
I am less interested in legit and more interested in how they extended git to make it so all their new commands worked.



This can be done in two ways:

1. Git aliases.

You can add configuration to git so that git subcommands invoke arbitrary commands:

https://git.wiki.kernel.org/index.php/Aliases

This is what legit does, here:

https://github.com/kennethreitz/legit/blob/develop/legit/cli...

2. Any executable in your path named 'git-foo' can be invoked by 'git foo'.

Neat, huh? It's a useful way to create your own workflow scripts without having to touch your git install.


You don't need to extend git; the git command "git $FOO" just runs the command git-$FOO; git-commit, git-add, etc. are the binaries that do a lot of the work. In this case, I imagine they install binaries like git-sync, git-graft, etc. when you run "legit install".


Is this a vulnerability in some way? Like could I replace someone's git-add binary to expose private source code? It scares me that someone can change my git behavior so easily.


If someone can replace your `git-add` binary or put their own in a directory earlier in your $PATH, they can do the same with `git`, `ls` or any other program.


If someone's running an executable you give them without knowing what it actually is, their security is already lost. So yeah, that's a problem, but nothing specific to Legit or git.


How is that any different than replacing any other binary in your filesystem?


https://github.com/kennethreitz/legit/blob/develop/legit/cli...
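The two extension mechanisms described in this thread (an alias that shells out, or a `git-foo` executable on `$PATH`) can be inventoried from the defender's side. The script below is an added example, not code from the thread or from legit; the function names `list_git_extensions` and `shell_aliases` and the `--run` switch are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: inventory what `git <name>` can resolve
# to outside git's own install. Function names and --run are hypothetical.

# list_git_extensions PATH_STRING EXEC_PATH
# Prints each executable git-* file found in the PATH_STRING directories,
# skipping EXEC_PATH (git's own directory holding git-add, git-commit, ...).
# A hit in a world-writable directory is flagged, because any local user
# could have placed it there.
list_git_extensions() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        if [ -z "$dir" ]; then dir=.; fi      # empty PATH entry = current dir
        if [ "$dir" = "$2" ]; then continue; fi
        note=
        # -H follows a symlinked PATH entry (e.g. /bin -> usr/bin) to its target
        if [ -n "$(find -H "$dir" -prune -perm -0002 2>/dev/null)" ]; then
            note=' [world-writable directory]'
        fi
        for f in "$dir"/git-*; do
            if [ -f "$f" ] && [ -x "$f" ]; then
                printf '%s%s\n' "$f" "$note"
            fi
        done
    done
}

# shell_aliases
# Reads `git config --get-regexp '^alias\.'` output on stdin and prints
# "name: command" for every alias whose value starts with "!", i.e. the
# aliases that make `git <name>` run an external command.
shell_aliases() {
    sed -n 's/^alias\.\([^ ]*\) !\(.*\)$/\1: \2/p'
}

# Live audit of the current user's environment: sh <this-script> --run
if [ "${1:-}" = "--run" ]; then
    list_git_extensions "$PATH" "$(git --exec-path)"
    git config --get-regexp '^alias\.' | shell_aliases
fi
```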



