Security of Homebrew Bootstrap Process

As part of our ongoing research into supply chain attacks, we have been looking into the overall security of various OSS projects. Homebrew is one such project – providing Linux packages for MacOS. The current bootstrap process is retrieving the bootstrap shell script directly from GitHub and piping it into bash without verification as follows:

/bin/bash -c "$(curl -fsSL"

We had a discussion with the project maintainers around the security of this approach, and while it is not great security-wise, it is somewhat safer than hosting the script on an intermediate web server (like, since changes will be noticed within a GitHub repo fairly quickly (similar to what happened with PHP).

Details of the discussion can be found here: