Homebrew! Part Deux

Interviewed by The Changelog

We’re talking with Mike McQuaid about Homebrew 2.0.0, supporting Linux and Windows 10, the backstory and details surrounding the security issue they had in 2018, their new governance model, Mike’s new role, the core team meeting in-person at FOSDEM this year, and what’s coming next for Homebrew.

Show transcript
  • 0:00 Bandwidth for Changelog is provided by Fastly.
  • 0:02 Learn more at Fastly.com.
  • 0:04 We move fast and fix things here at Changelog because of Rollbar.
  • 0:08 Check them out at Rollbar.com.
  • 0:09 And we're hosted on Linode cloud servers.
  • 0:12 Head to linode.com slash Changelog.
  • 0:14 This episode is brought to you by DigitalOcean.
  • 0:17 DigitalOcean is the simplest cloud platform for developers and teams
  • 0:22 with products like droplets, spaces, Kubernetes, load balancers, block storage,
  • 0:27 and pre-built one-click apps.
  • 0:29 You can deploy, manage, and scale cloud applications faster
  • 0:32 and more efficiently on DigitalOcean.
  • 0:34 Whether you're running one virtual machine or 10,000,
  • 0:37 DigitalOcean makes managing your infrastructure way too easy.
  • 0:41 Get started for free with a $100 credit.
  • 0:43 Head to do.co slash Changelog.
  • 0:46 Again, do.co slash Changelog.
  • 0:49 All right, welcome back, everyone.
  • 0:58 This is the Changelog, a podcast featuring the hackers, the leaders,
  • 1:02 and the innovators of software development.
  • 1:04 I'm Adam Stacoviak, editor-in-chief here at Changelog.
  • 1:07 Mike McQuaid is back talking about Homebrew 2, supporting Linux and Windows 10,
  • 1:12 the backstory and details surrounding the security issue they faced last year in 2018,
  • 1:16 their new governance model, Mike's new role,
  • 1:19 the core team meeting in person at FOSDEM this year,
  • 1:23 and what's coming next for Homebrew.
  • 1:24 Mike, we're back again, man, and it's been a while, right?
  • 1:32 It's been a few years, right?
  • 1:34 Time flies.
  • 1:35 You got Homebrew 2 out.
  • 1:36 You got some new governance stuff happening.
  • 1:39 We actually almost caught up with you, I think, July of last year around the security thing.
  • 1:44 So there's lots to cover, but where do you think we should begin?
  • 1:47 Should we begin with the security thing, or should we begin with the latest updates to Homebrew?
  • 1:51 Yeah, let's start on the downer and then finish with the upper.
  • 1:55 Let's go there then.
  • 1:56 So we actually wanted to kind of news hack it,
  • 1:59 but it just didn't work out to get both you and the security researcher on the show,
  • 2:03 but you're here instead, so tell us what happened.
  • 2:06 Yeah, so basically we got a security disclosure through our HackerOne.
  • 2:10 It's actually been a really nice setup since we kind of moved to that.
  • 2:13 Previously, we had just, you know, oh, we'll create an issue or send us an email or whatever,
  • 2:17 and people suggested that we kind of get set up on HackerOne,
  • 2:19 and it's kind of a responsible disclosure platform thing,
  • 2:22 and it's free for open source, and that's kind of worked pretty well for us.
  • 2:25 So yeah, basically late July last year, a researcher identified that Jenkins,
  • 2:31 which is what we've used for Homebrew CI and building our binary packages,
  • 2:35 had been leaking a token.
  • 2:37 Unfortunately, that token actually gave him push access to some repos.
  • 2:41 So that was obviously relatively terrifying.
  • 2:45 We managed to, obviously, the bonuses of good disclosure is that, you know,
  • 2:49 within a few hours, we were able to revoke the creds.
  • 2:52 We were able to replace them and sanitize Anthony and Jenkins,
  • 2:55 so this shouldn't happen in the future,
  • 2:56 and also basically checked to see with the old credentials,
  • 3:00 like what was possible and what wasn't.
  • 3:02 And thankfully, like it actually wasn't as bad as initially feared,
  • 3:06 because although it has to have kind of write access,
  • 3:09 that particular credential, it didn't have actual like push access,
  • 3:12 the given repos, and we were also able to verify with GitHub's supports help
  • 3:17 and some auditing ourselves that it hadn't been used by anyone
  • 3:20 during the period in which the scopes were elevated and which it had write access.
  • 3:24 So basically, one of those ones were, you know, scary times,
  • 3:28 but thankfully kind of all resolved.
  • 3:30 So we kind of wrote it all up on our blog,
  • 3:32 tried to let people know what happened, what the implications were,
  • 3:35 and like what we were going to do moving forward,
  • 3:37 and tried to move on since then and haven't had any other big slip-ups similarly since then.
  • 3:43 The fellow's name was Eric Holmes, right?
  • 3:45 That's the one, yeah.
  • 3:46 That's the one.
  • 3:47 We linked this up around the time of happening to ChangeLog News,
  • 3:51 and the last question I think is kind of interesting,
  • 3:54 and I'm kind of curious what you think about this.
  • 3:55 He says,
  • 3:56 if I can gain access to commit in 30 minutes,
  • 3:59 what could a nation state with dedicated resources achieve against a team of 17 volunteers?
  • 4:04 Yeah.
  • 4:05 I mean, it's a great question, to be honest.
  • 4:07 And, you know, I don't mean to scare people with this stuff,
  • 4:10 but I mean, I'm very much of the belief that
  • 4:13 unless you are a very high-level security professional
  • 4:16 who has deep knowledge in this stuff,
  • 4:19 if you're going against a nation state,
  • 4:21 like it's more or less, you know, as they say, game over, man.
  • 4:24 I'm, yeah, it's that side of things is scary.
  • 4:28 But I think the thing with Homebrew, at least,
  • 4:31 is that it has been designed such that,
  • 4:34 and we kind of said this even at the time when we were kind of debating it as maintainers,
  • 4:38 is that with stuff like this, you can,
  • 4:40 there's vulnerabilities which can be introduced silently
  • 4:43 and then you'd never really notice them and never really catch them.
  • 4:47 And then there's vulnerabilities that you would notice.
  • 4:49 And because we have everything built on top of Git
  • 4:51 and because our CDN is immutable after 30 days
  • 4:55 and because we have, like, I guess, a two-level kind of hashing structure,
  • 5:01 even with our binary packages,
  • 5:02 where we maintain the hashes for those packages
  • 5:05 and the packages are maintained elsewhere on separate infrastructure,
  • 5:09 that it means that the chances of someone like a nation state being able to compromise Homebrew,
  • 5:14 I'm not basically a, you know,
  • 5:16 if you have one of the relatively big superpowers trying to do something like that,
  • 5:20 the chance that they could compromise Homebrew,
  • 5:22 I feel it would be relatively high if they put their mind to it.
  • 5:25 But the chance that they could do so without any maintainers or the community noticing,
  • 5:29 that's something I'm not convinced about.
  • 5:32 I feel like we would notice and we would be able to kind of spot that that had happened
  • 5:36 and disclose that information and stuff like that.
  • 5:38 Because I guess the other flip side of the open source community with stuff like this
  • 5:42 is because we don't have, you know,
  • 5:44 a relationship as volunteers with the government of countries that may want to do things like this,
  • 5:48 we would not have any qualms in going posting on our blog
  • 5:52 and pointing fingers at directly whom we believe has done something
  • 5:56 and when they did it and why we think they did it and all that type of thing.
  • 5:59 And I guess companies sometimes have a little bit more conflict there
  • 6:03 because obviously there's commercial interests involved and blah, blah, blah.
  • 6:07 It's an interesting thought experiment and you just kind of wonder, you know,
  • 6:10 with open source software, it's the gift and the curse, right?
  • 6:13 On the gift side, well, there's a lot more eyes on it.
  • 6:16 The code is there.
  • 6:18 You know, we use modern SCMs.
  • 6:20 And so like you said, any sort of things going into the software coming out,
  • 6:23 they're all in version control.
  • 6:25 They're all publicly there.
  • 6:26 There's lots of, I mean, there's 17 maintainers and there's your gift.
  • 6:29 But the curse is that it's all open source, right?
  • 6:31 And so there's, as a bad actor, there's a whole lot less poking at a black box
  • 6:37 that you have to do because you aren't dealing with the final product.
  • 6:42 You're dealing with the source code, you know, depending on what the project is.
  • 6:45 And so it's just one of these things where, yeah, I mean, he got it done in 30 minutes.
  • 6:50 That was really the thing that I think made this particular incident
  • 6:54 just more interesting than other ones is because it was like, wow,
  • 6:58 he set out to do it and 30 minutes later he had it.
  • 7:01 And that's not much effort, right?
  • 7:03 Yeah.
  • 7:04 And I think the interesting thing from our perspective is that
  • 7:07 others may well draw different conclusions,
  • 7:09 but our perspective would probably be that it was an example of our weakness being exploited,
  • 7:16 which is that, I guess, like other open source projects,
  • 7:18 most of us would rather be writing code than doing system administration.
  • 7:23 So as a result, like our, we have like a Jenkins instance.
  • 7:26 And I mean, shout out to anyone working on Jenkins here.
  • 7:29 They've been, you know, it's great software that we've used for a very long time,
  • 7:32 but compared to what we're increasingly used to with, you know, say Travis CI and Azure Pipelines,
  • 7:38 which is what we use now.
  • 7:39 And, you know, a lot of these cloud tools were effectively keeping everything up to date
  • 7:43 and keeping the configuration sane is not something you need to worry about yourself.
  • 7:47 Whereas any of these sort of open source projects where you're installing the software yourself,
  • 7:51 you're maintaining on that system, you know, getting the balance right between applying all the security updates in Jenkins
  • 7:57 and then all the plugins, which then change behavior between versions.
  • 8:01 So this was one of these annoying cases where it was an intersection between plugins,
  • 8:05 where one plugin, which had previously, you know, filtered out the tokens, was updated,
  • 8:09 and then that responsibility was delegated to another plugin,
  • 8:12 which hadn't been configured to do it correctly and all this type of thing.
  • 8:16 And it's kind of tricky because it slips through the cracks.
  • 8:18 And our longer term solution that we're kind of working towards now is basically just get rid of any infrastructure
  • 8:23 we have to maintain ourselves.
  • 8:24 I mean, in an ideal world, we would all be on, you know, Travis and EC2 and Azure Pipelines,
  • 8:31 and that would be the end of the day.
  • 8:32 But unfortunately, again, the complexity of our project is that we have to build binary packages on macOS,
  • 8:39 and there is not a freely available macOS hosting platform for building stuff at the scale that we need yet.
  • 8:48 We're getting optimistic that there will be in future.
  • 8:51 We've had some really good conversations with Microsoft about Azure Pipelines.
  • 8:56 But right now, as of today, you know, we still need to maintain our own infrastructure,
  • 8:59 which is, in this case, you know, the configuration of that infrastructure is the weak point.
  • 9:03 So that's my number one goal on my list of stuff to do this year is to get us entirely onto other people's infrastructure for this stuff.
  • 9:12 But again, I guess, like, it's one of those ones where I will do it by the end of the year.
  • 9:17 I'm fairly confident, but I can't really be bothered.
  • 9:20 And one of the tricky ones in Homebrew where if I don't do it, chances are pretty low that anyone else is going to step up and do this work.
  • 9:28 In a more general sense, taking Homebrew specifically off the table and just thinking about open source security.
  • 9:34 The trouble is, and, you know, we say it a lot on the show, and by no means, you know, a lot of people say that it's true,
  • 9:40 but it's like from the security standpoint, you know, you have to bet a thousand pretty much, right?
  • 9:45 You have to get, like, let me say it this way.
