package mismanagement: mac homebrew

by popular demand, I am finally expanding on my occasional fediverse post about how terrible brew is for Mac OS package management.1

But also, a few caveats:

  1. I am a curmudgeon. I do not give a single fuck.
  2. Don’t try to persuade me to use brew. see (1).

Many of the things that I am about to mention might have been fixed in the five years since I last installed and used it. I still don’t care. Like Manjaro the record is so bad that nothing is going to win back my trust.

I also maintain n, a version management tool for NodeJS on MacPorts, Signal-Desktop on Void Linux, and help update other packages for both projects as needed.

$ curl | sudo bash until you’re drunk

Let’s start out with installing homebrew following the default instructions2:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  1. it asks to elevate permissions to take over /usr/local and change ownership on everything
  2. it clones the entire homebrew brew repository because they’ve apparently never heard of git’s --depth flag. what good does it do to have the ability to run brew 0.01?
  3. it builds brew from source. Admittedly it relies on MacOS’ (ancient) builtins instead of requiring a full Xcode install—this is one advantage, at least when installing it.
  4. it flashes a few messages about documentation—and oh also that it’s sending data to Google Analytics by default!3

$ hey google [analytics]

There is a lot of value in understanding what packages are getting used by which systems if you maintain packages. I have been known to look at the stats for Void’s Signal-Desktop package and MacPort’s n port. For the former, there are 12 Void machines running it, for n there have been 2 installations in the last long while, I think both of them are my machines.4

But the difference between the pretty basic stats that both Void and Macports have and the stats that Homebrew collects: homebrew acts as if it’s better to sin first and ask for permission later. MacPorts requires running sudo port load mpstats, Void requires installing popcorn and enabling the service.5 With both Void and MacPorts, you retain what I thought was a pretty basic principle of free and open source software: the ability to choose what happens on your machine.

Unlike on Void or MacPorts, Homebrew rolled out analytics silently. Instead of really handling the discussion well, it went about as poorly as you can imagine.6 And I’d bet the overwhelming majority of brew users still have no idea it’s happening—it’s an easy to miss message you see once! It also raises questions about the quality of the community that many of the people involved in that discussion are still there, ie., the person who added in gAnalytics originally.

$ brew install yolo

So now that we’ve got brew installed, what can you do? well, whatever you want! You don’t need to use sudo to actually install things! You’re a Power User, you know what you’re doing!7 Except when you don’t. We’ve all been there with an errant and disastrous off-by-one-keystroke command. For someone like me, using sudo is a little speedbump—a chance to make sure I’m sure. Brew, by making /usr/local (or /opt/brew on apple silicon) user writeable, hands you a RedBull and says ‘gun it.’

The question of whether or not it’s a risk in and of itself to make those folders user writable has been litigated enough already.8 I, obviously, think it’s a bad decision. More concerning is the fact that brew lets a lot of stuff in with what seems like little vetting. Hell, until 2021, you could get stuff automerged on github.

$ sudo port install sanity

So what’s my brilliant alternative? Well, duh, it’s MacPorts. Macports, which requires sudo. Macports, which deeply sandboxes its builds when installing from source.9 Macports, the one that has a small but tight-knit community of people who plain old give a shit in a way that the more corporate, emojified homebrew doesn’t.

yes, it requires a full Xcode install. Yes it will take up more space. yes, if you’re building from source it will pull in its own versions of whatever compiler you might need. But storage is cheap and you can do other things while xcode installs.

$ slip into some jorts

I’d be remiss if I didn’t also mention my friend june’s jorts system. jorts is beautiful and clever in its simplicity. Unfortunately, it doesn’t include a lot of things I use every day. But for a lot of people, I can imagine it’d might be enough.

There is a world in which I actually bother to fork jorts and run it using mercurial instead of git. but…only so many hours in the day.

edit: june mentioned quite rightly that the point of jorts is that she was tired of the shortcomings of pkgsrc, NetBSD’s ports system, hates the fact that brew doesn’t really manage dependencies very well (ie., it doesn’t track dependencies vs. requested packages), and as best I recall, disagrees with some of the choices MacPorts maintainers have made with packages she and I both use (e.g., MPV).

