin is in the default PATH. They defended this discussion to take over until Apple silicon came and they “silently” fixed it avoiding admitting anything wrong in the beginning
I don’t really understand what the problem you’re referring to is: /usr/local is explicitly the non-OS software hierarchy, which is why Homebrew used it. When Apple Silicon came out, the prefix was changed as part of allowing native and Rosetta-driven Homebrew installations to co-exist. There’s no nefarious reasoning behind it.
Edit: a thread with a bit of the history can be found here[1].
The really shameful behaviour at the time was that if you changed it (which you theorically could), some packages were so poorly written than they just broke and homebrew just warned you it was going to be this way instead of actually fixing the issue.
Nix doesn't sandbox builds by default on macOS. You can try enabling it yourself with `sandbox = true` in nix.conf, but Things May Break.
The Nix sandbox is also not really meant as a security boundary; there's no effort put into preventing sandbox escapes, and lots of stuff leaks from the host into the sandbox environment. You really want something like gVisor or a full VM if you want to build untrusted packages.
Sure, Nix is extremely flexible in input definition, but it's different in the sense that Homebrew exposes a single command to e.g. install a cask from a user-inputted GitHub repository. So all an attacker needs to do is typo squat or take control of the GitHub repository that people are using to install a certain cask.
In Nix, flakes are pure functions and run in pure evaluation mode. One needs to consciously add a Git repository (URL + commit hash, branch, or tag) and then make use of something malicious exported by the input. But to find out what the flake exposes at all, reading the flake (or its documentation) is pretty much necessary.
All the Nix commands that take an 'installable' can take GitHub URLs. For instance:
$ nix run github:NixOS/nixpkgs#hello
Hello world!
That command will download nixpkgs from GitHub, evaluate the `hello` flake attribute, build it (or download it from a cache), and run it.
> But to find out what the flake exposes at all, reading the flake (or its documentation) is pretty much necessary.
If the flake exposes default packages or apps, then you do not need to provide a flake attribute:
$ nix run github:NixOS/nixpkgs
error: flake 'github:NixOS/nixpkgs' does not provide attribute 'apps.aarch64-darwin.default', 'defaultApp.aarch64-darwin', 'packages.aarch64-darwin.default' or 'defaultPackage.aarch64-darwin'
So you can run e.g. Alejandra [1], a Nix formatter, like so:
EDIT: For what it's worth, I think this feature can be useful sometimes, but it does also suffer from the same typosquatting problems as we see in other ecosystems.
I peeked at the sandbox escape bug and its associated fix: https://github.com/Homebrew/brew/pull/17700/commits/f4e5e0c7.... Is this…correct? Like, this is to prevent it from being interpolated into a sandbox profile and messing things up. How confident are we about this list of characters?
The commit message could have answered that question, but instead, it only repeats what the diff already tells us: "Don't allow special characters in sandbox rule paths". It doesn't explain why, or what's special about the particular characters that it disallows. A better message would have said something like "Prevent certain characters in the path because otherwise ... We need to worry about these specific characters but not others because..."
Even if I wrote this code and knew what it did today, if I come across this it a year from now, I'm left scratching my head: why did I make this change?
I ditched `brew` for `nix` a while back and while the TUI could be more end-user-friendly (to the point that I wrote a wrapper called "ixnay" just so I could do "ixnay install <packagename>" as easily as with brew, https://github.com/pmarreck/ixnay), the overall guarantees make it worth it.
(the script itself is of no use to you since it only talks to a piece of hardware)
The command dispatcher case statement and all the embedded help is in do_cmd() at 2857, and the help reader is help() at 425
I like their explicit #args vs #help
One jank in mine is I have a verbosity level setting which affects most messages, and help() uses it to filter some of the help. Normal verbosity shows only the normal help for the normal commands. If verbosity is set higher, then help() shows more commands.
The way that's implimented in help() is extra comments that change the behavior of help() as it's scanning the file from top to bottom.
When it hits a '#v 2' it starts only displaying the help if the user has currently set verbosity>=2 until further notice. Later down the file it hits a '#v 1' and starts displaying help again...
It works but it feels kind of 70's or assembly.
#v 1
#h normal help for mortals
#h ...
#v 2
#h don't confuse the simple folk with this dangerous powerful stuff...
#h ...
#v 1
#h a few more normal commands
#h ...
#v 0
#h display this even the user has set verbosity to 0 to request silence
#h ...
I mean, this is basically all of Bash lol. A very clever idea that has endured since the 70's but also shows it... And yet we get obsessed with "writing perfect Bash" still.
The amazing thing is that there are also old "functional shells" like es-shell https://wryun.github.io/es-shell/ (he still works on this and it is indeed very interesting!)
I wish I had known about ixnay earlier! I also got annoyed of the user experience, to the point where I also wrote my own tool, hdn: https://github.com/seasonedfish/hdn
I just noticed there's a bug with uninstalling. Probably a parsing issue, they must have changed the output of nix for that (this isn't the first time that happened...)