  • 9:47 You only have to mess up one thing in order to have a threat vector.
  • 9:51 And then that thing has to just be found, right?
  • 9:54 Like, it's easier to find one hole in an armor than it is to, like, make an armor that's completely indestructible, has no holes.
  • 9:59 And for open source, like you said, we'd rather be writing code than doing infrastructure.
  • 10:03 It also can be, like, not your area of expertise, you know?
  • 10:07 And maybe you're good at this thing, which made Homebrew successful.
  • 10:11 Maybe you're not so good at that thing.
  • 10:12 Maybe somebody else has more experience.
  • 10:14 But even with the experience, people, mistakes are made.
  • 10:16 So, for example, we've been cutting over some of our infrastructure here at changelog.com,
  • 10:21 and all of our source code is open source, and we're on Concourse CI, and we're switching over to CircleCI.
  • 10:27 I won't tell all the details of that experience, but I'll just tell you that we've rotated all of our keys lately
  • 10:32 because mistakes, you know, are made.
  • 10:35 And it's just kind of the unfortunate state of the world.
  • 10:38 But the question becomes, like, on the large, you know, how do we engage in a battle as a community against bad actors,
  • 10:49 whether it's nation states or security researchers, you know, what do we do that's sustainable?
  • 10:55 I know we've been working on lots of tooling, you know, building and auditing into our package managers, for instance, that kind of thing.
  • 11:01 But do you put any thought into this beyond Homebrew's yard?
  • 11:06 Yeah, I mean, I think so.
  • 11:08 I think there's been a few things through Homebrew that I've kind of learned that I think are more widely applicable.
  • 11:13 I guess the first one is back to this, you know, the security disclosure on our blog and on HackerOne
  • 11:19 and kind of working with the researcher to kind of have him publish his results.
  • 11:22 I mean, of course, you know, one of the first things you try and learn when you're getting more senior as an engineer is, you know, you are not your code.
  • 11:29 And if your code has problems, that doesn't mean your worth as an individual goes down.
  • 11:33 But, you know, but the first thing when you get a vulnerability like this is you want it to not be true.
  • 11:38 And you want, you know, despite everything that you know and believe about responsible disclosure,
  • 11:42 you just want to hide the problem and have it go away, you know?
  • 11:45 It's like an ego thing.
  • 11:47 And again, I don't think there's anything wrong with people admitting that that's, you know,
  • 11:51 it's a pretty natural reaction for you to have, you know, if you may.
  • 11:54 You don't want that to be the case.
  • 11:56 Exactly.
  • 11:57 But I think, again, like that's one of the big things I think the open source community in general is good at,
  • 12:02 is stepping up and being responsible and disclosing this stuff.
  • 12:06 Like, because in this case, you know, the level of this vulnerability here,
  • 12:10 like I'm sure that happened to a hundred companies around the world this year,
  • 12:16 like almost an identical problem.
  • 12:17 And are they going to write on their company blog that they disclose this?
  • 12:20 Well, some companies will, and, you know, hat tip to them, but most won't.
  • 12:24 And that's a problem.
  • 12:25 I guess the other thing is that kind of somewhat ties on to what you were saying earlier is that,
  • 12:31 you know, you need to just accept with some of the stuff that you're not going to have
  • 12:35 the time and the resources for the open source projects that you would like to.
  • 12:38 You know, again, if Homebrew was a commercial company, you know,
  • 12:42 I wouldn't hire me to do half the stuff that I'm doing because I'm not qualified.
  • 12:48 And I know there's better people to do that.
  • 12:50 And even on the coding end, you know, like if, you know, if me at work was to review my code quality
  • 12:58 that I, you know, have on Homebrew, then I would probably be, you know, leaving lots of requested
  • 13:03 changes all over the place.
  • 13:04 Because at the end of the day, I don't have the time and the resources to do things to as high a standard
  • 13:11 in open source always as I do when, you know, when we're getting issues that are affecting,
  • 13:15 you know, whatever, like millions of people potentially, the onus is on fixing it right now.
  • 13:21 And when you don't have lots of very smart coworkers around you who can help bounce ideas off
  • 13:25 and it's just down to you, then it's like, well, you're not going to do it as well.
  • 13:28 And I guess the final thing I thought, which again was a side effect in this case, but
  • 13:33 is sometimes you can avoid some security issues by just not having all your eggs in one basket.
  • 13:38 Like it's, for example, if GitHub, we have our binary packages hosted on Bintray and we also
  • 13:45 download source packages from the original like sources that they, you know, whatever the
  • 13:51 hosting company is for the original software.
  • 13:53 And it would have been and was tempting in the earlier days to say, right, let's just double
  • 13:59 down on GitHub, use all of their hosting options and everything like that.
  • 14:02 And if we'd done that in this case, then that's when you lose one token and all of a sudden
  • 14:06 they have the keys to everything in your castle.
  • 14:08 Whereas in this case, you know, they, you know, even if you got into Jenkins, you wouldn't
  • 14:14 have access to published binary packages.
  • 14:16 You wouldn't have access to push to various repos.
  • 14:19 Like, you know, things are separated between individuals.
  • 14:22 And then there's actually even between individuals within the project, you know, you would have
  • 14:27 to compromise a handful of specific maintainers to be able to get access to everything because
  • 14:33 most maintainers are not granted access that they don't need.
  • 14:35 I guess that would be a security thing that we've done for a while, which I guess I would
  • 14:40 encourage other open source projects to do is that it's tough.
  • 14:43 But when someone doesn't need, you know, if you've got someone in your project who maybe
  • 14:47 was a big figurehead in the early days or whatever, and they haven't worked on the project
  • 14:50 for several years, they should not have access to push to your repositories, in my opinion.
  • 14:56 And it really stings, again, both sides to go and have to have that conversation about like, maybe you don't need the access here.
  • 15:03 But again, I feel like that's the kind of responsibility side of things where if you, if you're not willing to revoke
  • 15:09 people's tokens, then you're increasing the number of laptops that need to be increasing or decreasing.
  • 15:14 One or the other.
  • 15:15 Basically, yeah, you have a bunch of laptops in the wild.
  • 15:17 If someone steals that and it's not encrypted, then you are giving people access to push to those repos.
  • 15:23 And again, it depends on your release model and your verification model and things like that, like how big a deal that would be.
  • 15:28 But certainly for some projects, that would be a big deal.
  • 15:30 Well, the good thing about this security incident, though, is it was best case scenario, right?
  • 15:34 It was a security researcher.
  • 15:36 White hat hacker.
  • 15:37 You know, and you were able to, even though it was shameful, you were able to disclose it quite well because, you know, in the end, no packages were compromised
  • 15:47 and no actions actually required by the incident.
  • 15:50 So it was a researcher and not a bad actor.
  • 15:52 Yep.
  • 15:53 That's at least one, you know, wipe the brow because it could have been bad.
  • 15:58 I think that's a nice thing with the open source community in general as well is that we, you know, if you go out your way to do things properly on the security side, then you generally, you know, even the kind of gray hats in the middle are not going to get a lot of kudos from going and really making idiots of an open source project who are trying to do the right thing with this stuff.
  • 16:17 You know, whereas all of a sudden they've, this is a case where, again, get the ego involved and all of a sudden they've,
  • 16:23 we kind of try and make out to the security researcher that, you know, he made a mistake and we change things from underneath them.
  • 16:29 And, you know, and he writes a blog post and we get into a, he said, he said, she said type thing on Twitter about, you know, calling each other names.
  • 16:36 Then all of a sudden that's when you can see potentially in future security researchers being like, well, you know, these folks at homebrew think they're so great.
  • 16:44 We're going to take them down a peg or two.
  • 16:45 So I think, you know, there's a certain amount of humility that needs to be involved there when you're dealing with people who know a lot more about a subject area in this case, you know, security than you do, you know, and being kind of grateful that those people are willing to kind of go the right way and, and help you out there rather than try and, you know, make fools of you.
  • 17:03 Did you end up having like a personal conversation with this person or did you end up just like black on white email texting?
  • 17:11 Like what was the, what was the kind of crossover there?
  • 17:13 Yeah, no, it was just through, so we just chatted with them through HackerOne, through our kind of security disclosure tool.
  • 17:22 And that's kind of the main way we have the conversation there.
  • 17:25 And I think it maybe went to kind of our personal emails kind of chatting there as well.
  • 17:28 Cause we've wanted to kind of coordinate the blog posts and all that type of thing.
  • 17:32 So, the other fun, I guess, aside with open source as well, is that like this, this all happened during my paternity leave.
  • 17:41 GitHub is very generous in that you get five months paid paternity leave.
  • 17:45 And so I was off and my wife had gone back to work and I was with my, off with my first and I was his kind of sole care provider at that time for a three month period.
  • 17:55 And yeah, and this happened more or less slap bang in the middle of it.
  • 17:57 So like I put him down for a nap and was like frantically trying to sort of write this stuff up and, you know, sort those things out and being like, please, please, wee man, just stay asleep.
  • 18:09 That's funny.
  • 18:10 So, and I guess that's again, congrats by the way.
  • 18:12 That's terrible though.
  • 18:13 Thank you very much.
  • 18:14 Yeah.
  • 18:15 That's terrible.
  • 18:16 Congrats.
  • 18:17 You know, on the kid, of course.
  • 18:19 And that's terrible to have to deal with that during paternity leave, you know?
  • 18:22 Well, the question, did he stay asleep the whole time?
  • 18:24 Yeah.
  • 18:25 I mean, he, yeah, he, he's a good sleeper and we've been very lucky on that front, but yeah, but
  • 18:29 like, yeah, it's, it's kind of, again, it's, it's nice because the security researcher, I feel like with the kind of delays around the blog post and stuff like that,
  • 18:39 that, you know, we didn't publish the blog post quite as quickly as we would have liked to because of stuff like this.
  • 18:44 And I feel like he was fairly understanding when I was like, yo, I'm on paternity leave, please, like, give me a chance to write this up and stuff.
  • 18:52 But yeah, but again, that's the flip side of open source projects, you know, is that people who are involved with, you know, we, this is the 10th calendar year I've been involved with Homebrew, you know, and people go from being, you know, young singletons living by themselves with plenty of free time to, you know, balancing kind of family life.
  • 19:08 And multiple children and all that type of stuff.
  • 19:10 And, you know, it's good because, you know, you get new people on board who are younger and more energetic and have more free time than you do.
  • 19:18 But at the same time, it's the flip side of, well, that's why you don't maybe have the time to do everything as well as you could.
  • 19:25 And that's why, in my opinion as well, like I'm even more increasingly now, like pushing on, no, we can't kind of have more systems and more apps that we're going to have to maintain.
  • 19:34 We want to be able to use other people's infrastructure.
  • 19:37 So we're not worrying about having to manually run anything, you know, to keep, keep the lights on and in Homebrew's case.
  • 19:44 This HackerOne site is cool.
  • 19:47 And I think it's a, it's a, it's a necessary thing to really bring together two disparate communities.
  • 19:52 I mean, when you talk about security researchers and open source developers, in my experience, and you guys can tell me yours, there doesn't seem to be too much overlap.
  • 20:02 There's a few people who kind of play in both pools, but it seems like there's a somewhat strict divide there in those two communities and really to all of our disbenefit.
  • 20:14 That's not even a word, but you know, to our harm, I guess there's to say, because there's a lot that we have to offer in terms of open source developers to security researchers and vice versa.
  • 20:23 And so anywhere that we can create places that we can come together and collaborate and they can, you know, hack on our code and we can fix things as, as they find problems.
  • 20:33 Those are things that are necessary.
  • 20:35 Just thinking about some of the stuff you're saying, what happens at GitHub, there's a lot of best practices.