$ man -k ports

agree that Homebrew is terrible but Macports is too much and Jorts too minimalist? well, you have even more options!

  • pkgsrc which is NetBSD’s package manager but on MacOS and Linux
  • fink, the OG MacOS package manager which uses debian’s dpkg and apt on the backend. Pretty nifty but they’ve have trouble getting compatibility with > MacOS 10.15 working.
  • rudix which was brought to my attention today and looks pretty cool, unfortunetely it seems to be in decline, when judging by Github commits.

$ tldr post

Homebrew has sketchy security practices and runs google analytics by default. MacPorts doesn’t. Even if Macports doesn’t have everything I might want, the tradeoff between occasionally ‘just’ installing something with cargo or pip is fine.

$ exit 0

Just like Mercurial, MacPorts “lost.” That is to say, like git and fucking github, homebrew is so dominant that it is hard to imagine a world where it isn’t the default for 99% of people. For the short to medium term, it probably will be that way.

But fuck that. Use jorts. Use MacPorts.

a better world is possible.

see also

  1. well, Ruth asking me to expound on what I mean by “stop using homebrew jfc” ↩︎

  2. Tested on a 2014 MacMini running MacOS 12 ↩︎

  3. no, it’s not a joke: docs.brew.sh/Analytics ↩︎

  4. Void’s popcorn system dumps out a big JSON file, MacPorts has a little bit tidier system for stats ↩︎

  5. Somewhat ironically, popcorn is written in Go which is probably (read: almost certainly, it’s Google, after all) going to add in telementry ↩︎

  6. Saagar Jha’s blog post summarizes this debate nicely. ↩︎

  7. even if brew did require elevating permissions, I wonder what percentage of homebrew users have have NOPASSWD set in their /etc/sudoers file ↩︎

  8. eg., “how Homebrew invites users to get pwned”, this Stack Exchange discussion or this one ↩︎

  9. yes, MacPorts does have binary releases too. ↩︎

annoyed! also furious!

I’m really annoyed!

people need to stop.

I’m annoyed by the software puritans who go on about “JavaS’creep” or “Micro$haft.” About their special browser extensions that they run in their fork of Firefox 27 that “protect” them from non-AGPL3 Javascript. It’s not browser fingerprinting or ads or whatever that’s the problem, it’s the particular software license!

I’m annoyed by the people—who use Arch, by the way—telling me how awful I am for primarily using MacOS (they dual boot Windows just for the games oh….and all of the things that still don’t have good Linux or *BSD equivalents).1 2

I’m annoyed by the tech bro “hardcore” Elon Twitter types, I’m annoyed by the people who look down on you if you’re not running Elastic Search with Kubernetes for some Rust webassembly POS. Or Elixir. Or worse.

I’m annoyed at the people in my own profession who insist that to display well formatted text on a screen you need a heavy duty Rails application, Postgres, Solr, and 5MB of Javascript to render a post the size of this one. “Modern” web development wasn’t the original cause of global climate change but it’s certainly not helping the situation.

I’m furious at the fact that you can’t buy a piece of electronics or install a piece of software without first wondering how that company is trying to make more money from your use of that product. I feel like an ass for saying this, but sometimes I watch in horror as people open apps on their phones which are really just wrappers that load their websites but with more efficient tracking built in.

But mostly I’m just furious about more or less everything.

[22:45:53] anelki@redfox /home/anelki
> covidate

   Today is...Friday, March 1000, 2020 at 22:45:54
   Let's make it a ✨great✨ day!

   Truly, we have learned nothing.

generated with covidate

  1. it is the year of our lord 2022 and Linux still can’t easily manipulate goddamned PDFs. No, ghostscript (gs(1)) does not count as ’easy.’ No, annotating something in evince(1) does not count. edit 2022-11-26: to be clear I just want what MacOS’ Preview can do, I’m not looking for a feature-to-feature Acrobat replacement.