I am a bit surprised this did not highlight major low skill attack surface in Homebrew as compared to almost all Linux and *BSD package managers: Supply chain integrity.
Homebrew maintainers mostly do not sign commits/packages, do not sign reviews/merges, do not verify author/reviewer sigs at compile time, do not reproduce builds in separately controlled CI, do not enforce hardware 2FA on Github.
Every user of brew is only as secure as whichever of hundreds of brew maintainers has the worst opsec today.
Also since dependabot automatically makes commits, you could get a malicious commit into an external project you control, wait for dependabot to make a commit to homebrew to upgrade it, then merge it yourself (as becoming a homebrew maintainer has almost no vetting, just fix a few easy bugs)
You could also just take over one of the expired email domains of a maintainer and send a password reset email to yourself and take over an account of someone on vacation or hiatus.
Can likely get thousands of companies compromised before anyone notices.
Honestly I would never allow Brew on any company machines I have authority over. It is giving hundreds of randos, (and anyone that takes advantage of their poor opsec) the ability to execute any code on user systems.
Major Linux package managers do not go nearly far enough with things like review signing, but most at -least- do author-level package signing, human review, and independent reproduction for most packages.
Given how many high value targets like corporate sysadmins allow brew on their computers, Brew is on track to overshadow Crowdstrike any day now for most harm caused by insufficient supply chain management.
If macs supported PKGBUILDs like Pacman with a similar level of performance and there were correctly maintained packages for core programs I'd feel like using a mac would have a lot less compromises for convenience.
Homebrew is great and the formulae are maintained really well but the simplicity of PKGBUILDS, the fast syncing, and lack of cognitive burden of recalling multiple arguments/flags for package managers make me wish pacman just worked on macs.
The concept is the same (given a definition file, build a package from a central repo, aka ports-like), but one of the features of PKGBUILD has is that it's easy to build an ad-hoc package outside the main tree. For example, you can download a bundle of PKGBUILD and `makepkg` in any directory to build a package.
In other ports-like build systems, this can be a bit more complicated. For example, MacPorts allows you to use a local repository, but it requires configuring that local repository in `/opt/local/etc/macports/sources.conf` and `portindex` it beforehand before MacPorts could pick it up. Some others don't support building out of the main tree at all.
Personally, out of all ports-like building systems, I like MacPorts' Portfile the most. It's similar to FreeBSD Ports' BSD Makefile (MacPorts was created by Jordan Hubbard who also co-created FreeBSD Ports) but using DSL via Tcl interp instead of being a shell script (POSIX shell in the case of Alpine's APKBUILD, bash in the case of others). From my experience, the syntax is very nice to work with, though you need to know a bit of Tcl for a non-trivial package.
The main attack vector IMHO is the simple fact that one can sneak in new packages with malicious intent by simply contributing a new formula.
The team of maintainers is too small to audit all of the newly contributed formulae.
I'm suprised that this attack vector wasn't part of the audit.
I don’t think the current Homebrew core formulae reviewers consider their team too small to sufficiently review all new incoming formula requests. But even if it was: this is one of the vagaries of packaging that’s explicitly called out in the post: the boundary between first- and third-party execution is inherently murky, and there’s IMO relatively more security “value” in determining where third-party execution can surprisingly happen than pointing out all of the unsurprising things that happen when you intentionally run third-party code.
(With that being said, I think packagaging ecosystems in general should be reviewed for those kinds of acceptance processes. But that would be closer to a “red team” style audit than a software audit, since it’s about human processes.)
Yeah, I just had a scare the other day with someone downloading a console emulator called "Cmder" which is a collection of a bunch of FOSS tools. It literally had ~1,000 files that could be malicious including powershell scripts, perl scripts, python scripts, shell scripts, DLLs, EXEs, etc. It turned out it was benign, but it's really scary that people just clone these Git repos and hope for the best.
Yep. We use the TOB-$PRODUCT-$XXXX convention for our audit findings, where $PRODUCT is the target under audit and $XXXX is a unique incrementing counter for each finding.
(As far as I know, a lot of audit firms do similar things.)
Given that I did the audit, I don’t think it’s appropriate for me to offer an endorsement (or a negative endorsement) in this context. What I’ll say is this: the findings on Homebrew were not inconsistent with what I’d expect to find on any similarly sized userspace package manager that serves its own binary builds.
My dumb brain had to read it 3 times before realizing that by saying "the findings were not inconsistent with what I'd expect" you meant "the findings _were_ consistent with what I'd expect"
"not inconsistent" is a common phrase and is used for a reason. It's a subtle difference but "not inconsistent" is not exactly the same as "is consistent".
It needs to convey concepts that are infinitely variable rather than binary.
When a poet or novelist says something in an unusual way, they are being more accurate not less accurate. If there is ambiguity, it is because the concept or observation they mean to express has some ambiguous element.
