{
"title_zh": "Homebrew 6.0:第三方 Tap 必须显式信任,JSON API 大幅提速,Linux 沙箱对齐 macOS",
"body_zh": "# Homebrew 6.0:第三方 Tap 必须显式信任,JSON API 大幅提速,Linux 沙箱对齐 macOS\n\nHomebrew 在 6 月 11 日推出了 6.0.0,这是一次跨安全、功能和性能三个维度的版本迭代。其中最醒目的变动是第三方 Tap 的信任授权机制——它把过去「装了就算」的默认行为,改成了必须显式确认才能继续。对日常用 brew install 的人来说,这个改动会直接改变工作流。\n\n## 第三方 Tap:从「默认信任」到「显式授权」\n\n过去,当你执行 brew tap homebrew/cask-fonts 或任何一个第三方 Tap,Homebrew 会直接把它纳入评估范围,后续 brew install 搜索公式时会自动扫描所有已添加的 Tap。这意味着一个未经审查的第三方源,只要被 tap 过,就能影响你系统的软件列表——安全风险不言而喻。\n\n6.0.0 引入了显式信任授权机制:\n\n- 新添加的第三方 Tap 默认处于「未信任」状态,brew install 不会从中搜索公式。\n- 你需要用 brew tap --trust <tap-name> 显式授权,该 Tap 的公式才会出现在搜索和安装结果里。\n- 已信任的 Tap 可以用 brew tap --untrust <tap-name> 降级回未信任状态。\n\n这个设计把信任决策从「隐式默认」变成了「主动选择」。对团队管理来说,好处很明显——你可以在 CI 或共享配置里只信任经过审查的 Tap,避免有人随手加了一个来源就改变了全局行为。\n\n## JSON API 提速:查询从解析公式文件变成读缓存\n\nHomebrew 的 brew info、brew search 等命令过去每次都要解析所有公式文件(Ruby DSL),随着公式数量增长,冷启动耗时越来越明显。\n\n6.0.0 正式启用了 JSON API 作为默认数据源:\n\n- 公式和 Cask 的元数据被预编译为 JSON,存放在本地缓存中。\n- brew info、brew search、brew outdated 等命令直接读 JSON,不再逐文件解析。\n- 实测在公式数量较多的环境下,查询类命令的响应时间可以缩短 50% 以上。\n\n如果你之前在 CI 里用 HOMEBREW_NO_INSTALL_FROM_API=1 强制走旧路径,现在可以去掉这个环境变量了。JSON API 已经是稳定默认,旧路径只在极端调试场景下才需要。\n\n## Linux 沙箱全面对齐 macOS\n\nHomebrew 在 Linux 上通过 Linuxbrew 运行,过去它的沙箱隔离机制和 macOS 版本有差异——某些构建步骤在 macOS 上受限,在 Linux 上却可以自由执行,导致跨平台行为不一致,也留下安全隐患。\n\n6.0.0 让 Linux 侧的沙箱策略与 macOS 完全对齐:\n\n- superenv 沙箱在 Linux 上同样限制编译器的 include 路径、库搜索路径和环境变量注入。\n- 之前在 Linux 上能「蒙混过关」的构建脚本,现在会被沙箱拦截,需要显式声明依赖。\n\n短期来看,这可能导致某些第三方公式在 Linux 上构建失败——但长远看,对齐沙箱意味着公式作者必须正确声明依赖,而不是靠系统环境「碰巧能编译」。\n\n## 实操:升级到 6.0 后你需要做什么\n\n升级本身很简单,但升级后的行为变化需要你主动处理。\n\n### 升级 Homebrew\n\nbash\nbrew update\nbrew upgrade\n\n\n升级完成后,检查你当前的 Tap 列表和信任状态:\n\nbash\n# 查看所有已添加的 Tap\nbrew tap\n\n# 查看某个 Tap 是否已被信任(6.0 新增)\nbrew tap-info homebrew/cask-fonts\n\n\n### 信任你需要的第三方 Tap\n\n如果你之前添加了第三方 Tap,升级后它们可能处于未信任状态。你需要逐个授权:\n\nbash\n# 信任一个已有的 Tap\nbrew tap --trust homebrew/cask-fonts\n\n# 信任一个新 Tap(同时添加并信任)\nbrew tap --trust myorg/custom-tools\n\n# 取消信任(Tap 仍保留,但搜索不会覆盖它)\nbrew tap --untrust myorg/custom-tools\n\n\n### CI 环境的适配建议\n\n在 CI 中,建议把 Tap 
信任步骤写进初始化脚本,避免构建因找不到公式而中断:\n\nbash\n# CI 初始化片段\nbrew update\nbrew tap --trust homebrew/cask-fonts\nbrew tap --trust myorg/internal-tools\nbrew install --formula myorg/internal-tools/deploy-cli\n\n\n如果你用 GitHub Actions,可以把它封装成一个 step:\n\nyaml\n- name: Setup Homebrew taps\n run: |\n brew update\n brew tap --trust homebrew/cask-fonts\n brew tap --trust myorg/internal-tools\n- name: Install dependencies\n run: brew install myorg/internal-tools/deploy-cli\n\n\n### 处理 Linux 构建失败\n\n如果升级后某个公式在 Linux 上构建报错,先检查是否是沙箱限制导致的:\n\nbash\n# 临时绕过沙箱构建(仅用于调试,不建议长期使用)\nbrew install --env=std <formula>\n\n\n正确做法是给公式补上缺失的依赖声明,然后提交 PR 给公式维护者。\n\n## 升级检查清单\n\n| 项目 | 操作 |\n|------|------|\n| Homebrew 自身 | brew update && brew upgrade |\n| 已有第三方 Tap | 逐个执行 brew tap --trust <name> |\n| CI 脆弱步骤 | 添加 brew tap --trust 到初始化流程 |\n| HOMEBREW_NO_INSTALL_FROM_API | 去掉该环境变量,除非你在调试 |\n| Linux 构建异常 | 用 --env=std 临时排查,补依赖声明 |\n\n6.0 的三个核心变动——Tap 信任授权、JSON API 默认启用、Linux 沙箱对齐——方向一致:让 Homebrew 的默认行为更安全、更可预测。短期会有适配成本,但如果你现在就把信任列表和 CI 脚本理清,后续维护反而更省心。",
