Security Issues using Homebrew or Macports, malicious binary insertion

Ken Cunningham ken.cunningham.webuse at gmail.com
Tue Nov 6 18:03:47 UTC 2018


On 2018-11-06, at 9:54 AM, Ryan Schmidt wrote:
> 
> 
> MacPorts keeps track of what files each port installs and does not permit one port to overwrite another port's files (unless the user requests this by using the -f flag, so the user should refrain from habitually using this flag).
> 


It is also to be noted that homebrew cannot suddenly change itself to deliver this degree of security without a fairly complete rehash of the way it works, and most/many/all of its "advantages" of installing in /usr/local that have served to make it popular would then be totally lost, and most likely many/most/all of its formulae would need to be rewritten to accommodate this change. Many of them at present assume things are found automatically in /usr/local.

homebrew has been popular because it's "easy" -- its files in /usr/local are found without intervention by any compiler or shell. However, that does not come without costs.

MacPorts requires more work to specifically include certain include paths, library paths, and executable paths -- but that comes with some knowledge of what you're actually getting, and the security of knowing that it can't be messed with without your permission.

Tradeoffs.

Ken
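The file-ownership rule Ryan describes (each port's installed files are recorded, and a second port may not overwrite them unless the user passes -f) is easy to model. The block below is an added illustration written for this archive page, not MacPorts' own registry code: it keeps a path-to-owner map, refuses conflicting activations unless forced, and reports files found under the prefix that no port accounts for, which is the check a defender would run to spot a binary that was dropped in outside the package manager. The port names, the /opt/local paths and the registry layout are constructed assumptions.

```python
"""Simplified model of a per-port file registry of the kind the thread
attributes to MacPorts. Constructed example: port names, paths and the
registry shape are assumptions, not MacPorts' real schema."""

from dataclasses import dataclass, field
from typing import Dict, Iterable, List


class FileConflict(Exception):
    """Raised when a port would overwrite a file owned by another port."""


@dataclass
class PortRegistry:
    # Maps an installed path to the name of the port that owns it.
    owner: Dict[str, str] = field(default_factory=dict)

    def activate(self, port: str, files: Iterable[str], force: bool = False) -> List[str]:
        """Record `files` as owned by `port`.

        Raises FileConflict if any path already belongs to a different
        port, unless force=True (the analogue of the -f override in the
        thread). Returns the paths that were taken over, so a caller can
        log exactly what a forced activation changed.
        """
        files = list(files)
        conflicts = [p for p in files if p in self.owner and self.owner[p] != port]
        if conflicts and not force:
            raise FileConflict(
                f"{port} would overwrite files owned by another port: {conflicts}"
            )
        for p in files:
            self.owner[p] = port
        return conflicts

    def deactivate(self, port: str) -> List[str]:
        """Forget every file owned by `port`; returns the removed paths."""
        removed = sorted(p for p, o in self.owner.items() if o == port)
        for p in removed:
            del self.owner[p]
        return removed

    def unowned(self, on_disk: Iterable[str]) -> List[str]:
        """Paths present under the prefix that no port claims.

        Anything listed here was placed there outside the package manager
        and deserves a closer look, since the registry cannot vouch for it.
        """
        return sorted(p for p in on_disk if p not in self.owner)


if __name__ == "__main__":
    reg = PortRegistry()
    reg.activate("curl", ["/opt/local/bin/curl", "/opt/local/lib/libcurl.dylib"])
    reg.activate("wget", ["/opt/local/bin/wget"])
    try:
        reg.activate("curl-fork", ["/opt/local/bin/curl"])
    except FileConflict as exc:
        print("refused:", exc)
    # Constructed directory listing: one file nobody installed via a port.
    listing = ["/opt/local/bin/curl", "/opt/local/bin/wget", "/opt/local/bin/xz"]
    print("unowned files:", reg.unowned(listing))
```

Reinstalling a file under the same port is not a conflict, which matches how an upgrade of one port behaves; only a different owner triggers the refusal.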