Hacker News: broxit

New comment by broxit in "Show HN: Homebrew 6.0.0"

broxit — Thu, 11 Jun 2026 18:26:36 +0000

> Even in that case, my suggestion would be that we just run it in our own CI and block package release.

I agree.

> open source security scanner that runs on all Homebrew packages and requires a cooldown.

I think that is where all this is going in the longterm.

Until then, any upstream shenanigans are more likely to surface in hours 0-48 after a new release than hours 0-4.

New comment by broxit in "Show HN: Homebrew 6.0.0"

broxit — Thu, 11 Jun 2026 18:04:54 +0000

Glad to see that Homebrew is taking security seriously. Still, I want to minimize the number of parties who can quickly get new code onto my machine.

Your doc says "Human review of each release." What does that actually entail?

uv had a release at 10:21am yesterday with 7,060 additions and 2,409 deletions. The new release was available in homebrew at 11:46am. What human review happened there?

I don't know of any other OS package manager that ships code this quickly to users. Arch Linux has not pushed the new release of uv yet, for example.

New comment by broxit in "Show HN: Homebrew 6.0.0"

broxit — Thu, 11 Jun 2026 17:30:13 +0000

Thanks for the update. Is there any chance we can get some kind of cooldown mechanism in Homebrew?

The only people I want to trust to quickly ship new code to my machine are Apple and my browser (which handles more untrusted input than anything else).

For everything else (vscode and its extensions, npm, homebrew, and all the apps that self-update), I prefer to err on the side of waiting a few days.

Some exceptional 0days might warrant a cooldown bypass, but even in its current form users are vulnerable to 0days until they run brew upgrade.