Trying to avoid that is just downsampling analog color reality to a 200ppi 1bpp fax.
A related concept that even the most aspbergers STEM head should be able to understand, is how a scientist almost never asserts anything unequivocally. Almost every statement is qualified with whatever is appropriate to the context. Even the most fundamental constants of the universe like the speed of light are famously relative. Are those scientists being more or less ambiguous when they decline to say something simple and direct?
Everything they don't say is deliberate and carefully crafted to be as correct as possible, not some sloppy ommission.
If there's any hope of Nix seeing widespread adoption as a Mac package manager, uh... this link kinda shoots it down a lot.
From that:
- create a new APFS volume for your Nix store
- update /etc/synthetic.conf to direct macOS to create a "synthetic" empty root directory to mount your volume
- specify mount options for the volume in /etc/fstab: rw: read-write, noauto: prevent the system from auto-mounting the volume (so the LaunchDaemon mentioned below can control mounting it, and to avoid masking problems with that mounting service), nobrowse: prevent the Nix Store volume from showing up on your desktop; also keeps Spotlight from spending resources to index this volume
- if you have FileVault enabled: generate an encryption password, put it in your system Keychain, use it to encrypt the volume
- create a system LaunchDaemon to mount this volume early enough in the boot process to avoid problems loading or restoring any programs that need access to your Nix store
Even as someone who knows how to do all that... no thanks.
I’m a bit puzzled by the wording of this blog post, because it says you’ve worked with Homebrew to do this audit, but your name sounds familiar to me, and indeed if we check Homebrew’s README [1]:
> Homebrew's maintainers are […long list of names…] William Woodruff […]
I wasn’t a maintainer at the time I did the audit :-). I’ve been a non-maintaining “member” of the project for a long time, which is the pseudo-emeritus position we give to previous maintainers who want to continue participating in internal conversations and governance. I was then offered membership again, months after the audit, due to some unrelated work on Homebrew that didn’t exist and wasn’t planned before the audit was planned.
This was all disclosed as part of a conflict-of-interest disclosure I did, both with my company and with the Homebrew maintainers, but I agree that the blog post could also say that explicitly. I’ll try and get it added today.
TL;DR: I was not a maintainer at the time the audit was performed, but I was previously (years before) and am currently a maintainer. The audit was performed by myself and my colleagues in our professional capacities.
You might say devbox gives nix a brew-like interface and ergonomic.
More accurately, when you use a package manager, you use the “ecosystem” including the package index and pre-built binaries, and the cli. There aren’t many alternatives to homebrew as an ecosystem, especially including cask. Macports isn’t a homebrew replacement in the sense that it doesn’t have “cask”. Nix has something similar, although not as many packages. This makes nix probably the only viable alternative to homebrew with cask.
But nix is very hard to onboard. Devbox just makes it much easier to start using in say the first 30 min.
For me, the key push towards using it as a Homebrew replacement was the fact that I already used Devbox to create isolated dev environments for individual projects I work on.
Now I have one tool to manage all dependencies.
Other than that, it likely comes down to personal preference.
One neat thing is `devbox global push/pull <repo>` to persist my config in a repo.
Oh this looks pretty cool. I started using Docker a while ago for dev projects to avoid package/language version hell, but sometimes its a bit overkill
I had done the same before I learned about Devbox.
It's very lightweight and gets very powerful combined with `git worktree` to work on multiple branches in parallel, each with its own database instance.
Kinda off topic, but when I see a project or an article use brew on Linux instead of their native package manager or something like flatpak I generally assume the author has very limited knowledge about Linux and I can ignore this project/article.
Even though Homebrew isn’t meant as a replacement for the system package manager, there are legitimate use cases.
For example, if you’re on Debian but need a newer version of just one tool, it makes absolute sense to install Homebrew alongside. It’s designed to play well with the system package manager, uses its own separate prefix so it won’t cause shared libs confusion, and only shadows the packages you install with it. Nothing wrong with that inherently, and certainly not a sign of limited knowledge.
I don't see that. Brew on Linux is a copy of dito on osx which itself was inspired by Linux package managers.
Instead of using the real deal, people generally suggest Brew because that's what they are familiar with from osx.
If you need bleeding edge of something (and don't want to build from source) we got things like flatpak, appimage directly from developers or AUR and nix and other stuff.
I'm yet to find someone proposing brew over the rest because of some new package genuinely being available only on brew only.
> we got things like flatpak, appimage directly from developers
Some people prefer timely, high-quality, well-tested bugfixes and security updates for the underlying low-level dependencies of an app.
An upstream app developer is much less likely to provide an updated flatpak mere minutes after e.g. a critical OpenSSH security fix comes out of embargo. Distro maintainers on the other hand, such as the Homebrew core maintainers, can do that. They also have security audits, see TFA, and established processes. Nothing wrong with that at all.
