2

I'm currently starting to play around in the Terminal (MacOS), and learning to get the most out of it. I knew Homebrew was a very popular alternative package-manager on MacOS, so I decided to look into it.

I get the software installed, and everything is fine, and I can use it. But there are generally two things that I have a hard time figuring out.

Generally I can't wrap my head around where package-managers get their packages from. As an example, if I were to download Firefox via APT or HB, where do they get the packages from?

apt-get install firefox
brew cask install firefox

When I go to Mozilla's webpage and download Firefox I know they simply have the file on one of their servers, but is that also the case with the above? And in which case, is it the original developer's server or maybe GitHub as it seems to be with HB?

Also, when I download a file from the website, I generally know that Mozilla is a company with a good rep, and their files are safe. But how can I make sure the files I get via APT or HB are safe as well?

PS. I understand that it has something to do with the SHA keys that will have to match.

Rui F Ribeiro
  • 1
    And https://unix.stackexchange.com/questions/342222/how-does-linux-find-the-correct-location-of-a-software-package, https://unix.stackexchange.com/questions/317698/yum-install-http-is-this-safe – muru Nov 21 '18 at 01:52

2 Answers

2

The maintainer of a piece of software will package it in a certain format and upload it to a server which is designed to be accessible by all package manager users.

When you run the package manager on your computer, it will connect to the server, download the package from the server to your computer, and then install it.

Homebrew, apt, pacman, dnf, AppStore, Google Play Store, Microsoft Windows App Store. They all work this way.

How can I make sure the files I get via APT or HB are safe as well?

Safe is not a well-defined concept. You ensure the bytes of the file were created by trusted people and not altered by any other hacker.

This is because you trust your package manager, its config file will connect to the trusted server, and some sort of digital signature or hash technology will ensure that you get the package created by trusted people.

  • Okay I think I get what you're saying!

    But about the packages being "safe", I mean not altered or affected by malware. But I get what you're saying here.

    Thank you for your answer!

    – LeeSwaggers Nov 21 '18 at 17:56
0

macOS has repos like Linux, just set up differently. A .git folder will exist in each of your repositories, so finding the location of them will give you all your repos.

find /Users/username -name ".git" -print
  • I actually read about this in some article. But that is not quite what I mean. What I mean is the "server-side" location of the files one is downloading, not so much as where the file storing this information is. – LeeSwaggers Nov 21 '18 at 17:57