macstrap bootstraps a machine: it installs software via Homebrew, applies dotfiles, and downloads a prebuilt binary. Security reports are taken seriously.
Only the latest release (and main) receive security fixes.
Please do not open a public issue for security problems.
Report privately via GitHub security advisories ("Report a vulnerability"). You should get an initial response within a few days.
- Checksum-verified binary installs —
install.shdownloads release binaries and verifies them against the GoReleaser-publishedchecksums.txtbefore installing; if verification fails it falls back to the auditable shell engine in the cloned repo. - No secrets in the repo — identity, emails, and signing keys live in
machine-local chezmoi config; a gitleaks config and pre-commit hook guard
against accidental commits, and
macstrap securityaudits the local posture. - Previewable, reversible changes —
macstrap install --dry-runshows the plan;macstrap uninstallbacks up before removing. - Pinned, reviewed dependencies — Dependabot watches Go modules and GitHub Actions.
Reports about the one-line curl | bash installer, the checksum path, the
release pipeline, or anything that could make a fresh-Mac bootstrap execute
untrusted code are especially welcome.