Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make the .git/safe directory in bin/setup #282

Merged
merged 1 commit into from
Feb 19, 2014
Merged

Make the .git/safe directory in bin/setup #282

merged 1 commit into from
Feb 19, 2014

Conversation

croaky
Copy link
Contributor

@croaky croaky commented Feb 14, 2014

Our expected way of managing Rubies is with rbenv:

https://github.com/thoughtbot/laptop/blob/master/common-components/ruby-environment

We load rbenv and add .git/safe/../../bin:$PATH to our $PATH in:

https://github.com/thoughtbot/dotfiles/blob/master/zshrc

Loading rbenv in zshrc is recommended by the rbenv docs:

https://github.com/sstephenson/rbenv#basic-github-checkout

Assuming the binstubs for a project are in the local bin/ directory, we go a
step further to add the directory to shell $PATH so that rspec can be invoked
without the bin/ prefix:

export PATH="./bin:$PATH"

Doing so on a system that other people have write access to (such as a shared
host) is a security risk:

rbenv/rbenv#309

The .git/safe convention addresses the security problem:

https://twitter.com/tpope/status/165631968996900865

This zsh fix may be necessary for OS users in order to fix a bug:

https://github.com/thoughtbot/laptop/blob/master/mac-components/zsh-fix

@joshuaclayton
Copy link

👍

Our expected way of managing Rubies is with rbenv:

https://github.com/thoughtbot/laptop/blob/master/common-components/ruby-environment

We load rbenv and add `.git/safe/../../bin:$PATH` to our $PATH in:

https://github.com/thoughtbot/dotfiles/blob/master/zshrc

Loading rbenv in `zshrc` is recommended by the rbenv docs:

https://github.com/sstephenson/rbenv#basic-github-checkout

Assuming the binstubs for a project are in the local bin/ directory, we
go a step further to add the directory to shell $PATH so that rspec can
be invoked without the bin/ prefix:

    export PATH="./bin:$PATH"

Doing so on a system that other people have write access to (such as a
shared host) is a security risk:

rbenv/rbenv#309

The `.git/safe` convention addresses the security problem:

https://twitter.com/tpope/status/165631968996900865

This zsh fix may be necessary for OS users in order to fix a bug:

https://github.com/thoughtbot/laptop/blob/master/mac-components/zsh-fix
@croaky croaky merged commit 2ec7108 into master Feb 19, 2014
@croaky croaky deleted the dc-git-safe branch February 19, 2014 04:08
faun added a commit to faun/dotfiles that referenced this pull request Nov 4, 2014
@michaelmior
Copy link

This doesn't address the problem of other users having write access to your files. They can still create executables that will end up in your PATH. What this does solve is repositories you don't trust putting executables in your PATH by simply having a bin directory. The .git/safe convention forces you to "whitelist" repositories by creating the .git/safe directory (which cannot be created simply by cloning a repository).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants