Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't relocate Apple Silicon bottles for default prefix #19247

Open
1 task done
MikeMcQuaid opened this issue Feb 5, 2025 · 2 comments · May be fixed by #19384
Open
1 task done

Don't relocate Apple Silicon bottles for default prefix #19247

MikeMcQuaid opened this issue Feb 5, 2025 · 2 comments · May be fixed by #19384
Labels
features New features help wanted We want help addressing this

Comments

@MikeMcQuaid
Copy link
Member

Verification

Provide a detailed description of the proposed feature

We should avoid using e.g. @@HOMEBREW_PREFIX@@ etc. relocation replacements on Apple Silicon (and maybe Linux x86_64/arm64 but not/never macOS Intel).

These were needed initially because replacing /usr/local on macOS Intel was far too wide-reaching with too many false positives and negatives.

What is the motivation for the feature?

This would:

  • simplify and speed up pouring on our widest used platform(s)
  • potentially enable codesigning of homebrew-core packages for Apple Silicon (where we require cask code-signing anyway)
    • code-signing is broken by relocation

How will the feature be relevant to at least 90% of Homebrew users?

Increased speed and security for homebrew-core.

What alternatives to the feature have been considered?

  • Doing nothing
  • Having another tap that signs already-relocated bottles
@MikeMcQuaid MikeMcQuaid added features New features help wanted We want help addressing this labels Feb 5, 2025
@cho-m
Copy link
Member

cho-m commented Feb 25, 2025

Would this be specific to binaries (or bottles containing binaries)?

Mainly as we use placeholder in text files to create all bottles.

@MikeMcQuaid
Copy link
Member Author

@cho-m Yes, it should be binary specific and be indicated somehow in a bottle/tab/manifest so we don't break :all bottles. Anything that needs code signed would, by definition, not be possible to be :all.

samuelarogbonlo added a commit to samuelarogbonlo/brew that referenced this issue Feb 26, 2025
@samuelarogbonlo
Don't relocate Apple Silicon bottles for default prefix
78c3bf9 
This change skips the relocation process for bottles on Apple Silicon Macs
when using the default prefix (/opt/homebrew). Relocation was initially
needed for Intel Macs to avoid wide-reaching replacements with false positives,
but is unnecessary for Apple Silicon where the default prefix is unique.

Benefits:
- Simplifies and speeds up bottle pouring on Apple Silicon
- Potentially enables code-signing of homebrew-core packages
- Improves security by avoiding binary modification post-build

A --force-bottle-relocation flag is added for edge cases where
relocation might still be needed.

Fixes Homebrew#19247
@samuelarogbonlo samuelarogbonlo linked a pull request Feb 26, 2025 that will close this issue
Open
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
features New features help wanted We want help addressing this
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Don't relocate Apple Silicon bottles for default prefix samuelarogbonlo/brew
2 participants
@MikeMcQuaid @cho-m