Safer vibecoding via old hacker habits (opens in new tab)

(addxorrol.blogspot.com)

1 pointstdullien1d ago3 comments

3 comments

You can keep the git folder in your machine, then use sshfs to mount the remote into your directory where: project-root -.git/ -code/ <= remote/code

This way you don't have to give git access to the potentially unsafe server. Git hook attacks are still possible so disable those by defaultç

This is an unusual folder structure but works fine, let me know if there is anything iffy

tdullienOP1d ago

That's a clever and intriguing idea. I have to think through the security implications a bit though - I don't actually know much about how git operates with regards to hooks etc.

I'd imagine you lose the ability to have the coding agent do the commits for you? E.g. if you just mount the code directory, then an agent running on the remote side can't commit anything, right?

So you'd have to mount the .git directory from the remote side to then push?

blourvim1d ago

git will check the .git folder, find a hook, and run it where it is applicable. If you are cloning a remote repository may inherit you with malicious hooks. These hooks run before you git operations, for example it is useful if you want lint the code a certain way before pushing, it does it automatically.

You can disable this behavior globally. Yes, the agent should have no git access this way, however you could always do a local sub repository if you want to. You track your changes twice, but should work

j / k navigate · click thread line to collapse

3 comments

blourvim1d ago

You can keep the git folder in your machine, then use sshfs to mount the remote into your directory where: project-root -.git/ -code/ <= remote/code

This way you don't have to give git access to the potentially unsafe server. Git hook attacks are still possible so disable those by defaultç

This is an unusual folder structure but works fine, let me know if there is anything iffy

tdullienOP1d ago

That's a clever and intriguing idea. I have to think through the security implications a bit though - I don't actually know much about how git operates with regards to hooks etc.

I'd imagine you lose the ability to have the coding agent do the commits for you? E.g. if you just mount the code directory, then an agent running on the remote side can't commit anything, right?

So you'd have to mount the .git directory from the remote side to then push?

blourvim1d ago

j / k navigate · click thread line to collapse