  • 20:40 You know, you're, you're mentioning principle of least power and defense in depth.
  • 20:43 There's a lot of things that we can do as developers that really mitigates the problem, you know, similar to like, well, if I get hacked, at least they don't have root access.
  • 20:52 Like there's no, you know, God mode immediately.
  • 20:55 So we can do things that help mitigate when there are breaches.
  • 20:58 But if we don't have those things taught to us or explained to us or reiterated or example to us, you know, we just don't know what to do, how to do it well.
  • 21:07 And so it's cool that they offer this free for open source.
  • 21:10 And maybe think of, you know, proprietary companies and the advantage that they have is that they can actually offer cash for bugs, you know, or cash for vulnerabilities.
  • 21:19 And as open source people, it's like, well, we're, you know, we can't even get any cash to, to buy a sandwich, let alone to fund some security audits.
  • 21:27 Yeah, no, I mean, that's very true.
  • 21:29 I completely agree.
  • 21:30 And the other tricky thing, which, you know, doesn't come across on the public side is, you know, the signal to noise ratio on this stuff is, you know, it makes GitHub issues look bad in some ways.
  • 21:40 Because you get so many people who are going and more or less, presumably copying and pasting the same report onto 20 projects.
  • 21:47 Just, you know, you find a project that uses Jenkins and then you, you know, copy and do the same sort of inverted commas, exploit or whatever about something that's not actually an issue.
  • 21:58 And, you know, there's various people saying that they've like, you know, owned our GitHub pages site and stuff like that.
  • 22:03 And it's like, well, it's a static site.
  • 22:04 So I'm not convinced you have actually, because there's nothing dynamic on that page whatsoever.
  • 22:08 So unless, you know, you've somehow got access to GitHub servers, in which case they will probably pay you for that bounty.
  • 22:14 So, yeah.
  • 22:15 So it's, it's tricky kind of wading through all that stuff.
  • 22:18 It's a lot of noise.
  • 22:19 Yeah.
  • 22:20 Just for the times where, you know, someone discloses something and you're like, oh, this is actually, you know, a legitimate problem.
  • 22:26 And we should deal with this now.
  • 22:28 But yeah, but again, that's a hard problem to solve.
  • 22:31 Yeah, it is.
  • 22:32 It's, to be fair, like HackerOne seems to have a good sort of reputational system underlying it.
  • 22:37 So you definitely don't see the same kind of bad reports more than once.
  • 22:40 And you can actually, I guess, to your, your dark side showing, if you get a really kind of crappy report from someone, then you can kind of flag it as basically being sufficiently negative that they take kind of a reputational hit in the system and stuff like that.
  • 22:54 But, you know, you, you still feel like you're kind of, I guess, doing moderation slash being a reCAPTCHA type situation.
  • 23:03 So what's the advice then for maintainers out there that might find themselves in a similar situation?
  • 23:09 Should they go to HackerOne and get an account?
  • 23:11 What's the, you know, what's your recommendation here?
  • 23:14 Yeah.
  • 23:15 I think I would still recommend going to HackerOne and getting an account because it just, it's a workflow that I think makes more sense to security professionals really.
  • 23:23 I guess it's in the same respect as like people might say, where should I create my open source project now?
  • 23:29 And I would say GitHub and they might say, oh, well, I hear you get a lot of issues or drive-bys or whatever.
  • 23:34 And it's like, yeah, that's, that's the case.
  • 23:36 But at the same time, it's still the place where it's happening and the place that makes the most sense.
  • 23:40 And as far as I can tell, like HackerOne is the same, same sort of deal where it's, you know, it's not all rosy, but it's, it's definitely better than anything else I've found out there.
  • 23:49 And it's, it seems to be, in our case, at least it seems to have really encouraged, really responsible disclosure from people who know what they're doing, who, as you said, wouldn't perhaps otherwise get involved.
  • 23:58 So I feel like that's a sunny upland for us.
  • 24:01 I just want to highlight this note on your HackerOne page.
  • 24:05 We'll link it in the show notes, hackerone.com/homebrew, in the exclusions section.
  • 24:10 This just made me chuckle.
  • 24:11 While researching, we ask that you refrain from, and one of them is social engineering, including phishing of homebrew maintainers or contributors.
  • 24:20 It's just hilarious that you have to actually say that.
  • 24:23 Yeah, so I, well, I think that was actually one of their templates is they have like a template of suggested exclusions.
  • 24:30 But yeah, but no, like, or I copied and pasted that from other servers or whatever.
  • 24:35 But yeah, like, I guess it's, it's, it's the same thing.
  • 24:38 And I guess that's, that's definitely one where I feel like open source projects kind of maybe do warrant a little bit more sympathy.
  • 24:45 Like, you know, if you, if you get in this situation where you're calling up open source maintainers at home for a social engineering attack, it's like, come on, just.
  • 24:53 No break, let them have their evenings.
  • 24:55 Hack our code, don't hack us.
  • 24:57 Yeah, or at least socially engineer them during work time.
  • 24:59 This episode is brought to you by Git Prime.
  • 25:09 They just released a 52 page beautiful field guide called 20 Patterns.
  • 25:13 This field guide is a collection of work patterns Git Prime has observed while working with hundreds of software teams.
  • 25:18 And their hope is that you'll use this field guide to get a better feel for how your team works,
  • 25:22 to recognize achievement, to spot bottlenecks, and also to debug your development processes with data.
  • 25:28 You'll learn about long running PRs, flaky product ownership, scope creep, knowledge silos, and so much more.
  • 25:34 Check the show notes for a link to download this field guide or learn more at gitprime.com slash changelog.
  • 25:39 That's G-I-T-P-R-I-M-E dot com slash changelog.
  • 26:00 So, Mike, the big Homebrew 2.0 started this month.
  • 26:04 Shot up the charts and changelog news to number one quickly.
  • 26:07 Everybody was super excited.
  • 26:09 Of course, the huge announcement is the official support for Linux and Windows 10.
  • 26:14 A little bit of an asterisk by the Windows support.
  • 26:17 We'll talk about that.
  • 26:18 But tell us about Homebrew 2 and the big release.
  • 26:21 How was it received?
  • 26:23 Yeah, so it's been really exciting.
  • 26:24 It seems to have been received really well.
  • 26:26 People have been really positive about it.
  • 26:28 And it's a nice kind of like buzz in the community since doing so as well.
  • 26:33 It's been a kind of funny thing.
  • 26:35 It's been, you know, the difference, the distance between 1.0 and 2.0 has been, I think it was
  • 26:40 two and a half years or something.
  • 26:42 And then like 1.0 and original Homebrew was about, you know, seven years.
  • 26:47 So it's definitely a slightly faster iteration.
  • 26:50 But it feels like it's a kind of good balance between there was some kind of deprecations
  • 26:56 and big changes we wanted to make that we've been kind of holding off on for a while.
  • 26:59 But then also some kind of big kind of features in there at the same time, which, like you mentioned,
  • 27:04 the kind of Linux stuff being a notable example.
  • 27:07 So yeah, so that's been quite cool.
  • 27:09 So there's been another project that's been running for quite a while now that was called
  • 27:13 Linux Brew that was basically just a full-on fork of Homebrew to run on Linux.
  • 27:18 And we have like the Homebrew project is sort of, you know, we've kind of had a little
  • 27:25 bit of back and forth and been kind of collaborating with those folks a little bit for a while,
  • 27:28 but maintaining our own independent forks.
  • 27:30 And it's maybe about a year ago we sort of started thinking like, well, maybe we can
  • 27:34 actually bring these projects together because the code's getting more similar and things
  • 27:38 like that.
  • 27:39 And I'd kind of started working a few years ago about trying to almost do a kind of proper
  • 27:44 cross-platform port based on, I guess, cross-platform work I've kind of done previously in my
  • 27:49 career and things like that to try and build nice abstraction layers so you don't just end
  • 27:52 up with like if OS Linux, if OS Mac, like all of your code.
  • 27:56 And so yeah, so basically we did that and we kind of got all the Linux code back into Homebrew
  • 28:02 kind of done in a nice and a properly abstracted fashion.
  • 28:05 And we'd actually been using running Homebrew on Linux for some of our CI stuff, you know,
  • 28:10 stuff like uploading packages and generating our kind of package browser data and stuff like
  • 28:16 that for a little while now.
  • 28:17 So yeah, it kind of segued in nicely and it was fairly smooth and it's been a nice kind
  • 28:22 of transition and selling point for Homebrew, I think.
  • 28:25 So if you were on a recent version of Homebrew, would it auto upgrade you to 2.0?
  • 28:31 Because I saw the news and I'm like, ooh, I want to go get it.
  • 28:34 And then I did a, I don't know what I did, brew-b or I already had it.
  • 28:39 It was the long story short.
  • 28:40 So that's the sad thing that people end up with is that Homebrew, so our version numbers in
  • 28:46 some ways are just like notifying people of what has changed underneath you while you
  • 28:51 It's already there.
  • 28:53 Yeah, exactly.
  • 28:54 So we, when you run, like there's the brew update command, which will put you on the newer
  • 28:59 But as of, well, since 1.0 actually, we've been running that automatically when you run
  • 29:03 various commands like brew install, brew upgrade and things like that.
  • 29:07 So you just get put on the newest version.
  • 29:08 So if I guess like the slight downside to that is when people see, you know, like, oh, I don't
  • 29:14 like to look at some of this stuff on 2.0, I'll stick on 1.9 and it's like, well, sorry,
  • 29:17 you can't.
  • 29:18 You're already on 2.0.
  • 29:19 There's no going back.
  • 29:20 So yeah, I mean.
  • 29:22 There's no consumer choice here.
  • 29:23 We know what's best for you.
  • 29:25 And that's not the case for me at all.
  • 29:27 I'm actually, I don't know if this says something about me or not, but I'm on Homebrew
  • 29:30 1.8.6.
  • 29:31 Oh, really?
  • 29:32 Oh, this says a lot about you.
  • 29:33 Well, yeah.
  • 29:34 You might have disabled the auto-updater at some point.
  • 29:36 That's a thing you can do.
  • 29:38 Is that in the config then to do that?
  • 29:40 Yeah.
  • 29:41 So you set an environment variable and it's documented in the man page and then you have
  • 29:45 to run brew update manually.
  • 29:47 So yeah, I mean, that's, I guess that sort of segues nicely that a lot of the things that
  • 29:53 some of the changes we've made now and a lot of the kind of things that we've changed in
  • 29:58 the last few years have been things which you could do before, but we're always just a
  • 30:02 bit clunky.
  • 30:03 So another big thing we kind of made in 2.0, which people have been kind of asking slash
  • 30:08 complaining slash begging for years is we run kind of brew cleanup automatically.
  • 30:12 So that was basically a command that goes and like cleans out like old versions that you're
  • 30:18 not using anymore and kind of your cache and stuff like that.
  • 30:20 And, you know, every, like literally it felt like every week we would have someone post
  • 30:24 on Twitter and be like, oh yeah, I discovered this new command.
  • 30:26 And I like, you know, it freed up like 25 gig of space on my disk.
  • 30:30 And like every time I read that, I kind of winced a bit because I feel like, you know,
  • 30:33 there's not a lot of software or at least a lot of software that I think is great where
  • 30:38 you need to discover some hidden little setting to make it not slowly eat up your entire disk.
  • 30:44 So yeah, so we've kind of changed that now.
  • 30:46 And I guess like the update stuff, you know, by default now we just do that for you automatically.
  • 30:52 We run it every 30 days.
  • 30:53 We do like a full cleanup and then we do like the package that you've installed at install
  • 30:57 time.
  • 30:58 But again, you can turn that off as well.
  • 31:00 So whenever we kind of change stuff like that, we do try and make it so it's still possible
  • 31:04 to kind of sit and maintain the kind of previous workflow you had.
