For the past four months, Trail of Bits has worked (with OpenSSF funding and support) on build provenance for the Homebrew package manager, the primary package manager for macOS and the source of hundreds of millions of binary downloads per month. This talk is an in situ analysis of that work in progress, covering the key achievements and the challenges encountered so far. We'll take a technical dive into Homebrew and explain why its architecture is particularly amenable to build provenance, and we'll offer takeaways for similar ecosystems (such as Chocolatey) that would benefit from the same approach. Finally, we'll lay out the remaining roadmap, with an eye towards community feedback and alignment with broader software supply chain trends and standardization efforts.
Presented at:
- SOSS Community Day NA, 2024
Authored by:
- Joe Sweeney