homebrew-core VS clients

$ brew info eza ==> eza: stable 0.18.13 (bottled) Modern, maintained replacement for ls https://github.com/eza-community/eza Not installed From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/e/eza.rb License: MIT ==> Dependencies Build: pandoc ✘, pkg-config ✔, rust ✘ Required: libgit2 ✘ ==> Analytics install: 12,792 (30 days), 38,295 (90 days), 68,375 (365 days) install-on-request: 12,790 (30 days), 38,293 (90 days), 68,375 (365 days) build-error: 0 (30 days)

Is disabling the compromised repo the typical GitHub policy? My concern is there are monorepos used by package managers, like brew, that are a collection of thousands of projects [1]. These monorepos seem like a prime target for attack and if GitHub disables one because a malicious commit was merged then you've taken down an entire ecosystem.

[1] https://github.com/Homebrew/homebrew-core

> Correct. Though we do not appear to be affected, this revert was done out of an abundance of caution.

[1] https://github.com/Homebrew/homebrew-core/pull/167512

> right, but now you know even less about your setup when you some roadblock

This is the same with a binary though. And with homebrew, you can't follow patches or flags used or if they change.

- https://github.com/Homebrew/homebrew-core/blob/c964ad7fa53ad...

definitely be careful about using fortune in a corporate environment or public space if you don't know what dat files you are using or you might just get an extremely unwelcome surprise.

I was practicing a presentation and used to use "fortune" all the time. I forget exactly what it output but I remember being absolutely mortified about what could have happened if that had popped up during an internal company tech talk.

Kudos to brew for keeping unsuspecting people safe

https://github.com/Homebrew/homebrew-core/commit/3fb3c4c3e55...

I'm sorry to be asking this as I find it a bit silly, but it's blocking my PR [3], so could a few of you star the project on Github [1] to get my PR to run?

[1] https://github.com/laktak/chkbit-py

[2] https://brew.sh

[3] https://github.com/Homebrew/homebrew-core/pull/160018

I didn't go chasing through all the typescript but I'd presume adding a new PassphraseGenerationStrategy https://github.com/bitwarden/clients/blob/desktop-v2024.3.0/...

Breaking: Open Source software have BUGS!

https://github.com/bitwarden/clients/issues/6560#issuecommen...

Bug fix for this has been merged last week. It is not in 2023.10 though, so you will have to wait for the next release of the web vault.

It's definitely out (https://github.com/bitwarden/clients/releases/tag/browser-v2... just looks like browsers haven't approved it yet.

I'm not sure about any specifics beyond that both are getting support for them (for the keepass ecosystem I'm sure about other mobile clients, but I don't think the feature request to support passkeys has been acknowledged by the keepass2android dev sadly). Here's the keepassxc PR with some details about the implementation, and what should be done in future work on passkey support: https://github.com/keepassxreboot/keepassxc/pull/8825

Bitwarden has a few blogs if you search for bitwarden passkeys, but from skimming one it didn't seem to go into technical details (though I didn't watch the videos). I guess you could look through the PRs: https://github.com/bitwarden/clients/pulls?q=is%3Apr+passkey... but I don't really feel like doing that.

Bitwarden has regular external audits (here is the 2022 audit) and the code (both server side and client side) is open source (here f.e).

/bitwarden_license directory

Now the secret manager is in the `bitwarden_license` directory so it is not a GPL covered product and not open source but covered by BITWARDEN LICENSE AGREEMENT [3]. It does not allow you to use it as OSS.

[1] https://github.com/bitwarden/clients/tree/master/bitwarden_l...