  • 31:08 But I'm a big believer in, I guess, being on an Apple platform in general.
  • 31:14 I'm a big believer that the defaults should be really good.
  • 31:17 You should focus the defaults on the most sensible behavior for the majority.
  • 31:22 And if that means occasionally kind of having to break or alter backwards compatibility, then
  • 31:28 that's worth it for the silent majority of people who do not want to have to read the
  • 31:33 documentation to have the tool work the way they expect it should work.
  • 31:37 And as I say, yeah, provide opt out.
  • 31:40 So the people who kind of would rather it stuck around the old way, they can go and read the
  • 31:44 man page, set a setting, read the release notes, whatever, and then they get that.
  • 31:49 And but yeah, but people don't always necessarily see it that way.
  • 31:54 I think that's definitely the sensible way of doing it.
  • 31:57 And I appreciate the opt out because as somebody who enjoys running brew cleanup every once
  • 32:02 in a while and just clearing up space, you know, it feels like you just cleaned your room or
  • 32:06 something, you know, having it not have such an impact might, you know, hurt my psyche.
  • 32:11 So I might go, I might go turn that off so I can run it myself.
  • 32:14 But I'm starting to have flashbacks of our previous conversations.
  • 32:17 So I think we actually talked about brew update running automatically on our last call with
  • 32:22 you a couple of years back and maybe I feel like maybe Adam, we should go back and listen
  • 32:28 to that because you might've actually turned it off while we were talking about it on that
  • 32:32 Cause I think you remember talking about being able to opt out of that back then.
  • 32:35 I was Googling while we're talking here too.
  • 32:37 I'm going to read something that Mike had actually said in, it looks like October, 2016
  • 32:41 is documented in the man page.
  • 32:42 And instead of opting out, he recommends, Mike, you might remember saying this, you recommend
  • 32:47 setting the time period between checks to a higher value instead of opting out.
  • 32:52 So I do that myself.
  • 32:53 So by default, if you don't run, if you basically run brew install, it'll run brew update every
  • 32:58 60 seconds effectively.
  • 33:01 If what, and that doesn't mean it will, you know, do updates.
  • 33:04 It means that it will check and see if there's any updates on GitHub.
  • 33:07 And, and obviously some people will find that that can slow things down or whatever.
  • 33:11 But again, we have, we want to have the default for the people who don't read the docs and
  • 33:16 don't want to tweak things really, really low.
  • 33:18 Because that brew update change, for example, back in 1.0, like dramatically reduced the
  • 33:22 number of support requests we would get where there was, where the response is, we fixed
  • 33:27 that 10 minutes ago, run brew update.
  • 33:29 And so now we don't get those issues anymore, basically.
  • 33:32 And the people who want to disable it can still disable it.
  • 33:35 But yeah, but I personally have that set to, I can't remember what it is.
  • 33:38 It's like, you know, a few hours or something like that.
  • 33:41 So it's not running all the time and it just runs kind of periodically, but that's kind of
  • 33:46 And then I still, if I'm doing development, sometimes I'll just, you know, set the environment
  • 33:50 variable temporarily in a shell and then I can go and know that it's never going to run.
  • 33:54 Let me just heap a little praise on you and the homebrew community, because as we talk
  • 33:59 about this, I'm just now thinking about it in time spans.
  • 34:02 And I have been a happy homebrew user for years now.
  • 34:06 I don't even know how many years.
  • 34:07 And I will just say that it's one of the only tools that I rarely think about in terms of,
  • 34:14 I don't know, effort.
  • 34:15 It's just like, I use it.
  • 34:17 It works.
  • 34:18 I enjoy running brew cleanup.
  • 34:19 It updates itself.
  • 34:22 It's been like a rock in my life.
  • 34:24 Like, I just haven't had any, like, I don't know, homebrew is acting up again.
  • 34:27 Like, I can't even think of a time.
  • 34:28 I have some issues once in a while with like upgrading Postgres specifically, but that's
  • 34:33 a Postgres thing and not really a homebrew thing.
  • 34:35 And in fact, whoever is working on that formula has improved it lately so that they help you,
  • 34:39 you know, they hold your hand through the data migration more than they used to, which
  • 34:43 I appreciate because I don't do those migrations often enough to have those things memorized.
  • 34:46 But aside from that, which I, again, is a Postgres thing, it's pretty much just works.
  • 34:52 Is that your experience, Adam?
  • 34:53 I mean, I feel like, I feel like a lot of people have that experience and it's nice having
  • 34:58 some software that just works because a lot of software just doesn't work that well.
  • 35:01 I want to echo what you're saying too, because I feel the same way.
  • 35:05 I mean, so much so that whenever I start a new machine, I'm using a version, my own forked
  • 35:10 version of ThoughtBot's laptop project on GitHub and just because I have different needs than they do.
  • 35:16 But I mean, it's basically just brew installs, you know, some versions of homebrew being involved.
  • 35:22 And if it weren't for that, then it'd be a lot of manual bash.
  • 35:26 Especially with Cask, right?
  • 35:27 Yeah.
  • 35:28 You do all your installs, all your apps install through Cask now.
  • 35:30 Yeah.
  • 35:31 There's a couple of apps that I for sure install every single machine.
  • 33:34 So I just do that between the Mac App Store.
  • 33:38 I think it's mas, I believe is the command.
  • 33:40 Mac App Store, yeah.
  • 33:42 So I mean, between Homebrew itself, Cask and mas, it's pretty seamless to just start a new
  • 35:50 machine up.
  • 35:51 And literally, like, I just run a command and minutes later, the machine's ready.
  • 35:55 Yeah.
  • 35:56 Well, I may make your life even better now because I'm going to do a shout out to another
  • 36:01 project that I created, which was, it's a little project called Strap that replaced the
  • 36:07 Boxen project at GitHub.
  • 36:08 So basically, it's the same sort of thing you were talking about there for setting up your
  • 36:13 And so it's really kind of minimal, I guess, like the kind of laptop script.
  • 36:17 It's like basically just a small bash script.
  • 36:19 But it will generate your GitHub tokens for you and stuff as well.
  • 36:23 But the cool thing about Strap, I guess, in comparison to the laptop script or kind of
  • 36:29 box and stuff like that, is that it doesn't actually install really any software for you.
  • 36:34 It just installs stuff that you can use to install other software.
  • 36:37 So it installs like Homebrew for you and the Xcode command line tools and kind of enables
  • 36:44 like full disk encryption.
  • 36:46 But then I was thinking about it and I was like, OK, well, I want to have some level of
  • 36:49 user customization.
  • 36:50 And what's a cool way of doing that?
  • 36:54 So like the next step beyond that is because it sets up your GitHub tokens and you kind
  • 36:59 of get it going through GitHub and it goes and looks for if you have a repo called, say,
  • 37:06 github.com slash MikeMcQuaid slash dotfiles, then it will clone that automatically for you.
  • 37:10 And then if you have a script slash setup file in that repo, it will run that automatically
  • 37:15 And then if you have a, have you, if you guys come across Homebrew bundle as well, that's
  • 37:20 the other thing that kind of ties into this ecosystem.
  • 37:22 So, so that's the other effectively half of this system.
  • 37:26 So it will then, if you have a Brewfile in your dotfiles repository or a Homebrew Brewfile
  • 37:32 repository, then it will run Homebrew bundle on your Brewfile as well.
  • 37:37 And what does Homebrew bundle do so that you can use that independently of strap.
  • 37:40 This is a separate project.
  • 37:41 That's kind of part of the kind of Homebrew ecosystem.
  • 37:44 And what that lets you do, it's basically a ripoff of a Gemfile and kind of Bundler,
  • 37:49 which was originally created by Andrew Nesbitt, this thing, Homebrew bundle.
  • 37:53 It was called Brewdler originally.
  • 37:55 But it basically, what it lets you do is specify a Gemfile-like syntax, kind of Ruby, but without
  • 38:03 the versions basically, because we can't kind of pin everything to versions.
  • 38:06 And you can have it automatically install all your Homebrew taps, which is kind of third
  • 38:10 party repositories, all your Homebrew packages.
  • 38:12 It can set start services for you if you want them to as well.
  • 38:16 It can also install all your Homebrew casks.
  • 38:19 So things like Google Chrome, Java, Firefox, et cetera.
  • 38:22 And it can also install everything from the Mac app store for you.
  • 38:24 So say you're kind of 1Password and things like that.
  • 38:26 So for me, when I, I have this kind of set up in my dot files repo on GitHub, so I can just
  • 38:32 run a single like strap script and it will go and do all this stuff for me.
  • 38:36 Automatically on my, on my laptop when I run a single script, basically.
  • 38:39 And the nice thing is that stuff is all, I'm able to kind of share the files I use and it's
  • 38:44 all kind of open source as well.
  • 38:45 So people can see like what my, what my setup is and my Brewfile and things like that.
  • 38:51 And because I'm incredibly, sorry, in fact, this is, this is a good kind of geek cred extension
  • 38:56 to that.
  • 38:57 So I was kind of looking forward to running this again because I had some issues with my
  • 39:02 MacBook Pro and Apple were replacing the keyboard.
  • 39:05 So they gave me a loaner laptop and they said, when you get your laptop back, it's going
  • 39:08 And then they gave it back to me and it wasn't wiped.
  • 39:11 And I was actually like so disappointed that I wasn't going to do this again.
  • 39:14 I voluntarily wiped my work laptop just to kind of go through the whole, I was like, right,
  • 39:20 I'll do my, you know, like back in the days of Windows where you had to wipe it every few
  • 39:25 Yeah.
  • 39:26 I was like, yeah, I'm just going to have a fresh install and have a clean run.
  • 39:30 Cause I'd gone and like tweaked all my, all my scripts to be even more kind of smooth
  • 39:35 and polished.
  • 39:36 And so I made, I made a little script as well that like pulls all my, so it'll pull like
  • 39:40 my SSH keys out of 1Password and stuff and then like dump them in the right place
  • 39:45 on disk and stuff like that.
  • 39:46 So I need to enter my 1Password like once and then it pulls out all my SSH keys and my
  • 39:50 GPG keys and my kind of Bintray and GitHub tokens and things like that.
  • 39:54 And it's cool.
  • 39:55 Cause again, the script is all open source, but it's all pulling like private encrypted
  • 39:59 credentials.
  • 40:00 Yeah.
  • 40:01 It doesn't matter if you have access to everything in the script.
  • 40:03 So yeah.
  • 40:04 So that's my, my, my happy place is just automating things completely unnecessarily.
  • 40:09 I definitely spend more time on the script.
  • 40:11 Well, I was going to just say that because I, first of all, this is super cool and a total
  • 40:16 geek cred on this.
  • 40:17 But the reason why I've never used these, even cause Adam's talked about ThoughtBots, what's
  • 40:23 Bootstrap or laptop?
  • 40:24 Laptop.
  • 40:25 And I looked at Boxen.
  • 40:28 I just feel like it's kind of a YAGNI thing where it's like, you're basically putting
  • 40:33 a lot of work into automating something that you do like maybe once every few years, maybe
  • 40:38 I thought the same thing though, until, uh, you know, you have a few machines or you get
  • 40:45 a new machine, you know, not long after you prepare to do this again.
  • 40:48 And so when you go on the, you go on the annual update scheme with, no, I mean, I think I've
  • 40:55 probably had three laptops in the last six years.
  • 40:57 Maybe it's, maybe it's less than that.
  • 40:59 I feel like it's not that much, not that often of a new machine, but I've gone from laptop
  • 41:03 to desktop though.
  • 41:04 Cause I have slightly different needs than you do.
  • 41:06 So, you know, where I have to do more audio stuff and video stuff.