> and nix
That just comes down to personal preference. Some people like Nix due to the amazing level of isolation it provides, and that’s perfectly fine. Some prefer Homebrew instead because it’s easy to use and respects the FHS.
All the things we’ve discussed so far are highly subjective, come down to personal preference, and say absolutely nothing about how skilled a user is.
Core system package managers (apt etc) handle security issues quickly and in collaboration with security researchers and authorities. They have far more manpower, experience and connections than brew.
Bleeding edge is handled by rolling package managers, and these often build automatically from source as soon as a commit is tagged.
I don't see a clear reason to use brew, which does everything a little bit worse. In fact, I see it as a red flag in projects since it usually indicates lack of first class Linux support.
> They have far more manpower, experience and connections than brew.
And Homebrew’s maintainer team, in turn, has far more of all that than the average Flatpak app developer has, which your earlier comment suggested as an alternative to Homebrew.
> I see it as a red flag in projects since it usually indicates lack of first class Linux support.
In most distros, upstream projects have very little say in whether or not the distro is going to include them.
It’s the distro maintainers who make that decision, and it depends on many different factors, some of them outside of the upstream project’s control, but none of them related to „first class Linux support.“
For example: is the upstream license an acceptable fit for the distro? How many dependencies does it have, and are those already available as packages in that distro? Does it make technical assumptions that clash with the distro’s assumptions? Has anyone stepped up and authored the package yet? And so on.
Never have I seen “lack of first class Linux support” as a scale-tipping argument against including a particular package in a distro.
Great that there are people looking into this. I wonder if there would be similar findings were they to perform an audit on MacPorts or the Nix package manager.
A while back I was trying to understand why Homebrew requires pre-built executables to be installed into /home/linuxbrew. I asked about it here[0]. This requirement basically makes it impossible to use homebrew to quickly install programs on systems where you don't have root, or at least have homebrew already configured (not sure if that would solve it but I assume so).
They pointed me to an example program that would break if not run this way: Facebook's Watchman[1].
It bizarrely (to me) has hard coded paths compiled into it, which force you to run it from specific directories.
Would love to understand what's going on here and why you would ever make software work this way. I feel I'm missing a fairly obvious Chesterton's Fence.
The short (but possibly not satisfying) answer is that Homebrew's relocation of packages (including binary relocation) is best effort, in part because of the myriad ways in which packages can embed absolute (or incorrect relative) paths and other state in their build products. macOS bottles are generally more relocatable (in part because of a lot of scar tissue around binary relocation), but it's a general problem with build system quality, build complexities, and - reasonably - disinterested upstreams.
In the case of Watchman, I have to assume that internal use is the most supported use case, and uniformity of deployment is desirable across the fleet there, and so, configurability wasn't as big of a concern?
That makes sense. The weird part to me is that Homebrew would limit their approach and eliminate an entire class of use cases to accommodate programs that work this way. There has to be more to it.
I don't think that's accurate—homebrew specifically says that it only uses the .linuxbrew directory when a formula contains a hardcoded path (which it scans for), and only if you choose not to install it from source.
So, based on the responses from the maintainers, for the .linuxbrew directory to be used, you have to satisfy 2 conditions:
1. you have to be installing one of the ~10% of formula that isn't trivially relocatable.
2. you have to be using a precompiled binary (which it seems like homebrew is smart enough to not do if condition #1 fails and you're not using sudo)
My short experience with Watchman (a few years ago) indicates this. It’s pretty clearly only technically open-source, without much regard at all paid to third parties actually using it.
I’ve had a few build pipelines break over the years because of a watchman dependency. IIRC it was usually an issue with an npm library depending on watchman but downloading a binary that was incompatible with the architecture or implemented the wrong syscalls for the operating system.
This a not a unique problem to homebrew. Any pre-built binaries potentially shares this problem unless the build system the software use is intentionally written to avoid this problems.
Any package managers that is designed to not hard code the prefix, ie you can choose where the binaries go into, needs to handle this problem and have their own ways to deal with it. Conda for example has a long string of …placehold_placehold_… to facilitate editing the hardcoded path…
Source distribution is more robust against this problem comparing to binary distribution. (But sometimes the authors of the software did not package them well and would have hardcoded some paths somewhere.)
That’s why when you change the homebrew prefix, they will built from source instead, and it (using a different prefix) might not work.
The amount of value returned to the Apple ecosystem through brew is remarkable and while this post makes me even more in awe of the care that goes towards the community, I'm sad that one of the richest companies in the world isn't giving more back.
With so many other package managers available, I often wish something else was the de facto package manager on macOS. Something like pkgsrc, which follows conventions much better and is thereby much easier to manage.
Anyone know why Homebrew overtook MacPorts? I only have a vague recollection of a Rails colleague pushing me to switch circa 2013 or so and haven't given it much thought since, but it (MacPorts) seemed to be similarly ubiquitous prior.
