| title |
Build Provenance: Lessons (so far) from Homebrew |
| date |
2024 |
| authors |
|
| conference |
SOSS Community Day NA 2024 |
|
| resources |
| label |
path |
Slides |
slides.pdf |
|
|
For the past 4 months, Trail of Bits has worked with OpenSSF funding and support on build provenance for the Homebrew package manager, the primary package manager for macOS and a source of hundreds of millions of monthly binary downloads. This talk provides an in situ analysis of work in progress, along with key achievements and challenges encountered. It includes a technical dive on Homebrew's architecture and why it is particularly amenable to build provenance, as well as takeaways for similar ecosystems.