Since Homebrew is community-driven, what will happen if someone submits a malicious formula? Will this get merged into the main repository and end up being installed by everyone else? How can Homebrew prevent this?
How do Homebrew maintainers ensure the authenticity of binaries from each formula?
305 views, asked by quarterest; 1 answer.
These things could conceivably happen. The general consensus out there seems to be that the likelihood is small enough to ignore. IT companies like Google, Amazon, and so on are perfectly OK with employees using it, so it is probably fine if you do too.
Review works
Getting a malicious formula merged is actually not that easy. The fact that you need a GitHub account and that building up a GitHub profile (to give yourself credibility) is hard work (you have to program) can be a first line of defense.
There are actual humans looking at the formula during the Pull Request process. Nothing obvious should pass through; moreover, it is possible that just the fact of people being there and doing the checking dissuades many from even trying to propose something malicious.
Possible attacks
Has any repository hacking actually happened? Hard to say, because the following example could easily be just an honest mistake.
CVE-2008-0166
In 2008, an overactive Debian maintainer introduced a bug to OpenSSL, apparently in an effort to "clean up the code." (https://www.schneier.com/blog/archives/2008/05/random_number_b.html)
Let's now turn to other possible attack mechanisms.
Typo-squatting
Attacker uploads a package that is similarly named to a popular one. People make typos and download the spoofed one.
This was successfully demonstrated for PyPI in N. P. Tschacher's bachelor thesis, see incolumitas.com/2016/06/08/typosquatting-package-managers/.
Any kind of manual review should catch it, so Homebrew is likely safe from it.
Reflections on Trusting Trust
(https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf)
Famous essay by Ken Thompson which walks you through a procedure to insert a Trojan horse into a software stack (both the compiler and the application), so that it is present in both, but not easily detectable in either.
Dependency confusion
(https://www.schneier.com/blog/archives/2021/02/dependency-confusion-another-supply-chain-vulnerability.html)
Pick a company that is running an internal package repository. Publish a public package which has the same name as an internal company package. Then, the package installer may mistakenly prioritize the public name, and therefore employees of the company suddenly start installing your package.
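The typo-squatting check a reviewer could automate for the case described in the answer above, as an added example that is not part of the original answer or of Homebrew's own tooling: it flags a proposed formula name that is within a small edit distance of a popular one. The popular-name list, the distance threshold and the sample names are constructed assumptions; swapping the comparison list for an organisation's internal package names turns the same check into a dependency-confusion name-collision check.

```ruby
# Added example, not Homebrew code. Flags proposed package names that look
# like typos of popular ones (typo-squatting) before a reviewer merges them.

# Optimal-string-alignment distance: Levenshtein plus adjacent transpositions,
# because swapped letters ("wgte" for "wget") are the most common typo and
# plain Levenshtein would count them as two edits.
def edit_distance(a, b)
  a = a.downcase.chars
  b = b.downcase.chars
  d = Array.new(a.size + 1) { |i| Array.new(b.size + 1) { |j| i.zero? ? j : (j.zero? ? i : 0) } }
  (1..a.size).each do |i|
    (1..b.size).each do |j|
      cost = a[i - 1] == b[j - 1] ? 0 : 1
      d[i][j] = [d[i - 1][j] + 1,        # deletion
                 d[i][j - 1] + 1,        # insertion
                 d[i - 1][j - 1] + cost].min # substitution / match
      # adjacent transposition: "te" <-> "et"
      if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
        d[i][j] = [d[i][j], d[i - 2][j - 2] + 1].min
      end
    end
  end
  d[a.size][b.size]
end

# Constructed stand-in for "the popular formulae"; in practice this would be
# the top-N installed formulae from the repository being reviewed.
POPULAR = %w[wget curl openssl python git node ffmpeg imagemagick].freeze

# Returns { popular_name => distance } for every popular name the candidate is
# confusable with (distance 0 is an outright name collision). Empty hash means
# the name is not suspicious under this check.
def typosquat_candidates(name, popular = POPULAR, max_distance: 2)
  popular.each_with_object({}) do |p, hits|
    d = edit_distance(name, p)
    hits[p] = d if d <= max_distance
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[wgte curl libfoo].each do |candidate|
    hits = typosquat_candidates(candidate)
    status = hits.empty? ? "ok" : "REVIEW: confusable with #{hits.inspect}"
    puts "#{candidate}: #{status}"
  end
end
```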