"title_en": "Homebrew 6.0: Third-Party Taps Now Require Explicit Trust, JSON API Speeds Up Queries, Linux Sandbox Aligns with macOS",
"body_en": "# Homebrew 6.0: Third-Party Taps Now Require Explicit Trust, JSON API Speeds Up Queries, Linux Sandbox Aligns with macOS\n\nHomebrew released version 6.0.0 on June 11, covering security, functionality, and performance in one sweep. The headline change is the new trust-onboarding mechanism for third-party Taps—what used to be a silent default is now an explicit decision you have to make. If you run `brew install` on any regular basis, this directly reshapes your workflow.\n\n## Third-Party Taps: No More Implicit Trust\n\nPreviously, running `brew tap homebrew/cask-fonts` (or any third-party Tap) immediately folded that source into formula evaluation. Every subsequent `brew install` search would scan all tapped sources without distinction. An unvetted third-party repository could silently influence what gets installed on your machine—a clear security gap.\n\n6.0.0 replaces that with explicit trust authorization:\n\n- Newly added third-party Taps start in an \"untrusted\" state. `brew install` will not search their formulas.\n- You must run `brew tap --trust <tap-name>` to grant trust, after which that Tap's formulas appear in search and install results.\n- Trusted Taps can be downgraded with `brew tap --untrust <tap-name>`.\n\nThis flips the trust model from opt-out to opt-in. For teams running shared CI, the benefit is immediate: you can whitelist only reviewed Taps in your setup scripts, preventing an ad-hoc `brew tap` from altering the global formula pool.\n\n## JSON API: Queries Skip Ruby Parsing, Go Straight to Cached JSON\n\nCommands like `brew info` and `brew search` used to parse every formula file (Ruby DSL) on each invocation. As the formula count grew, cold-start latency became noticeable.\n\n6.0.0 makes the JSON API the default data source:\n\n- Formula and Cask metadata is pre-compiled into JSON and cached locally.\n- `brew info`, `brew search`, `brew outdated` read JSON directly—no per-file Ruby parsing.\n- In environments with a large formula set, query commands can be over 50% faster.\n\nIf you previously set `HOMEBREW_NO_INSTALL_FROM_API=1` in CI to force the old path, you can drop that variable now. The JSON API is the stable default; the old path is only useful for deep debugging.\n\n## Linux Sandbox Fully Aligned with macOS\n\nHomebrew on Linux (Linuxbrew) historically ran a weaker sandbox than the macOS version. Certain build steps that were restricted on macOS could execute freely on Linux, creating cross-platform inconsistency and security gaps.\n\n6.0.0 aligns Linux sandbox policy with macOS:\n\n- `superenv` on Linux now restricts compiler include paths, library search paths, and environment variable injection the same way macOS does.\n- Build scripts that \"happened to work\" on Linux by leaning on ambient system paths will now be blocked—formulas must explicitly declare their dependencies.\n\nShort-term, this may break some third-party formula builds on Linux. Long-term, it forces formula authors to declare dependencies correctly instead of relying on the build host's environment to paper over gaps.