Security of Homebrew Bootstrap Process

As part of our ongoing research into supply chain attacks, we have been looking into the overall security of various OSS projects. Homebrew is one such project – providing Linux packages for MacOS. The current bootstrap process is retrieving the bootstrap shell script directly from GitHub and piping it into bash without verification as follows:

/bin/bash -c "$(curl -fsSL"

We had a discussion with the project maintainers around the security of this approach, and while it is not great security-wise, it is somewhat safer than hosting the script on an intermediate web server (like, since changes will be noticed within a GitHub repo fairly quickly (similar to what happened with PHP).

Details of the discussion can be found here:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.