I've been playing around more with GitHub Actions and found that using them to do deploys, releases and (basic) "cron jobs" are nice but not widely used. Let me know if anything here useful or you disagree with!
This behaviour came about because, before we did that we ended up upgrading just what you wanted and breaking other packages by mistake.
It’s taken a long time but we’re finally at the point where we do (pretty much) only upgrade the minimal software we need to actually avoid breakage rather than the previous “better safe than sorry” conservative approach. We also now tell you by default everything we’ll upgrade before we do it (unless you say “upgrade foo” and all we are gonna do is upgrade foo).
So: we’ve maybe solved this issue and maybe not. The perfect outcomes for everyone here is pretty much impossible given the original design of Homebrew. MacPorts or Nix or Mise are likely a better fit in that case.
brew as-console-user may help here. We don’t support a multiuser setup so there may be some limitations but we try our best to address problems as they come up.
You can now trust individual files inside taps. It was not clear to all users before now that some commands (before —-eval-all, a mess this replaces) would evaluate all packages Ruby code from all taps). This cleans that up and some other security degrading edge cases I won’t bore you with here.
Trust is also user specific now.
It’s not a silver bullet but it does help address some potential attacks and gives us a foundation to improve on over time.
We’ve complained about this to Google many times to no avail. It’s very frustrating. They are literally paid money to let people install malware on your machine. Please direct all annoyance and resentment to them (we share it).
I square them because both of them allow me to do lots of open source work and enjoy it.
Your signing point is not accurate. It doesn’t apply to all packages, only casks in the official tap. With casks the trust model, particularly on things that auto-update and don’t expose versions or checksums on download URLs, heavily relies on Apple’s security guardrails. We pushed against them for a while but Apple’s direction of travel made it clear that it was a waste of our energy and that we were at risk of compromising our users through doing so.
You can still automatically remove quarantine in third-party taps as desired, we’re just making it less easy to do so because we consider it a security feature that should require a deliberate bypass.
I don’t think anyone is obliged to donate to Homebrew but this sort of framing, assuming you use Homebrew, isn’t great. If you find what we do morally distasteful: go use something else. MacPorts, Mise and Nix are all good. This will be better for everyone than using us begrudgingly.
I would say I’ve embraced AI most heavily and I wrote this document so: yes.
I review AI written code on Homebrew the same way I review code from a no avatar GitHub user with no previous contributions.
The experimental and abandoned brew-rs frontend was more “vibe coded” using my knowledge of how to benchmark and test homebrew accurately and with a shitload of manual testing. Maybe that’s why the performance wasn’t as good as expected, who knows.
> We'll lose support from you guys a year before Apple!
Homebrew will still work (increasingly poorly) on macOS Intel for a year after that, it just won’t be “supported” or tested in CI environments (where currently macOS Intel usually slows down the release of lots of software for all other platforms).
That a volunteer run project with no employees is unable to come anywhere near the support levels of the world’s second biggest, trillion dollar company should not be surprise.
We’re also limited that GitHub (part of Microsoft, 4th biggest, also trillion dollar company) will have killed all macOS Intel CI by autumn/fall 2027 too.
We are announcing this well in advance to give people migration paths to MacPorts or other hardware.
There’s nothing stopping you for doing the work to setup “Intelbrew” and support it for the community. When I started work on Homebrew it had no funding or CI or binary packages/bottles at all. I did much of that work myself. It was hard but you could do the same.
Completely reasonable to say “I don’t have time!” but: then you need to accept the decisions of those that do, sorry.