Attacks like this are not helped by the increasingly common "curl | bash" installation instructions (e.g. the new "native" Claude Code install)...
Publish through homebrew like a civilized person, please!
I wish mac users would stop using homebrew and use a real package manager with actual dependency management.
At the very least, replace homebrew with something like devbox which has `devbox global` for globally managing packages, it uses nix under the hood, and it's probably the simplest most direct replacement for homebrew.
That wouldn't really help; it could be more naughty and use pastejacking so you don't even realize what's happening. That might end up catching a lot of people because, as far as I know, by default bash doesn't use bracketed paste, so you think you're copying a real command and it ends up sending your secrets before you know what happened.
Disabling JS + bracketed paste seems to be the only good solution.
Btw, the OP article uses a weird setup; why would they use `bash -c "$(curl $(echo qux | base64))"` instead of just `curl | bash`?
Homebrew also installs through curl | bash, but since recently they also offer a .pkg installer.
It's not really any different than downloading a binary from a website, which we've been doing for 30 years. Ultimately, it all comes down to trusting the source.
What are the security benefits of using homebrew? Isn't it just another layer of redirection before downloading the software?
A civilized person of course would use either MacPorts or a proper native macOS installer package.
A homebrew tap is really a lateral move from a safety perspective and still usually invoked by pasting into the command line.
And donate to Homebrew, like a civilised person
Maybe tools like https://github.com/vet-run/vet could help with these projects that would rather you use their custom install script instead of complying with distro-specific supply chains.
Meanwhile, homebrew install instructions:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/inst...)"
Then it prompts the user for admin privileges. Also, it does not support installing as a local non-admin user.
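The download-then-inspect alternative to the `curl | bash` pattern shown above, as an added example that is not from the thread, from Homebrew, or from any installer: the script is saved to disk, pinned to a SHA-256 published out of band, read by a human, and only then executed. Function names, the placeholder URL and the hash argument are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example: fetch an install script to a file, verify its hash,
# review it, and only then run it. Nothing here is vendor code.
set -eu

# Portable SHA-256: sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeeds only if the file hashes to the expected value.
verify_script() {
  file="$1"; expected="$2"
  actual="$(sha256_of "$file")"
  [ "$actual" = "$expected" ]
}

# Download to a file instead of piping into bash, so the exact bytes
# can be hashed and read before anything executes. HTTPS only.
fetch_script() {
  url="$1"; dest="$2"
  curl -fsSL --proto '=https' --tlsv1.2 "$url" -o "$dest"
}

# Execute only after the hash check passes; refuse on any mismatch.
run_verified() {
  file="$1"; expected="$2"
  if ! verify_script "$file" "$expected"; then
    echo "hash mismatch for $file; refusing to run" >&2
    return 1
  fi
  bash "$file"
}

# Usage (placeholders, not real values):
#   fetch_script https://example.invalid/install.sh /tmp/install.sh
#   less /tmp/install.sh        # read it before anything runs
#   run_verified /tmp/install.sh <sha256 published out of band>
```

The bracketed-paste point raised earlier is a readline setting, `set enable-bracketed-paste on` in ~/.inputrc, which bash 5.1 and later turn on by default.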
As if homebrew is any more secure. The only reason to use homebrew is convenience.
I agree about the proliferation of curl | bash, but homebrew is not the answer.
They cut support for old platforms way too fast and in essence just try to dictate far too much.
I will never use Homebrew again because I'm still sore that they dropped support for a Mac OS version that I was still using and couldn't upgrade because Apple didn't support my hardware anymore.
Any decent project should have a way to install without Homebrew. It's really not necessary.