
> Reminder that nothing in Homebrew has any signing or attempt at supply chain integrity. Now that they are moving away from clients using git, even git commit signing is off the table.

This is incorrect: Homebrew pins bottle and source installs to digests, meaning that you do have a strong integrity check each time you install a package.

Homebrew does not currently do code signing, which is not particularly abnormal for non-Linux-distribution package managers (ask yourself when you last verified a PGP signature from PyPI). There are some plans in progress to remedy that but, in its absence, HTTPS and package digests are both reasonable and no worse than standard practice in packaging.
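The digest pinning the comment refers to, as an added example that is not part of the original post or of Homebrew's own code: it mimics the shape of a formula's `sha256` stanzas using constructed artefact bytes, parses the pins back out, and refuses a download whose digest does not match (or for which no pin exists). The URL and bottle tags are placeholders.

```ruby
require "digest"

# Constructed stand-in bytes for a source tarball and two bottles (not real artefacts).
ARTEFACTS = {
  "source"       => "constructed source tarball bytes".b,
  "arm64_sonoma" => "constructed arm64 bottle bytes".b,
  "x86_64_linux" => "constructed linux bottle bytes".b,
}

def sha256_hex(bytes)
  Digest::SHA256.hexdigest(bytes)
end

# Build text shaped like the sha256 stanzas of a formula, pinning each artefact's digest.
# This mimics the layout only; it is a constructed example, not a real formula.
def formula_for(artefacts)
  <<~FORMULA
    url "https://example.invalid/hello-1.0.tar.gz"
    sha256 "#{sha256_hex(artefacts["source"])}"
    bottle do
      sha256 cellar: :any, arm64_sonoma: "#{sha256_hex(artefacts["arm64_sonoma"])}"
      sha256 cellar: :any, x86_64_linux: "#{sha256_hex(artefacts["x86_64_linux"])}"
    end
  FORMULA
end

# Extract the pinned digests: the bare `sha256 "..."` line pins the source tarball,
# each tagged line inside `bottle do` pins one bottle.
def pinned_digests(formula_text)
  pins = {}
  formula_text.each_line do |line|
    if (m = line.match(/\A\s*sha256 "([0-9a-f]{64})"\s*\z/))
      pins["source"] = m[1]
    elsif (m = line.match(/\A\s*sha256 .*?(\w+): "([0-9a-f]{64})"\s*\z/))
      pins[m[1]] = m[2]
    end
  end
  pins
end

# :ok when the downloaded bytes hash to the pin, :mismatch when they do not,
# :missing_pin when the formula carries no digest for that target (so nothing gets installed).
def verify_download(target, bytes, pins)
  expected = pins[target]
  return :missing_pin if expected.nil?
  sha256_hex(bytes) == expected ? :ok : :mismatch # the digest is public, a plain compare is fine
end

pins = pinned_digests(formula_for(ARTEFACTS))
puts verify_download("arm64_sonoma", ARTEFACTS["arm64_sonoma"], pins)       # ok
puts verify_download("arm64_sonoma", ARTEFACTS["arm64_sonoma"] + "x", pins) # mismatch
puts verify_download("arm64_ventura", ARTEFACTS["arm64_sonoma"], pins)      # missing_pin
```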