    No, LibreOffice Draw does not count.
    No, opening a PDF in Inkscape does not count.

    If I wanted to add to my problems, I’d try and install a sound card err try to maniuplate a PDF, try to find something more fun to do. ↩︎

  2. FWIW I’m writing this on a Thinkpad T460s running Void Linux—where I am also a package maintainer. ↩︎

On leaving the WMATA Riders' Advisory Council

It pains me to have had to bid adeiu to the WMATA Riders’ Advisory Council. At last week’s WMATA Board meeting, Chair Paul Smedberg elected to terminate my service after a single two year term. I regret it very much.

What follows below is an email I sent to members of the Arlington County Board on Sunday. As I doubt I’ll actually get a reply, I’ve decided to just post it here as it was an attempt to summarize why the RAC is important and more necessary than ever.

Dear Board Chair De Ferranti and Board Members Cristol, Garvey, and Karantonis:

I am writing to you all as the now former Chair of WMATA’s Riders’ Advisory Council (RAC).

In case you all are unfamiliar, the RAC exists to represent the interest of WMATA riders across the region, reporting directly to WMATA’s Board of Directors. I applied to join the RAC in December of 2018, shortly after the Board attempted to eliminate it. The Board appointed me in February of 2019. I was elected to serve as Virginia’s Vice-Chair in March of 2019.

As the child of a transit planner, my dad showed me how transit policy disproportionately affects lower-income families for better or worse. As director of planning at a municipal transit agency and later as a consultant working to establish community transit systems in rural and semi-rural Midwestern cities, he took the public input process seriously. I did more of my homework in community meetings and city council hearings than I did at home. I tried to bring the same determination to do right by riders (and in turn benefit WMATA) when I joined the RAC.

Instead of eliminating the RAC, the Board agreed to a series of reforms which included the appointment of a Board member to strengthen the dialog between the two. Your colleague and former WMATA (and NVTC) board member Christian Dorsey ‘served’ as first and to-date only Board Liaison. I place ‘served’ in quotation marks because he never attended a RAC meeting in person and after a few months of calling into our meetings and speaking for a few minutes before disconnecting the call ceased any further participation. Since June of 2019, the RAC had only one meaningful exchange with any board members: a meeting with Chair Smedberg in September of 2019.

During my term on the RAC and service as the Vice-Chair and Chair, I made it a priority to build on the work done by my predecessors to raise the RAC’s profile and make it an active participant in regional discussions about WMATA and transit policy. Lacking the promised guidance from the Board and determined to do right by the riders we represent, what choice did we have?

As the pandemic has raged on, it has become evermore clear how necessary a vocal, thoughtful, and diverse rider body is. Listening to essential workers I have come to see weekly, their frustration and fear is plain. WMATA has now passed four FY21 budgets and their failure to clearly communicate what changes each budget involved and when it takes effect has left them scrambling. People reliant on WMATA to get them from e.g., Suitland (Prince George’s County) to Virginia Square to work high risk hourly jobs for appallingly low wages in the midst of a uncontrolled global pandemic deserve far better.

Neither my former RAC colleague (and leading transit policy expert) Dr. Katherine Kortum or I were given a reason for why we were not reappointed to the RAC (see these stories from The Post or WAMU/DCist). I proudly stand behind every action I took and every statement I made. My only regret that WMATA’s Board and Staff were unwilling to engage with the same level of good faith that I attempted to engage them with. As Arlington’s elected leaders and members of the NVTC, I respectfully ask that you work with your colleague Paul Smedberg to establish meaningful powers for the RAC to solicit feedback from riders in semi-official ways (e.g., a booth near a Metrorail station entrance or convene a public listening session as has been done in the past) and the ability to request (and receive) written responses from WMATA staff on specific matters. We should not need to discuss filing a PARP (ie., FOIA) request to obtain what should already be public information.

Prior to the pandemic, WMATA had made encouraging progress reversing its ridership decline. But it had only achieved these gains in spite of itself. This region deserves so much better.

very sincerely yours,

anelki