Publish through homebrew like a civilized person, please!
Any decent project should have a way to install without Homebrew. It's really not necessary.
I'd classify that as an Apple problem rather than a Homebrew problem. If Apple themselves cannot be arsed to support an OS version, why would a volunteer project take on such a challenge?
For every piece of software I've fetched using Homebrew, there's a "compile from source" option available on Github or some other source repo.
I think GP's issue is forcing the use of homebrew for what seems like a rather trivial install. Just make the binary easily downloadable. It's not like you can't open the curled script to see what it fetches and do it yourself. It's just that having to jump through this useless hoop is annoying.
My mac is running the latest version of Tahoe but I never liked homebrew. You can bet I won't install it just for one app.
Sources:
At the very least, replace homebrew with something like devbox which has `devbox global` for globally managing packages, it uses nix under the hood, and it's probably the simplest most direct replacement for homebrew.
[1]: https://saagarjha.com/blog/2019/04/26/thoughts-on-macos-pack...
Alternatively, you could do development in a container and use apt-get there. That's probably safest now that we're using coding agents.
The UNIX in macOS is good enough for my needs, and I manually install anything extra that I might require.
Codex, Claude Desktop, etc etc all starting out as "macOS exclusive" feels so silly when they're targeting programmers. Linux is the only OS a programmer can actually patch and contribute to, and yet somehow we've got a huge number of developers who don't care about having a good package manager, don't care about being able to modify their kernel, don't care about their freedom to access and edit the code of the software they rely on to work...
It's depressing how much of the software industry is just people on macbooks using homebrew to install a newer version of bash and paying $5 for "magnet" to snap windows to the corners since their OS holds them in a prison where they can't simply build themselves a tiling window manager in a weekend.
The OS is core to your tools and workflows, and using macOS cedes your right to understand, edit, and improve your OS and workflows to a company that is actively hostile to open source, and more and more hostile to users (with a significant increase in ads and overly priced paid services over the years).
Anyway, yeah, homebrew sucks. At least nix works on macOS now so there's an okay package manager there, but frankly support for macOS has been a huge drag of resources on the nix ecosystem, and I wish macOS would die off in the programming ecosystem so nix could ditch it.
And I also hate what modern Macos is heading towards. I'm still ignoring/canceling the update on both my devices for the new "glass" interface.
And a thinkpad running Linux is just not doing it for me. I want my power efficient mac hardware.
Truth be told I just want to have my mbp running Linux. But right now it's not yet where it needs to be and I am most certainly not smart enough to help build it :(
The graphics story on Linux also sucks. I recently tried to convert my Windows gaming machine to Linux (because I hate W11 with a burning passion). It does work, but it’s incredibly painful. Wayland, fractional scaling, 120+ Hz, HDR. It’s getting better thanks to all the work Valve etc are putting in, but it’s still a janky messy patchwork.
MacOS just works. It works reliably. Installing things is easy. Playing games is easy. I’m able to customize and configure enough for my needs. I love it and I hope it sticks around because there is no way in hell I would move my work machines over to Linux full time.
They cut support for old platforms way to fast and just in essence try to dictate far too much.
Disabling JS + bracketed paste seems to be the only good solution.
Btw OP article uses a weird setup, why would they use `bash -c "$(curl $(echo qux | base64))"` instead of just "curl | bash"
> It's not really any different than downloading a binary from a website, which we've been doing for 30 years.
The two are very different, even though some ecosystems (such as PHP) have used the "curl | bash" idiom for about the same amount of time. Specifically, binary downloads from reputable sites have separately published hashes (MD5, SHA, etc.) to confirm what is being retrieved along with other mechanisms to certify the source of the binaries.
How does that model work with distros like debian, where they freeze package versions and you might not get claude code until 2027 (or whenever the next release is)?
1. Create your own apt repository with newer software, and install from that. It's easy to package things, you can share the repository with trusted friends, running linux with friends is fun.
2. You can switch to a distro, like NixOS or Arch, which values up-to-date software more than slow stable updates.
Debian does seem to be more aligned with mailservers and such, where updates can be slow and thoughtful, not as much with personal ai development boxes where you want the hot new ai tool of the week available asap.
... Either way, learning to package software correctly for your distro of choice is a good idea, it's fun to bang out a nix expression or debian package when you need to install something that's not available yet.
A truly civilized person would use Linux, OpenBSD, etc, a free operating system where they may contribute fixes for their fellow man without having to beg at the boots of the single richest company on the planet with radar numbers asking for fixes from on high.
All the homebrew packages have checksums and are versioned in git, so if the upstream website is compromised and a malware installer is put in place of the package, `curl | bash` will just install the malware, while `brew` would start erroring out and refuse to install after downloading something with a different checksum.
You also get an audit log in the form of the git repo, and you also ensure everyone's downloading the same file, since `curl | bash` could serve different scripts to different IPs or user-agents.
I don't think brew does proper build sandboxing, so like `./configure.sh` could still download some random thing from the internet that could change, so it's only a bit better.
