Homebrew / brew

🍺 The missing package manager for macOS (or Linux)
https://brew.sh
BSD 2-Clause "Simplified" License

Some packages may send user data to China #17183

Closed nursery01 closed 2 weeks ago

nursery01 commented 2 weeks ago

Verification

Provide a detailed description of the proposed feature

Some packages may send user data to China

Today, I saw New Casks in my shell

There is a software called firefox@cn in it. This is the China supply version

brew install firefox@cn
==> Downloading https://formulae.brew.sh/api/formula.jws.json
==> Downloading https://formulae.brew.sh/api/cask.jws.json
==> Downloading https://download-ssl.firefox.com.cn/releases/firefox/116.0/zh-CN/Firefox-latest.dmg

This package may send user data to China. The user data may be censored by the Chinese government

https://en.wikipedia.org/wiki/Censorship_in_China

What is the motivation for the feature?

Protect the privacy of Taiwanese and Singaporeans and other people

How will the feature be relevant to at least 90% of Homebrew users?

If firefox@cn, no?

If other software also has this problem, then English users will also be affected

What alternatives to the feature have been considered?

I don't know

bevanjkay commented 2 weeks ago

If you have privacy concerns regarding the vendor of a particular cask, in this case firefox@cn, then simply don't install the cask.

nursery01 commented 2 weeks ago

Oh, Homebrew is not as good as Apple at security and privacy, which may become a gap

Homebrew installed software with a vulnerability to users before

I mean xz-utils

https://en.wikipedia.org/wiki/XZ_Utils_backdoor

gromgit commented 2 weeks ago

I can't find firefox@cn on the Homebrew cask tap, so I'm guessing it's provisioned by a third-party tap. Third-party taps (formulae or casks) are always "use at your own risk", just like third-party repos for every other package manager.

Homebrew installed software with a vulnerability to users before

So did Red Hat, SUSE, Debian, Ubuntu and likely many other distros, especially the cutting-edge ones. It happened, it got fixed.

MikeMcQuaid commented 2 weeks ago

Also: there's no evidence that the vulnerable version affected macOS but we reverted it to be abundantly cautious.

nursery01 commented 2 weeks ago

I can't find firefox@cn on the Homebrew cask tap, so I'm guessing it's provisioned by a third-party tap. Third-party taps (formulae or casks) are always "use at your own risk", just like third-party repos for every other package manager.

I never modified configuration of Homebrew

So did Red Hat, SUSE, Debian, Ubuntu and likely many other distros, especially the cutting-edge ones. It happened, it got fixed.

That problem occurs in the test versions of Debian, Ubuntu and Red Hat. So most users are safe. I don't know if Homebrew has a test version. I never modified the configuration of Homebrew

Also: there's no evidence that the vulnerable version affected macOS but we reverted it to be abundantly cautious.

Yes, that virus works on x86 CPUs and open SSH ports

gromgit commented 2 weeks ago

I never modified configuration of Homebrew

And yet you have access to firefox@cn, which I can't find at all. Are you using a Chinese Homebrew mirror? What's the output of the following?

brew config
brew info --cask firefox@cn
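The two commands above answer the provenance question for a cask: which tap it comes from and where its download URL actually points. The script below is an added example, not Homebrew's own code, that does the same check over the machine-readable output of `brew info --json=v2 --cask <token>`. It assumes that JSON has the shape `{"casks": [{"token", "tap", "homepage", "url", "version"}]}` and works on a constructed sample instead of calling brew, so it runs offline; the first sample entry mirrors the values quoted in this issue, the second (tap `example/tap`, host `cdn.example-mirror.test`) is invented to show a cask that would be flagged.

```python
"""Provenance check for Homebrew casks (added example, not Homebrew's own code).

Assumes the `brew info --json=v2 --cask <token>` shape
{"casks": [{"token", "tap", "homepage", "url", "version"}]} and runs on a
constructed sample so it works offline.
"""
import json
import subprocess
from urllib.parse import urlparse

# Taps maintained by the Homebrew organisation; anything else is third-party
# and, as the thread says, "use at your own risk".
OFFICIAL_TAPS = {"homebrew/core", "homebrew/cask"}

# Constructed sample: entry 1 mirrors the values quoted in the issue,
# entry 2 is an invented third-party cask whose download host is not its homepage.
SAMPLE_BREW_INFO = json.dumps({
    "casks": [
        {"token": "firefox@cn", "tap": "homebrew/cask", "version": "116.0",
         "homepage": "https://www.firefox.com.cn/",
         "url": "https://download-ssl.firefox.com.cn/releases/firefox/116.0/zh-CN/Firefox-latest.dmg"},
        {"token": "example-app", "tap": "example/tap", "version": "1.0",
         "homepage": "https://example.org/",
         "url": "https://cdn.example-mirror.test/example-app-1.0.dmg"},
    ]
})


def _host(url):
    """Lower-cased hostname of a URL with a leading 'www.' dropped."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def same_site(download_url, homepage):
    """True when the download host equals the homepage host or is a subdomain of it.

    This is a heuristic: a vendor may legitimately use a separate CDN domain,
    so a False result is a prompt to look, not proof of a problem.
    """
    d, h = _host(download_url), _host(homepage)
    return bool(h) and (d == h or d.endswith("." + h))


def check_cask(cask):
    """Summarise where one cask comes from and where its payload is fetched from."""
    return {
        "token": cask["token"],
        "tap": cask["tap"],
        "official_tap": cask["tap"] in OFFICIAL_TAPS,
        "download_host": _host(cask["url"]),
        "homepage_host": _host(cask["homepage"]),
        "download_matches_homepage": same_site(cask["url"], cask["homepage"]),
    }


def check_brew_info(json_text):
    """Run check_cask over every cask in a brew info JSON document."""
    return [check_cask(c) for c in json.loads(json_text)["casks"]]


def brew_info_json(token):
    """Fetch live data; only useful on a machine that has brew installed."""
    return subprocess.run(["brew", "info", "--json=v2", "--cask", token],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Replace SAMPLE_BREW_INFO with brew_info_json("firefox@cn") to check a real cask.
    for r in check_brew_info(SAMPLE_BREW_INFO):
        flags = []
        if not r["official_tap"]:
            flags.append("third-party tap")
        if not r["download_matches_homepage"]:
            flags.append("download host differs from homepage")
        print(f'{r["token"]}: tap={r["tap"]} download={r["download_host"]} '
              + (", ".join(flags) or "no flags"))
```

Run as-is it reports the sample `firefox@cn` entry as coming from an official tap with a download host under the vendor's own domain, and flags the invented second cask on both counts. Swapping the sample for `brew_info_json("firefox@cn")` runs the same check against the live cask definition.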

nursery01 commented 2 weeks ago

And yet you have access to firefox@cn, which I can't find at all. Are you using a Chinese Homebrew mirror? What's the output of the following?

what?

brew config
HOMEBREW_VERSION: 4.2.20
ORIGIN: https://github.com/Homebrew/brew
HEAD: c2ed3327c605c3e738359c9807b8f4cd6fec09eb
Last commit: 2 days ago
Core tap JSON: 30 Apr 02:21 UTC
Core cask tap JSON: 30 Apr 02:21 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_MAKE_JOBS: 8
Homebrew Ruby: 3.1.4 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.1.4/bin/ruby
CPU: octa-core 64-bit arm_blizzard_avalanche
Clang: 15.0.0 build 1500
Git: 2.39.3 => /Applications/Xcode.app/Contents/Developer/usr/bin/git
Curl: 8.4.0 => /usr/bin/curl
macOS: 14.4.1-arm64
CLT: 15.3.0.0.1.1708646388
Xcode: 15.2
Rosetta 2: false
brew info --cask firefox@cn
==> firefox@cn: 116.0 (auto_updates)
https://www.firefox.com.cn/
Not installed
From: https://github.com/Homebrew/homebrew-cask/blob/HEAD/Casks/f/firefox@cn.rb
==> Name
firefox-cn
==> Description
Chinese version of Firefox
==> Artifacts
Firefox.app (App)
==> Analytics
install: 1 (30 days), 1 (90 days), 1 (365 days)

MikeMcQuaid commented 2 weeks ago

https://github.com/Homebrew/homebrew-cask/blob/HEAD/Casks/f/firefox@cn.rb is in an official tap.

Please take up your issues with that software with Firefox itself, not Homebrew.