Except that git is used specifically by users who are downloading and compiling software.

And at this point the first instruction for any OSX user who downloads and compiles anything is "Install Homebrew"

The Homebrew installation process uses the system git.

Yes, but if Homebrew is malicious, you'd have more problems than a specially-crafted repository that exploits a git vulnerability. You are installing something that has all user access rights.

You _could_ get recent git by some other means prior to installing homebrew. Anything short of compiling from source wouldn't require ever installing XCLT.

Yep, since Homebrew requires the Xcode Developer Tools to be installed (which of course includes the outdated Git).

Can you inunstall XCode again once you have installed a compiler, toolchain, and git via Homebrew?

You can just install the command line tools without xcode. From those tools, most can be replaced with their homebrew versions so you only need them for bootstrapping. But if you want to do hardware- or OS X related development, you will need to keep the tools around. CUDA, for example, needs clang et. all.

They don't take much space, though, and the toolchain is treated a bit better by Apple than utilities like git, vim etc.

I don't know about homebrew, but macports has clang and other toolchain stuff, so I think it might be possible to uninstall Xcode after installing all necessary tools through macports?

Except for those who have used it and refuse to use it again.

There are prebuilt binaries of up to date git distributed via .pkg. The yeast infection that is Homebrew is unnecessary

That's kind've harsh. What's the issue? Homebrew was about the best option that's existed on OSX for a few years now I thought...

Personally I use MacPorts.

The dependency management is a joke, compile-by-default means it's slow as hell.

Most commonly-used dependencies are bottled (precompiled) these days.

Except the dependency management solution is terrible, unless you want to compile everything yourself.

For example: https://github.com/Homebrew/legacy-homebrew/issues/35995

I look forward to your release of something better

So your world view is that only those with a competing solution are allowed to identify issues in something?

If you're going to be that snarky and nonconstructive about it, you're going to get snarky and nonconstructive comments back. Or at the very least, you're not going to inspire any thoughtful and interesting observations from anyone.

Xcode is distributed and released over the AppStore and can be rev-ed at any frequency, independently of the OS; Apple's update model not does prevent an expedient update.

Perhaps the main cause for delay is the associated QA efforts to make sure that other components in the stack which depend on git don't break in the case that git has broken binary compatibility (i.e. changed its public interface).

If things are tied up in QA, that is a problem in and of itself, because relevance is an important quality for a security bugfix to have. If my system is compromised today, it will do me little good that the bugfix Apple ships next month was tested extensively for compatibility with Xcode.

It is too late for there to be an expedient update from Apple. The vulnerability was disclosed to oss-security over a month ago, on March 15[0]. SUSE had a patch out the next day[1]. By March 24, Debian, Ubuntu, Red Hat, CentOS and Oracle had all issued fixes.[2]

[0]: http://www.openwall.com/lists/oss-security/2016/03/15/5

[1]: http://lists.opensuse.org/opensuse-security-announce/2016-03...

[2]: http://www.securitytracker.com/id/1035290

I should clarify that I don't know why an update hasn't been pushed. I was only speculating why it might be taking so long.

Git is not part of the default configuration on OS X. You need to install XCode first.

I'd argue that the the OS X user who use git are a subset of Mac OS X users. In fact, a similar subset to that which uses Homebrew...