Closed nursery01 closed 2 weeks ago
If you have privacy concerns regarding the vendor of a particular cask, in this case firefox@cn
, then simply don't install the cask.
Oh, Homebred is not as good as Apple of security and privacy, which may become a gap
Homebred installed the software with vulnerability to users before
I mean xz-utils
I can't find firefox@cn
on the Homebrew cask tap, so I'm guessing it's provisioned by a third-party tap. Third-party taps (formulae or casks) are always "use at your own risk", just like third-party repos for every other package manager.
Homebred installed the software with vulnerability to users before
So did Red Hat, SUSE, Debian, Ubuntu and likely many other distros, especially the cutting-edge ones. It happened, it got fixed.
Also: there's no evidence that the vulnerable version affected macOS but we reverted it to be abundantly cautious.
I can't find firefox@cn on the Homebrew cask tap, so I'm guessing it's provisioned by a third-party tap. Third-party taps (formulae or casks) are always "use at your own risk", just like third-party repos for every other package manager.
I never modified configuration of Homebrew
So did Red Hat, SUSE, Debian, Ubuntu and likely many other distros, especially the cutting-edge ones. It happened, it got fixed.
That problem occurs in the test version of debian and ubuntu and RedHat. So most users are safe. I don't know if Homebrew has test version. I never modified configuration of Homebrew
Also: there's no evidence that the vulnerable version affected macOS but we reverted it to be abundantly cautious.
Yes, That virus works on X86 CPU and opened ssh port
I never modified configuration of Homebrew
And yet you have access to firefox@cn
, which I can't find at all. Are you using a Chinese Homebrew mirror? What's the output of the following?
brew config
brew info --cask firefox@cn
And yet you have access to firefox@cn, which I can't find at all. Are you using a Chinese Homebrew mirror? What's the output of the following?
what?
brew config
HOMEBREW_VERSION: 4.2.20
ORIGIN: https://github.com/Homebrew/brew
HEAD: c2ed3327c605c3e738359c9807b8f4cd6fec09eb
Last commit: 2 days ago
Core tap JSON: 30 Apr 02:21 UTC
Core cask tap JSON: 30 Apr 02:21 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_MAKE_JOBS: 8
Homebrew Ruby: 3.1.4 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.1.4/bin/ruby
CPU: octa-core 64-bit arm_blizzard_avalanche
Clang: 15.0.0 build 1500
Git: 2.39.3 => /Applications/Xcode.app/Contents/Developer/usr/bin/git
Curl: 8.4.0 => /usr/bin/curl
macOS: 14.4.1-arm64
CLT: 15.3.0.0.1.1708646388
Xcode: 15.2
Rosetta 2: false
brew info --cask firefox@cn
==> firefox@cn: 116.0 (auto_updates)
https://www.firefox.com.cn/
Not installed
From: https://github.com/Homebrew/homebrew-cask/blob/HEAD/Casks/f/firefox@cn.rb
==> Name
firefox-cn
==> Description
Chinese version of Firefox
==> Artifacts
Firefox.app (App)
==> Analytics
install: 1 (30 days), 1 (90 days), 1 (365 days)
https://github.com/Homebrew/homebrew-cask/blob/HEAD/Casks/f/firefox@cn.rb is in an official tap.
Please take up your issues with that software with Firefox itself, not Homebrew.
Verification
brew install wget
. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.Provide a detailed description of the proposed feature
Some packages may send user data to China
Today, i saw
New Casks
in my shellThere is a software called
firefox@cn
in it. This is the China supply versionThis package may send user data to China. The user data may be censorship by the Chinese government
https://en.wikipedia.org/wiki/Censorship_in_China
What is the motivation for the feature?
Protect the privacy of Taiwanese and Singaporeans and other people
How will the feature be relevant to at least 90% of Homebrew users?
If
firefox@cn
, No?If other software also has this problem, then English users will also be affected
What alternatives to the feature have been considered?
I don`t know