Homebrew / brew

🍺 The missing package manager for macOS (or Linux)

Home Page: https://brew.sh

How to disable sandboxing for external taps?

CamJN opened this issue

In fb310c5 sandboxing was turned on for non-Homebrew taps, breaking the phusion tap because we cache the user's download token for passenger enterprise in their home dir. How can I disable the sandboxing or keep the cache somewhere allowed?

You'll need to configure phusion to use /usr/local/var/phusion (i.e. #{var}/phusion) or similar, or move whatever needs access to $HOME into a step the users run after installation, and mention it in the caveats.

That won't work; it has to be available at the point when the curl user/password are resolved, and var isn't defined at that point. See: https://github.com/phusion/homebrew-passenger/blob/master/Formula/passenger-enterprise.rb#L6-L22

It looks like you'll need to rely on the PASSENGER_ENTERPRISE_TOKEN environment variable. Note that environment filtering will remove access to that soon as well (HOMEBREW_ENV_FILTERING=1 will soon be the default), though you may be able to escape that filtering by renaming the variable HOMEBREW_PASSENGER_ENTERPRISE_TOKEN.

That can't be cached for the users though, since we can't write to their dotfiles, as those are in the home dir.

Right, they'll need to set it in their profile. But you can later cache it in #{var}/phusion once it exists.

It only matters while fetching the tarball, so there's no point in putting it somewhere that can't be read while doing so.

Basically the formula and tap only exist to allow the users to avoid having to edit their env. If that is no longer a value of Homebrew's, we'll probably have to pull the formula & tap since it won't offer any benefit any more.

That may well be the case.

That's too bad. I like Homebrew, but almost every time I interact with this project user-hostile behaviour is justified by the decisions of just a few people, and that makes me sad.

That's because the bulk of the work on Homebrew the package manager is done by just a few people.

Additionally, this is definitely not user-hostile behaviour, quite the opposite. We're making it so users can install from any tap without fearing that it will write random files to random places on their filesystem. This is a valuable security feature. It's a pain for tap maintainers to have to adjust to, I agree, but the writing has been on the wall for a few years for this, I'm afraid.