Add only trusted projects' bin directory to $PATH #191

croaky · 2013-09-11T03:23:56Z

Assuming the binstubs for a project are in the local bin/ directory, you can
even go a step further to add the directory to shell $PATH so that rspec can
be invoked without the bin/ prefix:

export PATH="./bin:$PATH"

However, doing so on a system that other people have write access to
(such as a shared host) is a security risk.

rbenv/rbenv#309

JoelQ · 2013-09-11T13:47:45Z

@joshuaclayton Do you know if this breaks the Spring binstub?

joshuaclayton · 2013-09-11T14:05:24Z

@JoelQ this commit specifically does not, no, since it's only adding another directory to search when looking for binaries.

The original change stems from https://twitter.com/tpope/status/165631968996900865 and requires you call mkdir .git/safe in every repo (gem or Rails app) you trust. The path change finds .git/safe, traverses up two directories, and then adds bin/ from there.

mike-burns · 2013-11-20T14:18:41Z

I'm not opposed to this, but it will make setup more cumbersome. Perhaps something like this should go in bin/setup scripts:

print "Do you trust the ./bin directory for this project? [y/N] "
trusted = gets
if trusted.start_with?('y')
  puts "FileUtils.mkdir_p('.git/safe')"
end

(Maybe a check to make sure that .git/safe doesn't already exist before asking, too.)

jferris · 2013-11-20T14:49:01Z

If we add it to bin/setup, I think it would be fine to not prompt and just create the directory. You'd need to have ./.git/safe/../../bin on your PATH and run bin/setup before scripts were executable.

jferris · 2013-12-31T18:36:01Z

zlogin

@@ -21,3 +21,6 @@ export PS1='$(git_prompt_info)[${SSH_CONNECTION+"%{$fg_bold[green]%}%n@%m:"}%{$f

 # load thoughtbot/dotfiles scripts
 export PATH="$HOME/.bin:$PATH"
+
+# mkdir .git/safe in the root of repositories you trust
+export PATH=".git/safe/../../bin:$PATH"


Should this be in ~/.zshrc instead? Do we want this to run for non-login shells? @pbrisbin @mike-burns

To quote http://zsh.sourceforge.net/Intro/intro_3.html

.zlogin is not the place for alias definitions, options, environment variable settings, etc.; as a general rule, it should not change the shell environment at all. Rather, it should be used to set the terminal type and run a series of external commands (fortune, msgs, etc).

So no, don't change $PATH in here.

I do it in ~/.zprofile.

Upstream's intentions are vague (IMO), but because Arch (and Fedora/Debian) puts PATH manipulation in /etc/zsh/zprofile, which is sourced after ~/.zshenv (my preference), I have to do it in ~/.zprofile or ~/.zshrc. I chose ~/.zprofile because I was sick of getting command-not-found errors in non-interactive settings.

If we want this to be available in vim then we need to put it in ~/.zshenv, I believe.

I think that's true of MacVim on OS X, because of the way the environment is initialized. I'm not sure if that's specific to OS X or MacVim. Running vim from Terminal picks up the environment exported from the shell, so any config file is fine for terminal vim.

From Mike's link:

`.zshenv' is sourced on all invocations of the shell, unless the -f option is set. It should contain commands to set the command search path...

I mentioned ~/.zprofile because OSX may have the same feature/bug as Arch. If the system-level zprofile (/etc/zsh/zprofile) sets a PATH, it will clobber anything you do in ~/.zshenv since it's sourced after. I also like that ~/.zprofile is sourced less frequently so moving what you can there will speed up terminal launch, by however small an amount.

Neither zprofile nor zshenv seem to automatically work in OS X. exporting from the command line directly works. Any thoughts on how to get it to automatically work?

I have this in zshrc on OS X and it works fine from vim for me. Note that I have also applied this zsh-fix

croaky · 2014-01-17T00:38:22Z

I moved this to zshenv. Ready for re-review. /cc @jferris @pbrisbin @mike-burns

Assuming the binstubs for a project are in the local bin/ directory, you can even go a step further to add the directory to shell $PATH so that rspec can be invoked without the bin/ prefix: export PATH="./bin:$PATH" Doing so on a system that other people have write access to (such as a shared host) is a security risk: rbenv/rbenv#309 The `.git/safe` convention addresses the security problem: https://twitter.com/tpope/status/165631968996900865 Put this in `zshenv` because: http://zsh.sourceforge.net/Intro/intro_3.html > `.zshenv' is sourced on all invocations of the shell, unless the -f > option is set. It should contain commands to set the command search > path. Load `zshenv.local` config at the end of the file so that users can extend their `zshenv` needs in their personal dotfiles using `rcup`.

croaky · 2014-01-23T07:22:09Z

I'm trying a different approach and including rbenv in the commit in #215. It's exactly @derekprior's approach and is working for me with no zshenv or zshenv.local files. I'm able to run specs from vim as well.

mike-burns · 2014-01-23T10:10:04Z

@croaky I don't think I understand #215. It seems to be just like #191 (this PR), but limited only to rbenv?

croaky · 2014-01-23T16:37:37Z

@mike-burns In #191:

Loading .git/safe stuff is in zshenv
No rbenv

In #215:

Loading .git/safe bit is in zshrc
Adds rbenv
both .git/safe and rbenv bits wrapped in an "if rbenv exists" conditional

The rbenv part seemed related enough to try as a separate pull while keeping this version around to compare.

croaky · 2014-01-23T22:26:21Z

Merged #215 instead.

See: thoughtbot/dotfiles#191

This was referenced Sep 11, 2013

Add only the current project's bin directory to $PATH #188

Closed

Use Rails-recommended binstub for RSpec thoughtbot/suspenders#223

Merged

croaky mentioned this pull request Dec 31, 2013

Add binstubs to PATH #109

Closed

jferris reviewed Dec 31, 2013
View reviewed changes

croaky closed this Jan 23, 2014

croaky deleted the dc-bin-path branch January 23, 2014 22:26

ericboehs added a commit to brightbit/bin_setup that referenced this pull request Jan 29, 2014

Ditch direnv for thoughtbot's .git/safe in PATH

80f3edf

See: thoughtbot/dotfiles#191

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add only trusted projects' bin directory to $PATH #191

Add only trusted projects' bin directory to $PATH #191

croaky commented Sep 11, 2013

JoelQ commented Sep 11, 2013

joshuaclayton commented Sep 11, 2013

mike-burns commented Nov 20, 2013

jferris commented Nov 20, 2013

jferris Dec 31, 2013

mike-burns Jan 2, 2014

pbrisbin Jan 2, 2014

gylaz Jan 2, 2014

jferris Jan 2, 2014

pbrisbin Jan 2, 2014

croaky Jan 17, 2014

derekprior Jan 21, 2014

croaky commented Jan 17, 2014

croaky commented Jan 23, 2014

mike-burns commented Jan 23, 2014

croaky commented Jan 23, 2014

croaky commented Jan 23, 2014

Add only trusted projects' bin directory to $PATH #191

Add only trusted projects' bin directory to $PATH #191

Conversation

croaky commented Sep 11, 2013

JoelQ commented Sep 11, 2013

joshuaclayton commented Sep 11, 2013

mike-burns commented Nov 20, 2013

jferris commented Nov 20, 2013

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

croaky commented Jan 17, 2014

croaky commented Jan 23, 2014

mike-burns commented Jan 23, 2014

croaky commented Jan 23, 2014

croaky commented Jan 23, 2014