Some packages may send user data to China about brew HOT 8 CLOSED

If you have privacy concerns regarding the vendor of a particular cask, in this case firefox@cn, then simply don't install the cask.

from brew.

Oh, Homebred is not as good as Apple of security and privacy, which may become a gap

Homebred installed the software with vulnerability to users before

I mean xz-utils

https://en.wikipedia.org/wiki/XZ_Utils_backdoor

from brew.

I can't find firefox@cn on the Homebrew cask tap, so I'm guessing it's provisioned by a third-party tap. Third-party taps (formulae or casks) are always "use at your own risk", just like third-party repos for every other package manager.

Homebred installed the software with vulnerability to users before

So did Red Hat, SUSE, Debian, Ubuntu and likely many other distros, especially the cutting-edge ones. It happened, it got fixed.

from brew.

Also: there's no evidence that the vulnerable version affected macOS but we reverted it to be abundantly cautious.

from brew.

I can't find firefox@cn on the Homebrew cask tap, so I'm guessing it's provisioned by a third-party tap. Third-party taps (formulae or casks) are always "use at your own risk", just like third-party repos for every other package manager.

I never modified configuration of Homebrew

So did Red Hat, SUSE, Debian, Ubuntu and likely many other distros, especially the cutting-edge ones. It happened, it got fixed.

That problem occurs in the test version of debian and ubuntu and RedHat. So most users are safe. I don't know if Homebrew has test version. I never modified configuration of Homebrew

Also: there's no evidence that the vulnerable version affected macOS but we reverted it to be abundantly cautious.

Yes, That virus works on X86 CPU and opened ssh port

from brew.

I never modified configuration of Homebrew

And yet you have access to firefox@cn, which I can't find at all. Are you using a Chinese Homebrew mirror? What's the output of the following?

brew config
brew info --cask firefox@cn

from brew.

And yet you have access to firefox@cn, which I can't find at all. Are you using a Chinese Homebrew mirror? What's the output of the following?

what?

brew config         
HOMEBREW_VERSION: 4.2.20
ORIGIN: https://github.com/Homebrew/brew
HEAD: c2ed3327c605c3e738359c9807b8f4cd6fec09eb
Last commit: 2 days ago
Core tap JSON: 30 Apr 02:21 UTC
Core cask tap JSON: 30 Apr 02:21 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_MAKE_JOBS: 8
Homebrew Ruby: 3.1.4 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.1.4/bin/ruby
CPU: octa-core 64-bit arm_blizzard_avalanche
Clang: 15.0.0 build 1500
Git: 2.39.3 => /Applications/Xcode.app/Contents/Developer/usr/bin/git
Curl: 8.4.0 => /usr/bin/curl
macOS: 14.4.1-arm64
CLT: 15.3.0.0.1.1708646388
Xcode: 15.2
Rosetta 2: false

brew info --cask firefox@cn
==> firefox@cn: 116.0 (auto_updates)
https://www.firefox.com.cn/
Not installed
From: https://github.com/Homebrew/homebrew-cask/blob/HEAD/Casks/f/[email protected]
==> Name
firefox-cn
==> Description
Chinese version of Firefox
==> Artifacts
Firefox.app (App)
==> Analytics
install: 1 (30 days), 1 (90 days), 1 (365 days)

from brew.

https://github.com/Homebrew/homebrew-cask/blob/HEAD/Casks/f/[email protected] is in an official tap.

Please take up your issues with that software with Firefox itself, not Homebrew.

from brew.