Are there any downsides to using Homebrew as a package manager on Linux?

I’m especially concerned about it being somehow broken, unwieldy, insecure or privacy-invasive.

Case in point; at times I have to rely on a Chromium-based browser if a website decides to misbehave on a Firefox-based browser. Out of the available options I gravitate towards Brave as it seems like the least bad out of the bunch.

Unfortunately, their RPM-package leaves a lot to be desired and has multiple times just been awful to deal with. So much so that I have been using another Chromium-based browser instead that’s available directly from my distro’s repos. But…, I would still switch to Brave in an instant if Brave was found in my distro’s repos. A quick search on repology.org reveals that an up-to-date Brave is packaged in the AUR (unsurprisingly), Manjaro and https://docs.brew.sh/Homebrew-on-Linux. I don’t feel like changing distros for the sake of a single program, but adding Homebrew to my arsenal of universal package managers doesn’t sound that bad. But, not all universal package managers are created equal, therefore I was interested to know how Homebrew fares compared to the others and if it handles the packaging of the browser without blemishing the capabilities of the browser’s sandbox.


P.S. I expect people to recommend me Distrobox instead. Don’t worry, I have been a staunch user of Distrobox for quite a while now. I have also run Brave through an Arch-distrobox in the past. But due to some concerns I’ve had, I chose to discontinue this. Btw, its Flatpak package ain’t bad either. But unfortunately it’s not official, so I choose to not make use of it for that reason.

Pantherina,

Distrobox… or simply Flatpak?

alt,

Read the part after P.S 😅.

stella,

Not sure why you would want to.

Linux package managers are state of the art.

alt, (edited )

Not sure why you would want to.

😅, it’s explained in OP.

Linux package managers are state of the art.

I wonder if Nix-users would agree 🤔.

Aux,

Brave is worse than Chrome. Affiliate link auto injection, unauthorised selling of copyrighted data, their own unblockable ad network, etc. Use Firefox.

alt,

Their business-practices sure do leave a lot to desire, which actually does hurt their trustworthiness; arguably their most valuable asset as a privacy-first browser. Hmm…, good food for thought, thank you!

Use Firefox.

I mostly do already 😅, from OP: “at times I have to rely on a Chromium-based browser if a website decides to misbehave on a Firefox-based browser.”

HumanPerson,

You can try ungoogled chromium. That is what I use when librewolf won’t work.

alt,

Thank you for mentioning that! I had dismissed it due to alleged shortcomings of its security features. While the allegations are (still) there, I’ve never heard any rebuttal or anything else of that matter. Would you happen to know anything in this regard?

HumanPerson,

Sorry no. I just use it once a month or so for one website and I think it works with FF now.

alt,

Thanks anyways!

jackpot,

what is a package manager

alt,

I feel a bit lazy at the moment, but Brodie does IMO an excellent job at explaining what a package manager is within the context of Linux. I’d recommend you to watch that instead over here; it’s already set to play at the correct time*.

stella,

Utilities that manage packages on your system.

Graphical ones include Pamac and Synaptic.

The command-line ones are more known: apt (debian), pacman (arch), rpm (fedora), and yum (suse)

zwekihoyy,

check Nix instead.

alt,

Nix is definitely cool and I already have it installed on my system. Unfortunately, even Nix has trouble with keeping Brave up-to-date at all times. It’s still on 1.59.120, while Brave has had three releases since. It took about 3 days after the release of version 1.59.120 for them to release it on their repos. As you can see, it leaves a lot to desire.

Acters, (edited )

It’s a community maintained repo. The possibility of updating it yourself is possible. The master branch is updated to the 1.59.124, which came out a week ago. And was updated around the same time. 1.60.110 was just released 1 day ago. You can update it yourself. After all, it’s supposed to give you a great default state to fall back to, not keep you on the bleeding edge of releases.

Edit: how to do it yourself and contribute to the community. nixos.wiki/wiki/Update_a_package

alt,

The master branch is updated to the 1.59.124

Brain fart on my side, thanks for correcting me so respectfully 😊!

Hmm…, maintaining it myself is an interesting thought. Perhaps I should take a look at that, thanks a lot for your input. Much appreciated!

Atemu,

Minor version bumps should be mostly trivial: Change version and hash, package that into commit+PR (check guidelines on that!) and that’s it most of the time.

The harder part is QA; ensuring it still works as expected. Therefore, even just testing update PRs as they come in would be a great help.
If the code change is trivial and a user of the package said it still works for them, a committer coming along is likely convinced of the PR’s quality and just merges it.

It’s super easy to contribute to Nixpkgs in a meaningful manner :)

kzhe,

Brave homophobic though

It is the best Chromium based browser, in a sense, unfortunately…

alt,

Brave homophobic though

Its CEO; yes.

It is the best Chromium based browser, in a sense, unfortunately…

Agreed.

ErnieBernie10,

Check thorium

coolmojo,

You can also use AppImages. The appman and am scripts are a handy way to download and update apps. Have a look at the following website for details:

portable-linux-apps.github.io

It has up-to-date brave.

alt,

You can also use AppImages.

I’m not necessarily opposed to it, as I do use them if they’re inaccessible to me otherwise and if it’s official and up-to-date. But for security-sensitive apps (like a browser) I would rather not rely on it. Furthermore, it seems it’s unofficial anyways.

portable-linux-apps.github.io

This is a cool resource. Thank you!

Presi300,

…why would you use homebrew on linux?

You already use an arch container that has access to the AUR, which has literally every package, available on linux.

Also, if anything, flatpaks are THE official (universal) packaging format for Linux, it’s the most widely adopted and most well integrated of the universal packaging formats. I’m not saying that homebrew is bad, just why bother with it when you’ve got 100 other packaging formats that are all better…

alt,

You already use an arch container that has access to the AUR, which has literally every package, available on linux.

Call me paranoid if you will.

if anything, flatpaks are THE official (universal) packaging format for Linux

I don’t deny that, I make good use of a ton of flatpaks on my system. I also believe that it’s the best we have. And I would literally switch to Brave as a flatpak if it would satisfy the following:

  • Be official and thus maintained by Brave itself.
  • Not having to forego its own more powerful sandbox due to (hopefully) current restrictions of Flatpak. Yes, you read that correctly; while flatpaks are arguably the safest way to consume most applications, this doesn’t apply to apps that actually have stronger sandboxes which had to be ‘slimmed down’ when packaged as a flatpak. Thus, currently, for maximum protection, one simply can’t rely on flatpaks for their Chromium-based browsers. If you choose to do so and it has worked out for you wonderfully; that’s awesome, I’ve been there and enjoyed the experience as well. But, I can’t justify it for myself any longer.

Presi300,

I rely on flatpaks for all non-firefox browsers and haven’t had any issues with them, I’ve used the brave flatpaks specifically for almost a year now and no issues…

alt,

I think I already addressed that point with

If you choose to do so and it has worked out for you wonderfully; that’s awesome, I’ve been there and enjoyed the experience as well. But, I can’t justify it for myself any longer.

If you meant something else, then please feel free to correct me.

zwekihoyy,

it’s still factual that flatpak’s sandbox is weak by default, especially compared to what chromium provides on its own.

AProfessional,

The web process sandboxing is basically the same inside and outside of flatpak.

alt,

Would you mind elaborating? First time hearing this and a quick search didn’t resolve it.

AProfessional,

github.com/refi64/zypak

It lets Chromium use flatpak sub-sandboxes and is basically identical to its normal sandbox in terms of permissions.

alt,

I am thankful that zypak exists so that Chromium-based browsers and Electron apps don’t have to explicitly flag --no-sandbox to continue functioning. However, it doesn’t undermine the fact that native Chromium’s sandbox is more powerful than Flatpak’s sandbox. As such, if one desires security, then one should gravitate towards the native installed one.

It lets Chromium use flatpak sub-sandboxes

Are you sure that’s the case?

AProfessional,

The sandbox is not weakened meaningfully. It’s in a different namespace, no filesystem, no network, no GPU, seccomp rules still applied.
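
The properties named in the comment above (a different namespace, seccomp rules still applied) can be checked from /proc on a running system. This is an added example, not code from the thread or from zypak; the process names and the sample /proc contents are constructed, and on a live system the two PIDs (browser process and one of its child processes) are passed as arguments.

```python
import os
import re
import sys

# Values of the "Seccomp:" field in /proc/<pid>/status (see proc(5)).
SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}
NS_TYPES = ("user", "pid", "net", "mnt", "ipc")
NS_LINK = re.compile(r"^\w+:\[(\d+)\]$")


def parse_status(text):
    """Turn /proc/<pid>/status text into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def ns_inodes(links):
    """Map {'net': 'net:[4026531840]'} to {'net': 4026531840}."""
    out = {}
    for name, target in links.items():
        match = NS_LINK.match(target)
        if match:
            out[name] = int(match.group(1))
    return out


def read_proc(pid):
    """Read the status text and namespace links of a live process."""
    with open(f"/proc/{pid}/status") as fh:
        status = fh.read()
    links = {}
    for ns in NS_TYPES:
        try:
            links[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            pass  # link not readable without sufficient access to that process
    return status, links


def assess(parent, child):
    """Report the child's seccomp mode, no_new_privs bit, and which
    namespaces it does or does not share with the parent."""
    status = parse_status(child[0])
    p_ns, c_ns = ns_inodes(parent[1]), ns_inodes(child[1])
    common = sorted(set(p_ns) & set(c_ns))
    return {
        "seccomp": SECCOMP_MODES.get(status.get("Seccomp"), "unknown"),
        "no_new_privs": status.get("NoNewPrivs") == "1",
        "isolated": [n for n in common if p_ns[n] != c_ns[n]],
        "shared": [n for n in common if p_ns[n] == c_ns[n]],
    }


# Constructed sample data: a browser process and one sandboxed child.
SAMPLE_PARENT = (
    "Name:\tbrowser\nNoNewPrivs:\t1\nSeccomp:\t2\n",
    {"user": "user:[4026532500]", "pid": "pid:[4026532501]",
     "net": "net:[4026531840]", "mnt": "mnt:[4026532499]",
     "ipc": "ipc:[4026532502]"},
)
SAMPLE_CHILD = (
    "Name:\tbrowser-child\nNoNewPrivs:\t1\nSeccomp:\t2\n",
    {"user": "user:[4026532610]", "pid": "pid:[4026532611]",
     "net": "net:[4026532613]", "mnt": "mnt:[4026532499]",
     "ipc": "ipc:[4026532502]"},
)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <parent-pid> <child-pid>
        print(assess(read_proc(sys.argv[1]), read_proc(sys.argv[2])))
    else:
        print(assess(SAMPLE_PARENT, SAMPLE_CHILD))
```

Running it once against a natively installed browser and once against the Flatpak build gives a like-for-like comparison of these kernel-level properties; it says nothing about the contents of the seccomp filter itself.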

alt, (edited )

Unfortunately, you didn’t -to my knowledge- support nor retract your claim on Chromium using flatpak sub-sandboxes. Therefore, I find it hard to continue taking your words at face value.

I have enjoyed these interactions, so don’t get me wrong; but if I (possibly) catch you on spreading misinformation (even if unintentional), then I find it hard to keep engagement up as there’s no guarantee that anything else coming from you is actually correct.

I would love to be corrected on this though, so please feel free if I have misunderstood you or anything else that would revive this conversation. If not, then I would still like to thank you from the bottom of my heart for this friendly interaction we’ve had. Take care!

AProfessional,

I linked the source but sure, I’ll link it more for you.

The portal code is here: github.com/refi64/zypak/…/flatpak_portal_proxy.h

The actual code that Chromium calls is here: github.com/refi64/zypak/blob/…/spawn_latest.cc#L2…

This calls the org.freedesktop.portal.Flatpak service.

This service is here: github.com/flatpak/flatpak/tree/main/portal

The Spawn method creates a new sandbox completely isolated from the originating sandbox.

alt,

I linked the source but sure, I’ll link it more for you.

I am aware, but the same source seemingly contradicted your point[1] regarding sub-sandboxing.

Wow, thanks a lot for the work you’ve put into this! It might take some time for me to go through this, but I’ll definitely take a look and perhaps I’ll return on this at a later point. Perhaps with this I will finally be able to install my Chromium-based browsers as a flatpak and don’t feel bad about it.

Once again, your engagement has been much appreciated! So please feel free to let me know if I can buy you a coffee or something 😊! Unfortunately, statements like “Thank you so much!” don’t quite capture the sheer magnitude of gratitude I feel towards you right now. For whatever it’s worth; I salute you, good human.


  1. “It lets Chromium use flatpak sub-sandboxes” that you expressed in this comment.

AProfessional,

The comment on there is odd, I’m not even sure what that issue is referring to. Not much exciting happened in that release for new features but there were subsandbox security fixes github.com/flatpak/flatpak/…/1.10.8...1.12.0

alt,

Thanks for taking the time to take a proper look at the link!

Pantherina,

Officially supported doesn’t mean it’s more stable. They can just take binaries, add dependencies, tadaa.

Bubblewrap is not insecure. But I am not an expert

alt,

Officially supported doesn’t mean it’s more stable.

Never implied that anyways. Official merely ensures that the amount of trusted parties can be minimized.

Bubblewrap is not insecure.

Bubblewrap, when properly applied is indeed excellent; perhaps the best utility to sandbox applications on Linux. I’m thankful that flatpaks makes use of bubblewrap, namespaces and seccomp to offer relatively safe/secure apps/binaries, I’m unaware of any other ‘(universal) package manager’ within the Linux-space that offers similar feats in that regard. Unfortunately, Chromium-based browsers just happen to have an even stronger sandbox -if properly configured- than flatpaks are currently capable of.

Pantherina,

Okay true. I am not so much into this Browser sandbox thing and don’t really get it. It’s a different way than bubblewrap, as from Firefox RPM for example I can open any file and save anywhere. But it’s process isolation right?

alt,

as from Firefox RPM for example I can open any file and save anywhere. But it’s process isolation right?

For Firefox, the verdict on its native sandbox vs Flatpak’s native sandbox doesn’t seem conclusive. With -assumingly- knowledgeable peeps on both sides of the argument, which indeed does raise the question how knowledgeable they actually are. Nonetheless, for myself, I’ve accepted Flatpak’s sandbox to not be inferior to Firefox’ native one. Thus, I don’t see any problem with using its flatpak.

Pantherina,

Apart from having all the nice KDE integration and things like Keepass integration, Fido2 keys, drag and drop and some more things…

Also afaik the Fedora Firefox has a good SELinux profile and it runs damn fast. I did a speed test and it was best, along with Mozillas all-together-binary.

alt,

Apart from having all the nice KDE integration

I’m a sucker for GNOME :P , but I’ll keep it in mind.

things like Keepass integration

The flatpak does allow integration, but isn’t built-in unfortunately; so one has to fiddle a bit themselves to set it up.

Fido2 keys

I should rely more on those. Do you have any recommendations? I’ve been hearing good things about Nitropad and Yubico, but I honestly don’t know if they’re actually good and how they would fare amongst each other.

drag and drop

Overrated anyways /s :P .

Also afaik the Fedora Firefox has a good SELinux profile

It’s probably better configured with the native package than the flatpak one indeed. I wonder if this will change as Fedora is interested to ship Firefox as a flatpak by default on Silverblue (and variants).

it runs damn fast. I did a speed test and it was best

I haven’t had the best internet speeds since I’ve been relying on free VPN. But that’s on me :P .

Pantherina,

Fedora packages a Flatpak Firefox themselves, based off the RPM. So it’s good too, but lacks codecs with currently no way to enable them so yeah. They would need an extension of some sort hosted on Flathub. So simply using Firefox Flatpak from Flathub makes more sense.

I got a Nitrokey for Heads but for some reason it never arrived? I can say these things are very expensive. And Heads uses PGP and not others.

alt,

I somehow forgot that Fedora also had Firefox in their flatpak repos.

I got a Nitrokey for Heads

You know what’s good, fam.

but for some reason it never arrived

That’s messed up, though.

agitated_judge,

Last time I checked, homebrew on Linux only included cli apps. GUI apps are only available on mac. So you couldn’t use it to install a browser anyway.

alt,

Unfortunate. Thanks for the heads-up :D !

Krause, (edited )

I tried Homebrew once in a VM and didn’t like it, I felt it was too invasive.

  1. github.com/Homebrew/install/blob/…/install.sh#L17…

Why does it create another user and put files under /home/linuxbrew/? Answer:

The script installs Homebrew to its default, supported, best prefix (/opt/homebrew for Apple Silicon, /usr/local for macOS Intel and /home/linuxbrew/.linuxbrew for Linux) so that you don’t need sudo after Homebrew’s initial installation when you brew install.

Where’s the logic in that? Why not just install to the user’s home directory so that you don’t even need root access in the first place?

  2. github.com/Homebrew/install/blob/…/install.sh#L22…

Why is sudo hard-coded? Answer: it’s to prevent people from using doas and other sudo alternatives.

  3. docs.brew.sh/Installation#untar-anywhere-unsuppor…

Why is installing from the tarball unsupported and so frowned upon? FFS isn’t this just supposed to be a package manager? Why is everything so complicated and opinionated when compared to pip, cargo, Flatpak, etc? Compare this mess to Golang’s install and uninstall process where you literally just need to tar -xzf a file or rm -rf a directory.

alt,

Wow, great comment! Much appreciated!

Where’s the logic in that? Why not just install to the user’s home directory so that you don’t even need root access in the first place?

Excellent remark! Wow, that by itself already wrote it off for me.

Why is sudo hard-coded? Answer: it’s to prevent people from using doas and other sudo alternatives.

Another home-run! Especially as I’ve been a staunch user of doas for quite a while now and wouldn’t like to give up on that. Thank you so much for informing me on this!

Your third point is also interesting to ponder upon, though it wasn’t as impactful to me personally as the previous two were.

I would like to thank you once again for your astoundingly awesome insights on this matter! This comment has definitely contributed the most in me letting go of the thought of using Homebrew entirely (while some others already informed me that GUI-apps (mostly) can’t be installed from Homebrew to function on Linux anyways).

mufasio,

Once x86 macOS became stable around snow leopard I switched from Linux to macOS full time on my mobile machines. For years home brew was a shining light to get a decent tool chain installed to be able to do development. But somewhere around the time they changed to naming macOS releases after places in California, both home brew and macOS started changing in ways that made it harder to maintain a stable development environment. Why and when did it start deciding to upgrade every package I have installed when I try to install a new package? It regularly broke both mine and our developers’ machines and I finally had enough of both. Stay away from home brew if you want your working development environment to continue working 6 months later. It WILL break when you need it most and cost you hours if not days of work to fix. I’ve never run home brew on Linux but it’s honestly not anything I would ever consider even when it worked well.

Atemu,

I can highly recommend using Nix on macOS! We never randomly update your apps (wtf?)

alt,

I would love to consume Brave as a nixpkgs, unfortunately it’s mostly not up to date; which I simply can’t accept.

Atemu,

I haven’t used brave but I can see that we’re on the release before the one yesterday. I’d expect a PR in the coming days.

alt,

This comment of mine begs to differ 😜 . Though, I can see where you’re coming from.

alt,

Thanks for the insights! Do you know if these issues continue to persist?

Why and when did it start deciding to upgrade every package I have installed when I try to install a new package?

Is this perhaps related to how for most non-LTS distros (but especially on something like Arch) one is recommended to update all packages before installing a new package in hopes of preventing issues related to dependency hell? I don’t know if Homebrew’s model of packaging is similar enough to Linux’ to make sensible comparisons between the two, but this was just something that came up to me as a thought.

vhstape,

I’ve been using Homebrew on Linux for several years and never had an issue. As others have said, it will not be able to provide GUI applications (in most cases) as on macOS, but it is a great way to get system and indie software alike

alt,

Thank you for your input, it’s heart-breaking to hear that it’s not able to provide GUI applications (and thus browsers by extension). But I’m glad to hear that it has provided you a decent experience so far!

woelkchen,

If you think that Brave is the best option, look up what a scumbag Brendan Eich is and the shady monetizing practices the company introduced.

alt, (edited )

The bad practices of its CEO don’t inherently write off the software, instead the software’s merits should do the talking. Which Chromium-based browser would you recommend based on its merits?

woelkchen,

The bad practices of its CEO don’t inherently write off the software

Ah yes, the CEO with his little influence on the products from his company…

Which is Brave collecting “donations” and then keeping them, then? Is it a CEO bad practice or a software bad practice?

instead the software’s merits should do the talking.

You’d get a Shawarma from a Hamas-run restaurant, right? Sure, they swear death to all infidels but their cooking is so authentic and great… Who cares that the restaurant funds them!

Which Chromium-based browser would you recommend based on its merits?

Opera, Vivaldi, ungoogled-chromium, and some others don’t pull the same shit.

alt,

You’d get a Shawarma from a Hamas-run restaurant, right?

Honestly, I would seriously consider it if it was the best Shawarma in town. At least to try it once.

Opera, Vivaldi, ungoogled-chromium, and some others don’t pull the same shit.

Honestly, all of these are inferior based on merits. But thanks anyways!

stella,

Fun fact: the scumbag Brendan Eich who made Brave is the same scumbag Brendan Eich who made Javascript!

Yay!

j0rge,

I use homebrew on linux, you're not going to get GUI apps that way though, the linux binaries are almost exclusively cli apps and libraries, etc.

al1r4d,
@al1r4d@social.radhitya.id avatar

@j0rge @alt What motivation do you use to do this?

alt,

I am tagged, but did you address me as well? If so, my reasons can be found in the OP.

al1r4d,

@alt sorry.. I use Pleroma and all users in the thread will be tagged

alt,

Oh lol :P , thanks for answering my curiosity. Isn’t that like annoying to deal with for yourself as well 😅?

al1r4d,

@alt yes, you’re right! hahaha

alt,

you’re not going to get GUI apps that way though

I should have known better :P. Thanks for the input!

sir_reginald, (edited )

I’d advise against using Brave, but that’s a different topic.

Just use the Flatpak. Do not care if it’s official, most packages in traditional package managers are not packaged officially, yet we use them all the time. Check the Flatpak repo instead to see if there’s something wrong.

Maybe check ungoogled chromium too while you’re at it.

alt,

most packages in traditional package managers are not packaged officially, yet we use them all the time.

While there’s definitely truth in this, aren’t we already trusting the repos of traditional package managers by choosing to use the associated distro? So, by e.g. choosing to use Debian, you’ve already (somehow) accepted their packages to be ‘trustworthy’. We already trust the developers of the apps/binaries we use. Therefore, we have two sets of parties we trust by default. I would rather not increase the amount of people I have to trust for software, but I can understand why others might differ on this.

stella,

Yes, the main source of trust is in the repository and its maintainers when choosing a distro.