When I started using a Mac in 2009, MacPorts, Fink (and I think there was another I can't recall the name) simply wouldn't work for me. They would take very long to build what I wanted, there weren't nearly as many packages as was in Debian/Ubuntu, and many were old versions. Worse, many build attempts would just fail.
In that scenario, brew worked like a charm. It was quick, had most or even more packages than Debian/Ubuntu and they were newer. Failure to install was rare.
Then, Apple started yearly release of OS X, and that both broke brew and my system hard, so I started investigating and found out about the many "shortcuts" that brew took and how it violated systems components. I was dismayed, and abandoned brew for good.
So, I stood a period where I would use many of my tools inside a Ubuntu VM, until probably 2013-2014, when for some reason I tried again MacPorts, and I don't know why, but that time it was much more reliable, and because of Apple's insane atm SSDs with 2 GB/s bandwidth, install became quick enough. Packages were still somewhat lagging behind in available versions, but the variety of them kinda reached the levels of what was in Debian/Ubuntu, so it was good enough for me.
Then, the killer feature, I found out about macports variants and selectors, which I find the most awesome thing to this date in package managers (I haven't tried nix, still, it might be magnitude better in that regard). No needing to use rvm, pyenv, custom installs of gcc messing with make/autotools, and the only sane way of compiling various Haskell projects (before haskell-stack).
I don't know when they introduced it, but I believe MacPorts will build the common variants of the more-used packages. So, if you install a package with the default variants, you'll get a binary download instead of building from source.
But indeed; fast SSDs, parallel compilation, and modern CPUs really help!
MacPorts was slower (bringing in its own dependencies for everything meant longer build steps) and required sudo more. There were some annoying fiddly parts that made it seem like the homebrew users around you were having more fun exploring packages.
It was also exciting how many packages and casks were in homebrew and it was easy to make your own.
Also, back then there were lots of people experiencing package managers for the first time and they took to homebrew easily.
Then so many projects started to publish brew install links as a way to get started; homebrew felt like a default.
Now, with our faster computers, more space, and more packages installed, and macports shipping more binaries and using its own normal user, macports' duplication of dependencies looks more like an advantage than a disadvantage. And because homebrew taught so many people how to use package managers, macports is not their first so easier to start using.
> Also, back then there were lots of people experiencing package managers for the first time and they took to homebrew easily.
I suppose it was almost 15 years ago now but this is what I recall. Homebrew was easier, snappier, and the general friction coefficient felt smaller.
It's a little funny reading this and then wonder... Why did I leave MacPorts behind? I don't think I put much thought into it at the time and rather went by feel. I was still somewhat new to this stuff having started my career more in design than development.
- it has always had a strong emphasis on presenting a simple, clean, pleasant, pretty, playful UI and executed that well
- when it came out, source-based package managers for macOS generally didn't have any binary caching mechanisms, so compile time mattered
- Homebrew's embrace of the base system as opposed to bringing its own dependencies bought it greater reuse at the cost of robustness, driving down total time to install many packages
- the language that `brew` and its packages were written in was trendy at thw time as well as pre-installed on macOS, which made them instantly accessible to huge numbers of web developers
- the older macOS package managers generally drew on traditions and tooling from the Linux world (e.g., Fink, with Debian tooling) or the wider Unix world (e.g., MacPorts and various *BSD ports systems and packages written in some Tcl IIRC).
The type of person with the experience that would lead them to prefer tools and conventions like one sees in Fink, MacPorts, and Pkgsrc, or to contribute to those projects, has likely always been dismayed, if not repulsed, by a number of Homebrewisms. I think we can therefore conclude that Homebrew didn't win the package availability race by converting MacPorts contributors— Homebrew succeeded in attracting a largely untapped pool of new contributors. Eventually there followed the majority of non-contributor users who just want to use whatever already offers the software they want to run.
At the point I switched from MacPorts to Homebrew, homebrew just worked more reliably in my experience. It installed things quicker and with fewer build/install failures. i don't know enough about what was going on under the hood to have any theory as to why this was my experience; I don't want to know what's going on under the hood, I just want to type `install whatever`, and have it work.
I guess MacPorts was (and is) geared more towards users with some proper UNIX or BSD background, e.g. people coming from FreeBSD.
Whereas Homebrew targets the typical Mac user who might need a CLI application occasionally, i.e. someone looking for simplicity, without being too technically savvy.
The latter group certainly makes up a much bigger share of users on macOS, especially nowadays.
When you installed a port with macports the idea was to use as much of the macports for build and runtime dependencies. Over time that became greater and so port install would be slow until you built enough dependancies. It also consumed more storage.
When you installed a port with brew it used as much of the OSX, X11, and XCode installed utilities as possible so it was faster and used less storage. But then you would install an update from Apple and things would break cause of that reliance, things like /usr/bin/perl.
