Homebrew install is not supported with nvm

[puppycodes]

nvm installation isn't homebrew supported, initially I opened a pr but I realized we should probably update the macos-setup.sh to something that isn't piping curl to bash?

https://github.com/nvm-sh/nvm#installing-and-updating

Homebrew installation is not supported. If you have issues with homebrew-installed nvm, please brew uninstall it, and install it using the instructions below, before filing an issue.

[Shadowfiend]

Does it not work or is it just unsupported? The simplicity of brew trumps them not wanting to answer questions about it imo, unless we run into issues with it.

[puppycodes]

this is the only part that concerned me after reading the docs? but maybe an edge case

Homebrew makes zsh directories unsecure

zsh compinit: insecure directories, run compaudit for list.
Ignore insecure directories and continue [y] or abort compinit [n]? y
Homebrew causes insecure directories like /usr/local/share/zsh/site-functions and /usr/local/share/zsh. This is not an nvm problem - it is a homebrew problem. Refer zsh-users/zsh-completions#680 for some solutions related to the issue.

yes it does work so perhaps its non-issue. Only other thing I can think of is that the brew list &>/dev/null wont catch a previously curl'd install and you'll get a double nvm complication, so maybe switching to command -v could be helpful

[Shadowfiend]

https://docs.brew.sh/Shell-Completion#configuring-completions-in-zsh seems to be the recommended path here. Overall torn as it's good to be default friendly to a macOS install in our install scripts though, and since zsh is the default now...

But curl and go isn't really a strategy I enjoy, which is partly why I've leaned on homebrew so heavily in install scripts.

Hmmm 🤔

[puppycodes]

One thing i've considered as an alternative (solving the reproducibility vs repeatability problem) is https://nixos.org. https://nixos.org/manual/nix/stable/ I love the idea, feels like the right amount of containerization with vagrant-esq builds https://nixos.org/guides/towards-reproducibility-pinning-nixpkgs.html#pinning-nixpkgs. In terms of security I believe Nix packages are checked against hashes to ensure they are unmodified which makes curl a lot more palatable

[tallysam]

Why wouldn't we simply remove the broken brew command and install nvm the recommended way?

[Shadowfiend]

The answer, btw, is because curl-and-pipe is how you get pwned, and ideally you should do it when you know you're doing it as opposed to hidden behind an install script.

If we want to use nvm and install it this way, I suggest making the install script stop and warn the user it's about to pipe the specific URL on over.

[tallysam]

I agree that curl and bash is how you get owned. We don't want to take that kind of responsibility.

I suggest the following:

1. A check in the install script for a valid nvm. If it fails then we bail out and point the user to the nvm instructions with our added security warnings.
2. Update the README under the quick-start section. Place a similar piece of text about the nvm requirement and subsequent security warnings about curl-bash type installs.