On the Floor
For a while, Bundler has had the ability to create binstubs in your projects. They're small wrapper scripts that load your Bundler environment before running the command, allowing you to omit that tiresome `bundle exec`: putting `./bin` on your `$PATH` means you can run `rake` instead of `bundle exec rake`.
Before Rails 4, it was discouraged to check these scripts into version control. Now, however, it's encouraged. Binstubs can be very convenient, and removing boilerplate is always a good thing.

Adding `./bin` to your `$PATH`, though, presents a dangerous security vulnerability. Consider, for example, that you check out a repository with a `./bin/bundle` script that runs `rm -rf $HOME &`. When you try to run `bundle install`, you'll delete everything inside your home directory!
Looking for an alternative, I came across the concept of trusted repositories in tpope's dotfiles. Instead of adding `./bin` to your `$PATH`, we can add `.git/trusted/../../bin` by putting this in your

This is effectively the same as adding `./bin`, but it only works if you've created the `.git/trusted` directory. Since you can't possibly clone a project that contains that folder, it allows you to whitelist repositories by creating it. Now, we can manage this with git aliases:

git config --global alias.trust '!mkdir .git/trusted'
git config --global alias.untrust '!rmdir .git/trusted'

Run `git trust` in a new directory and you'll be able to run its binstubs. Run `git untrust` to remove the flag. You can also create `~/.bundle/config` with the following content to automatically create binstubs when you install your gems.
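The following script is an added illustration of the trusted-directory trick and is not part of the original post or tpope's dotfiles. It builds a throwaway checkout (a hand-made `.git` directory plus a `bin/` binstub with the made-up name `binstub-demo`), prepends `.git/trusted/../../bin` to `$PATH`, and shows that the binstub is invisible until `.git/trusted` exists. The mechanism it relies on is that the kernel resolves `..` against real directories, so when `.git/trusted` is missing the lookup of `.git/trusted/../../bin/binstub-demo` fails before it ever reaches `bin`. It assumes a POSIX shell with `mktemp` and `chmod`; no `git` binary is required.

```shell
#!/bin/sh
# Added example (not from the original post): exercises the
# .git/trusted/../../bin PATH entry against a constructed checkout.
# Assumes POSIX sh, mktemp and chmod; the .git directory is created by hand.

# Build a throwaway "checkout": a .git directory plus a bin/ binstub named
# binstub-demo (a made-up name chosen to avoid clashing with real commands).
make_checkout() {
  dir=$(mktemp -d) || return 1
  mkdir -p "$dir/.git" "$dir/bin"
  printf '#!/bin/sh\necho "binstub-demo ran"\n' > "$dir/bin/binstub-demo"
  chmod +x "$dir/bin/binstub-demo"
  printf '%s\n' "$dir"
}

# Resolve binstub-demo from inside the checkout with the trusted PATH entry
# prepended, exactly as an interactive shell would. Prints the resolved path
# and returns 0 when found; prints nothing and returns 1 otherwise.
lookup_binstub() {
  (
    cd "$1" || exit 1
    PATH=".git/trusted/../../bin:$PATH"
    command -v binstub-demo
  )
}

# Run the binstub the same way and print its output; prints nothing when the
# command cannot be resolved.
run_binstub() {
  (
    cd "$1" || exit 1
    PATH=".git/trusted/../../bin:$PATH"
    binstub-demo 2>/dev/null
  )
}

# Equivalents of the post's `git trust` / `git untrust` aliases, taking the
# checkout path explicitly instead of relying on the current directory.
trust_checkout()   { mkdir "$1/.git/trusted"; }
untrust_checkout() { rmdir "$1/.git/trusted"; }

# Walk through untrusted -> trusted -> untrusted; run as `sh this-file.sh demo`.
demo() {
  co=$(make_checkout)
  printf 'untrusted:       %s\n' "$(lookup_binstub "$co" || echo 'not found')"
  trust_checkout "$co"
  printf 'trusted:         %s\n' "$(lookup_binstub "$co" || echo 'not found')"
  run_binstub "$co"
  untrust_checkout "$co"
  printf 'untrusted again: %s\n' "$(lookup_binstub "$co" || echo 'not found')"
  rm -rf "$co"
}

if [ "${1:-}" = demo ]; then
  demo
fi
```

Running it with the `demo` argument prints "not found" for the untrusted state, the relative path `.git/trusted/../../bin/binstub-demo` once the marker directory exists, and "not found" again after `rmdir`. Because the marker lives under `.git`, it is never part of what `git clone` writes out, which is exactly why a freshly cloned repository starts in the untrusted state.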