People like beer but also Homebrew had a cute site and made ports simpler than MacPorts. Turns out complexity was maybe not unwarranted. I was among first adopters of brew but now I port for years
this was a while back, in the Gentoo Linux heyday, so it was popular to compile things, except that this was when computers were slow, so that meant waiting for compiles. the problem with macports was that (iirc, it's been a while) it compiled its own version of Python instead of just using the system python, which also broke sometimes. and then you had to compile all that shit again. brew won out because it was faster, and didn't duplicate redundant shit for no perceived reasom.
Switch to MacPorts. It supports precompiled packages, doesn’t take over the world and force anything on you the same way Homebrew does.
I’m really disappointed in how Homebrew took a lot of attention away from the existing package managers, made a bunch of terrible decisions related to packaging and flexibility and genera Unix philosophy, and then ate the world.
The Joyent folks leveraged it to allow their customers, who were perhaps not as familiar with Solaris/SmartOS, a larger pool of packages. Pkgsrc was running on Solaris before Joyent, Joyent built on top of it.
When I've had to use a Mac, I've used nix to good success. I'm actually surprised how well it worked; I was able to basically just use the same config I use on Linux, removing just the few Linux-specific packages.
Do you not use many packages and only strictly use FOSS tooling? I have a large and growing list of packages that have to be managed in Homebrew still because the package is one of the following:
1. Not available at all in nixpkgs (e.g. Docker Desktop, BetterTouchTool, etc)
2. In nixpkgs, but completely broken or missing some architecture support (e.g. Firefox)
3. Actually available and somewhat functional in nixpkgs, but some significant features don't work because of code signing requirements and needing to be managed in the Applications folder (e.g. 1Password)
Quite a few tools do in fact work well with nix on Mac. Especially if it's FOSS and/or a cli-only based tool. And for FOSS tooling such as Firefox, there is often a convoluted workaround (I'm currently using `github:bandithedoge/nixpkgs-firefox-darwin`). And of course you can always package it yourself by doing things The Hard Way.
But the platform is still quite a ways away from being able to be used as a daily driver on Mac without Homebrew.
Huh, interesting. I did primarily use FOSS and CLI applications. It's been a couple years, so I don't remember what exactly I used it for. I probably installed Docker Desktop via whatever method docker recommends, and I'm not sure about Firefox.
For alacrity, I remember it being annoying to integrate into Mac's launcher, but it otherwise worked.
Pretty much everything else was programming-related and just worked.
If you want graphical apps to be handled by nix on macos, you might be interested in <https://github.com/BatteredBunny/brew-nix>. nixpkgs does not package macos sandboxed apps AFAIK, that means typically only cli utilities, libraries and development tools only work.
Tried this when it was released on HN. It does not work out of the box. There is some problem with launching apps from outside of the applications folder. The trampoline Mac-app-útil approach does not work. Though in theory it probably should for most applications. I don’t know enough about the code signing process to be able to debug what is wrong with it.
I recently tried out mac-app-util¹, which fixes some of the usual pain with GUI apps. In conjunction with brew-nix², it looks like it might be most of what I'll need to move away from having Nix manage Homebrew for me.
I don't use very many GUI apps so now that the installation piece is taken care of, I can just package everything I use if it really comes down to it. That'd be worth it for me just to get rid of the painfully slow `brew` invocations that lurk in my activation scripts.
I tried this exact combination but it did not work out of the box for the apps I tried. For gui apps bundled with brew-nix they will panic due to something about how the code signing keys are copied with brew-nix. The Mac-app-util trampoline launcher does work with the regular way that brew is managed with nix (which under the hood just shells out to brew) though. So the problem is likely related to brew-nix installing apps outside of the Applications folder.
I hacked around a bit trying a few different approaches before giving up and switching back to the regular nix-Darwin homebrew approach. But the issue is probably solvable by someone who knows a lot more about how the code signing process works with Macs and the Applications folder
Ugh! How annoying. Which apps did you try that with? I just gave it a try with a couple random ones. I tried Marta, CyberDuck, IINA, KeePassXC, and CotEditor and they all worked.
(Spotify didn't build because the Brew package doesn't have a hash, and Karabiner Elements didn't build bc idk why, but that's actually in Nixpkgs already and that version works fine.)
I did double-check that I have SIP enabled and everything. I'd be interested in trying to repro!
Aside: that mac-app-util works so nicely for the macOS apps that are already in Nixpkgs makes it feel much more worth it to me to package GUI apps for macOS, if that'll mean I can get rid of `brew` entirely. I wonder if this will spur others to also package more GUI apps this way.
