homebrew-cask/doc/faq/apps_with_malware.md

Apps that bundle malware

Unfortunately, in the world of software there are bad actors that bundle malware with their apps. Even so, Homebrew-Cask has long decided it is not a gatekeeper (macOS already has one) and users are expected to know about the software they are installing. This means we will not remove casks that link to these apps. We have several reasons for this, summarised in a comment on issue #21399.

Within that context, we would still like for users to enjoy some kind of protection while minimising occurrences of legitimate developers being branded as malware carriers. We feel removing casks is an ineffective band-aid and the issue needs to be tackled earlier in the chain: at the macOS level.

If an app that bundles malware was not signed with an Apple Developer ID and you purposefully disabled or bypassed Gatekeeper, no action will be taken on our part. When you disable security features, you do so at your own risk. If, however, an app that bundles malware is signed, Apple can revoke its permissions and it will no longer run on the computers of users that keep security features on — we all benefit, Homebrew-Cask users or not. Note that for the time being, Homebrew-Cask will not quarantine download files. See issue #22388.

To report a signed app that bundles malware, follow these steps:

  • Go to Apple's Bug Reporter and report the app that bundles malware. Be as precise as possible about how you know it bundles malware, and what steps reproduce your conclusions. Be sure to include relevant URLs, such as the app's homepage.
  • Make the report public at Open Radar.
  • Submit a pull request with a malware caveat.