If you want proper sandboxing and thus even more security, consider nix.
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/inst...)"
Then it prompts user for admin previledges. Also, it does not support installing as a local non-admin user.
You can install it via a .pkg here: [0]
Why does anyone trust that project to understand security?
The GitHub links are one of the nastiest Malware I ever encountered in my life!
I steals your Apple Keychain, all your "Safe" Passkeys, your Google Chrome "Saved Passwords", even your KeePass Database!
Login and security is still not sufficiently solved with attack-proofs for the most important things in life like your Bank, Email, Wallets, Social Logins.
Your "logged-in Sessions" also get stolen! It's unbearable that most cookies expire in months "ON THE SERVER SIDE"! You have no control and can't log the attacker out!
It happened to me, when I was in China and searched for ExpressVPN, because the main website didn't load forever, the GitHub link seemed like an alternative.. damn.. I changed my Google Password 5 times and the attacker was still able to log-in, it was so devastating! I had to change my email passwords multiple times too.
Sessions are what make logins valid and this is the weakest link of all. I wish Sessions used Off-The-Record encryption with One-Time-Pads, such that each acccess requires a new key, that can only be derived with a valid reply that makes safe that the attacker can be logged out safely.
I am unfamiliar with the Apple ecosystem, but is there anything special about this specific app that makes it trustworthy (e.g: reputable dev, made by Apple, etc.)? Looking it up, it seems like an $8 app for a link unshortener app.
In any case, there have been malicious sites that return different results based on the headers (e.g: user agent. If it is downloaded via a user-agent of a web browser, return a benign script, if it is curl, return the malicious script). But I suppose this wouldn't be a problem if you directly inspect and use the unshortened link.
> Terminal isn’t intended to be a place for the innocent to paste obfuscated commands
Tale as old as time. Isn't there an attack that was starting to get popular last year on Windows of a "captcha" asking you to hit Super + R, and pasting a command to "verify" your captcha? But I suppose this type of attack has been going on for a long, long, time. I remember Facebook and some other websites used to have a big warning in the developer console, asking not to paste scripts users found online there, as they are likely scams and will not do what they claim the script would do.
---
Side-Note: Is the layout of the website confusing for anyone else? Without borders on the image, (and the image being the same width of the paragraph text) it seemed like part of the page, and I found myself trying to select text on the image, and briefly wondering why I could not do so. Turning on my Dark Reader extension helped a little bit, since the screenshots were on a white background, but it still felt a bit jarring.
A day later my parents called me very stressed out about a popup on my mother’s iPhone saying she had been hacked. I asked them to take a screenshot, and again it was a website that was styled to look like a modal on top of a iOS Settings app page. With the new ui this was extremely effective, as the page title is just a tiny thing down the bottom in scrolled state.
I don’t know what is going on, but I’d assume the problem is AI moderation.
[0] https://developer.apple.com/library/archive/documentation/Se...
[1] https://learn.microsoft.com/en-us/windows/win32/secauthz/man...
Windows implements ACLs in a far more granular way than macOS and most other Unicies, however (with the exception of Slowaris).
Basic hygiene is very simple: never run as Administrator. Create and use a regular user or poweruser group user. It's similar to a regular linux practice. Use Administrator account when needed only.
I do occasionally use an app to clean somebody’s Mac of an irritating browser search hijack. I’ve never seen anything else.
Why should I change my mind?
I have been to many clubs many times and never suffered violence. I’ve also walked down alleys without concern. I did them in safe places where that wasn’t a material concern.
Windows is Detroit. MacOS is Palo Alto. What’s good practice in one is wasteful or dangerous for the other.
Convincing a Linux user to paste rm -rf / into the terminal is not malware. It's social engineering.
Scanning binaries for known malware is already built into the OS.
Gatekeeper and Xprotect are good, but there's only so much they can do.
Clearly it isn't. XProtect is a joke. It's 2004-era ClamAV level of protection.
In this case, the user is warned that the command wants to do something dangerous and must manually allow or deny the action.
Beyond result quality it's absurd that it took LLMs to get meaningful natural language search. Google could have been working on that for many years, even if in a comparably simple manner, but seemingly never even bothered to try, even though that was always obviously going to be the next big step in search.
My point is, this is not solved by AI answers.
You had to disable permissions or approve some of that.
> Obviously there was a solution, probably an easy one, but I didn’t even look for it
It's hard to take this seriously. It's the most obvious setting possible. Settings > Privacy & Security > Full Disk Access > tick the apps you want to have it.
What's even the complaint here? That Mac has solid app permissions, but you can't be bothered to open the settings?
I also said it was the “final straw”. No worries at all if you’re not familiar with that expression. It means that there were lots of similar slights previously, and that the event I mentioned, while minor, was the one that finally pushed me to make the decision I made.
This sort of patronizing assholery is childish and unbecoming. Your comment would've been better without it.
And then there's also Apple which won't allow functional web apps, lest it affects their app store 30% cut.
If you want to trash your system I believe nothing prevents you from giving Firefox full-disk access.