homebrew-core VS libarchive

$ brew info eza ==> eza: stable 0.18.13 (bottled) Modern, maintained replacement for ls https://github.com/eza-community/eza Not installed From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/e/eza.rb License: MIT ==> Dependencies Build: pandoc ✘, pkg-config ✔, rust ✘ Required: libgit2 ✘ ==> Analytics install: 12,792 (30 days), 38,295 (90 days), 68,375 (365 days) install-on-request: 12,790 (30 days), 38,293 (90 days), 68,375 (365 days) build-error: 0 (30 days)

Is disabling the compromised repo the typical GitHub policy? My concern is there are monorepos used by package managers, like brew, that are a collection of thousands of projects [1]. These monorepos seem like a prime target for attack and if GitHub disables one because a malicious commit was merged then you've taken down an entire ecosystem.

[1] https://github.com/Homebrew/homebrew-core

> Correct. Though we do not appear to be affected, this revert was done out of an abundance of caution.

[1] https://github.com/Homebrew/homebrew-core/pull/167512

> right, but now you know even less about your setup when you some roadblock

This is the same with a binary though. And with homebrew, you can't follow patches or flags used or if they change.

- https://github.com/Homebrew/homebrew-core/blob/c964ad7fa53ad...

definitely be careful about using fortune in a corporate environment or public space if you don't know what dat files you are using or you might just get an extremely unwelcome surprise.

I was practicing a presentation and used to use "fortune" all the time. I forget exactly what it output but I remember being absolutely mortified about what could have happened if that had popped up during an internal company tech talk.

Kudos to brew for keeping unsuspecting people safe

https://github.com/Homebrew/homebrew-core/commit/3fb3c4c3e55...

I'm sorry to be asking this as I find it a bit silly, but it's blocking my PR [3], so could a few of you star the project on Github [1] to get my PR to run?

[1] https://github.com/laktak/chkbit-py

[2] https://brew.sh

[3] https://github.com/Homebrew/homebrew-core/pull/160018

29. October 2021 At this point Jia Tan pops up, and the first thing we see from him is an innocuous patch to the xz repository, and while a lot of people believe he started out trying his luck with another library also known as libarchive, this is not the case, I would bet it’s more of a backup looking at the dates, being that there are a few days in between as shown in this commit.

Potentially malicious commit by same author on libarchive: https://github.com/libarchive/libarchive/pull/1609

Full agreement, and with the addition of xpk¹/xfd² as natural extensions to that extensibility too. I see things like xfd supporting xz¹, and I'm simultaneously amazed that it exists and happy that I don't need to do xz {,de}compression on 68k ;)

I guess we have something similar-ish with libarchive⁴, but nobody(including me) has pushed the extra mile to get file dialogs to support random compression and decompression formats.

Beyond OT: I didn't realise how much stuff was still going on at aminet, but I love love LOVE that people are still dropping new car sets for Geoff Crammond's F1GP.

¹ http://aminet.net/package/util/pack/xpk_User

² http://aminet.net/package/util/pack/xfdmaster

³ http://aminet.net/package/util/pack/xfd_lzma.lha

⁴ https://www.libarchive.org/

I don't have a preview channel install handy to check, but apparently they're using libarchive so here's the full list assuming they expose everything it supports:

https://github.com/libarchive/libarchive/wiki/LibarchiveForm...

As announced at the Build conference back in May, this build adds native support for reading additional archive file formats using the libarchive open-source project such as

LibarchiveFormats · libarchive/libarchive Wiki · GitHub

Seems what they're using is BSD-liscensed: https://github.com/libarchive/libarchive/wiki