  • 41:09 So I tend to need a more higher power machine.
  • 41:12 So having this iMac and then also laptop makes me need to set up more often than I would
  • 41:19 say, you know, twice as much, you know, twice as much as you do.
  • 41:21 Twice as much.
  • 41:22 That's true.
  • 41:23 So Mike, tell us why I'm looking at strap and we'll definitely link this up.
  • 41:26 We'll probably log this on change.
  • 41:27 Now that we found it.
  • 41:28 It's good.
  • 41:29 Why is there a, you're logging it right now?
  • 41:31 No, I'm not.
  • 41:32 Why is there a deploy to Heroku button for a command line script?
  • 41:36 Yeah.
  • 41:37 I haven't, I'm just perusing the readme.
  • 41:39 So clue me in here.
  • 41:40 Can you just run this from a website kind of thing?
  • 41:42 So basically the, the Heroku thing works for, remember I said earlier that it will set up
  • 41:49 your GitHub tokens for you.
  • 41:50 So that's basically so it can do that.
  • 41:52 So the script, it's just a script, but this is something I stole from Boxen, which is
  • 41:56 the, um, when you download that bootstrap script, it gets you to log into GitHub so it can then
  • 42:03 generate tokens so it can set up all your GitHub access for you.
  • 42:07 So basically when you run that script, that gives the script the ability to talk to GitHub.
  • 42:11 And it also means that you don't need to do the whole initial like, basically you log into
  • 42:16 GitHub once through your browser and then it sets up all your kind of, after that you can
  • 42:20 do a Git clone of a private repo and it will kind of work as long as the strap application
  • 42:25 kind of has access.
  • 42:26 So that's, I guess, to answer the question of like, why you, I mean, I, I love, I'm one
  • 42:32 of those people who I, I love spending an hour writing a script to, yeah,
  • 42:36 make a five minute task less boring.
  • 42:39 But like the flip side, well, this was, it was actually, I ended up kind of maintaining
  • 42:44 some of the internal software they use at GitHub to go and, um, like set up new developers
  • 42:50 machines.
  • 42:51 And this was basically way more sense.
  • 42:53 Yeah.
  • 42:54 So this was the motivation for this.
  • 42:55 And since we've moved to this kind of new system, it seems to be, um, saving a lot of
  • 42:59 people time.
  • 43:00 And again, the homebrew bundle thing, it's actually got a few different use cases.
  • 43:03 So one is the, I want to set up all the software on my machine, but then there's also the, the
  • 43:09 kind of classic one that always bugged me was, uh, in the read me of a project that says,
  • 43:13 okay, so before you try and set up the server, you need to brew install X, Y, and Z.
  • 43:18 And I always thought that that was kind of, I kind of, my attitude is like put stuff into
  • 43:22 code if you can, rather than documentation.
  • 43:24 So instead of that, now the little bootstrap script, instead of saying run brew install
  • 43:31 whatever, you can run brew bundle in that repository, once you've checked it out, and then it will
  • 43:36 know to set up, say MySQL, Elasticsearch, start those services, um, if they're not already
  • 43:41 running and if they are running, then it kind of verifies that they are, that they are and
  • 43:45 So I guess I see it as well as being like a project bootstrap tool as well for dependencies
  • 43:51 that are on the Mac app store or in homebrew cask or in, um, in homebrew itself.
  • 43:57 We could definitely, we could definitely use that.
  • 43:59 The, the laptop project uses the bundle command as well.
  • 44:03 It, it uses brew bundle dash dash file, and this is all in a, in a bash script.
  • 44:08 Yeah.
  • 44:09 And then it embeds it in it.
  • 44:10 So it's, it's still using that same kind of concept that you're talking about, Mike.
  • 44:14 And that's the thing that makes me happy about this.
  • 44:16 Cause again, that's when I worked on, uh, when I was working on Boxen, Boxen was very
  • 44:21 much kind of more of a kind of monolithic system.
  • 44:23 And the thing that makes me happy with the way that we kind of built this solution that
  • 44:28 replaced this at GitHub is, you know, it is kind of, in my opinion, the more Unixy, uh,
  • 44:33 way of doing things in that you build a bunch of tools, which all interoperate nicely and
  • 44:38 you create a system from combining those tools.
  • 44:41 But it means if anyone says like the laptop project that, oh, well, one part of this tool
  • 44:45 chain looks neutral to us and the other parts don't, then they can still get all the benefits
  • 44:49 of that one part of the tool chain and they can still kind of be part of that ecosystem.
  • 44:53 And I feel like that, you know, is makes things better for everyone really.
  • 44:57 When you have kind of segmentable tools that combine together rather than having like one
  • 45:02 big monolithic system that you can't really swap bits in and out of.
  • 45:11 So this episode is brought to you by Raygun. Raygun recently launched their application performance
  • 45:26 monitoring service APM, as it's called.
  • 45:28 It was built with a developer and DevOps in mind, and they are leading with first class support
  • 45:34 for .NET apps and also available as an Azure app service.
  • 45:39 They have plans to support .NET Core, followed by Java and Ruby in the very near future, and
  • 45:44 they've done a ton of competitive research between the current APM providers out there and where
  • 45:48 they excel is the level of detail they're surfacing.
  • 45:51 New Relic and AppDynamics, for example, are more business oriented, where Raygun has been
  • 45:57 built with developers and DevOps in mind.
  • 46:00 The level of detail they're providing in traces allows you to actively solve problems and dramatically
  • 46:05 boost your team's efficiency when diagnosing problems.
  • 46:08 Deep dive into root cause with automatic link back to source for an unbeatable issue resolution
  • 46:13 workflow.
  • 46:14 This is awesome.
  • 46:15 Check it out.
  • 46:16 Learn more and get started at Raygun.com/APM.
  • 46:18 So, Mike, we mentioned the support for Windows and Linux, and I said there's an asterisk by the Windows
  • 46:19 support.
  • 46:20 Mostly because you had a few people out there saying this isn't real Windows support.
  • 46:25 Um, because it's Windows subsystem for Linux.
  • 46:26 Can you tell us what that means?
  • 46:53 You know, are there things missing?
  • 46:55 Is it, you know, do you, do you consider it official Windows support or, or what's your
  • 47:00 perspective on that?
  • 47:01 So that was, that kind of came from the Linuxbrew folks, basically, who did a bit of work
  • 47:06 to kind of get that stuff working.
  • 47:08 But it mostly kind of worked out of the box.
  • 47:10 So if you're unfamiliar, Windows 10 ships with a thing that's called Windows subsystem
  • 47:15 for Linux.
  • 47:16 I don't believe it's installed by default.
  • 47:17 You can enable it.
  • 47:18 It's kind of a developer tool thing.
  • 47:19 And basically it gives you a full Ubuntu environment, uh, on your Windows machine.
  • 47:24 And the really cool thing about it is it's not like, you know, transparently running a
  • 47:28 VM in the background, but it's actually running native Linux binaries through, uh, I can't
  • 47:33 remember exactly how it works under the hood, but it's some, some sort of like kernel syscall,
  • 47:38 uh, mapping.
  • 47:39 Um, I guess in, in a vague way, it seems to be a little bit like Wine.
  • 47:43 If any of you familiar with that.
  • 47:44 Um, but in, in reverse and at the kernel level, I believe.
  • 47:48 And it's easier for Microsoft to do that, obviously, because they can see what the
  • 47:52 Linux syscall interface is because it's all open source.
  • 47:55 And they've been involved with, uh, Linux development in the last few years and stuff
  • 47:58 like that.
  • 47:59 Um, so yeah, so it's basically a way of running native Linux stuff on your Windows
  • 48:04 machine.
  • 48:05 Um, so as a result, you can run Linuxbrew under that.
  • 48:09 Um, and then when Linuxbrew joined Homebrew, then you can run Homebrew under that as well.
  • 48:13 So it's one of our kind of officially supported platforms more or less because it's just a
  • 48:18 relatively simple, um, way of being able to kind of run Homebrew on a Windows system.
  • 48:23 Uh, and in terms of, yeah, I would agree.
  • 48:26 It's not, I used to do kind of proper, some native windows development in the past.
  • 48:30 And it's certainly not that it's not a native Windows package manager for that.
  • 48:35 You have kind of things like NuGet and Chocolatey and things like that.
  • 48:38 Um, but if you kind of want to be able to kind of dabble in things that are in the homebrew
  • 48:43 ecosystem, uh, and try them out on a windows machine, uh, without having to spin up a Linux
  • 48:49 VM or a Mac VM or whatever, then it's a way of doing that.
  • 48:52 So does it have a completely separate formula?
  • 48:55 I'm assuming the formula have to work differently.
  • 48:57 Yeah.
  • 48:58 So the formula are separate between Linux and, uh, Mac for Homebrew anyway.
  • 49:04 So there's a, um, repository Homebrew/homebrew-core, which is all the Homebrew, uh, is all
  • 49:10 the Homebrew packages.
  • 49:11 And then there's a repository Homebrew/linuxbrew-core.
  • 49:14 Now, as of, I think two days ago, it used to be Linuxbrew/homebrew-core.
  • 49:18 So like flip some stuff around.
  • 49:20 Um, yeah, so that basically has all the Linux packages separately.
  • 49:24 And the reasoning for that is that it's on the formula level, which is the, our name for
  • 49:29 the package description files.
  • 49:30 It's a lot harder to do that stuff.
  • 49:32 I talked about earlier with kind of making things nice and clean and having separation.
  • 49:36 You end up with having a lot of, if Mac, if Linux, um, and basically like it's as a result,
  • 49:41 those have kind of evolved a little bit more separately.
  • 49:44 So on Windows, it ends up using the Linux, um, under the Windows Subsystem for
  • 49:50 Linux, it ends up using the Linux, uh, versions of the formula for a package.
  • 49:54 Gotcha.
  • 49:55 So there aren't, there's effectively two pieces of software.
  • 49:58 There's not separate windows ones.
  • 49:59 There's Homebrew and Linuxbrew, but they're all under one parent at this point, but there
  • 50:04 aren't three.
  • 50:05 It's not as if you separately went out and implemented windows.
  • 50:07 It just is coming along quote unquote for free because of the windows subsystem for Linux.
  • 50:12 Exactly.
  • 50:13 And I think there were a few tweaks that kind of make it run a little bit better, but yeah,
  • 50:17 it more or less came for free.
  • 50:18 So have you seen a lot of a pickup from the Linux and the Windows side or, are there,
  • 50:24 are there issues and bug reports coming in that are new to Homebrew too?
  • 50:30 Or was it already happening with Linuxbrew?
  • 50:33 And so it just kind of a, a merging of these two projects.
  • 50:36 Yeah.
  • 50:37 So I guess I noticed a few more Linux issues than I used to because it used to be separate
  • 50:41 repositories.
  • 50:42 And now for the package manager part, at least it's all the same repository now.
  • 50:45 Um, but yeah, I mean, they kind of, their analytics on the Linux side of things, they've seen
  • 50:50 a big uptick, uh, since Homebrew and Linuxbrew kind of joined together in that way.
  • 50:56 So that's kind of been cool.
  • 50:57 And it's, it's been, it's been interesting in general, just seeing and people kind of learning,
  • 51:02 like, why would you use Linuxbrew and stuff like that?
  • 51:04 Which is in some ways, that's a question where that's the one you, you tend to get the most
  • 51:08 with the, the Linux support is, well, why do you do this?
  • 51:11 And why would you not just use apt-get?
  • 51:12 Um, which is a valid question because I still, despite being the Homebrew project leader,
  • 51:17 consider, uh, apt-get to be a superior package manager in very many ways.
