Linux user since 2000 or so. Mandrake, Fedora, Debian, Ubuntu, and Gentoo, all heavily, with a little use of some other distros (Void, Arch, probably some others I'm forgetting about).
All around, Brew's my favorite package manager I've used. And yes, I started with Macports, so I've used that too.
You can 'rm /usr/local/bin/*' without sudo. Or replace /usr/local/Homebrew/bin/brew with something malicious. That's laughable and I don't know how it gets a pass from everyone.
... so? I can also rm most or all of my home directory without sudo, and that's a far bigger problem. If this happened it would be a minor annoyance at worst. Also, this is 775 on my system, and most of the contents are 755, so it's not even true except for one of my users.
> Or replace /usr/local/Homebrew/bin/brew with something malicious.
If I go out of my way to make that globally writable, sure. I just checked mine, though, and it's not.
Unless you mean that a program running under my user could replace that file with something malicious without my knowing about it, but there are a bunch of other ways it could accomplish similar things if a malicious program is running under my account, so yeah, I'm gonna give it a pass on that. About the only thing it makes a little easier is putting malicious code in the hands of other users on the system if the compromised account has write access to that file, but hell, if the same thing happened on a Linux system the malware would probably have my sudo password and a ton of other even-more-important info before long anyway, so it's not like that's any better.
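The permission argument in this thread (a 775 directory with 755 contents, and whether the brew launcher itself is writable) is easy to check rather than guess at. The script below is an added example, not code from the thread or from the Homebrew project: it walks the prefix's `bin` directory and the `Homebrew` checkout and lists every entry that is group- or world-writable. The prefix defaults to `/usr/local` (assumption; Homebrew on Apple Silicon installs under `/opt/homebrew`, so pass that path instead there).

```shell
#!/bin/sh
# Added example (not from the thread or Homebrew): list group- or world-writable
# entries under a Homebrew-style prefix. A non-root process in that group can
# replace files inside a 775 directory even when the files themselves are 755,
# because directory write permission allows unlink/rename of its entries.

# audit_writable PREFIX
#   Prints each group- or world-writable file or directory under PREFIX/bin and
#   PREFIX/Homebrew. Returns 0 when nothing is writable, 1 otherwise.
audit_writable() {
    prefix="$1"
    hits=$(
        for p in "$prefix/bin" "$prefix/Homebrew"; do
            [ -e "$p" ] || continue
            # -perm -g=w matches group-writable, -perm -o=w world-writable;
            # the symbolic form is accepted by both GNU and BSD find.
            find "$p" \( -perm -g=w -o -perm -o=w \) -print 2>/dev/null
        done
    )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# brew_launcher_mode PREFIX
#   Prints the owner and octal mode of PREFIX/Homebrew/bin/brew, or "missing".
#   Uses GNU stat (-c) and falls back to BSD stat (-f) on macOS.
brew_launcher_mode() {
    launcher="$1/Homebrew/bin/brew"
    [ -f "$launcher" ] || { echo "missing"; return 1; }
    stat -c '%U %a' "$launcher" 2>/dev/null || stat -f '%Su %Lp' "$launcher"
}

# Stand-alone usage: audit the given prefix (default /usr/local, an assumption).
audit_writable "${1:-/usr/local}"
```

Running it on a stock Intel-Mac Homebrew install will typically print `/usr/local/bin` and a few subdirectories, which is exactly the 775-owned-by-admin layout the thread describes; an empty result means nothing under those two paths can be modified without root.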