discussions VS HomeBrew

The question in that thread, and this later thread,[1] is how to know which keys are valid to sign a package.

For example: I go to release a new version and I've lost my private key, so I roll a new one -- this will happen often across npm's 1.3 million packages. Do I then ... log in with my email and update the private key on my account and go about my business? What process does npm use to make sure my new key is valid? Can a person with control over my email address fake that process? How are key rotations communicated to people updating packages -- as an almost-always-false-positive red flag, or not at all, or some useful amount in between? If you don't get this part of the design right -- and no one suggests how to in those threads -- then you're just doing hashes with worse UX. And the more you look at it, the more you might start to think (as the npm devs seem to) that npm account security is the linchpin of the whole thing rather than signing.

It's not just npm; that thread includes a PyPI core dev chipping in with the same view: "Lots of language repositories have implemented (a) [signing] and punted on (b) and (c) [some way to know which keys to trust] and essentially gained nothing. It's my belief that if npm does (a) without a solution for (b) and (c) they'll have gained nothing as well." It also has a link from a Homebrew issue thread deciding not to do signatures for the same reason -- they'd convey a false expectation without a solution for key verification.[2]

[1] https://github.com/node-forward/discussions/issues/29

Homebrew is a highly popular package manager on macOS and Linux systems, enabling users to easily install, update, and uninstall command-line tools and applications. Its design philosophy focuses on simplifying the software installation process on macOS, eliminating the need for manual downloads and compilations of software packages.

Homebrew - package manager for linux-based OSs.

Package Manager: Homebrew

Hopping from one distro to another with a different package manager might require some time to adapt. Using a package manager that can be installed on most distro is one way to help you get to work faster. Flatpak is one of them; other alternative are Snap, Nix or Homebrew. Flatpak is a good starter, and if you have a bunch of free time, I suggest trying Nix.

Are you using SQLite that ships with macOS, or SQLite installed from homebrew?

I had a different problem in the past with the SQLite that ships with macOS, and have been using SQLite from homebrew since.

So if it’s the one that comes with macOS that gives you this problem that you are having, try using SQLite from homebrew instead.

https://brew.sh/

Before we begin, make sure you have Homebrew installed on your Mac. Homebrew is a package manager that makes it easy to install software and dependencies. You can install Homebrew by following the instructions on their website: https://brew.sh/

I’m on MacOS and erlang.org, elixir-lang.org, and postgresql.org all suggest installation via Homebrew, which is a very popular package manager for MacOS.

I have always either installed Node from the installer provided by the Nodejs website or, via Brew in macOS. I have also used nvm in the past but did not know that there was a best practice to guide us.

A running Rails application needs a database to connect to. You may already have your database of choice installed, but if not, I recommend PostgreSQL, or Postgres for short. On a Mac, probably the easiest way to install it is with Posrgres.app. Another option, the one I prefer, is to use Homebrew. With Homebrew installed, this command will install PostgreSQL version 16 along with libpq:

On a macOS machine, you can use homebrew by running the command.