Homebrew 6.0.0: Securing Third-Party Formulae with Tap Trust


For years, installing a third-party tap in Homebrew was essentially a leap of faith. You were trusting that the maintainer wasn't hiding a malicious Ruby script in their repository, because once you added that tap, Homebrew would happily execute that code on your machine. It's a massive security blind spot that's always felt a bit reckless, especially for anyone managing a production environment.

The latest update finally fixes this with a new tap trust mechanism. Now, Homebrew won't just blindly evaluate code from an untrusted tap. It flags them first and requires you to explicitly trust the source before anything runs. It's a sensible change, and honestly, it's overdue.

There is plenty of other stuff in this release, like sandboxing on Linux and initial support for macOS 15. But the real story is how Homebrew is finally tightening the screws on how it handles external code. I'm curious if this will actually change how people manage their taps, or if we'll all just keep hitting "yes" without thinking.

The security flaw in third-party taps

Homebrew used to treat third-party taps like trusted internal code. Because taps are essentially Git repositories, adding one meant you were running Ruby code from a stranger on your machine without a sandbox. This is a massive security hole. If a maintainer's account is compromised, a malicious update to a formula can execute arbitrary code the next time you run a brew command.

The new trust model shifts this burden to the user. You now have to explicitly consent to the risks when adding a tap that isn't part of the core library. It's a manual check rather than a blind trust system. This part is genuinely confusing because the "warning" is often just a prompt you've been trained to click through, but the underlying change is that Homebrew no longer assumes every tap is safe by default.

To add a third-party tap today, you'll use the standard tap command, but you'll see the security prompt if the source isn't verified.

brew tap user/repo

The shift toward explicit consent is a start, but it doesn't solve the fundamental problem that Ruby is powerful and dangerous. I'm not convinced a prompt is enough of a deterrent for most users. The real fix would be a restricted execution environment, but that's a much harder engineering problem to solve without breaking the thousands of formulas that rely on system access.

Performance gains in 6.0.0

The most noticeable change in 6.0.0 is how much faster brew leaves is. It's about 30% quicker than the previous version. This isn't a magic fix; it's the result of reducing the amount of redundant metadata the command processes when calculating the dependency tree.

Startup performance is also better across the board. The team implemented specific tweaks to how Homebrew initializes, which removes the "lag" you feel the moment you hit enter. One of the more technical wins is the parallelization of bottle tab fetching during upgrade and related commands. Instead of fetching these tabs one by one, Homebrew now requests them in parallel, which significantly cuts down the waiting time when you have a long list of outdated packages.

If you want to see the difference in your own environment, you can time the execution of the leaves command.

time brew leaves

I'm not sure if a 30% gain in a specific subcommand is a massive win for the average user, but for people managing hundreds of formulae, it's a relief. The overall feel is that the tool is finally catching up to the speed of the hardware it runs on.

Managing trust in your workflow

Homebrew now requires you to explicitly trust a tap before you can install formulas from it. If you try to install a formula from an untrusted source, the CLI stops you and asks for confirmation. This is a sensible move. It's a basic security gate that prevents a random tap from executing scripts on your machine without you knowing exactly where they came from.

To trust a tap, you use the tap command with the --trust flag. This adds the tap to a local trust list, so you don't have to answer the prompt every single time you update or install a package.

brew tap --trust user/repo

The new interaction pattern is a bit jarring at first because it breaks the "install and forget" flow. This part is genuinely confusing because the prompt looks similar to the standard installation confirmation, but it's specifically about the source's integrity. It's an extra step, but it's better than the alternative of blindly trusting every third-party repository you find on GitHub.
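As an added example (not Homebrew's own code, and not from the original post), here is a small POSIX shell helper for triaging the taps on a machine before passing any of them to brew tap --trust. It separates third-party taps from the official ones, and for each checkout reports the Git remote, how many Ruby files Homebrew would evaluate from it, and the formula changes since a commit you last reviewed. It assumes that brew tap with no arguments lists taps one per line and that brew --repository <tap> prints the tap's checkout path (both are existing Homebrew commands); the set of official taps in OFFICIAL, the AUDIT_TAPS_RUN switch and the idea of recording a last-reviewed commit yourself are assumptions made for this example.

```shell
#!/bin/sh
# Added example helper for reviewing taps before trusting them.
# Assumptions (not part of Homebrew): OFFICIAL lists the taps you treat as
# first-party; AUDIT_TAPS_RUN=1 runs the live audit; the "last reviewed"
# commit is something you record yourself after reading a tap's code.

OFFICIAL="homebrew/core homebrew/cask"

# Returns 0 if the tap name is one of the official taps, 1 otherwise.
is_official_tap() {
  for t in $OFFICIAL; do
    [ "$1" = "$t" ] && return 0
  done
  return 1
}

# Reads tap names on stdin (one per line), prints only the third-party ones.
third_party_taps() {
  while IFS= read -r tap; do
    [ -z "$tap" ] && continue
    is_official_tap "$tap" || printf '%s\n' "$tap"
  done
}

# Summarize one tap checkout the way a reviewer would want before trusting it:
# the remote it pulls from, the number of Ruby files (the code brew will
# evaluate), and the Ruby changes since a commit you last reviewed.
# $1 = path to the tap's git checkout, $2 = last reviewed commit (optional).
summarize_tap_checkout() {
  dir=$1
  since=${2:-}
  printf 'remote: %s\n' \
    "$(git -C "$dir" remote get-url origin 2>/dev/null || echo unknown)"
  printf 'ruby files: %s\n' \
    "$(find "$dir" -name '*.rb' ! -path '*/.git/*' | wc -l | tr -d ' ')"
  if [ -n "$since" ]; then
    printf 'ruby changes since %s:\n' "$since"
    git -C "$dir" diff --stat "$since"..HEAD -- '*.rb'
  fi
}

# Live audit: list installed third-party taps and summarize each checkout.
# `brew tap` and `brew --repository <tap>` are existing Homebrew commands.
audit_taps() {
  brew tap | third_party_taps | while IFS= read -r tap; do
    printf '== %s\n' "$tap"
    summarize_tap_checkout "$(brew --repository "$tap")"
  done
}

if [ "${AUDIT_TAPS_RUN:-0}" = 1 ]; then
  audit_taps
fi
```

Run it with AUDIT_TAPS_RUN=1 on a machine with Homebrew installed, read the diff for each third-party tap, and only then trust the tap; the point is that --trust becomes the last step of a review rather than a reflex when the prompt appears.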

The internal changes to how Homebrew handles these taps have also improved speed. The system is faster because it now uses parallelized bottle tab fetching during upgrades. This means brew leaves is about 30% faster than it was in previous versions.

Conclusion

Homebrew 6.0.0 is faster, but that speed doesn't erase the reality that you're still running third-party scripts with high privileges. The performance gains are nice, but they're a distraction from the actual problem: how much do you actually trust the people maintaining your taps?

I'm still not convinced that "trusting" a tap is a sustainable security model for anyone doing serious work. Until there's a better way to audit these dependencies without spending four hours a week in a diff viewer, you're just gambling on the hygiene of a stranger's GitHub repo.