A trio of former GitHub executives and engineers have founded a new startup that brings the benefits of one of the most popular open-source package managers to the enterprise.
Workbrew, as the startup is called, emerges from stealth today with the mission of mitigating the risks of”shadow IT” practices, giving company admins and security teams centralized control and visibility into Homebrew deployments across the organization. To drive its commercial push, the startup has bagged $5 million in funding from developer-focused VC firm Heavybit, Essence VC, Operator Collective, and a slew of angels who include GitHub co-founder and ex-CEO, Tom Preston-Werner.
Designed primarily for MacOS, with support for Linux, Homebrew is a system-level, open-source package manager that makes it easier for developers to install and maintain software libraries, command-line tools (CLI), and other utilities. Developers are, of course, free to manually install this software themselves, but it can be a time-consuming endeavor, particularly if a given package has numerous dependencies that are required for it to run properly. Homebrew does all of this with a single command, sourcing all the relevant components and keeping them up-to-date automatically, which is why Homebrew and its ilk are sometimes dubbed “app stores for developers.”
Still, this creates a headache for organizations which, while keen to keep their developers happy and productive, are also cognizant of the security and compliance risks of giving their workforce unfettered access to the world of open source software. That is where Workbrew comes into the picture.
Founded in 2023, Workbrew is the handiwork of CEO John Britton (pictured above, right), COO Vanessa Gennarelli (pictured above, center) and CTO Mike McQuaid. Britton has contributed to Homebrew since 2014 and has held several senior roles at big tech companies, including as director of developer Marketing at GitHub, while Gennarelli was most recently senior director at GitHub’s education unit. McQuaid was formerly principal engineer at GitHub and is one of the longest-serving maintainers of the Homebrew project itself.
“We talked to companies of all sizes, from startups to large enterprises that are using Homebrew today, and we heard over and over again the same problem — as the number of devices increases in an organization, it’s difficult to deploy Homebrew in a consistent way,” Britton told TechCrunch.
Providing support and services for popular open-source tools is a tried-and-tested model — it’s what led IBM to dole out $34 billion for Red Hat, and countless startups have raised venture capital for products that enhance the utility of established community-driven projects. Homebrew makes for a good candidate to build services for since it has become an insanely popular tool since its inception in 2009, and is now installed on tens of millions of devices globally — it’s the gold-standard for package management on MacOS.
But transforming Homebrew from a tool loved by developers to one that’s enthusiastically embraced by teams is the challenge that Workbrew is focused on.
“Homebrew and its background serves individual developers — by choice, as an open-source project run by volunteers,” Gennarelli said. “What John, Mike and I noticed is the need to take it from single-player to multiplayer.”
Building on top
Workbrew essentially brings enterprise rigor to Homebrew deployments. It offers a free plan that doesn’t enforce any kind of restrictions in terms of user or device limits, and admins can deploy Workbrew using any mobile device management (MDM) software. They can also access a fleet dashboard that shows data on devices, packages, licenses, and more, with support for basic vulnerability detection.
Additionally, Workbrew also sports special integrations with MDM software such as Jamf, Kandji, Fleet and SimpleMDM, which includes automated inventory synchronizing — information such as the device owner and name are always the same in Workbrew and the MDM console. This is served in a $10/month pro plan, which includes other features such as remote management, policy enforcement and advanced security tooling.
There’s also an enterprise plan (with customized pricing) that offers service-level guarantees and ships with additional features, such as support for single sign on (SSO) and data residency via custom deployments.
Which plan a company prefers will very much depend on its size and the industry it works in, as some will have greater security and compliance requirements than others. Even within companies, certain teams might have to adopt a different security posture. Workbrew said it has been designed to be flexible to these needs.
Companies have the freedom to exert whatever level of access control they want, from highly restrictive all the way to an open-door philosophy, where no restrictions are actually enforced, but the company has visibility and control if required. The controls can also be very specific — if a user attempts to install a crypto miner, for example, the admin can stipulate if it’s blocked outright, an alert is sent, or a formal approval process initiates.
