I noticed that a lot of Casks do not contain the app version and checksum. I am concerned that:
1. The user installing an app will not know exactly which version is being installed
2. The checksum is there for a very good reason: to ensure the integrity of the installer
   a. Installer may be corrupted when in transit
   b. Actual file on server is corrupted / compromised
   c. Formula author is expected to verify that the downloaded file is working as expected; a checksum is one way to ensure nothing is changed
3. The cask Formula ought to keep track of new app releases
I understand the need to use latest for version and no checksum, because certain installers have a fixed URL and filename. Developers releasing new versions simply replace the existing file on the server. In addition, some applications (example: Google Chrome) update themselves within the application.
So what is the value of creating a cask if it simply downloads a file and creates a link to the application without tracking the version and verifying the integrity of the downloaded file, similar to a regular homebrew Formula? Without tracking versions, a user will not be able to update an existing cask, unless a force install / uninstall-reinstall is used.
Some applications also have specific versions for different OS X releases. For example Deeper, 2.7.1 is for Mountain Lion, 1.4.9 for Lion, and so on.
Without Homebrew Cask
Homebrew Cask makes it very convenient to install an app from the command line. The downsides are:
1. My apps now live in 2 places: /Applications for manual installation and /opt/homebrew-cask/Caskroom for those installed by homebrew-cask
2. I don't know the exact version of the application I am downloading/installing via homebrew cask
3. My applications can be updated from within themselves, and diverge from the homebrew-cask Formula
As a result, wouldn't it be better if I download the .dmg or .pkg and install it manually? If I am so inclined to use the command line, I can install an app using curl, hdiutil, etc., or open a file.
Proposed Direction
We want to make homebrew cask as simple for the user as possible, whilst leveraging the power of the upstream homebrew. Therefore I suggest creating a guideline for casks where:
URL -> mandatory
Homepage -> mandatory
version -> recommended
sha1 -> recommended
link or install -> mandatory
uninstall -> optional
Where applicable, a Cask should include the version and checksum.
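
An added example, not part of the original issue and not homebrew-cask's own code: a small Ruby audit that applies the proposed guideline to a cask's source text and checks a downloaded installer against the pinned sha1. The cask text, app name, URL and installer bytes are constructed, and the one-stanza-per-line regex parsing is a simplifying assumption.

```ruby
require 'digest'

# Stanza policy taken from the guideline proposed in the issue above.
MANDATORY   = %w[url homepage].freeze
RECOMMENDED = %w[version sha1].freeze
PLACEMENT   = %w[link install].freeze # at least one of these is mandatory

# Collect the stanzas of a cask source as { name => first string argument }.
# Simplification (assumption): one stanza per line with a quoted literal.
def stanzas(source)
  source.scan(/^[ \t]*(\w+)[ \t]+['"]([^'"]*)['"]/).each_with_object({}) do |(name, value), found|
    found[name] ||= value
  end
end

# Returns { errors: [...], warnings: [...] } for one cask source.
def audit_cask(source)
  found = stanzas(source)
  errors = MANDATORY.reject { |s| found.key?(s) }.map { |s| "missing #{s}" }
  errors << 'missing link or install' if (PLACEMENT & found.keys).empty?
  warnings = RECOMMENDED.reject { |s| found.key?(s) }.map { |s| "missing #{s}" }
  if found['version'] == 'latest'
    warnings << 'version is latest: download cannot be pinned'
  elsif found.key?('sha1') && found['sha1'] !~ /\A\h{40}\z/
    errors << 'sha1 is not 40 hex digits'
  end
  { errors: errors, warnings: warnings }
end

# True only when the cask pins a sha1 and the downloaded bytes match it.
def download_verified?(source, bytes)
  expected = stanzas(source)['sha1']
  !expected.nil? && Digest::SHA1.hexdigest(bytes) == expected.downcase
end

# Constructed sample data: not a real cask, URL or installer.
INSTALLER = "constructed installer bytes\n"
PINNED = <<~CASK
  class ExampleApp < Cask
    url 'https://example.invalid/ExampleApp-1.2.3.dmg'
    homepage 'https://example.invalid/'
    version '1.2.3'
    sha1 '#{Digest::SHA1.hexdigest(INSTALLER)}'
    link 'ExampleApp.app'
  end
CASK
UNPINNED = PINNED.sub(/^[ \t]*sha1 .*\n/, '').sub("'1.2.3'", "'latest'")

puts audit_cask(PINNED), audit_cask(UNPINNED)
```

An unpinned cask passes the mandatory checks but `download_verified?` can never return true for it, which is the gap the issue describes: with no recorded digest there is nothing to compare a corrupted or replaced file against.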