  • 51:21 Um, and basically the reasoning is the original motivation of the, a lot of the people who
  • 51:27 work on Linuxbrew actually is because they, if you have access to the package manager on
  • 51:32 a Linux system, then great.
  • 51:33 And a lot of people are thinking kind of from the developer perspective of, you know, I'm a
  • 51:37 dev, I have my own system.
  • 51:38 I set out myself, I'm running Linux on my system, you know, like I don't have a workplace
  • 51:43 who is, you know, not letting me install things through the package manager, but some people
  • 51:48 do have that.
  • 51:49 And a noticeable group is, you know, people who are running on big Linux supercomputing
  • 51:54 clusters.
  • 51:55 They have access to run stuff on that system, but they often do not have access to root on
  • 51:59 that system or the package manager on that system.
  • 52:01 So the way they kind of generally have to build their own software is they just build stuff
  • 52:06 in their home directory by themselves, um, without really any support.
  • 52:10 And Linuxbrew has allowed some of those folks to be able to have an actual package manager
  • 52:14 that they can use and they can just install stuff in their home directory.
  • 52:18 Or if they want to use Linuxbrew's binary packages, then they can.
  • 52:22 I've been informed.
  • 52:23 This is an, a lot easier ask.
  • 52:25 They can say, Hey, can you set up a new user on that system?
  • 52:27 It doesn't need to be root, uh, a new user called linuxbrew.
  • 52:30 And then all the binary packages are kind of built, um, so that they can be used on their
  • 52:35 /home/linuxbrew.
  • 52:36 Um, and then the system administrator can kind of set that up and they can go and then benefit
  • 52:40 from some of the binary packages as well.
  • 52:42 Hmm.
  • 52:43 What about the Brewfile with the bundle?
  • 52:45 Is that something that's only on the Mac side?
  • 52:47 I assume there's definitely like the Cask stuff and the other stuff wouldn't be available
  • 52:51 on the Linux side, but would you at least be able to have a project with a Brewfile?
  • 52:56 That's, you know, lowest common denominator so that somebody on Linux and somebody on Mac
  • 53:00 could both use the same Brewfile and get their setups going.
  • 53:03 Yeah.
  • 53:04 I mean, I think you could, as you say, it would have to be lowest common denominator because
  • 53:07 there's some stuff that doesn't work on the Linux side.
  • 53:10 It would effectively be just setting up Homebrew third party repositories, taps, and installing
  • 53:15 Homebrew packages, formulae.
  • 53:16 But yeah, it's not officially supported by us in homebrew-bundle, but I would imagine it would
  • 53:20 probably work, I guess, thinking of the way the code behaves.
  • 53:24 Okay.
  • 53:25 So what about the team?
  • 53:26 So this Linuxbrew seemed like it was its own deal and now it's part of Homebrew.
  • 53:30 So is there a merging of teams and communities or these people that were already involved
  • 53:34 with the Homebrew community in the first place?
  • 53:36 Yeah.
  • 53:37 So, I mean, there's, I guess, two Linuxbrew maintainers came across specifically to Homebrew
  • 53:42 as kind of part of the, well, I guess, somewhat pre the merge.
  • 53:46 There's two people who are like our main maintainers, Michka Popoff and Shaun Jackman.
  • 53:52 But then we have a few other kind of maintainers who are kind of in and out of Linux land and
  • 53:56 stuff as well.
  • 53:58 And so, yeah, so it's been good, actually.
  • 54:00 I feel like it's injected a lot of energy into the project because Linuxbrew probably
  • 54:04 has a disproportionate number of, I guess, like the Linux ecosystem in general, I would
  • 54:08 say a disproportionate number of contributors and, in our case, maintainers as well for the
  • 54:14 size of the ecosystems.
  • 54:16 So, yeah.
  • 54:17 So it's been great having more people get involved with the project and more people who
  • 54:20 have been running their own independent open source project in Linuxbrew's case for quite
  • 54:25 a few years in the Homebrew wider ecosystem.
  • 54:28 So they kind of come into Homebrew with the understanding of what it's like to run a project and triage
  • 54:35 issues and, you know, interact with other maintainers and stuff like that.
  • 54:38 So, yeah, no, they've been invaluable.
  • 54:39 Well, going a little further, there's been some changes to governance.
  • 54:42 There's been a first ever in-person meetup paid by Patreon donations.
  • 54:47 Take us down the road of like this very first in-person meetup and what's kind of come down
  • 54:51 the pipe in terms of governance and your roles even changed a bit, right?
  • 54:56 Yeah, yeah, no, it has.
  • 54:57 So we've been kind of talking in Homebrew for a little while about how best to kind of govern
  • 55:02 the project.
  • 55:03 So I guess in a brief kind of history through, it was originally kind of Max Howell, the original
  • 55:08 kind of creator, and he got some other maintainers on board, such as myself.
  • 55:12 And then he dropped away from the project.
  • 55:14 And then there was kind of a goal to sort of just run it all like, I guess, as a complete
  • 55:19 flat hierarchy for a while.
  • 55:21 But as is the case with companies as well, like generally, you kind of need a little bit
  • 55:24 more structure than that we found.
  • 55:26 So I sort of somewhat unilaterally declared myself lead maintainer after checking with other
  • 55:31 people that would be fine a few years ago.
  • 55:34 And then kind of we've, you know, there's been a few, and if you kind of troll through the
  • 55:39 Homebrew issue trackers, you can kind of see some of it.
  • 55:41 There's been a little bit of tension with that on occasion because, you know, people don't
  • 55:46 necessarily agree with, you know, understandably that you have someone who's in a position of
  • 55:51 authority with no clear way of removing them if they stop working on the project in future
  • 55:57 or start to abuse their authority or whatever.
  • 55:59 So we kind of talked for a while about, you know, in future, trying to have some better
  • 56:02 sort of governance model and maybe looking at some of the older, more senior open source
  • 56:08 projects than us and seeing how they do some of this stuff.
  • 56:11 And then I guess as a result of that, again, as you mentioned, we've kind of had a reasonable
  • 56:16 amount of money coming in through Patreon now.
  • 56:18 And we're part of Software Freedom Conservancy and I've had some donations through there.
  • 56:22 So we kind of thought, well, like something which we can do with that money is that would
  • 56:27 be kind of valuable is have a bunch of Homebrew maintainers kind of come together and meet
  • 56:31 up.
  • 56:32 And 14 of us kind of all came to Brussels around the time of FOSDEM because it's a kind
  • 56:37 of big open source conference that is free to attend as well.
  • 56:41 So we got there and then we had the day after FOSDEM was over.
  • 56:45 We basically just rented a meeting room in a hotel and all kind of got together and, you
  • 56:49 know, had lunch and dinner and had a basically kind of what you guys called it when the not
  • 56:56 to be too grandiose when the founding fathers all met together to come in the plot.
  • 57:01 Yeah.
  • 57:02 Yeah.
  • 57:03 So, yeah.
  • 57:04 So we ended up not necessarily knowing what we were going to talk about before, but it ended
  • 57:09 up being mostly about kind of governance of the project.
  • 57:12 And yeah, and it was super valuable.
  • 57:14 I think we kind of managed to etch out kind of in that meeting, the sort of the outlinings
  • 57:19 of a structure for the project.
  • 57:22 Shout out to John Chang specifically, who had kind of written up a lot of stuff and kind
  • 57:27 of come into the meeting with, you know, a really, really decent draft of what to do.
  • 57:31 And then we kind of iterated on that a little bit during the day and then iterated on it
  • 57:35 more kind of in private.
  • 57:37 And then we opened a pull request on Homebrew on our kind of main repository to kind of solicit
  • 57:42 contributions on that as well.
  • 57:44 And then, yeah, after a week of that being open, we kind of merged that through.
  • 57:47 So what that actually means is that we now have a bit more structure than we had before.
  • 57:51 We have a lead maintainer role has gone away and been replaced with a project leader, which
  • 57:57 maybe sounds a little bit like two things that are exactly the same.
  • 58:01 But the difference is the project leader role.
  • 58:04 I was elected into that position and stood for election.
  • 58:07 And I will be if I want to, I will stand again next year.
  • 58:12 And then there will be another election.
  • 58:13 And anyone else who stands will have a platform if they wanted to.
  • 58:18 And then we can see effectively who gets elected by basically by the members to be in that position.
  • 58:25 So we have a governance document that explains kind of how this all works.
  • 58:27 Now we have a project leadership committee and a technical steering committee of which I'm currently on all three.
  • 58:33 But again, the nice thing is in future that's changing.
  • 58:36 So I cannot be on all three.
  • 58:39 And so not me specifically, but you basically cannot have a role that is on all three places.
  • 58:45 And we're also having this idea of members of Homebrew as well, where if you have someone who isn't a maintainer, maybe isn't involved as much with the code side of Homebrew or has been involved with Homebrew for quite a few years, then they can get kind of nominated and join as a member.
  • 58:58 And then they can kind of vote on some of these kind of elections in the future and get involved with the project on the administrative side without necessarily needing to or wanting to get involved with it on the technical side.
  • 59:08 Have you laid any of this out in documentation by any means?
  • 59:12 I know I've seen the latest to a document.
  • 59:15 So there is governance.
  • 59:16 Yeah.
  • 59:17 So if you check out the docs.brew.sh site, then right at the bottom of that page, there's a Homebrew governance document, which kind of lays all this out.
  • 59:24 It's kind of vaguely legalese language.
  • 59:27 It's fairly readable, but it's not, you know, it's not great kind of super fun reading, but it does explain kind of how this stuff all works and how people are elected and not and how often.
  • 59:37 And how often these meetings happen and stuff like that.
  • 59:40 So that's kind of worth the read of your if you're interested in this stuff.
  • 59:44 And it's nice as well, because it's as well as being like bringing some elections into things and policy and stuff, which is, again, nice for me kind of to be, you know, I think it's nice for me and it's nice for the community to have me actually be kind of elect the role kind of and have the majority of people agree that, you know, obviously they think that I'm doing a good job.
  • 1:00:05 And they kind of support me doing that for the next year.
  • 1:00:08 But it's also kind of, as I said, with putting limitations on what people can do, it's going to be end up reducing our bus factor as well.
  • 1:00:17 Sorry for increasing our bus factor.
  • 1:00:20 I can never remember which way around that is.
  • 1:00:23 But basically, it's going to make it much easier for us in future to have things not be too centralized on an individual because we have these committees, we have a leadership position, and it's clearly defined what the roles of each of them are and the responsibilities are and that you can't basically be responsible for everything.
  • 1:00:39 And I feel that that's going to be a really positive thing in future.
  • 1:00:40 And it's also, as we mentioned earlier, I think this happening at the same time as the kind of Linux merge has brought in a bunch more people who have kind of been enthusiastic and have been helped and got involved with that process.
  • 1:00:54 So there are people in the technical committee and the project leadership committee who have come from that Linux brew merger.
  • 1:00:59 So that's kind of been a nice positive thing from that as well.
  • 1:01:03 Maybe an interesting takeaway here too is, I guess, now having an annual general meeting, which puts a little bit more pressure on the need for, I guess, finances, which is good for Patreon, that you've got that.
  • 1:01:14 But then you also mentioned Software Freedom Conservancy.
  • 1:01:18 I'm just kind of curious what your thoughts are on funding this project and how you all look at, you know, attaining funding and maintaining that and the needs for funds to do things like this.
  • 1:01:30 Yeah, that's a good question.
  • 1:01:31 And I think this has been, you know, our funding has got to the level that we've been able to afford to pay for flights for people to kind of come to stuff like this.
  • 1:01:40 So, you know, we have people coming from Canada, people coming from India to this meeting and that's been kind of really, really great.
  • 1:01:46 But then obviously the amount of funds we get limits or permits what we're able to do with the project.
