Shorten installation URL to brew.sh/install.sh#1279
Shorten installation URL to brew.sh/install.sh#1279pragnyanramtha wants to merge 2 commits intoHomebrew:mainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This PR shortens the Homebrew install command shown on the website by switching from the GitHub raw URL to a brew.sh/install.sh wrapper hosted from this site.
Changes:
- Added a new root-level
install.shwrapper that fetches and executes the official installer fromHomebrew/install. - Updated the homepage install snippet to use
https://brew.sh/install.shinstead of the long GitHub raw URL.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
install.sh |
Adds a wrapper script intended to proxy execution to the upstream Homebrew installer. |
_layouts/index.html |
Updates the displayed install command to point at the new short URL. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
We haven't had any requests to this extent so I don't really think this is a concern.
I don't see how that makes it reliable. I do see how this new location can be much easier to compromise for bad actors since there is now a second install script maintainers need to keep track of. |
|
Hey @SMillerDev, appreciate the review, but i wanted to address something. On security: The install.sh added here is a thin wrapper that does nothing but fetch and execute the script from the official Homebrew/install repo. So a compromise of brew.sh/install.sh alone gives an attacker nothing (and would be very hard/suspicious to do), they'd also need to compromise Homebrew/install itself for anything malicious to reach the user. The actual attack surface hasn't changed; this script is just a redirect in shell form. On user demand: I get that there haven't been formal requests, but the use case is real, Homebrew is increasingly being adopted on Linux, including headless and no-DE environments (servers, WSL, CI setups) where manually typing or copying a long raw.githubusercontent.com URL is genuinely painful. A short, memorable |
it's literally one click. passing on this. |
I meant it was a pain to copy and manually type it out in distro's without a desktop environment. And it looks much cleaner. |
It would give an attacker full control over what runs next. Someone could adjust a gem to rewrite this file and potentially compromise everyone who installs homebrew. |
|
Understood, thanks for reviewing! |
This PR simplifies the Homebrew installation command displayed on the website by pointing it to a local wrapper script.
Changes:
fetches and executes the official Homebrew install script from GitHub on the fly.
URL to the much shorter https://brew.sh/install.sh.
Why this approach?
repository, we ensure users always get the most up-to-date and secure version without needing
manual updates to this repository.
directly to bash (curl | bash), as it ensures the script is fully downloaded and parsed before
execution begins, protecting users from partial execution in case of network failure.