There are some real differences.
All the homebrew packages have checksums and are versioned in git, so if the upstream website is compromised and a malware installer is put in place of the package, `curl | bash` will just install the malware, while `brew` would start erroring out and refuse to install after downloading something with a different checksum.
You also get an audit log in the form of the git repo, and you also ensure everyone's downloading the same file, since `curl | bash` could serve different scripts to different IPs or user-agents.
I don't think brew does proper build sandboxing, so like `./configure.sh` could still download some random thing from the internet that could change, so it's only a bit better.
If you want proper sandboxing and thus even more security, consider nix.
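The pinned-checksum behaviour the comment describes (download to a file, compare against a digest recorded ahead of time, refuse to run on mismatch) is easy to reproduce outside of a package manager. The script below is an added illustration, not the commenter's code and not Homebrew's implementation; the file names, the `fetch_verify_install` helper and the constructed "genuine" and "tampered" installers are assumptions made for the demo.

```sh
#!/bin/sh
# Pinned-checksum install pattern, as a standalone illustration (not Homebrew's
# code). A formula records the artifact's SHA-256 at packaging time; at install
# time the downloaded file is only executed if its digest matches that record.

# Compute the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 when the digest matches, 1 (with a diagnostic) otherwise.
verify_artifact() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  printf 'checksum mismatch for %s\n  expected: %s\n  actual:   %s\n' \
    "$1" "$2" "$actual" >&2
  return 1
}

# install_pinned FILE EXPECTED_SHA256
# Runs the installer only after verification; a mismatch aborts before execution.
install_pinned() {
  if verify_artifact "$1" "$2"; then
    sh "$1"
  else
    echo "refusing to run $1" >&2
    return 1
  fi
}

# fetch_verify_install URL EXPECTED_SHA256 DEST
# The network-facing form of the same pattern (hypothetical helper, not called in
# the offline demo): download to disk first, then verify, then run. Unlike
# `curl URL | sh`, whatever the server chose to send is checked before it runs.
fetch_verify_install() {
  curl -fsSL -o "$3" "$1" || return 1
  install_pinned "$3" "$2"
}

# Offline demo with constructed artifacts: a "genuine" installer whose digest is
# pinned, and a "tampered" one that a compromised mirror might substitute.
demo() {
  tmp=$(mktemp -d)
  printf '#!/bin/sh\necho "installing genuine package"\n' > "$tmp/genuine.sh"
  printf '#!/bin/sh\necho "this is not the file that was pinned"\n' > "$tmp/tampered.sh"

  # Packaging time: record the digest of the artifact that was reviewed.
  pinned=$(sha256_of "$tmp/genuine.sh")

  # Install time: the genuine file runs, the substituted file is refused.
  install_pinned "$tmp/genuine.sh" "$pinned"
  if install_pinned "$tmp/tampered.sh" "$pinned" 2>/dev/null; then
    echo "unexpected: tampered installer was accepted" >&2
    rm -rf "$tmp"
    return 1
  fi
  rm -rf "$tmp"
  echo "demo complete: pinned digest accepted genuine file, rejected tampered file"
}

demo
```

The same check also covers the "different script per IP or user-agent" case from the comment: a server cannot tailor the payload per requester without the digest changing, so the mismatch is caught before anything runs. What it does not cover is the point about build-time fetches: a script that itself downloads further unpinned content during installation is outside what this single digest can vouch for.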