Feature Request: Allow subdirectories to opt-out of script execution.

[peterbraden]

Is your feature request related to a problem? Please describe.

Chezmoi runs files with the run_ prefix. However sometimes you have subdirectories where you don't want this to happen. A common example is if you use git submodules for vim plugins - any author of these could include a run_tests.sh or run_evil.sh and it would be executed next time you ran chezmoi apply.

Vendoring settings or configs is a pretty common pattern in dotfiles repos, and while chezmoi includes the option of using .chezmoiexternal.toml to include remote files, this isn't always an option.

Describe the solution you'd like

It would be great if there was a way to indicate that chezmoi should ignore file prefixes below a certain subdirectory. For example a prefix dot_vim/external_bundle/ or a sentinel file dot_vim/bundle/.chezmoiexternal.

[bradenhilton]

@twpayne Would it be feasible to add something like recursive_literal_*/noparse_*?

[twpayne]

Thanks for the feature request!

It's not just run_ scripts that are a potential security problem. If you're importing VIM plugins then any of these plugins can use vimscript's system function to run arbitrary commands on your machine. Fundamentally, if you're importing third-party files into your home directory you need to either trust or audit every change to that third-party code.

As you say, using .chezmoiexternal.toml does allow you to import third-party files without the danger of chezmoi executing run_evil.sh. I understand that in your case you prefer to use git submodules in your dotfiles repo, rather than either archive or git-repo externals.

It would be great if there was a way to indicate that chezmoi should ignore file prefixes below a certain subdirectory. For example a prefix dot_vim/external_bundle/ or a sentinel file dot_vim/bundle/.chezmoiexternal.

Would it be feasible to add something like recursive_literal_*/noparse_*?

Of these, I think the external_ prefix makes the most sense because:

• It maintains chezmoi's 1:1 mapping between entries in the source state and entries in the target state, whereas a .chezmoiexternal sentinel file does not do this.
• recursive_literal_* and noparse_* would have the same effect, but I think external_ expresses the same more concisely.

What I propose is:

• Add an external_ attribute that applies to directories only.
• When walking the source state, when an external_ directory is encountered, then add its sub-entries as-is. Specifically, this means not interpreting attributes (i.e. a file called dot_file becomes dot_file in the target state, not .file), interpreting permissions as-is (i.e. the file in the target state will only have executable permissions if the file in the source state has executable permission), no templates, symlinks in the target state must be symlinks in the source state, and so on.
• This also means that entries beginning with a ., e.g. .git and .gitignore will, by default, be included. The user can use a .chezmoiignore flie to exclude them.

How does this sound?