Hacker News: devzer0's comments

Binaries are built on CI infra with logs that are publicly available and with all the source code doing the builds publicly available. Effectively the same process as local, from source builds. The bottle DSL ensures that the SHA binaries are not tampered with between when they were built (and the source code sha checked) and when they are delivered.

I know this is still a different trust model, but, IMO, not too different.

I know reproducible builds are on the radar for Homebrew in the future, and that should ease some of your concerns too.

For a good thread on Homebrew security check out https://twitter.com/c_pellegrino/status/1093195802871246848
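The integrity property the comment above describes (a digest pinned when the bottle is built, then checked when it is delivered) can be modelled in a few lines. The following is an added example written for this page, not code from the commenter or from Homebrew itself; the function names, the constructed payload and the platform key are assumptions, and the real bottle DSL does more than this.

```ruby
require "digest"

# Constructed sample bottle contents. The "good" payload stands in for the
# artifact produced on CI; the digest pinned below is derived from it at
# "build time", mirroring the sha256 a formula's bottle block records.
GOOD_PAYLOAD = "constructed bottle contents v1\n".freeze

# Build-side step: CI computes the digest of the artifact it just built and
# publishes it alongside the formula (hypothetical helper name).
def pin_at_build(payload, platform)
  { platform => Digest::SHA256.hexdigest(payload) }
end

PINNED = pin_at_build(GOOD_PAYLOAD, "arm64_sonoma").freeze

# Constant-time comparison so a tampered digest can't be matched byte by byte
# through timing differences.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Install-side step: the delivered bytes must hash to the pinned value for the
# requesting platform. Returns :ok, :mismatch (tampered or corrupted) or
# :unpinned (no digest recorded for this platform, so nothing to trust).
def verify_bottle(delivered, platform, pinned = PINNED)
  expected = pinned[platform]
  return :unpinned unless expected

  actual = Digest::SHA256.hexdigest(delivered)
  secure_compare(expected, actual) ? :ok : :mismatch
end

if __FILE__ == $PROGRAM_NAME
  puts verify_bottle(GOOD_PAYLOAD, "arm64_sonoma")          # ok
  puts verify_bottle(GOOD_PAYLOAD + "x", "arm64_sonoma")    # mismatch
  puts verify_bottle(GOOD_PAYLOAD, "x86_64_linux")          # unpinned
end
```

The check only says the delivered bytes equal the bytes CI hashed; it says nothing about whether CI built the right source, which is the gap reproducible builds are meant to close.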


Hey! Thanks for the reply. I’ll definitely check that link out. It’s really nice to know more about the process behind delivering binaries.


Yes, I like Homebrew's GNU stow-like capabilities of linking stuff in and out of your environment.

A word of warning, however: Homebrew 2.0 removes your old formula from the Cellar when upgrading. If you want to hold on to those older versions, you must set HOMEBREW_NO_INSTALL_CLEANUP in your environment to disable this.


You can put it under your home folder too. That's the primary use case, I believe: cases where the system is old & crufty and you don't have root.


> I'd trust it more than homebrew anyway.

I'm curious why you feel this way.


Yes, many maintainers/Linuxbrew folk are/were in science/academia. They were tired of logging into HPC system X and needing a certain piece of software. With Linuxbrew/Homebrew on Linux you can just install/build the entire toolchain in user land and get software in your home directory when you don't have root.

