Homebrew tightens tap security, begins work on its interface
https://www.helpnetsecurity.com/2026/06/18/homebrew-6-0-0-released/
Publish Date: 2026-06-18 00:30:00
Source Domain: www.helpnetsecurity.com
Anyone who installs software through a third-party Homebrew tap runs Ruby code written by people outside the project, and that code runs without a sandbox. That risk sits at the center of Homebrew 6.0.0.
Tap trust
Homebrew now requires a tap, along with any tap-qualified formula or cask, to be trusted before its code is evaluated or run. The official Homebrew taps stay trusted by default. The brew tap command gains options for managing trust and can trust a tap by its remote URL, and brew tap-info reports a trusted field. The brew bundle command honors a trusted option, and brew bundle dump records trusted entries.
Sandboxing and security fixes
A Bubblewrap sandbox arrives on Linux and aligns it with macOS, where build, test, and postinstall phases already run inside a sandbox. The Linux sandbox is enabled by default for developers. Homebrew published three security advisories with this release. One covered a POST download strategy that bypassed HTTPS-to-HTTP redirect protection. Another covered root code execution through Git hooks in the macOS package postinstall step. The third covered a macOS installer that trusted a user-controlled plist in /var/tmp and could assign Homebrew ownership to a local attacker. Each received a fix.
An official interface
BrewUI is an official graphical interface for Homebrew. It remains under development, with general availability still ahead.
“Various people over the years have requested and built various Homebrew GUIs. We looked around to see if there were any that were open source, well maintained and met all the requirements we were looking for and didn’t find any so built one ourselves. It’s probably aimed a little more at newcomers than experienced Homebrew users but it is being designed to be suitable and usable for both,” Mike McQuaid, Homebrew Project Leader, told Help Net Security.
Performance and defaults
The internal JSON API becomes the default. It combines Homebrew’s metadata into a single, smaller…