Homebrew Questions


(Frozen Clock9) #1

Hello, I'm new to programming and Homebrew, so I am very wary of security issues.

I was wondering if Homebrew is safe for a MacBook Pro that has a Password Manager (Dashlane) in it?

Like, will installing Homebrew compromise the security of my Password Manager and MacBook?

I'm sorry if I sound paranoid :stuck_out_tongue:


(Eduard Rozenberg) #2

That is a very broad question with no answer. There are many ways in which machines can and do get compromised, including via malicious websites and downloads which can install keyloggers and screencap software.

If you want absolute security for a password manager, install it on a freshly wiped machine with networking permanently off, and don’t ever sync the data to any outside service. This is a serious suggestion some people actually follow.

Popular software sometimes does get hijacked. For example: https://blog.malwarebytes.com/threat-analysis/2016/09/transmission-hijacked-again-to-spread-malware/

Regarding Homebrew specifically, I’m sure they take all the necessary precautions to prevent their build machines from being compromised, but nothing is ever 100%.

In order of increasing amount of work, here are some things you could do if you choose:

  • Install all Homebrew packages using the --build-from-source flag. Slow. Homebrew is focused on pre-built binary packaged software, so if you run into issues you’ll have work to do and you may not get much help. -> MikeMcQuaid makes a great point below that you’re better off sticking with Homebrew’s default binary package installation (bottles).
  • Review the Homebrew formulas that install/build the packages you plan to install. Compare checksums and download locations with the actual source from the websites it comes from. Do this every time Homebrew updates the version of the package source code.
  • Review the various Homebrew scripts and files that do all the work. Do this every time there is a Homebrew update to any of those files - track and review any changes on the Homebrew site before you do brew update.
  • Review all of the source code and build scripts for each package you install, before you build it from source.

As you can see it’s an impossible task for entities who are not governments or large corporations. It comes down to how much you trust a group of people to be doing the best they can to keep things secure. Your password manager is never going to be 100% secure as long as you’re using the Internet on that machine. A good thing to do is to have a plan for what you would do if it ever gets broken into.
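The second item in the list above (comparing a formula's checksum and download location with upstream, and repeating that when the formula changes) can be scripted. This Ruby sketch is an added example, not part of the original post and not Homebrew's own code; the formula text, host names and archive bytes are constructed, and it assumes the first plain `url "..."` / `sha256 "..."` pair in a formula describes the source archive.

```ruby
require "digest"
require "uri"

# Constructed stand-ins for a downloaded source archive and its formula.
ARCHIVE = "constructed tarball bytes".b
FORMULA_V1 = <<~FORMULA
  class Exampletool < Formula
    homepage "https://exampletool.example/"
    url "https://downloads.exampletool.example/exampletool-1.0.tar.gz"
    sha256 "#{Digest::SHA256.hexdigest(ARCHIVE)}"
  end
FORMULA

# Extract the source url and sha256 from formula text. Bottle checksum
# lines (sha256 followed by keyword arguments) do not match this pattern.
def formula_source(text)
  url = text[/^\s*url\s+"([^"]+)"/, 1]
  sha = text[/^\s*sha256\s+"(\h{64})"/, 1]
  raise ArgumentError, "formula has no url/sha256 pair" unless url && sha
  { url: url, sha256: sha.downcase }
end

# Compare an archive you fetched yourself with what the formula declares.
# upstream_hosts: hosts you have confirmed on the project's own website.
def review(text, archive_bytes, upstream_hosts)
  src = formula_source(text)
  uri = URI(src[:url])
  findings = []
  findings << "download is not HTTPS" unless uri.scheme == "https"
  unless upstream_hosts.include?(uri.host)
    findings << "host #{uri.host} is not a known upstream host"
  end
  actual = Digest::SHA256.hexdigest(archive_bytes)
  findings << "sha256 mismatch: got #{actual}" unless actual == src[:sha256]
  findings
end

# Fields that differ between two revisions of one formula. A changed
# sha256 with an unchanged url means the same file name now has new content.
def source_changes(old_text, new_text)
  before = formula_source(old_text)
  after = formula_source(new_text)
  %i[url sha256].reject { |key| before[key] == after[key] }
end

if __FILE__ == $PROGRAM_NAME
  p review(FORMULA_V1, ARCHIVE, ["downloads.exampletool.example"])
  p source_changes(FORMULA_V1, FORMULA_V1.sub("1.0.tar", "1.1.tar"))
end
```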


(Eduard Rozenberg) #3

For an example of just one of many complex issues involved, see this good discussion of signing files.


(Mike McQuaid) #4

I don’t agree this is more likely to improve your security. Homebrew’s servers are better protected than the average machine and we checksum our binary packages.

Even these folks aren’t doing these things either :laughing:. Good point, though, it’s definitely an infinite time sink.


(Frozen Clock9) #5

Hello, thanks for replying back :smiley: From reading the replies it seems I can summarise some of the points (I'm still a beginner to programming so I don’t understand most of the things said) to:

  • Nothing is ever 100% safe when it comes to keeping any machine safe from malicious attacks but in
    the case of Homebrew it is a very safe software to download stuff like node, java or python

  • To be 100% safe with password managers it is best to wipe the device then install it and place your
    passwords in it.

  • Have a plan when the password manager does fail

Thanks Guys


(Augustotavares4) #6

Hey guys, I’m struggling to install brew tap homebrew/nginx; every time I try to install, it gives me an error.

This is the error: Error: homebrew/nginx was deprecated. This tap is now empty as all its formulae were migrated.

Augusto


(Jacob Ledbetter) #7

That means nginx is now in homebrew/core and no longer needs to be tapped.