  • 1:01:55 So it would be great to have kind of a future where we could hire potentially people to work on aspects of Homebrew, maybe the infrastructure stuff we've mentioned before, full or part time.
  • 1:02:04 But at the moment, we still very much have, you know, an amount of money that pays for flights once a year.
  • 1:02:11 But we don't have an amount of money that pays anywhere near kind of a reasonable salary for someone with money left over as well.
  • 1:02:17 So, yeah, so kind of increasing our funding is kind of a goal for the future.
  • 1:02:22 And hopefully as well, the more we're able to be transparent about what we've spent the money on and how that's kind of all broken down, the more we'll be able to solicit more funds and know that people know that it's not just going to a black hole.
  • 1:02:37 It's going to these specific things.
  • 1:02:38 And there's a there's going to be a blog post incoming at some point in the future where we'll write up what we did at this meeting, who met, who was there, what we talked about.
  • 1:02:49 We've got all the minutes and stuff like that.
  • 1:02:51 And I also want to detail in that blog post, like how much we spent and why we felt that that was a good use of money as well, because we don't we don't have the exact breakdown of everything now.
  • 1:03:01 So it's kind of still waiting and kind of working with Software Freedom Conservancy to kind of get that information.
  • 1:03:05 But again, that's the nice thing about open source is you can afford to be more transparent about this stuff than you you would be as a business.
  • 1:03:12 And also then it might be in future that there's opportunities where I've spoken to people at large tech companies before who've said, you know, if you just want us to give you X amount of money, particularly in something like Patreon, that's very hard for us to do.
  • 1:03:25 Whereas if you want us to kind of pay for flights for 10 people, that's actually really easy for us to do.
  • 1:03:30 So this stuff may also open doors in future for us being able to ask for more specific financial commitments or donations from companies in a way that makes it easier for them to give money to us rather than just, you know, something like, you know, I know if you're, as I say, if you're a massive tech company, getting a line item approved from finance or whatever to sign up to Patreon with a corporate credit card and give a certain amount every month is, you know, it's not easy.
  • 1:03:57 That's that's a system that is built around the assumption that most of the donations will come from individuals from the goodness of their own heart.
  • 1:04:03 And while that is great, and I'm all for that, I think we need to the open source of sustainability stuff.
  • 1:04:08 We need to try and figure out ways of making it easy for the big tech companies to give to you because, you know, they get they get villainized to a certain extent.
  • 1:04:17 And some of that is legitimate, I think, but then some of it is just like, you know, you're not making it easy for them to give you money.
  • 1:04:23 And you need to figure out, as I guess the charitable sector has kind of worked out for quite a while that, you know, it's as much about meeting them where they're at and making it as easy as physically possible for them to give you what you want, rather than saying, you know, this is how I accept money.
  • 1:04:37 And you need to kind of meet me where I am.
  • 1:04:40 How's that play out then for an entity?
  • 1:04:41 Does Homebrew have a legal entity?
  • 1:04:44 You know, is this Patreon connected to a person?
  • 1:04:48 What's the state of things there?
  • 1:04:50 Yeah, good question.
  • 1:04:51 Yeah, so that's what the Software Freedom Conservancy basically is.
  • 1:04:54 So they are an umbrella organization that provides a 501(c)(3) in the US, which to those of us who aren't in the US, that basically is a US charitable organization that means organizations can donate to them tax free.
  • 1:05:09 They also provide legal services were Homebrew to get sued as an organization, say, and they provide a certain amount of kind of just being a legal entity that can own things and have bank accounts and such like.
  • 1:05:24 So that's basically our Patreon money and all our previous kind of money from our Kickstarter and stuff that has gone to Software Freedom Conservancy, who goes and kind of manages all our funds on our behalf.
  • 1:05:35 And in some ways they work like a little company for us, which is great.
  • 1:05:39 So, for example, with the way we have all the kind of Homebrew money in a bank account and we have a sum of how much we have and people have, you know, able to donate to the Software Freedom Conservancy.
  • 1:05:49 And that goes straight to us if they kind of say that that's for Homebrew.
  • 1:05:53 But at the same time, when we book flights, we kind of, you know, we don't just book all the flights on Homebrew's credit card.
  • 1:05:59 We can go and they have kind of an expense policy and you go and reimburse that way.
  • 1:06:04 And it's kind of it sounds like it would be nicer to put things on a credit card.
  • 1:06:07 But as the person who would probably be having to book that, I'm glad that there is more kind of responsible oversight with this stuff.
  • 1:06:14 And the nice thing with the Software Freedom Conservancy is that they don't really specify anything about the technical running of your project beyond the fact that you need to have some sort of leadership committee.
  • 1:06:23 So they basically let you run the project how you like.
  • 1:06:26 And then they focus more on the kind of legal and financial side, which is great for us and for me, because that's the side of things that we're just doing the copyright and stuff like that then.
  • 1:06:36 Yeah.
  • 1:06:37 Yeah, we don't do copyright assignment or anything like that in Homebrew.
  • 1:06:40 And because, yeah, I don't know why we don't or why we do.
  • 1:06:46 But that that ship I've sailed a long time ago.
  • 1:06:49 OK.
  • 1:06:50 Well, switching gears slightly, I'm recalling the last time you were here a couple of years back, we were talking about you recently added analytic tracking to Homebrew with opt out.
  • 1:07:00 And it was a bit of a controversy.
  • 1:07:01 So we discussed that last time.
  • 1:07:03 And I remember on that call us saying it would be cool if you opened up the data for the community to see since it's, you know, our data, I guess, in the first place.
  • 1:07:12 And since then, you've done that, which is awesome.
  • 1:07:16 We'll link up some of the analytics in the show notes.
  • 1:07:19 I thought it would be fun here.
  • 1:07:21 Have either of you looked at the install stats recently in terms of formula installed, Adam or Mike?
  • 1:07:29 Yes.
  • 1:07:30 I look at them pretty recently.
  • 1:07:32 Oh, you're killing me.
  • 1:07:33 Yeah.
  • 1:07:34 Like, Adam, you just looked at it before the call.
  • 1:07:36 I guess prep.
  • 1:07:37 It's part of this.
  • 1:07:38 All right.
  • 1:07:39 It ruins my game.
  • 1:07:40 I was going to have us guess why I can still guess.
  • 1:07:42 Come on.
  • 1:07:43 Let's play the game.
  • 1:07:44 OK, let's play the game.
  • 1:07:45 So 90 day install events.
  • 1:07:48 OK, so we'll take turns.
  • 1:07:50 Mike and then Adam.
  • 1:07:51 Mike might have these memorized.
  • 1:07:52 Maybe this is like on a dashboard above your bed or something at home, but hopefully not.
  • 1:07:57 Top installed formula over the last 90 days.
  • 1:08:01 Try to hit in the top 20.
  • 1:08:03 But try to hit number one.
  • 1:08:04 What do you think?
  • 1:08:05 What's the most installed packages?
  • 1:08:06 I'm going to be pedantic because I know how the analytics work to start with.
  • 1:08:09 So are we going for install events or install on request events?
  • 1:08:13 Install events.
  • 1:08:14 What's the difference?
  • 1:08:15 So the difference between that.
  • 1:08:16 Should I go the other way?
  • 1:08:17 No, no.
  • 1:08:18 I guess it's interesting the difference because if people are looking at these, it might help
  • 1:08:22 to explain.
  • 1:08:23 So the install events is if I install a package and it pulls in a dependency, then the package
  • 1:08:28 and the dependency are both install events, whereas only the package I specifically request
  • 1:08:33 is an install and request event.
  • 1:08:35 Oh, OK.
  • 1:08:36 So let's do them both.
  • 1:08:37 We got time.
  • 1:08:38 So let's start with the overall install formula, install, overall install events.
  • 1:08:42 So this means either you asked for it or it's a dependency, which means, you know, it's infrastructure.
  • 1:08:47 So that will change the results for sure.
  • 1:08:49 But what do you think some of the top packages here or formula?
  • 1:08:52 You get to guess one and then Adam gets to guess one.
  • 1:08:54 We'll do a family feud style.
  • 1:08:56 OK, well, I'll guess the easiest one for us, which is.
  • 1:08:58 Survey says.
  • 1:08:59 OpenSSL.
  • 1:09:00 OpenSSL.
  • 1:09:02 So you.
  • 1:09:03 Yeah, you got number one.
  • 1:09:04 So sorry, Adam, but you already lost.
  • 1:09:05 Oh, geez.
  • 1:09:06 Not fair.
  • 1:09:07 He runs this project.
  • 1:09:08 OK, but you know, you can still hit up there number high.
  • 1:09:10 So what do you think Adam?
  • 1:09:11 I'm going to base mine based on our most popular page on changelog.com.
  • 1:09:15 I think you know what that is.
  • 1:09:16 So the Changelog, installing Node.
  • 1:09:18 So I would I would assume that Node is probably the top somewhere.
  • 1:09:21 Oh, that's right.
  • 1:09:22 Yes.
  • 1:09:23 Node is number five.
  • 1:09:24 So very good.
  • 1:09:26 Let's go one more time each and we'll switch.
  • 1:09:28 Then we'll switch to the other events.
  • 1:09:29 So, Mike, give us another one.
  • 1:09:31 Try to hit in the top five.
  • 1:09:33 Try to hit number two.
  • 1:09:34 Python.
  • 1:09:35 Python.
  • 1:09:36 Close.
  • 1:09:37 Number two still on the board.
  • 1:09:38 So we have OpenSSL first.
  • 1:09:40 Python third.
  • 1:09:41 Node fifth.
  • 1:09:42 So Adam, you could squeeze in there a number two if you can think of this.
  • 1:09:45 I'm going with git.
  • 1:09:46 git.
  • 1:09:47 Oh, I got to scroll way down to 15.
  • 1:09:49 The correct answer was, as you should know, SQLite number two with 1.5, 1.35 million install events in the last 90 days.
  • 1:09:59 Now let's go to formula install on request events and we might have very similar responses.
  • 1:10:06 In fact, I won't make you guys guess.
  • 1:10:08 I will tell you that it's the same packages, but they've kind of been moved around.
  • 1:10:12 So Node is number one.
  • 1:10:13 Python number two.
  • 1:10:14 Sneaking up there.
  • 1:10:15 Number three.
  • 1:10:16 wget followed by git.
  • 1:10:18 And then fifth is yarn.
  • 1:10:20 And so we see these are user facing tools.
  • 1:10:22 OpenSSL's a little further.
  • 1:10:23 Yeah.
  • 1:10:24 Trickles down to nine because most people are using that as a dependency, but I'm not most, but often.
  • 1:10:29 All right.
  • 1:10:30 Fun game.
  • 1:10:31 Very cool.
  • 1:10:32 Check those out.
  • 1:10:33 I didn't know this was out here until recently.
  • 1:10:34 Has this been out and available for a long time, Mike?
  • 1:10:36 Uh, it's been, yeah, it's been available for, I don't know, maybe if I like it.
  • 1:10:40 I know how long it's been.
  • 1:10:41 Cause I remember building it when my, when my wife was heavily pregnant and we were on our
  • 1:10:46 last vacation before my son was born.
  • 1:10:48 And I felt, you know, I have to do this now because this is my last chance ever.
  • 1:10:51 Um, yeah, so that, that was about, so you know exactly how old it is then.
  • 1:10:55 Yeah, exactly.
  • 1:10:56 Uh, yeah, no.
  • 1:10:57 So about, about a year, um, in any form and probably about, you know, half a year and it's
  • 1:11:02 about a year and it's current form probably.
  • 1:11:04 Um, but yeah, no, so it's great actually.
  • 1:11:06 I mean, it's been nice to kind of get that done because as you said, you know, and that's
  • 1:11:10 what I hope for is make this stuff, um, open and we sort of live by that as well in that.
