Homebrew has had a paid security audit and addressed all flagged issues. This blog post has been a long time coming; apologies for the delay.
Here’s an overview of the timescale:
- 11th June 2020: The Mozilla Open Source program (MOSS) reaches out to Homebrew, as we had been nominated for a paid, sponsored security audit by Radically Open Security (ROS)
- 11th June 2020: Homebrew meets with ROS and provides the main areas of focus:
  - macOS sandbox escapes
  - CI/development workflow issues (e.g. ways to exploit our CI infrastructure or deploy changes that haven’t been reviewed)
  - Bad uses/setting/checking of Unix permissions
  - Formulae being able to modify the Homebrew/brew source process
- 18th June 2020: ROS meets with Homebrew to further discuss the audit, scope and process and provide access to ROS systems (e.g. GitLab, RocketChat)
- 23rd September 2020: MOSS and ROS confirm contract
- 14th October 2020: ROS begins security audit
- October 2020 - March 2021: ROS communicates issues to Homebrew which are resolved, e.g. with https://github.com/Homebrew/brew/pull/10970 and https://github.com/Homebrew/brew/pull/10972
- 31st March 2021: ROS provides final security audit report PDF to Homebrew
- 21st April 2021: Homebrew provides a related security incident disclosure based on follow-up work
- 16th August 2022: Homebrew adds final security audit report PDF to this page