Homebrew: Trust System and Testing Infrastructure Improvements

Transcript

Good morning, this is your Homebrew development briefing for June 2nd, 2026.

The dominant theme today is preparing Homebrew's tap trust system for upcoming breaking changes. Three related pull requests tackled trust warnings, configuration paths, and documentation. PR 22503 moved trust warnings from fatal errors in brew doctor to non-fatal preinstall diagnostics, clearly signaling that explicit trust will become mandatory in Homebrew 6.0 or 5.2. PR 22508 fixed a critical issue where test-bot couldn't write trust data to the correct config directory, causing setup failures. PR 22506 added missing documentation for the trust JSON file path, addressing user confusion about where trust policies are stored.

The second major focus was stabilizing testing infrastructure. PR 22502 resolved a particularly tricky issue where the Vernier profiler was causing child processes to hang by injecting Ruby options into nested Homebrew commands. The fix introduces fork guards and switches to spawn-based process creation during profiling. Two Sorbet type-checking adjustments followed - PR 22498 enabled recursive checking in CI for broader coverage, while PR 22509 strategically disabled it for performance-critical tap audits and readall operations.

Several smaller reliability fixes rounded out the batch. PR 22505 prevents brew reinstall from failing when previous runs leave stale backup directories behind. PR 22510 eliminates a confusing silent wait period in brew upgrade when using the ask flag. PR 22474 adds new auditing for formula install steps, specifically flagging legacy post-install patterns.

What's next: The trust system changes suggest Homebrew is moving toward stricter security defaults that will require explicit user consent for third-party taps. Developers should expect the current warning-based trust model to become enforcement-based in the next major release.

That's your Homebrew briefing. We'll be back tomorrow with the latest changes.