1Password and docker desktop are two good test subjects. 1Password especially is the one I mentioned above as being a problem child in general with nix setups on Mac
VScode in particular was the one that broke for me, though that is actually available and mostly functional in nixpkgs so that one is not a showstopper.but might be a good test case to repro
I just tried 1Password and it refused to start not being in `/Applications`. I've seen this happen with one other app (Secretive), although it doesn't quite refuse to run. I can't remember all the details, but I think it has to do with a limitation in newer versions of macOS, where apps that try to register launchd services can only do so if they live in /Applications rather than ~/Applications. The problem with launching those background services from binaries that live in ~/Applications disappears if you disable SIP. When I first encountered it, it made me wonder if ~/Applications is not really supported on modern macOS. I wish I could find the issue for that but I didn't, when I looked just now. :-\
1Password definitely acts weird for me, to where I kind of wonder if the .app folder is malformed somehow. The version installed in the Nix store actually works fine-- but not if I double-click it or open it with the `open` command. In that case it kinda acts like something is going to launch but then it never comes up. But if I manually invoke `/Applications/Nix\ Apps/1Password.app/Contents/MacOS/1Password` from my terminal, it starts up fine! But when I directly launch that executable from Finder, the application does not start and I see that same message about not living in /Applications printed in the terminal. Idk why 1Password refuses to run from anywhere other than /Applications but that seems to be it's message rather than the operating system's.
It's a shame 1Password's Mac app can't run from the Nix store. They clearly have at least one Nixer at the company because they have cool integrations like this:
I couldn't even get the Docker Desktop package to build from `brew-nix`. OrbStack in the Nix store died on signature errors, but when I visited Security & Privacy in System Preferences after that, there was a little notice that OrbStack had been blocked from running because it was from an unrecognized developer, with the option to allow it. After being allowed, it seemed to work as normal. Same for Podman Desktop.
Why do the signatures for those apps end up getting replaced with this setup anyway?
As for your first question, about why 1Password refuses to run outside of Applications, I’m pretty sure it’s security. There is something special about Applications on MacOS that apparently AgileBits views as an attack vector when run outside of it.
I was curious about your final question as well, but I know little about how this works. The error when I tried vscode looked to be that the signature had gotten malformed somehow during brew-nix’s copy operation but since I had no idea what a correct signature should even look like I got stumped there.
I've been using pkgin and pkgsrc for years on macOS. Occasionally, I still need a small brew prefix when a dependency is missing or difficult to build. Molten-vk was the last such package.
pkgsrc is by far the most KISS package manager for macOS, I like it.
That was probably true in homebrew’s first year. At this point I would be shocked if more than a fraction of a percent of homebrew users have ever even heard of macports or fink.
On an old Macbook I keep around for various rare offline tasks, I actually did go back to MacPorts from Homebrew. Chief reason being: Homebrew doesn't support old versions of the OS so I was SOL trying to install a new package on it. The backwards compatibility is a nice feature!
My current machine is also not on the latest so I wonder if an attempt to brew update would nag me now...
Key difference is Mac ports keeps its tree separate in /opt. This means things take longer initially to install because it can’t just leverage system stuff already there. Upside is greater reliability because it doesn’t have to worry about a system update changing its dependencies.
I did not know about the new directory practice, thanks.
From what their site says it looks like it was done this way to keep ARM native stuff separate from old intel code which can still work under Rosetta. But I don't see any indication homebrew stopped linking system libraries as a matter of course (correct me if I'm wrong).
MacPorts makes a point of not doing this. /opt/local is its own universe and dependencies can be upgraded more or less aggressively than Apple's. https://trac.macports.org/wiki/FAQ#syslibs
I much rather them use system libraries than build parallel libs that don’t go through Apple’s vetting / changes. This has worked well for me in practice. I’ve actually never run into an issue where the system library got updated and that broke homebrew’s apps.
That seems like a totally valid perspective. Macports page I linked claims that Apple is often too slow to update, and in some cases only does so when there is a security breach. I can’t vouch for if that’s true. In my experiments maybe 10 yrs ago it took substantially longer for me to install a certain set of packages on Macports vs homebrew due to the parallel library thing. But I had had some broken packages with brew and found Macports more reliable.
Does seem like something Apple should fund / handle IMO.
I was wondering recently if there are any downsides of using MacPorts and homebrew for different packages on the same system. Homebrew excels at keeping all my single binary CLI tools up to date, but I don't particularly like how it forces me to upgrade more complex software packages like MySQL or FFmpeg constantly.
There is also the issue, that my iMac is stuck on Ventura, and soon won't be supported by homebrew anymore.
The approach of Mac ports and Homebrew have been the complete opposite when Homebrew came into existence.
Mac ports tried to make packages compatible with whatever Apple shipped, aka their own twists on Perl, python, OpenSSL etc.
While Homebrew tried to make macOS compatible with whatever existed out there.
As a developer Homebrew gave you a more up to date and fully functional experience.
Can’t tell you how it is today since Apple removed all interpreters and such from macOS.
Apple should have written it themselves. It's embarrassing that they didn't. Nonprofit Linux distros with one-millionth the resources manage to write package managers and run repos, and then with MacOS, Apple gives you diddly-squat.
