
Homebrew install is not supported with nvm

Open puppycodes opened this issue 3 years ago • 4 comments

nvm installation isn't Homebrew supported. Initially I opened a PR, but I realized we should probably update the macos-setup.sh to something that isn't piping curl to bash?

https://github.com/nvm-sh/nvm#installing-and-updating

Homebrew installation is not supported. If you have issues with homebrew-installed nvm, please brew uninstall it, and install it using the instructions below, before filing an issue.

puppycodes avatar Aug 13 '22 05:08 puppycodes

Does it not work or is it just unsupported? The simplicity of brew trumps them not wanting to answer questions about it imo, unless we run into issues with it.

Shadowfiend avatar Aug 13 '22 14:08 Shadowfiend

This is the only part that concerned me after reading the docs? But maybe an edge case.

Homebrew makes zsh directories unsecure

zsh compinit: insecure directories, run compaudit for list.
Ignore insecure directories and continue [y] or abort compinit [n]? y

Homebrew causes insecure directories like /usr/local/share/zsh/site-functions and /usr/local/share/zsh. This is not an nvm problem - it is a homebrew problem. Refer https://github.com/zsh-users/zsh-completions/issues/680 for some solutions related to the issue.

Yes, it does work, so perhaps it's a non-issue. The only other thing I can think of is that the brew list &>/dev/null won't catch a previously curl'd install and you'll get a double nvm complication, so maybe switching to command -v could be helpful.

puppycodes avatar Aug 14 '22 05:08 puppycodes

https://docs.brew.sh/Shell-Completion#configuring-completions-in-zsh seems to be the recommended path here. Overall torn as it's good to be default friendly to a macOS install in our install scripts though, and since zsh is the default now...

But curl and go isn't really a strategy I enjoy, which is partly why I've leaned on homebrew so heavily in install scripts.

Hmmm 🤔

Shadowfiend avatar Aug 15 '22 02:08 Shadowfiend

One thing I've considered as an alternative (solving the reproducibility vs repeatability problem) is https://nixos.org. https://nixos.org/manual/nix/stable/ I love the idea; it feels like the right amount of containerization with Vagrant-esque builds https://nixos.org/guides/towards-reproducibility-pinning-nixpkgs.html#pinning-nixpkgs. In terms of security, I believe Nix packages are checked against hashes to ensure they are unmodified, which makes curl a lot more palatable.

puppycodes avatar Aug 19 '22 18:08 puppycodes

Why wouldn't we simply remove the broken brew command and install nvm the recommended way?

tallysam avatar Feb 10 '23 16:02 tallysam

The answer, btw, is because curl-and-pipe is how you get pwned, and ideally you should do it when you know you're doing it as opposed to hidden behind an install script.

If we want to use nvm and install it this way, I suggest making the install script stop and warn the user it's about to pipe the specific URL on over.

Shadowfiend avatar Feb 15 '23 00:02 Shadowfiend

I agree that curl and bash is how you get owned. We don't want to take that kind of responsibility.

I suggest the following:

  1. A check in the install script for a valid nvm. If it fails then we bail out and point the user to the nvm instructions with our added security warnings.
  2. Update the README under the quick-start section. Place a similar piece of text about the nvm requirement and subsequent security warnings about curl-bash type installs.

tallysam avatar Feb 20 '23 22:02 tallysam
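
Added example, not part of the thread or the project's own code: one way to write the pre-flight check proposed in the last comment, using the `command -v` idea raised earlier in place of `brew list`. The function names `detect_nvm` and `require_nvm` are hypothetical, and the fallback path `$HOME/.nvm` when `NVM_DIR` is unset is an assumption.

```shell
# nvm is a shell function, not a binary: `brew list` cannot see a copy that
# was installed with curl, and `command -v nvm` only succeeds in a shell that
# has already sourced nvm.sh. An install script normally has not, so the
# check also looks for nvm.sh on disk.

# Print "loaded", "script:<path>" or "missing"; return non-zero when missing.
detect_nvm() {
  if command -v nvm >/dev/null 2>&1; then
    echo "loaded"
    return 0
  fi
  # Assumption: nvm.sh lives in $NVM_DIR, or in $HOME/.nvm when unset.
  nvm_candidate="${NVM_DIR:-$HOME/.nvm}/nvm.sh"
  if [ -s "$nvm_candidate" ]; then
    echo "script:$nvm_candidate"
    return 0
  fi
  echo "missing"
  return 1
}

# Load an existing nvm, or stop with a warning. Never fetches anything.
require_nvm() {
  if nvm_state="$(detect_nvm)"; then
    case "$nvm_state" in
      script:*) . "${nvm_state#script:}" ;;  # make the nvm function available
    esac
    return 0
  fi
  cat >&2 <<'EOF'
nvm was not found, and this script will not install it for you.
Follow https://github.com/nvm-sh/nvm#installing-and-updating yourself.
Piping curl to bash runs whatever the server returns at that moment, so
download the install script and read it before executing it.
EOF
  return 1
}
```

A caller would run `require_nvm || exit 1` before any `nvm install` step. The check covers only these two places, so a copy whose nvm.sh sits elsewhere is reported as missing unless it is already loaded in the calling shell.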