Homebrew

Over the next few days, Homebrew’s repositories will begin to transition from PGP-based signing to SSH-based signing for @BrewTestBot commits.

Homebrew is pleased to congratulate Workbrew on their 1.0 launch today. Workbrew is a company founded by several Homebrew members and the Project Leader, @MikeMcQuaid, to use Homebrew as the foundation of a secure software delivery platform. Workbrew’s product is out of beta and ready to solve your workplace’s problems with securing Homebrew at scale, so go check it out!

Today, I’d like to announce Homebrew 4.4.0. The most significant changes since 4.3.0 are official macOS Sequoia (15) support, INSTALL_RECEIPT.json files for casks, macOS Monterey (12) deprecation and various other deprecations.

Homebrew had a security audit performed in 2023. This audit was funded by the Open Technology Fund and conducted by Trail of Bits. Trail of Bits’ report contained 25 items, of which 16 were fixed, 3 are in progress, and 6 are acknowledged by Homebrew’s maintainers. Below is the scope of testing, findings by severity, and mitigation and acknowledgements.

The Homebrew Summer 2024 Hackathon brought together maintainers from across the globe to focus on enhancing security and performance aspects of Homebrew. Held July 16 to July 20 and hosted at IndyHall in Philadelphia, the event aimed to address issues identified in last year’s security audit from Trail of Bits, and to optimize the software’s performance. This post will share outcomes from the event, evaluate the effectiveness of the gathering, and serve as a blueprint for other open source projects who are considering in-person events as a way to make focused progress.

Today, I’d like to announce Homebrew 4.3.0. The most significant changes since 4.2.0 are SBOM support, initial bottle attestation verification, new command analytics and uninstall autoremove by default.

Today, I’d like to announce Homebrew 4.2.0. The most significant changes since 4.1.0 are some major performance upgrades (e.g. using Ruby 3.1, upgrading fewer dependencies), .env file configuration and macOS Sonoma support.

Today, I’d like to announce Homebrew 4.1.0. The most significant changes since 4.0.0 are significant improvements to the security/reliability/performance/usability of Homebrew 4.0.0’s new JSON API, the completion of the migration of analytics from Google Analytics in the US to InfluxDB in the EU and groundwork for later macOS Sonoma (14) support.

Today, I’d like to announce Homebrew 4.0.0. The most significant change since 3.6.0 enables significantly faster Homebrew-maintained tap updates by migrating from Git-cloned taps to JSON downloads.

Homebrew’s Project Leadership Committee has green-lit two paid projects by our maintainers this year and since both have hit some milestones recently we’d love to give you, our sponsors and users, an update on their progress.

Today I’d like to announce Homebrew 3.6.0. The most significant changes since 3.5.0 are preliminary macOS Ventura support, the need for --eval-all/HOMEBREW_EVAL_ALL and a migration to Ubuntu 22.04 as our CI platform.

Today I’d like to announce Homebrew 3.5.0. The most significant changes since 3.4.0 are improved brew update behaviour and Homebrew (on macOS) requiring at least OS X El Capitan (10.11).

Homebrew has had a paid security audit and addressed all flagged issues. This blog post has been a long time coming; apologies for the delay.

Today I’d like to announce Homebrew 3.4.0. The most significant changes since 3.3.0 are HOMEBREW_NO_ENV_HINTS to hide configuration suggestions, brew services supported on systemd on Linux, brew install --overwrite and Homebrew beginning the process to leave the SFC.

Today I’d like to announce Homebrew 3.3.0. The most significant changes since 3.2.0 are the migration from Homebrew/linuxbrew-core to Homebrew/homebrew-core for all Homebrew on Linux users, the official support of macOS Monterey (and, as usual, dropping the support for Mojave due to us only supporting 3 macOS versions) and the addition of an opt-in HOMEBREW_INSTALL_FROM_API flag to avoid needing to have Homebrew/homebrew-core or Homebrew/homebrew-cask repositories tapped/cloned locally.

Today I’d like to announce Homebrew 3.2.0. The most significant changes since 3.1.0 are brew install now upgrades outdated formulae by default and basic macOS 12 (Monterey) support.

On 18th April 2021, a security researcher identified a vulnerability in our review-cask-pr GitHub Action used on the homebrew-cask and all homebrew-cask-* taps (non-default repositories) in the Homebrew organization and reported it on our HackerOne.

Today I’d like to announce Homebrew 3.1.0. The most significant change since 3.0.0 is the migration of our bottles (binary packages) to GitHub Packages.

Today I’d like to announce Homebrew 3.0.0. The most significant changes since 2.7.0 are official Apple Silicon support and a new bottle format in formulae.

Today I’d like to announce Homebrew 2.7.0. The most significant changes since 2.6.0 are API deprecations.

