Also, don't delete them after that. This means that `brew postinstall`
becomes a way to easily reinstall configuration files for any formula
without needing any changes to any bottles or requiring a reinstall.
If HOMEBREW_CELLAR (or HOMEBREW_PREFIX) are children of
HOMEBREW_REPOSITORY it’s important to deny write to the repository and
enable write to the Cellar/prefix afterwards.
If we have a HOMEBREW_REPOSITORY and HOMEBREW_PREFIX mismatch (now the
default) then we can block access to the whole of HOMEBREW_REPOSITORY
rather than just the HOMEBREW_LIBRARY and `.git`.
Also enables sandbox for --interactive and --debug use of install
and test, using automatic retention.
Closes #66.
Signed-off-by: Andrew Janke <andrew@apjanke.net>
Long term it would be nice to sandbox everything that writes to DerivedData
but it is essentially a cache directory of sorts.
The downside of allowing stuff to write there particularly is that DerivedData
is notoriously bad at getting cleaned up, so if you do a lot of Xcode-using
installations very quickly, you can chew your disk space up.
Closes Homebrew/homebrew#43276.
Signed-off-by: Dominyk Tiller <dominyktiller@gmail.com>