Security and the Homebrew contribution model
Dec 3, 2024
John Britton
If your developers use Macs, Homebrew is almost certainly used throughout your fleet, and acts as a critical component of engineering’s workflow.
Is Homebrew secure? Does it meet requirements for enterprise-grade software, specifically in regulated industries? Does using a package manager weaken your company’s security posture?
Our answer to these questions, at a high level, is that Homebrew holds up well: it is more secure than you might think.
Misconceptions about Homebrew
Let’s first dispel some myths about Homebrew:
Anyone can self-publish a package to Homebrew (not true!)
Changes or updates in Homebrew do not require human review (false!)
As a result of the above: Homebrew is as vulnerable to "supply-chain security attacks" as most language package managers (nope!)
While some package managers do not require human review for all newly-created or updated packages, that’s not the case with Homebrew. There’s rigor in the vetting process, which combines automated checks with review by human maintainers.
The contribution model: built with security in mind
Homebrew has two main repositories, known as “taps,” for package contributions: Homebrew/homebrew-core and Homebrew/homebrew-cask. Each has slightly different processes for testing, security, code review, and maintenance.
Homebrew/homebrew-core
The Homebrew/homebrew-core tap only accepts open source packages, which will build from source on Homebrew’s testing infrastructure. Homebrew then generates a binary package called a bottle, which is what all users in a supported configuration will end up installing on their machines.
To create a package for Homebrew/core, there is a brew create command that will generate a template for a new package definition called a formula, which specifies the source code URL, name and homepage URL for the software. See Homebrew/core’s Acceptable Formulae documentation for requirements to submit a formula.
Check 1: Local tests on the formula
If you’re submitting the formula for inclusion in Homebrew/core, you’ll need to add a test to your formula to verify that Homebrew has built and installed the software correctly. Next, you'll build the formula from source on your local machine, and, as long as that build is ok, open a pull request to the Homebrew/homebrew-core repository on GitHub.
Check 2: Automated audits from Homebrew project
Homebrew’s GitHub Actions will run a series of automatic audits and style checks on the formula. These tests have been developed by the Homebrew maintainers to check not just style, but also that the license is acceptable, and to ensure the software is appropriate for Homebrew/core.
Check 3: Human review from maintainers
Usually within a day, at least one human will review the pull request, and depending on the submission, may request updates to be made. Once the pull request is merged, 50 minutes later any Homebrew user can type brew install <formula> and install that software.
Check 4: Ongoing maintenance
From then onwards, a Homebrew maintainer, contributor, or GitHub Action will generally keep that formula up-to-date by monitoring when there's new versions, and creating pull requests for those. Users who have that software installed can keep their installation up-to-date by running brew upgrade.
If “upstream”, the original author of the software, gets compromised, the Homebrew project will respond accordingly by relying on a combination of Apple security features, CVE reports, and the Homebrew maintainers and security team.
Homebrew/homebrew-cask
The Homebrew/homebrew-cask tap accepts pre-compiled binaries, and it’s most commonly used for installing desktop applications. Casks are not compiled on Homebrew infrastructure. Because of how they are packaged, some casks point at a download URL whose contents the upstream vendor may replace at any time (a "latest" URL, for example); such casks declare version :latest with sha256 :no_check, so their downloads cannot be checksum-pinned the way formula sources and bottles are.
Casks can also be created via brew create, but the code that’s generated for a cask looks a bit different. Instead of Homebrew compiling source code, it's downloading an application or binary off the internet and installing it on your machine.
The process for submitting a cask is different from a formula: casks don’t have a test block, but there are still GitHub Actions tests to ensure the cask behaves properly. Applications installed from casks can also update themselves outside of Homebrew, so the version Homebrew recorded at install time is not necessarily the version running. For the guidelines on submitting a cask, see Homebrew’s Acceptable Casks documentation.
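As an added example, not code from this post or from the Homebrew project: the Ruby script below embeds constructed, hypothetical formula and cask definitions written in Homebrew's DSL (the names, URLs and artifact bytes are made up), shows the test block a Homebrew/core submission needs, and demonstrates the integrity difference described above. A definition carrying a literal sha256 lets the downloaded artifact be verified before it is unpacked, while a cask declaring version :latest and sha256 :no_check has nothing to verify against. The field extraction is a deliberately simple regex pass over the definition text, not Homebrew's own loader.

```ruby
require "digest"

# Constructed stand-ins for the artifacts the definitions below point at.
# Real ones are fetched from upstream; byte strings keep this example offline.
FAKE_TARBALL = "hellotool-1.2.0 source tarball (constructed bytes)".b
FAKE_DMG = "HelloApp-3.4.1.dmg (constructed bytes)".b
TARBALL_SHA256 = Digest::SHA256.hexdigest(FAKE_TARBALL)
DMG_SHA256 = Digest::SHA256.hexdigest(FAKE_DMG)

# Hypothetical formula in Homebrew's Ruby DSL: pinned source URL, checksum, license,
# and the test block a Homebrew/core submission needs. Name and URLs are made up.
FORMULA_SRC = <<~'RUBY'.sub("PINNED_SHA256", TARBALL_SHA256)
  class Hellotool < Formula
    desc "Hypothetical command-line tool"
    homepage "https://example.com/hellotool"
    url "https://example.com/hellotool-1.2.0.tar.gz"
    sha256 "PINNED_SHA256"
    license "MIT"

    def install
      system "make", "install", "PREFIX=#{prefix}"
    end

    test do
      # Exercise the installed binary rather than only checking that it exists.
      assert_match "1.2.0", shell_output("#{bin}/hellotool --version")
    end
  end
RUBY

# Hypothetical cask whose download is pinned to a checksum.
CASK_PINNED_SRC = <<~'RUBY'.sub("PINNED_SHA256", DMG_SHA256)
  cask "hello-app" do
    version "3.4.1"
    sha256 "PINNED_SHA256"
    url "https://example.com/HelloApp-3.4.1.dmg"
    name "Hello App"
    homepage "https://example.com/hello-app"
    app "Hello App.app"
  end
RUBY

# Hypothetical cask whose vendor replaces the file behind a fixed URL at will:
# version :latest with sha256 :no_check, so there is nothing to verify against.
CASK_ROLLING_SRC = <<~'RUBY'
  cask "rolling-app" do
    version :latest
    sha256 :no_check
    url "https://example.com/RollingApp-latest.dmg"
    name "Rolling App"
    homepage "https://example.com/rolling-app"
    app "Rolling App.app"
  end
RUBY

# Pull the integrity-relevant fields out of a definition's text with simple
# line-anchored regexes (not Homebrew's own loader). sha256 comes back as a
# 64-hex-char String when pinned, a Symbol such as :no_check when declared
# symbolically, or nil when absent.
def integrity_metadata(src)
  name = src[/^\s*cask\s+"([^"]+)"/, 1] || src[/^\s*class\s+(\w+)\s*<\s*Formula/, 1]
  ver = src.match(/^\s*version\s+(?:"([^"]+)"|:(\w+))/)
  sha = src.match(/^\s*sha256\s+(?:"([0-9a-f]{64})"|:(\w+))/)
  {
    name: name,
    url: src[/^\s*url\s+"([^"]+)"/, 1],
    version: ver && (ver[1] || ver[2].to_sym),
    sha256: sha && (sha[1] || sha[2].to_sym),
  }
end

# A definition pins its download only when it carries a literal checksum.
def pinned?(meta)
  meta[:sha256].is_a?(String)
end

# Compare a downloaded artifact with the declared checksum before anything is
# unpacked or run. Returns :ok, :mismatch, or :unpinned when there is no
# checksum to compare against (the rolling-cask case described above).
def verify_download(meta, bytes)
  return :unpinned unless pinned?(meta)
  Digest::SHA256.hexdigest(bytes) == meta[:sha256] ? :ok : :mismatch
end

# Fleet-audit helper: names of the definitions whose downloads are not pinned.
def unpinned_definitions(sources)
  sources.map { |s| integrity_metadata(s) }.reject { |m| pinned?(m) }.map { |m| m[:name] }
end

if $PROGRAM_NAME == __FILE__
  formula = integrity_metadata(FORMULA_SRC)
  puts "#{formula[:name]}: #{verify_download(formula, FAKE_TARBALL)}"         # ok
  puts "#{formula[:name]}: #{verify_download(formula, FAKE_TARBALL + 'x'.b)}"  # mismatch
  puts "unpinned: #{unpinned_definitions([FORMULA_SRC, CASK_PINNED_SRC, CASK_ROLLING_SRC]).inspect}"
end
```

Feeding unpinned_definitions the contents of each file in the Casks directory of a local homebrew-cask checkout gives a quick inventory of which casks a fleet installs without a pinned checksum; those are the ones where integrity rests on the vendor's server and Apple's signing checks rather than on Homebrew.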
For end-users: Casks and security
When an end-user installs a graphical application, that application is expected to be code-signed by its developer with an Apple-issued Developer ID certificate and notarized by Apple, whose own review process backs the macOS checks (Quarantine, Gatekeeper) that run when the app is first launched. Homebrew applies the quarantine attribute to cask downloads by default; installing with the --no-quarantine option skips those checks and should be avoided on managed machines.
Homebrew’s Security Team
Among the core maintainers are security experts who advise and protect the project, most recently:
William Woodruff. As Engineering Director for security firm Trail of Bits, William also directs their Open Source Ecosystem Security group.
Patrick Linnane. Patrick, in addition to his role as Senior Director, Information Security Operations at Emburse, holds the CISSP and CCSP certifications.
In addition to remediating incidents, the Security Team has led security audits and ensures Homebrew stays in-line with security best practices.
If you want 100% peace of mind, try Workbrew
Security trust model. The security trust model of Homebrew is optimized for a single Mac admin user with complete control of their machine, which has made it among the most popular developer tools on the internet. By contrast, the security trust model of Workbrew provides separation between the workbrew user who owns and runs Homebrew, and the user (who does not have to be an admin) who can run Homebrew commands on the machine. You can think about it as a sort of two-way suspicion, insulating both parties.
Fleet-wide security configuration. Homebrew operates on a single machine whereas Workbrew controls entire fleets of machines. This allows Workbrew customers to forbid formulae, casks, formula licenses or taps from their fleet or only allow installation from specific taps.
Upgrade and monitor everywhere. When software in Homebrew has been updated to resolve a CVE, every user must run brew upgrade in order for the fleet to be secured. With Workbrew, this can be done with a single command, along with monitoring what software versions are installed.