Today I’d like to announce Homebrew 2.6.0. The most significant changes since 2.5.0 are macOS Big Sur support on Intel, brew commands replacing all brew cask commands, the beginnings of macOS M1/Apple Silicon/ARM support and API deprecations.

Since the Homebrew 2.5.2 release, you can upload bottles (binary packages) to GitHub Releases, in addition to the previous standard - Bintray. Support was added to Homebrew/brew in this PR on 2020-09-15, and a companion PR to Homebrew/homebrew-test-bot added support for setting the base download URL of bottles to point to a specific release on GitHub.

Today I’d like to announce Homebrew 2.5.0. The most significant changes since 2.4.0 are better brew cask integration, license support and API deprecations.

Today I’d like to announce Homebrew 2.4.0. The most significant changes since 2.3.0 are dropping macOS Mavericks support, the deprecation of devel versions and brew audit speedups.

Today I’d like to announce Homebrew 2.3.0. The most significant changes since 2.2.0 are GitHub Actions CI usage, fetching resources before installation, Docker image improvements and the deprecation of brew install from URLs.

Today I’d like to announce Homebrew 2.2.0. The most significant changes since 2.1.0 are macOS Catalina support, performance increases and better Homebrew on Linux ecosystem integration.

In February 2019 we had our first Homebrew maintainer in-person meeting at and around the FOSDEM 2019 conference in Brussels. Maintainers travelled from as far as India and Canada in order to get face-time with each other and have high-bandwidth conversations.

Today I’d like to announce Homebrew 2.1.0. The most significant changes since 2.0.0 are casks on https://formulae.brew.sh, search on Homebrew sites and better Docker support.

Today I’d like to announce Homebrew 2.0.0. The most significant changes since 1.9.0 are official support for Linux and Windows 10 (with Windows Subsystem for Linux), brew cleanup running automatically, no more options in Homebrew/homebrew-core, and removal of support for OS X Mountain Lion (10.8) and older.

Today I’d like to announce Homebrew 1.9.0. The most significant changes since 1.8.0 are Linux support, (optional) automatic brew cleanup and providing bottles (binary packages) to more Homebrew users.

Today I’d like to announce Homebrew 1.8.0. The most significant changes since 1.7.0 are official Mojave support, linkage auto-repair on brew upgrade, brew info displaying analytics data and quarantining Cask’s downloads.

On 31st July 2018 a security researcher identified a GitHub personal access token with recently elevated scopes was leaked from Homebrew’s Jenkins that gave them access to git push on Homebrew/brew and Homebrew/homebrew-core. They reported this to our Hacker One. Within a few hours the credentials had been revoked, replaced and sanitised within Jenkins so they would not be revealed in future. Homebrew/brew and Homebrew/homebrew-core were updated so non-administrators on those repositories cannot push directly to master. Most repositories in the Homebrew organisation (notably not Homebrew/homebrew-core due to their current workflow and maintainer requests) were also updated to require CI checks from a pull request to pass before changes can be pushed to master.

Today I’d like to announce Homebrew 1.7.0. The most significant changes since 1.7.0 are fixes for macOS 10.14 Mojave’s developer beta, Homebrew Formulae’s JSON analytics and formulae APIs and various formula API deprecations.

Today I’d like to announce Homebrew 1.6.0. The most significant changes since 1.5.0 are brew install python installing Python 3, the deprecation of Homebrew/homebrew-php and various formula API deprecations.

Today I’d like to announce Homebrew 1.5.0. The most significant changes since 1.4.0 are deprecations of formula APIs and some Homebrew organisation formula taps.

Today I’d like to announce Homebrew 1.4.0. The most significant change since 1.3.0 is that Homebrew filters environment variables.

Today I’d like to announce Homebrew 1.3.0. The most significant change since 1.2.0 is that brew install python no longer installs a python binary without manual PATH additions and instead installs a python2 binary. This avoids overriding the system python binary by default when installing Python as a dependency. It also paves the way to eventually have python be Python 3.x.

Today I’d like to announce Homebrew 1.2.0. The most significant change since 1.1.0 is that most Homebrew taps (package repositories) in the Homebrew GitHub organisation have been deprecated and the currently buildable software moved into Homebrew/homebrew-core. This will improve the quality and availability of all their software.

Today I’d like to announce Homebrew 1.1.0. We’ve had a great response to Homebrew 1.0.0 and been iterating on our work there. That 1.1.0 follows 1.0.9 is a happy coincidence due to breaking changes; in the future we may have a e.g. 1.1.10.

Today I’m proud to announce Homebrew 1.0.0. In the seven years since Homebrew was created by @mxcl our community has grown to almost 6000 unique contributors, a wide-reaching third-party “tap” ecosystem and thousands of packages.