Since Homebrew is community-driven, what will happen if someone submits a malicious formula? Will this get merged into the main repository and end up being installed by everyone else? How can Homebrew prevent this?
How do Homebrew maintainers ensure the authenticity of binaries from each formula?
302 views. Asked by quarterest.
These things could conceivably happen. The general consensus out there seems to be that the likelihood is small enough to ignore. IT companies like Google, Amazon, and so on are perfectly OK with employees using it, so it is probably fine if you do too.
Review works
Getting a malicious formula merged is actually not that easy. The fact that you need a GitHub account, and that building up a GitHub profile (to give yourself credibility) is hard work (you have to program), can be a first line of defense.
There are actual humans looking at the formula during the Pull Request process. Nothing obvious should pass through; moreover, it is possible that just the fact of people being there and doing the checking dissuades many from even trying to propose something malicious.
Possible attacks
Has any repository hacking actually happened? Hard to say, because the following example could easily be just an honest mistake.
CVE-2008-0166
In 2008, an overactive Debian maintainer introduced a bug into OpenSSL, apparently in an effort to "clean up the code." (https://www.schneier.com/blog/archives/2008/05/random_number_b.html)
Let's now turn to other possible attack mechanisms.
Typo-squatting
Attacker uploads a package that is similarly named to a popular one. People make typos and download the spoofed one.
This was successfully demonstrated for PyPI in N. P. Tschacher's bachelor thesis; see incolumitas.com/2016/06/08/typosquatting-package-managers/.
Any kind of manual review should catch it, so Homebrew is likely safe from it.
Reflections on Trusting Trust
(https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf)
Famous essay by Ken Thompson which walks you through a procedure to insert a Trojan horse into a software stack (both the compiler and the application), so that it is present in both, but not easily detectable in either.
Dependency confusion
(https://www.schneier.com/blog/archives/2021/02/dependency-confusion-another-supply-chain-vulnerability.html)
Pick a company that is running an internal package repository. Publish a public package which has the same name as an internal company package. Then, the package installer may mistakenly prioritize the public name, and therefore employees of the company suddenly start installing your package.
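The typo-squatting section above relies on manual review catching a look-alike name. As an added example (not Homebrew's code, nor anything from the thesis cited), here is the kind of automated pre-review check a package repository can run on a newly proposed name: it normalizes the separators and look-alike digits that attackers use, then compares against a list of existing names with an edit distance that also counts transpositions. `KNOWN_NAMES` is a constructed stand-in for a real popularity list, and the distance thresholds are an assumption tuned for this example.

```ruby
# Added example: flag a proposed package name that is suspiciously close to an
# existing one. Not part of Homebrew or of any real repository's tooling.

# Constructed list standing in for "names already in the repository".
KNOWN_NAMES = %w[openssl python numpy requests wget curl jq ripgrep].freeze

# Collapse the substitutions that survive a quick glance during review:
# separator characters, and digits that look like letters (0->o, 1->l).
def normalize(name)
  name.downcase.gsub(/[-_.]/, '').tr('01', 'ol')
end

# Optimal-string-alignment (restricted Damerau-Levenshtein) distance:
# insertions, deletions, substitutions, and adjacent transpositions each cost 1,
# so "reuqests" is one edit from "requests", not two.
def osa_distance(a, b)
  d = Array.new(a.length + 1) do |i|
    Array.new(b.length + 1) { |j| i.zero? ? j : (j.zero? ? i : 0) }
  end
  (1..a.length).each do |i|
    (1..b.length).each do |j|
      cost = a[i - 1] == b[j - 1] ? 0 : 1
      d[i][j] = [d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost].min
      if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
        d[i][j] = [d[i][j], d[i - 2][j - 2] + 1].min # transposition
      end
    end
  end
  d[a.length][b.length]
end

# Assumed policy for this example: very short names must match exactly after
# normalization; medium names tolerate one edit, long names two.
def edit_threshold(len)
  case len
  when 0..4 then 0
  when 5..7 then 1
  else 2
  end
end

# Returns nil when the candidate looks fine, otherwise [colliding_name, reason]
# so a reviewer can see what it resembles and why it was flagged.
def typosquat_of(candidate, known = KNOWN_NAMES)
  return nil if known.include?(candidate) # exact duplicate is a different check

  norm = normalize(candidate)
  known.each do |k|
    kn = normalize(k)
    return [k, :confusable] if norm == kn # differs only in separators/digits
    return [k, :near_miss] if osa_distance(norm, kn) <= edit_threshold(kn.length)
  end
  nil
end

%w[requsts open-ssl pyth0n fd].each do |name|
  puts "#{name}: #{typosquat_of(name).inspect}"
end
```

The `:confusable` result is the one worth blocking outright; a `:near_miss` is better surfaced to the human reviewer than rejected automatically, since genuinely distinct short names collide at distance 1 all the time.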
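The dependency-confusion paragraph above describes the resolver mistake in prose. The following added example (not any real package manager's code) models it directly: a naive installer that merges a private and a public index and takes the highest version picks the attacker's package, while a resolver that treats the private index as the only authority for organisation-owned names does not. Both indexes, the `acme-` naming prefix and the version numbers are constructed for this example.

```ruby
# Added example: dependency confusion in a toy resolver, vulnerable and fixed.
# Not the code of pip, npm, Homebrew or any other real installer.
require 'rubygems' # for Gem::Version, which compares versions semantically

Candidate = Struct.new(:name, :version, :source)

# Constructed private index. "acme-auth" exists only inside the company;
# "requests" is a mirrored copy of a public package.
PRIVATE_INDEX = [
  Candidate.new('acme-auth', Gem::Version.new('1.4.0'),  :private),
  Candidate.new('requests',  Gem::Version.new('2.31.0'), :private)
].freeze

# Constructed public index. The attacker has published packages under the
# internal names with versions guaranteed to win any "highest version" rule.
PUBLIC_INDEX = [
  Candidate.new('acme-auth',    Gem::Version.new('99.0.0'), :public),
  Candidate.new('acme-billing', Gem::Version.new('77.0.0'), :public),
  Candidate.new('requests',     Gem::Version.new('2.31.0'), :public)
].freeze

# Vulnerable: the "extra index" pattern. Both indexes are unioned and the
# highest version wins, regardless of who published it.
def resolve_naive(name)
  (PRIVATE_INDEX + PUBLIC_INDEX).select { |c| c.name == name }.max_by(&:version)
end

# Assumed fix for this example: names under a reserved prefix are resolved ONLY
# from the private index, and a miss there is a hard failure rather than a
# fallback to the public index. Other names prefer the private mirror too.
INTERNAL_PREFIXES = ['acme-'].freeze

def internal_name?(name)
  INTERNAL_PREFIXES.any? { |p| name.start_with?(p) }
end

def resolve_safe(name)
  from_private = PRIVATE_INDEX.select { |c| c.name == name }.max_by(&:version)
  return from_private if internal_name?(name) # nil means "refuse", never fall through
  from_private || PUBLIC_INDEX.select { |c| c.name == name }.max_by(&:version)
end

%w[acme-auth acme-billing requests].each do |name|
  naive = resolve_naive(name)
  safe  = resolve_safe(name)
  puts "#{name}: naive -> #{naive&.source} #{naive&.version}, safe -> #{safe ? "#{safe.source} #{safe.version}" : 'refused'}"
end
```

The `acme-billing` case is the important one: there is no private package of that name at all, so the only thing the safe resolver can do is refuse, which is exactly the behaviour the naive resolver lacks.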