Since homebrew is community-driven, what will happen if someone submits a malicious formula. Will this get merged into the main repository and end up being installed by everyone else? How can homebrew prevent this?
How does homebrew maintainers ensure the authenticity of binaries from each formula?
Asked by quarterest
These things could conceivably happen. The general consensus out there seems to be that the likelihood is small enough to ignore. IT companies like Google, Amazon, and so on are perfectly OK with employees using it, so it is probably fine if you do too.
Review works
Getting a malicious formula merged is actually not that easy. The fact that you need a GitHub account and that building up a GitHub profile (to give yourself credibility) is hard work (you have to program) can be a first line of defense.
There are actual humans looking at the formula during the Pull Request process. Nothing obvious should pass through; moreover, it is possible that just the fact of people being there and doing the checking dissuades many from even trying to propose something malicious.
Possible attacks
Has any repository hacking actually happened? Hard to say, because the following example could easily be just an honest mistake.
CVE-2008-0166
In 2008, an overactive Debian maintainer introduced a bug to OpenSSL, apparently in an effort to "clean up the code." (https://www.schneier.com/blog/archives/2008/05/random_number_b.html)
Let's now turn to other possible attack mechanisms.
Typo-squatting
Attacker uploads a package that is similarly named to a popular one. People make typos and download the spoofed one.
This was successfully demonstrated for PyPI in N. P. Tschacher's bachelor thesis, see incolumitas.com/2016/06/08/typosquatting-package-managers/.
Any kind of manual review should catch it, so Homebrew is likely safe from it.
Reflections on Trusting Trust
(https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf)
Famous essay by Ken Thompson which walks you through a procedure to insert a Trojan horse into a software stack (both the compiler and the application), so that it is present in both, but not easily detectable in either.
Dependency confusion
(https://www.schneier.com/blog/archives/2021/02/dependency-confusion-another-supply-chain-vulnerability.html)
Pick a company that is running an internal package repository. Publish a public package which has the same name as an internal company package. Then, the package installer may mistakenly prioritize the public name, and therefore employees of the company suddenly start installing your package.
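The typo-squatting case in the answer above relies on a human reviewer noticing a look-alike name; the same check can be run mechanically before review. The Ruby script below is an added example, not Homebrew's own code: the list of popular formula names is constructed for illustration and the edit-distance thresholds are assumptions.

```ruby
# Added example (not Homebrew's code): reviewer-side typosquat check.
# Flags a proposed formula name that sits within a small edit distance of a
# known popular formula, so a human looks twice before merging.
# Constructed sample list of popular formula names (illustration only).
POPULAR_FORMULAE = %w[openssl wget curl python git node ruby ffmpeg].freeze

# Damerau-Levenshtein (optimal string alignment) distance: counts insertions,
# deletions, substitutions and adjacent transpositions ("pyhton" -> "python").
def edit_distance(a, b)
  d = Array.new(a.length + 1) do |i|
    Array.new(b.length + 1) { |j| i.zero? ? j : (j.zero? ? i : 0) }
  end
  (1..a.length).each do |i|
    (1..b.length).each do |j|
      cost = a[i - 1] == b[j - 1] ? 0 : 1
      d[i][j] = [d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost].min
      if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
        d[i][j] = [d[i][j], d[i - 2][j - 2] + 1].min # transposition
      end
    end
  end
  d[a.length][b.length]
end

# Returns the popular names the candidate resembles, or [] if it looks clean.
# Assumed thresholds: distance <= 1 for short names, <= 2 once either name
# has 6+ characters. An exact match is a plain name collision, not a squat,
# so it is excluded here.
def typosquat_matches(candidate, known = POPULAR_FORMULAE)
  name = candidate.downcase
  known.reject { |k| k == name }.select do |k|
    max = [k.length, name.length].max >= 6 ? 2 : 1
    edit_distance(name, k) <= max
  end
end

# Human-readable verdict for a PR checklist.
def review_formula_name(candidate)
  hits = typosquat_matches(candidate)
  return "ok: #{candidate}" if hits.empty?
  "needs manual review: #{candidate} resembles #{hits.join(', ')}"
end

if __FILE__ == $PROGRAM_NAME
  %w[openssl openssk wgett libfoo pyhton].each { |n| puts review_formula_name(n) }
end
```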