brew --prefix/--cellar pkg is not a read-only command anymore since homebrew 4.0.0

[kit-ty-kate]

brew doctor output

Your system is ready to brew.

Verification

• My "brew doctor output" above says Your system is ready to brew. and am still able to reproduce my issue.
• I ran brew update twice and am still able to reproduce my issue.
• This issue's title and/or description do not reference a single formula e.g. brew install wget. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.

brew config output

HOMEBREW_VERSION: 4.0.1-3-gc9fdce3
ORIGIN: https://github.com/Homebrew/brew
HEAD: c9fdce3e3c918e8e41ff753bcf17a5d2a2eff87a
Last commit: 33 minutes ago
Core tap origin: https://github.com/Homebrew/homebrew-core
Core tap HEAD: 63589f1a8e3cd0b1d5ee7eb25275cedb731ef73d
Core tap last commit: 82 minutes ago
Core tap branch: master
Core tap JSON: 16 Feb 14:30 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_MAKE_JOBS: 10
Homebrew Ruby: 2.6.10 => /System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/bin/ruby
CPU: 10-core 64-bit arm_firestorm_icestorm
Clang: 14.0.0 build 1400
Git: 2.39.2 => /opt/homebrew/bin/git
Curl: 7.86.0 => /usr/bin/curl
macOS: 13.2.1-arm64
CLT: 14.2.0.0.1.1668646533
Xcode: N/A
Rosetta 2: false

What were you trying to do (and why)?

Use brew --prefix pkg inside of a sandboxed environment using sandbox-exec (read-only file system)

What happened (include all command output)?

$ sandbox-exec -p '(version 1)(allow default)(deny network*)(deny file-write*)(allow network* (remote unix))(allow file-write* (literal "/dev/null") (literal "/dev/dtracehelper"))' brew --cellar openssl
Error: Operation not permitted @ apply2files - /Users/kit_ty_kate/Library/Caches/Homebrew/api/formula.json

What did you expect to happen?

With Homebrew 3.6 for years before, brew --prefix/--cellar has never tried to write in a cache file and worked fine inside a read-only sandbox.

With Homebrew 4.0 the same command now fails. The only way to make it work is to export HOMEBREW_NO_INSTALL_FROM_API=1

I’m not sure this is a wanted behaviour for this particular commands so I’m opening an issue to make sure this is an intended change.

Step-by-step reproduction instructions (by running brew commands)

$ sandbox-exec -p '(version 1)(allow default)(deny network*)(deny file-write*)(allow network* (remote unix))(allow file-write* (literal "/dev/null") (literal "/dev/dtracehelper"))' brew --cellar openssl
Error: Operation not permitted @ apply2files - /Users/kit_ty_kate/Library/Caches/Homebrew/api/formula.json
$ HOMEBREW_NO_INSTALL_FROM_API=1 sandbox-exec -p '(version 1)(allow default)(deny network*)(deny file-write*)(allow network* (remote unix))(allow file-write* (literal "/dev/null") (literal "/dev/dtracehelper"))' brew --cellar openssl
/opt/homebrew/Cellar/openssl@3

[Bo98]

--prefix should work after the first time the JSON file is downloaded and cached, which should happen after a brew update. Unless the formula you are passing doesn't exist in which case it might try to redownload.

--cellar however doesn't and I agree we should fix that.

[Bo98]

The only way to make it work is to export HOMEBREW_NO_INSTALL_FROM_API=1

Note that in a controlled script environment like is the case for you in opam, HOMEBREW_NO_AUTO_UPDATE is a better choice as HOMEBREW_NO_INSTALL_FROM_API may trigger a git clone.

[kit-ty-kate]

--prefix should work after the first time the JSON file is downloaded and cached, which should happen after a brew update.

Do you mean the command should work after two brew update back to back as requested when i opened this issue?
If so, there is a bug here as well as it doesn’t work.

Note that in a controlled script environment like is the case for you in opam, HOMEBREW_NO_AUTO_UPDATE is a better choice as HOMEBREW_NO_INSTALL_FROM_API may trigger a git clone.

I’ve tried and with HOMEBREW_NO_AUTO_UPDATE it still fails though.

[Bo98]

I’ve tried and with HOMEBREW_NO_AUTO_UPDATE it still fails though.

Ok, that stops the network request but not the file write because of a File.touch. I'll have a look.

Another thing I've noticed is aliases currently aren't handled the same (so openssl@3 should work but openssl currently doesn't). Will look at that too. I guess that's what you're seeing here with --prefix.

[Bo98]

4.0.2 should solve this: brew --prefix and brew --cellar no longer perform any file write or network calls if the formula is known to exist in the cache. In those cases, the command now takes like 50ms rather than a couple seconds. If the formula doesn't exist, it will fallback to the slower path (this is not a concern you'll likely need to worry about - or if it is then it's likely going to error anyway).

For other read-only commands (e.g. brew info), HOMEBREW_NO_AUTO_UPDATE has been updated to avoid file write and network calls, unless the cache doesn't exist (this shouldn't happen ordinarily).