\n\n## What to Do After Upgrading\n\nThe upgrade itself is straightforward, but the behavioral changes require follow-up.\n\n### Upgrade Homebrew\n\n```bash\nbrew update\nbrew upgrade\n```\n\nAfter upgrading, inspect your current Tap list and trust status:\n\n```bash\n# List all added Taps\nbrew tap\n\n# Check whether a specific Tap is trusted (new in 6.0)\nbrew tap-info homebrew/cask-fonts\n```\n\n### Trust the Third-Party Taps You Actually Use\n\nExisting third-party Taps may land in an untrusted state after the upgrade. Grant trust one by one:\n\n```bash\n# Trust an already-added Tap\nbrew tap --trust homebrew/cask-fonts\n\n# Add and trust a new Tap in one step\nbrew tap --trust myorg/custom-tools\n\n# Remove trust (Tap stays added, but search skips it)\nbrew tap --untrust myorg/custom-tools\n```\n\n### Adapting CI Pipelines\n\nAdd trust steps to your CI bootstrap so builds don't fail on missing formulas:\n\n```bash\n# CI bootstrap snippet\nbrew update\nbrew tap --trust homebrew/cask-fonts\nbrew tap --trust myorg/internal-tools\nbrew install --formula myorg/internal-tools/deploy-cli\n```\n\nFor GitHub Actions, wrap it as a step:\n\n```yaml\n- name: Setup Homebrew taps\n  run: |\n    brew update\n    brew tap --trust homebrew/cask-fonts\n    brew tap --trust myorg/internal-tools\n- name: Install dependencies\n  run: brew install myorg/internal-tools/deploy-cli\n```\n\n### Handling Linux Build Failures\n\nIf a formula breaks on Linux after the upgrade, check whether the sandbox is the cause:\n\n```bash\n# Temporarily bypass the sandbox for debugging (not for production use)\nbrew install --env=std <formula>\n```\n\nThe proper fix is to add missing dependency declarations to the formula and submit a PR to the maintainer.\n\n## Upgrade Checklist\n\n| Item | Action |\n|------|--------|\n| Homebrew itself | `brew update && brew upgrade` |\n| Existing third-party Taps | Run `brew tap --trust <name>` for each |\n| CI fragile steps | Add `brew tap --trust` to bootstrap |\n| `HOMEBREW_NO_INSTALL_FROM_API` | Remove unless debugging |\n| Linux build failures | Debug with `--env=std`, then fix dependency declarations |\n\nThe three core changes in 6.0—Tap trust authorization, JSON API as default, Linux sandbox alignment—share a common direction: make Homebrew's default behavior safer and more predictable. There's short-term adaptation cost, but once you clean up your trust list and CI scripts, ongoing maintenance becomes simpler.",
"seo_description_en": "Homebrew 6.0.0 requires explicit trust for third-party Taps, speeds up queries with a JSON API cache, and aligns Linux sandbox rules with macOS. Upgrade checklist included."
}
Homebrew 6.0.0 Released: Third-Party Taps Require Trust Authorization, JSON API Speeds Up, Linux Sandbox Fully Aligned with macOS
2026-06-12
Disclaimer: This article is an AI-assisted summary. Read it together with the original source when precision matters. The summary may omit context, version differences, or edge cases and is not official documentation.