Homebrew, de facto standard package manager for macOS, now forces Apple's $99/yr notarization bullshit for all casks.
Shame on you, Homebrew, for effectively killing FOSS apps from casks.
https://brew.sh/2025/11/12/homebrew-5.0.0/Open linkView original on lemmy.funami.tech245
Comments50
dafuq? That's basically the entire point
So yeah, there will be a fork soon that's just compatible with the casks. Luckily that is very easily to do / manage
Et tu brewtus?
Their explanation as to why:
The adjusted solution/workflow: use something other than homebrew
How will these other solutions bypass Apples quarantine?
By doing what homebrew currently does when you pass the
--no-quarantineflag, which is callxattr.Note that I'd probably support removing
--no-quarantineif Apple's notarization service was free.Yes, but you can still compile the code yourself. It's only problematic for binary distribution. This is basically a question of balancing security vs. freedom I suppose.
Difference is compiling an app from source for Android is not really feasible on Android devices, whereas doing so on macOS is literally built into the package managers for macOS and is generally pretty trivial beyond it taking more time.
Also, macOS doesn't prevent you from running the apps entirely.
I mean, theres macports and what else? Is macports even kickin still? No other package managers other than homebrew
Pretty sure it's still around. Nix is an option as well.
May be a sign to install Linux 😏 brew sucks anyways
True but I desperately need
no compatibility,closed source,AppleCare,expensive hardware,limited lifespan,lock in.... What did you call it Linux?It's crazy how bad software compatibility on macos is. I used to assume it was about the same or slightly better than linux in that regard, but my attempts to help my friend play games on macos have almost entirely failed despite the fact that I have tons of experience playing games on linux since it's always been my main os
I'm stuck with it at work. Plus Linux usually sucks on Mac for a long time while drivers get written
MacPorts has always been better.
I'll check It out. I gave up and flashed Mac back on it and gave I to my sister. At least she's off windows now.
Only pc I have that I can do any thing with is a Thinkpad with linux
I feel you. Once I was forced to code on a mac too. It made me insane ☠️
Even with wsl windows was a much bigger pain imo.
Right now the biggest issue is my company end point security
Pre-11 windows was at least less buggier than Mac OS. But I agree: It's a big pain too! Linux just works better for me.
If Brew sucks, why is it the preferred package manager for CLI tools in Bazzite?
I don't use Bazzite. But if you have any pro arguments for Brew, feel free to share them. Change my mind.
I don’t really have an opinion, just an observation that switching back to Linux for me did not take me away from Homebrew
Heh, there goes Librewolf's only sane updating mechanism. IIRC, the devs of that are vehemently against paying Apple the money to sign the code, and they also fail to provide their own updater. It was one of the main drivers behind my switch to Waterfox.
bad librewolf, shame on them for not paying the tax
Snark all you want, a browser that breaks every time it updates because the code isn't signed, not great.
But I thought Mac was just Linux for people who loved to spend money... Seems on brand to me.
*Unix
**BSD
Both
That's why I buy Macs! /hj (Though I do install and use Arch BTW on my M2 MacBook Air)
Only arch users say that.
Why would someone using another OS say that they use arch?
The unsigned (FOSS) Apps aren't removed yet. They will be removed by 2026-09-01. Removing --no-quarantine before that seems counter productive. And quite frankly removing unsigned Apps at all seems like a stupid idea. Homebrew is a third party package mamager, why are they precapitulating to Apple?
Third party taps (or are they fourth party?) will step in. You can run
xattr -d com.apple.quarantinein the .rb file.Relevant links.
I don't think this is homebrews fault? It looks like apps need to be signed to run on apple silicone.
Yes and no. Yes, it has to be signed, but no, it doesn't have to be Apple's signing, it can be ad-hoc signed for the device programmatically. What they're doing is that removing that ability to remove quarantine bits and ad-hoc signing
on installationand forcing everything to be Apple-signed.EDIT: Ad-hoc signing is compile-time. Quarantine bit just has to be removed at install-time.
100% their fault since there's a way to ad-hoc sign and run, and they're removing it and sucking Apple's dick.
EDIT: and there's even an example found in one of this post's comment of a 3rd party cask doing that in preparation of complete flag removal from Homebrew!
https://github.com/Homebrew/brew/issues/20755#issuecomment-3330984446
Whole point of Gatekeeper is Apple policing users’ devices. The security benefit is just a side effect. If anything, users need to be protected from Apple more than small time hackers.
This is a shame. Big tech brain is affecting developers everywhere.
Controversial opinion: best way to learn fire will burn you is to try and see. I personally learned a lot about computers by infecting my machine with a shitton of malware when I was a kid. Modern parents are very adamant on letting kids run free and learn stuff by themselves, why not apply the same logic to computers?
What a shame. It’s probably my favorite tool on the platform.
I never understood what a "cask" in the brew lanuage means. I just do installs and if the brew install instructions involves a cask I just do it. How do I figure out which packages this will have an effect on on my system?
Casks are as a rule GUI applications. So if you want to install Firefox with homebrew would need to install it via a cask.
I think they've started flagging unnotarized apps as (deprecated), so maybe do a
brew infoon each.You can simply run
brew doctorand it will show you all deprecated casks.Cool beans 👏
What does this mean?
Apps have to be signed to be installed.
You can still install and run them but you need to manually him through the startup hoops once
if you use a Mac git gud.
Homebrew could provide their own casks of FOSS applications, compiled on their infrastructure and signed by their key. It's kinda what F-Droid does on phones.
Code signing should be done though.
You can disagree with Apple's approach that maintains them as the only signing authority, but, at a fundamental level, code signing is the only way to distribute an executable and have the user be able to trust who authored it (and thus what's in it).
Of the like 30 things I have installed through brew, 1 is not signed. Do I agree with the change, no. But there are other options out there.