Open dsernst opened 9 years ago
I'll have to give this some more thought, but I think I like the idea (thanks for suggesting it!). My only concern is that someone could have a complex, manually-configured .gitattributes
setup that prevents the line added by git-crypt
from working (.gitattributes
is a rather complex beast and different .gitattributes
files can interact in undesired ways). I suppose git-crypt
could run git check-attr
on the file after appending to .gitattributes
and display an error if the attribute didn't take effect.
Ah, got it.
Just to offer more context— I was showing git-crypt
to a friend, and they were expecting to need to do git-crypt add
(to match git add
). They thought that was more intuitive, and were confused by the .gitattributes
syntax.
On the other hand, this is powerful stuff we're talking about! And it might be unwise to make it too easy to encrypt things. This current workflow ensures the user puts some thought into it before they accidentally encrypt everything (and then lose their private key :unamused: )
What about always prepending new file's line before any non-comment line in .gitattributes
? Naively it seems that it should work for 99% cases.
Making the .gitattributes
file is quite cumbersome and error-prone.
At the moment it is the most difficult part of using git-crypt
correctly: one has to (1) make sure it exists before the encrypted file
is ever staged; (2) get the syntax right; (3) remember to update it for
all new encrypted files.
I find that the easiest way is using a standard dir like
$project_root/crypt/
, doing a one-time .gitattributes
edit for that
directory only, and then using symlinks into "the crypt" for any files
that are encrypted. This way I just drop them into crypt/
and
everything is already handled, but this is not ideal (it's an
implementation detail). A mechanical way to automatically add files to
.gitattributes
(possibly with a git-crypt add
) would be much better
and avoid some risk of accidentally committing cleartext.
I don't see how this could be dangerous or affect existing patterns if
the full repository path is specified in .gitattributes
. An exact
pattern will not match anything else. If somebody wants to do things to
every file in a repo with a broader pattern, they will simply not use
git-crypt add
. The user can determine, just like they already do, but
with the "yes I want to encrypt" case made much easier.
How would you feel about adding a command to more quickly add new items to git-crypt?
For example:
git-crypt add foobar.txt
(or alternatively:git-crypt encrypt foobar.txt
) would be like runningecho "foobar.txt filter=git-crypt diff=git-crypt" >> .gitattributes
The aim here is for a simpler way to use
git-crypt
with less chance to screw up the syntax when adding new filters to.gitattributes