
    It’s clear that there’s a lot of work that could be done to improve the security of the Homebrew project. If you use Homebrew at your place of work, consider asking them to donate to the project. As an industry, we need to invest in the well-being of core OSS software that we all use and depend on.

    Totally agree. We need internal pressure from employees to get companies who are free-riding on software like Homebrew to step up and contribute to its development. I imagine that an ongoing donation would be well within the expense budget of a lot of managers or department heads - it’s not like you should need the CEO to sign off on it. A security scare seems like a good way to justify this, if one is needed, though really it should already be enough to say “We rely on Homebrew/npm/pip/etc… to set up engineer laptops. If it goes away for lack of funding we will lose x days / weeks replacing it. So we’re donating a few hundred dollars a month to help keep it alive. And look, they gave us a badge.”

    Now I almost wonder if we should set up a wall-of-shame type website for major companies who use tools like Homebrew and don’t contribute funding (though I would be worried both about the inherent negativity of such a site, and also about its accuracy).