undefined | Better HN

0 pointsrdatajef12y ago0 comments

I'm hoping someone could answer this for me. How do you trust the applications that `brew cask` installs?

What is preventing `brew cask install firefox` from installing something malicious? When I download an application manually, I trust the site I'm on by virtue of being there and being savvy enough to know it's a legitimate site. But when you script it, you lose the ability to gauge see for yourself what you're downloading.

I realize I could probably do: `brew cask info firefox`, find the ruby file it points to (https://github.com/caskroom/homebrew-cask/commits/master/Cas...), open that up, verify the link is trustworthy.. but I don't want to do that for every installation. And if it's valid now, what's to prevent it from changing in the future?

How do you guys justify using cask?

0 comments

1 comments · 1 top-level

phinze12y ago

Hey there! This is a valid concern, but I don't think it's all that different from using Homebrew. The community maintains the cask definitions, and all pull requests are reviewed via the project team. There's a checksum verification feature built in, though we're still figuring out how to reconcile that with un-versioned download URLs [1].

At the end of the day, when you use any package management software, you are implicitly trusting the team that maintains said software. Perhaps it would be better for us to do our best to force users to make that trust more explicit? It's an interesting question - any suggestions you have would be more than welcome - feel free to open an issue to discuss! :)

[1] https://github.com/caskroom/homebrew-cask/issues/1021

j / k navigate · click thread line to collapse