
I am less interested in legit and more interested in how they extended git to make it so all their new commands worked.

This can be done in two ways:

1. Git aliases.

You can add configuration to git so that git subcommands invoke arbitrary commands:


This is what legit does, here:


2. Any executable in your path named 'git-foo' can be invoked by 'git foo'.

Neat, huh? It's a useful way to create your own workflow scripts without having to touch your git install.

You don't need to extend git; the git command "git $FOO" just runs the command git-$FOO; git-commit, git-add, etc. are the binaries that do a lot of the work. In this case, I imagine they install binaries like git-sync, git-graft, etc. when you run "legit install".

Is this a vulnerability in some way? Like could I replace someone's git-add binary to expose private source code? It scares me that someone can change my git behavior so easily.

If someone can replace your `git-add` binary or put their own in a directory earlier in your $PATH, they can do the same with `git`, `ls` or any other program.

If someone's running an executable you give them without knowing what it actually is, their security is already lost. So yeah, that's a problem, but nothing specific to Legit or git.

How is that any different than replacing any other binary in your filesystem?
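
Added example, not part of the thread or of legit's code: a defender-side audit of the second mechanism discussed above (`git-foo` executables found through `$PATH`). It lists every `git-*` executable in lookup order and flags those that sit in a relative or group/world-writable directory or that are shadowed by an earlier entry. The function name and record fields are assumptions, POSIX permission bits are assumed, and only the PATH string passed in is inspected.

```python
import os
import stat


def audit_git_extensions(path_value):
    """List git-* executables reachable through path_value, in lookup order.

    Hypothetical helper written for this example; assumes POSIX mode bits.
    """
    findings = []
    first_provider = {}  # subcommand -> path that wins the PATH lookup
    for entry in path_value.split(os.pathsep):
        directory = entry or "."  # an empty PATH entry means the current directory
        try:
            names = sorted(os.listdir(directory))
            dir_mode = os.stat(directory).st_mode
        except OSError:
            continue  # missing or unreadable PATH entries are skipped
        for name in names:
            full = os.path.join(directory, name)
            if not name.startswith("git-"):
                continue
            if not (os.path.isfile(full) and os.access(full, os.X_OK)):
                continue
            sub = name[len("git-"):]
            findings.append({
                "subcommand": sub,
                "path": full,
                # Anyone with write access to the directory can swap the file.
                "dir_writable_by_others": bool(dir_mode & (stat.S_IWGRP | stat.S_IWOTH)),
                # A relative entry resolves against whatever directory you are in.
                "relative_dir": not os.path.isabs(directory),
                # Set when an earlier PATH entry already provides this subcommand.
                "shadowed_by": first_provider.get(sub),
            })
            first_provider.setdefault(sub, full)
    return findings


if __name__ == "__main__":
    for f in audit_git_extensions(os.environ.get("PATH", "")):
        flags = [k for k in ("dir_writable_by_others", "relative_dir") if f[k]]
        if f["shadowed_by"]:
            flags.append("shadowed_by=" + f["shadowed_by"])
        print(f"git {f['subcommand']:<20} {f['path']}  {' '.join(flags)}")
```

Run directly, it prints one line per `git-*` executable on the current `$PATH`; entries with flags are the ones worth reviewing first.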