Back in the day Apple marketed macOS as a serious Unix system for scientists and engineers boasting about NASA’s use of it.
I think if Apple aspired to lockdown general purpose computing they would push the ipad pro range with more models and slowly kill off the Mac but they’re not doing that.
> IMO, it's just counter to what Apple aspires MacOS to be.
Every OS wants to be attractive to developers. Apple has a long history of underdelivering this core proposition. To me it's an odd situation to reason about - look at Apple's dev conferences and then look at what it's like on the ground in dev's reality.
Please don't. It would be a resource hog SwiftUI monstrosity like the new Settings app. And while they are at it, they would probably introduce the 46353th bespoke feature into the Swift language too, because why not?
It would be (or at least have) a command-line utility like rpm, npm, apt, or pacman. That's necessary for it to integrate well with various installation scripts. So you wouldn't have to use a UI at all, especially if it's bad.
* Apple has no aversion to Ruby, and on the contrary has multiple developers pushing for it. They themselves had MacRuby, a project that allowed one to create Mac OS X (at the time) applications with Ruby.¹
* The reason there’s even an Xcode command line tools package available officially from Apple is because of Homebrew. A third-party made it first by extracting the necessary bits and then Apple officially supported it.²
* There’s a liaison between Homebrew and Apple, who helped during the Intel to Apple Silicon transition.³
Wrong. MacPorts started as official DarwinPorts, supported by Apple. It became independent later. It is a proper ports package manager.
Homebrew would have a good head start, because it can use a better language, ruby. But it blew its chances with many questionable choices, they are just amateurs. But as always, worse is better.
I thought it was clear from my comment that I was suggesting Apple would do it better. Think of how useful something like apt, npm, or pip is, and then realize that MacOS has no in-house equivalent.
I got sick of Homebrew after a while and tried switching to MacPorts, but it feels like an endless uphill battle when so many packages only offer source and Homebrew distributions.
You are not. I've been using MacPorts for 15+ years at this point. Started with fink and then made the switch around the days of Snow Leopard. I'm also a BSD user, so no surprise there. I enjoy being able to compile ports with non-standard variants (e.g., non-free codecs in ffmpeg, removing un-needed interpreters from packages, etc.)
I keep ports around for things like lilypond (which I use for quasi-professional score engraving) and some other packages that homebrew is weird on. The removal of options a few years back still stinks for be
I'm still sour that homebrew gained so many user when it was started by basically FUD-ing Macports and arguing that their ability to reuse the existing toolchain of OSX with the superior choice while Macports pointed out that homebrew design was flawed.
Fast forward to now, Homebrew actually had to make all the changes Macports pointed out as flawed design decisions because, well, they were but enjoy more users and has tainted Macports reputation. It's very much a case of the inferior product winning as far as I'm concerned. I know that most of the original team is not there anymore but I still mostly refuse to use it.
That’s like saying you dislike the current state of the USA because of George Washington.
You’re referring to Max Howell, who started Homebrew but hasn’t been part of it for over a decade. Max has been out of Homebrew for longer than he was ever in it, so everything you associate between the two is wrong.
Can you supply supporting evidence (links etc.) regarding "the author was being extremely upset (...) about not passing a Google interview" and "Homebrew having... weird design decisions"?
They're probably referring to this tweet from Max Howell [0]
> Google: 90% of our engineers use the software you wrote (Homebrew), but you can’t invert a binary tree on a whiteboard so fuck off.
I personally wouldn't hold that against him (or Homebrew). We also don't really know if Google rejected him based on the binary tree, or if it was something else (personality?).
> But ultimately, should Google have hired me? Yes, absolutely yes. I am often a dick, I am often difficult, I often don’t know computer science, but. BUT. I make really good things, maybe they aren't perfect, but people really like them. Surely, surely Google could have used that.
And a sensible response from Jonathan Blow to the "binary tree" nonsense:
> I hate to say it, but counter to most replies you are getting, I see this as an expected outcome. Inverting a binary tree is not some trick interview question. It's a very basic data structure manipulation, and the ideas involved there are applicable to everything. I probably wouldn't hire someone who couldn't solve this, either. It most likely indicates lack of comfort with (or understanding of) recursion, which is kind of serious. This is not to say that the hiring process is good (I have never experienced it) or that they shouldn't have hired you (quite possibly they should have) but maybe instead of getting mad, take this as a cue that you could build up your data-structure-manipulation muscles a bit more and become better for it -- as that stuff applies everywhere.
> Since 2012, Trail of Bits has helped secure some of the world’s most targeted organizations and products. We combine high-end security research with a real world attacker mentality to reduce risk and fortify code.
It's interesting that I don't see any analysis referencing OpenBSD (either as a product or as an alternative to something else they have done research on).
If you're having trouble finding the audit itself (it's linked indirectly), I'm linking a copy here as well[1].
[1]: https://github.com/trailofbits/publications/blob/eb9344f2261...