惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

量子位
小众软件
小众软件
S
SegmentFault 最新的问题
人人都是产品经理
人人都是产品经理
博客园 - 【当耐特】
博客园 - 三生石上(FineUI控件)
C
Check Point Blog
S
Schneier on Security
Microsoft Azure Blog
Microsoft Azure Blog
N
Netflix TechBlog - Medium
Engineering at Meta
Engineering at Meta
GbyAI
GbyAI
罗磊的独立博客
有赞技术团队
有赞技术团队
V
V2EX
Y
Y Combinator Blog
博客园 - 叶小钗
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
F
Fortinet All Blogs
W
WeLiveSecurity
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Stack Overflow Blog
Stack Overflow Blog
The Cloudflare Blog
S
Security @ Cisco Blogs
TaoSecurity Blog
TaoSecurity Blog
MyScale Blog
MyScale Blog
Hugging Face - Blog
Hugging Face - Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
www.infosecurity-magazine.com
www.infosecurity-magazine.com
PCI Perspectives
PCI Perspectives
H
Heimdal Security Blog
Schneier on Security
Schneier on Security
Security Latest
Security Latest
AWS News Blog
AWS News Blog
月光博客
月光博客
Security Archives - TechRepublic
Security Archives - TechRepublic
Recent Announcements
Recent Announcements
Google DeepMind News
Google DeepMind News
博客园 - Franky
Cisco Talos Blog
Cisco Talos Blog
T
Threat Research - Cisco Blogs
M
MIT News - Artificial intelligence
T
Troy Hunt's Blog
N
News and Events Feed by Topic
Cloudbric
Cloudbric
Scott Helme
Scott Helme
云风的 BLOG
云风的 BLOG
Attack and Defense Labs
Attack and Defense Labs

Homebrew

6.0.0 5.1.0 5.0.0 4.6.0 4.5.0 Homebrew’s new git signing key Homebrew and Workbrew 4.4.0 2023 Security Audit Homebrew’s Summer 2024 Hackathon 4.3.0 4.2.0 4.1.0 4.0.0 Maintainer Projects 3.6.0 3.5.0 Security Audit 3.4.0 3.3.0 3.2.0 Security Incident Disclosure 3.1.0 3.0.0 2.7.0 2.6.0 Homebrew tap with bottles uploaded to GitHub Releases 2.5.0 2.4.0 2.3.0 2.2.0 Homebrew Maintainer Meeting 2.1.0 2.0.0 1.9.0 1.8.0 1.7.0 1.6.0 1.5.0 1.4.0 1.3.0 1.2.0 1.1.0 1.0.0
Security Incident Disclosure
MikeMcQuaid · 2018-08-05 · via Homebrew

On 31st July 2018 a security researcher identified a GitHub personal access token with recently elevated scopes was leaked from Homebrew’s Jenkins that gave them access to git push on Homebrew/brew and Homebrew/homebrew-core. They reported this to our Hacker One. Within a few hours the credentials had been revoked, replaced and sanitised within Jenkins so they would not be revealed in future. Homebrew/brew and Homebrew/homebrew-core were updated so non-administrators on those repositories cannot push directly to master. Most repositories in the Homebrew organisation (notably not Homebrew/homebrew-core due to their current workflow and maintainer requests) were also updated to require CI checks from a pull request to pass before changes can be pushed to master.

What was impacted

GitHub Support was contacted and they verified the relevant token had not been used to perform any pushes to Homebrew/brew or Homebrew/homebrew-core during the period of elevated scopes. To be explicit: no packages were compromised and no action is required by users due to this incident.

What we’re doing about it

  • We have for several years enabled 2FA and third party application restrictions for the entire Homebrew GitHub organisation. This was also recommended by the security researcher.
  • We enabled branch protection and required reviews on additional repositories as mentioned above.
  • We requested all Homebrew maintainers review and prune their personal access tokens and disable SMS fallback for 2FA.
  • The security researcher also recommended we consider using GPG signing for Homebrew/homebrew-core. The Homebrew project leadership committee took a vote on this and it was rejected non-unanimously due to workflow concerns.

We did, do and will continue to take the security of the project and our users very seriously. We try our best to behave as a for-profit company would do in terms of timely response to security issues but this is heavily limited by our lack of resources. For example, in this the Homebrew maintainer who resolved the above issues was on paternity leave from work and the primary carer for their child and had to reach a quick resolution while their child had a nap.

We need more help to improve Homebrew’s security. Please consider contributing your code and code reviews to our GitHub projects, get in touch to volunteer to be on-call for security and/or system administration emergencies or donate through Patreon.

Thanks for using Homebrew!

Latest Posts

  • 6.0.0 11 Jun 2026

    Today, I’m proud to announce Homebrew 6.0.0. The most significant changes since 5.1.0 are a new tap trust security mechanism, the new faster, smaller, default internal...

  • 5.1.0 10 Mar 2026

    Homebrew 5.1.0 has been released. Homebrew’s most significant changes since 5.0.0 are expanded brew bundle support, brew version-install, new -full formula handling an...

  • 5.0.0 12 Nov 2025

    Today, I’d like to announce Homebrew 5.0.0. The most significant changes since 4.6.0 are download concurrency by default, official support for Linux ARM64/AArch64, tim...

  • 4.6.0 05 Aug 2025

    Today, I’d like to announce Homebrew 4.6.0. The most significant changes since 4.5.0 are opt-in concurrent downloads with HOMEBREW_DOWNLOAD_CONCURRENCY, preliminary ma...

  • 4.5.0 29 Apr 2025

    Today, I’d like to announce Homebrew 4.5.0. The most significant changes since 4.4.0 are major improvements to brew bundle/services, preliminary Linux support for cask...