
Posted by mikemcquaid 6 hours ago

Show HN: Homebrew 6.0.0 (brew.sh)
Today, I’m proud to announce Homebrew 6.0.0. The most significant changes since 5.1.0 are a new tap trust security mechanism, the new faster, smaller, default internal Homebrew JSON API, sandboxing on Linux, better defaults informed by our user survey, many brew bundle improvements, improved performance and initial support for macOS 27 (Golden Gate).

Happy to discuss any questions here!

284 points | 66 comments
paulddraper 1 hour ago|
I tried hosting a homebrew tap, after hosting apt and yum repositories.

That was when I realized Homebrew is much, much harder.

Your server needs to implement the git protocol. You can't just stick it on some server with a CDN in front of it, you need to run and fortify a git server.

Strange choices IMHO.

threecheese 1 hour ago||
I assume this trust issue is related to the not-infrequent macOS notifications asking for permission to run Ruby in the background or when the machine starts. It says nothing about Homebrew though.
tom1337 1 hour ago|
macOS Permission Management regarding shell scripts is so bad. For example they show you a list of software that's allowed to access the full disk - but I have like 8 "sh" or "bash" in there and some random scripts with no way to open the enclosing directory in Finder, making it basically impossible to see what it is and if it's legit…
7839284023 3 hours ago||
Awesome! Thank you for the update.

I noticed that homebrew updated _all_ my casks when running 'brew upgrade' (even those with "auto_updates: true" in their Cask JSON API).

Is this intended, new default behavior? This did not use to happen...

perryprog 2 hours ago||
You need to set HOMEBREW_NO_UPGRADE_AUTO_UPDATES_CASKS to 1, as alluded to by a hint when it (first?) occurs. This means if you have hints off (via HOMEBREW_NO_ENV_HINTS) then I suspect you can start getting this behavior without warning which is a bummer.

See also: https://docs.brew.sh/FAQ#why-arent-some-apps-included-during...

hk__2 1 hour ago|||
> This means if you have hints off (via HOMEBREW_NO_ENV_HINTS) then I suspect you can start getting this behavior without warning which is a bummer.

I read this as "This means if you close your eyes you don’t see things, which is a bummer."

reaperducer 2 hours ago|||
> This means if you have hints off (via HOMEBREW_NO_ENV_HINTS) then I suspect you can start getting this behavior without warning which is a bummer.

When you instruct the system not to tell you things, the system not telling you those things is a bummer?

If I could get more of the tech I interact with to stop doing things I didn't ask it to, it would reduce a lot of stress and wasted time.

perryprog 1 hour ago||
Ah, I suppose I did word that poorly—I more mean that a significant breaking change (Casks that previously were documented as being excluded from auto-updating suddenly being auto-updated) which can occur silently is a rough end-user experience, even if the user explicitly opted into hiding hints.
mikemcquaid 2 hours ago|||
Yes this is intended. We skip those that seem to have already auto-updated underneath. Our code for this is not yet rock solid so please file issues for those you notice are not doing the right thing here.
pdntspa 17 minutes ago||
This sort of overly eager upgrading has caused me a lot of problems over the years. I really wish it didn't default to updating the entire world just because you want to update one package.
ansonhoyt 2 hours ago||
Is there a way to `brew trust` inside my Brewfile? That'd be nice for the handful of formulas I install from github repos via `brew bundle --global`.
usrme 2 hours ago||
This is described here (https://docs.brew.sh/Tap-Trust) if you scroll down a bit.
dpassen1 2 hours ago||
`brew tap/recipe, trusted: true`
pknerd 1 hour ago||
Thanks for producing such an amazing piece of software. Most of my Mac installations are based on Homebrew, but I have to rely on version management tools like Pyenv or nvm for Python and Node. Wish there was some standard 'Homebrew' way to install multiple versions of node, php and Python
PufPufPuf 1 hour ago||
Have a look at https://mise.jdx.dev/, it's exactly what you're looking for!
mikemcquaid 1 hour ago||
There's a selection of ways that may or may not work for you:

- `formula@version` packages

- `brew version-install` (which uses `brew extract` and `brew tap-new` under the hood)

- `version_file:` support in `brew bundle`

- `brew pyenv-sync`

0xbadcafebee 2 hours ago||
Personally I stopped using Homebrew after I got screwed too many times on mandatory upgrades that I couldn't pin. I use a combination of Mise and MacPorts now so I don't get any more surprise breakage and forced obsolescence. Plus Mise allows me to upgrade to any new version, whereas with Homebrew you have to wait for whenever the tap feels like upgrading (llama.cpp tap skips every 10 releases)
mikemcquaid 1 hour ago||
Glad you've found a workflow that works for you, genuinely.

For others still using Homebrew: a lot of work has gone into upgrading only when we absolutely have to and showing these upgrades to the user before we do them, including in this release.

pjm331 20 minutes ago||
and i `brew update && brew upgrade --greedy` every morning with my first cup of coffee because i like to live on the edge like that

thanks for all your work!

ryandrake 1 hour ago|||
I've moved over to MacPorts due to Homebrew's aggressive support phase-out schedule[1]. My daily driver iMac is now in the Tier-3 "go away" bucket. Absolutely loved Homebrew for the short period of time I could use it, but I'm not going to get on the hardware update treadmill just to keep using it.

1: https://docs.brew.sh/Support-Tiers

frollogaston 1 hour ago|||
I switched to MacPorts because of permission issues with brew, used it for years, then switched back after MacPorts inexplicably started wanting to install like 9000 packages just to install something small-ish like wget. Which is probably just as likely to happen with any other package manager but whatever.
PufPufPuf 1 hour ago|||
I'm in the "switched most to Mise" stage, might look into MacPorts for the remaining stuff, thanks for the tip!
bigyabai 1 hour ago||
Nix is also worth checking out, even if the Darwin packaging is a bit flaky. I really appreciate having cross-platform devshells when I have to alternate between Mac and Linux on a regular basis.
PufPufPuf 1 hour ago||
Mise is also cross-platform, we actually use it at work for projects we develop locally on macOS, then build in CI on Linux -- it even supports multiplatform lockfiles. I had a few tries with Nix but it's a lot to wrap your head around, Mise is simple to "just try".
swingboy 1 hour ago||
Interesting that the `brew-rs` experiment has concluded and didn't find much of a performance increase. I suppose that is expected though with a lot of the bottleneck being network IO?
joshuat 2 hours ago||
Is the eventual goal to move most formula/cask behavior into declarative install steps and treat Ruby as an escape hatch?
mikemcquaid 2 hours ago|
Yes, exactly. The goal is you can install all official packages without needing custom postinstall/preflight/postflight blocks.
let_rec 1 hour ago||
Does Homebrew have good support for exact (and older) versions of packages now?
PufPufPuf 1 hour ago||
Nope, still rolling. Have a look at https://mise.jdx.dev/ if you need exact versions
c-hendricks 1 hour ago|||
I don't think that's a part of its goals at all.
mikemcquaid 1 hour ago||
`brew version-install` may do what you want here.
ch-bas 1 hour ago|
Thanks for the hard work.