  • 1:11:15 So because this is pulling data from Google Analytics, you need analytics, Google Analytics,
  • 1:11:20 API key to access that data.
  • 1:11:22 Uh, and me and the other maintainers don't even have an API key on our machines anymore.
  • 1:11:28 So we, when we are consuming analytics data, we're consuming entirely the same public data
  • 1:11:32 that everyone else does.
  • 1:11:33 Um, and there's actually APIs on that site as well that you can pull this data programmatically,
  • 1:11:38 which has been handy for people because both the analytics data, I don't know if the APIs
  • 1:11:42 are used so much for that, but for the formula data, for example, you can query information
  • 1:11:46 about a formula without having access to a Mac system.
  • 1:11:49 So, and it's all, and the worst slash best part of this all is it's actually all on GitHub
  • 1:11:55 Pages.
  • 1:11:56 So like you can hammer it as much as you like, and you're not going to cost us any money.
  • 1:11:59 Um, and if you want to see pain in the world of code, if you look at what it looks like
  • 1:12:05 to build a JSON API on top of GitHub Pages, then you will know great sadness.
  • 1:12:11 Yeah.
  • 1:12:12 I might go read that later.
  • 1:12:13 Cause I, I like to know great sadness every once in a while, especially when I don't have
  • 1:12:16 to write the great sadness.
  • 1:12:17 I just enjoy the results.
  • 1:12:19 Yeah.
  • 1:12:20 We know Homebrew 2 is fresh and it's new, but, uh, we have to ask you what's in the future.
  • 1:12:26 Is there anything, anything that's not out so far or anything that's a fun plan that's
  • 1:12:31 coming up that you can tease or mention?
  • 1:12:34 Yeah.
  • 1:12:35 It's funny.
  • 1:12:36 So that there's no really big things that I can think of.
  • 1:12:38 Like Homebrew 2 for me was a funny experience because that was kind of the end of my, my list
  • 1:12:43 of like things that I thought were really important that I wanted to kind of get built before.
  • 1:12:48 Uh, so from my perspective, there's not the stuff I would like to see, but again, this is
  • 1:12:52 kind of a bit more fun because it's dependent on the kind of community stepping up.
  • 1:12:56 There has been talk for a few years about, uh, being able to show licensing information for
  • 1:13:00 Homebrew packages.
  • 1:13:01 So you can query what the license is of each individual package.
  • 1:13:04 You could maybe say, I deliberately don't want to install.
  • 1:13:07 I know this, some commercial, uh, organizations would find it useful to say, I just don't want
  • 1:13:12 to allow say GPLv3 stuff to be installed at all.
  • 1:13:16 Um, so yeah, we have someone who's sort of started finally a community effort to kind
  • 1:13:20 of build up a groupings of all that kind of licensing information for packages.
  • 1:13:24 And then when that reaches, um, kind of complete enough state, then we're going to go and we'll
  • 1:13:31 merge that back into Homebrew itself.
  • 1:13:32 And this was the process that we kind of took for descriptions, adding them to packages back
  • 1:13:36 when we did that, where we said, okay, if someone can go and effectively build up all the metadata,
  • 1:13:40 when that's done, we'll then merge it back into the project.
  • 1:13:43 Um, and yeah.
  • 1:13:44 So we've got a guy who we tweeted about this the other day.
  • 1:13:48 Um, and you can go and see there's an open help wanted issue in the Homebrew/brew repository
  • 1:13:53 as well.
  • 1:13:54 Who's building this stuff up.
  • 1:13:55 So that would be a cool thing both to watch and also to get involved with.
  • 1:13:58 I'll make sure we get that link for the show notes then.
  • 1:14:00 So the listeners can check that out.
  • 1:14:02 Uh, Mike, you know what?
  • 1:14:03 It's, it's always good catching up with you.
  • 1:14:04 And, and, uh, I think it's funny too, how you can earmark when things happened with Homebrew
  • 1:14:11 based on life events.
  • 1:14:12 I think that's, that's a true sign of, you know, the life of a maintainer, you know?
  • 1:14:17 And so as someone who uses the code that you've worked so hard to, to slave over all these
  • 1:14:23 years and put this much effort into and, you know, all this stuff, I'm just so appreciative
  • 1:14:28 of that because you make my life so much easier as a Mac user and getting my system up and running
  • 1:14:33 as, as we talked about in the show.
  • 1:14:34 So I appreciate that.
  • 1:14:36 And I'm glad that, uh, even though you're on vacation, you can still, uh, put out a good
  • 1:14:41 feature, which is appreciated.
  • 1:14:43 Well, thank you very much.
  • 1:14:44 And the nice thing about it for me is that, you know, believe it or not, it's still fun
  • 1:14:48 for me to work on Homebrew.
  • 1:14:49 Uh, and that's, that's the thing is that it's still something in my free time that, you know,
  • 1:14:54 maybe not as much as I used to both because of maybe Homebrew growing up a little bit, but
  • 1:15:00 also because my life getting busier.
  • 1:15:02 But you know, there's definitely times where I'm at a weekend and my wife's out with my
  • 1:15:06 kid for a little while and I've got free time to myself and I'm like, what do I feel like
  • 1:15:09 doing the most right now?
  • 1:15:10 Well, I feel like, you know, working on Homebrew and that's the nice thing that I'm able to
  • 1:15:14 do that.
  • 1:15:15 And it's fun for me and get to kind of give back and have other people have something
  • 1:15:19 useful at the end of it as well.
  • 1:15:21 Well, Mike, we thank you very much for Homebrew and the rest of the team that makes it
  • 1:15:24 happen.
  • 1:15:25 And also for your time.
  • 1:15:26 Thank you.
  • 1:15:27 Thank you guys.
  • 1:15:28 Great job.
  • 1:15:31 All right.
  • 1:15:32 Thank you for tuning into this episode of the Changelog.
  • 1:15:34 Hey, guess what?
  • 1:15:35 We have discussions on every single episode now.
  • 1:15:37 So head to changelog.com to discuss this episode.
  • 1:15:41 And if you want to help us grow this show, reach more listeners and influence more developers,
  • 1:15:47 do us a favor and give us a rating or review in iTunes or Apple Podcasts.
  • 1:15:51 If you use Overcast, give us a star.
  • 1:15:53 If you tweet, put a link.
  • 1:15:55 If you make lists of your favorite podcasts, include us in it.
  • 1:15:59 And of course, thank you to our sponsors, the ocean hit prime and Reagan.
  • 1:16:04 Also, thanks to Fastly, our bandwidth partner, Rollbar, our monitoring service and Linode,
  • 1:16:10 our cloud server of choice.
  • 1:16:12 This episode is hosted by myself, Adam Stacoviak and Jerod Santo.
  • 1:16:16 And our music is done by Breakmaster Cylinder.
  • 1:16:19 If you want to hear more episodes like this, subscribe to our master feed at changelog.com
  • 1:16:25 slash master, or go into your podcast app and search for Changelog Master.
  • 1:16:30 You'll find it.
  • 1:16:31 Thank you for tuning in this week.
  • 1:16:32 We'll see you again soon.
  • 1:16:45 Practical AI is a show hosted by Daniel Whitenack and Chris Benson
  • 1:16:48 about making artificial intelligence, practical, productive, and accessible to everyone.
  • 1:16:52 You'll hear from AI influencers and practitioners,
  • 1:16:55 and they'll keep you up to date with the latest news and resources.
  • 1:16:58 So you can cut through all the hype.
  • 1:17:00 As you were at the Thanksgiving table with your friends and family, were you talking about the fear of AI?
  • 1:17:05 Well, I wasn't at the Thanksgiving table because my wife has forbidden me from doing so.
  • 1:17:10 It's off limits for me, lest I drive her insane, because I never stop.
  • 1:17:15 New episodes premiere every Monday.
  • 1:17:17 Find this show at changelog.com/practicalAI, or wherever you listen to podcasts.
  • 1:17:21 The only other thing I would want to pull into the show, or not even the show, maybe just an after show.
  • 1:17:28 I almost thought about this during, but I forgot until just like right there at the end was what keeps you motivated?
  • 1:17:33 You know, like, yeah, there's so much work that goes into this.
  • 1:17:36 Like, you know, you're on paternity leave having to write up this incident report.
  • 1:17:40 I mean, that's sort of like one variation of motivation because you kind of have to at that point.
  • 1:17:46 You've got some responsibility, but like, no one's making you make Homebrew better.
  • 1:17:51 And it's not like you're getting paid to do it.
  • 1:17:53 You know what I mean?
  • 1:17:54 Yeah, I guess that.
  • 1:17:55 I mean, I think the thing for me is that it's actually kind of the opposite from what you said, bizarrely, where I wrote a blog post about this a little while ago.
  • 1:18:02 Unfortunately, it's got a slightly flame-baity title because my brief stint in kind of the marketing organization at my company pointed out to me that, you know, flame bait is a good way of getting your links shared more.
  • 1:18:14 And it was called open source maintainers owe you nothing.
  • 1:18:18 And basically that was like, that's what keeps me motivated really is the fact that like, I don't act, I know, and I have strongly internalized the fact that I don't owe anyone anything, you know, and the licenses that open source software is under state that quite clearly that if I release buggy code, which destroys your computer, blows up your house, whatever, like that's, you've disclaimed all warranties on that.
  • 1:18:44 And you've basically said that that's not in any way my fault or my obligation to deal with that in the license that you agree to when you use any open source software.
  • 1:18:53 And so I think that kind of helps me a lot, actually, because, you know, most of the time people are decent, but there have been times in Homebrew's history where I've closed a legitimate bug because the person who has reported it is unable to like maintain a conversation in a way that isn't extremely rude and extremely toxic.
  • 1:19:09 And I can't do that at work.
  • 1:19:11 I mean, thankfully, I don't have a deal with customers type role at my work anyway.
  • 1:19:15 But, you know, if you're in a workplace and you're being paid by someone, you can't just decide, well, no, actually, I'm going to, you know, stop talking to this paying customer anymore unless you're kind of the one running the business, which I am not.
  • 1:19:26 Whereas in open source, I can decide to do that.
  • 1:19:28 I can decide at any point, right, well, I just, you know, opt out of this conversation.
  • 1:19:33 I'm done here.
  • 1:19:34 I'm moving on.
  • 1:19:35 I'm going to do something else.
  • 1:19:36 And I think particularly nowadays, it's kind of helpful to be.
  • 1:19:39 And I think that's really been brought home with like having a family and kind of being aware of like my mood and things like that.
  • 1:19:47 And my wife's really good at kind of pointing out if I'm particularly kind of happy or sad or whatever.
  • 1:19:51 And I try and sort of like double down on that.
  • 1:19:54 But I think it's been helpful with that because I have Homebrew issues which kind of need to be fixed.
  • 1:19:58 You know, they're not urgent priority, but they're relatively high priority that have sat unfixed for three or four months because I don't want to fix them.
  • 1:20:04 And, you know, if someone else thinks that they're a big enough problem, then they'll fix them and I'll happily help them figure out how to fix them.
  • 1:20:11 But I don't have to.
  • 1:20:12 And they don't affect me.
  • 1:20:13 So I'm not going to.
  • 1:20:14 And again, that's for me, in some ways, the interesting thing about introducing more money into open source is, again, if Homebrew was my full time gig and I was being paid full time to do that, then all of a sudden that would change.
  • 1:20:26 And I would feel a sense of obligation that I would have to work on those things and I would have to fix these things.
  • 1:20:31 Particularly if the people who were individuals or companies who were paying me were pointing out that these were the problems that they were experiencing.
  • 1:20:38 Whereas the nice thing is I can say, well, actually, that one doesn't look very fun, so I'm not going to bother.