In the most extreme case, a company can have a strict vetting policy, wherein every package a developer tries to install has to be scanned and recorded as part of an audit paper trail. This might be important for certain highly regulated industries with high compliance thresholds, where they may be required to show every single package that was installed on a specific device at a given time.
“The biggest thing that I hear over and over again from IT and security professionals is that they don’t know what they don’t know,” Britton said. “We make it easy for businesses to get a high-level overview of every single package installed, on every device across their entire fleet, including its version information and its vulnerabilities.”
A long time in the brewing
The fact that nobody has yet launched a commercial, enterprise-grade business off the back of Homebrew is something of a head-scratcher. The reasons for this, according to Britton, can be boiled down to three key factors that had to align at the right time to make it happen.
“The growth of the open-source project was a necessary first step, and the second stage was really about Homebrew’s structure as an open-source project. Over the years, it has become more formalized, better taken care of, which has led to the point where it’s now possible to do this,” Britton said.
Indeed, many open-source projects are often maintained by a single individual or loose collective, with little in the way of formal structure. Homebrew, for its part, has its own governance, with a committee and elections to decide who will lead the project. This stability and structure makes it easier to build a business on top, particularly when one of its founders — CTO Mike McQuaid — has been contributing to Homebrew from the beginning and leading the project since 2016.
This feeds into the third key component that Britton feels has been necessary to make a business like Workbrew possible: The right people being available at the right time, with the right ideas.
“This team is the perfect team to build this. The three of us worked together for close to 10 years at GitHub doing developer tools,” Britton said. “I worked at Twilio before [Britton was employee number 13], Vanessa worked on Scratch (visual programming language from MIT), and Mike’s been a contributor to Homebrew for 15 years. You need to have a very deep knowledge of how Homebrew works in order to solve these problems.”
The truth of the matter is, Britton and McQuaid had been discussing a potential business around Homebrew for the better part of a decade, and investors had also approached them at various junctures to see if they might want to build a business off Homebrew. But it never quite made sense, and McQuaid was also apprehensive about ruining a project that he’d put so much effort into.
“The project itself was not in a mature enough state. I’d been working on Homebrew for so many years, it’s very important to me,” McQuaid said. “And the problem was, nobody really had any idea what the actual business was to be here.”
But when their schedules aligned, Britton, Gennarelli and McQuaid got together and forged a path for what would become Workbrew. They were determined that this wouldn’t be some sort of “open core” business that would deplete the core project itself. It had to be about adding something to the mix that had hitherto been absent.
“Homebrew was in a good place with its own governance structure, and we could see what an actual business was here with a path to making a profitable company that is going to deliver a lot of value to people,” McQuaid said. “This is a separate entity — we are incredibly integrated with Homebrew; we use an unforked Homebrew, but we are not Homebrew. We are Workbrew.”
Workbrew entered public beta this August, bringing in around 20 customers who include expenses management provider Emburse and big data serving engine Vespa, which was spun out of Yahoo. While incorporated in the U.S., the company is fully remote — its first employee, who was also one of the most active Homebrew maintainers, is based in the Shetland Islands off the coast of Northern Scotland.
With a fresh $5 million in the bank, Workbrew says it’s planning to “rapidly scale” its platform, and will build deeper integrations with MDM software and more “developer-focused features.”
All of this will depend on one thing: the continued support of the core open-source project itself. It’s always challenging to find funding for such community projects, and we’ve seen an uptick in various equity-free initiatives of late, spanning fellowships, grants, and pledges.
Homebrew, for its part, has an annual budget of around $120,000, and has gotten by so far on donations through GitHub Sponsors and philanthropic efforts from big-name donors such as Airbnb and Bloomberg. That will have to continue for Workbrew to thrive.
“Homebrew is now this incredibly mature, sophisticated and self-sustaining entity,” Gennarelli said. “For Workbrew to succeed depends on Homebrew — we have a vested interest in the project succeeding. Our goals are aligned, but we are completely distinct — one is a non-profit, and we are a commercial entity.”