Installing a (read: many) custom vim plugins and color scheme and screen version and etc… stops being fun about the third time you have to log into a nameless server. That being said, there are some settings that I absolutely cannot live without; `j=gj` being a good example in vim.
IMO your dot files are only useful to share if they are usable with the default software of the place you’ve shared them to. Otherwise they become a prison that forces you to install all your special versions and plugins and scripts and etc. on the other hand, I felt like making my dotfiles easy to share forced me to use as many default settings as possible, which in the long run saves me a lot of time and energy.
“The only zen you’ll find on a mountain top is the zen you brought with you” is one of my favorite sayings, and in a weird way I find it fitting here. If you learn to love the default settings then every server feels like home.
jauntywundrkind · 9m ago
With neovim, you have pretty good profile copy-ability. The app convention is very nice too, for isolation.
Using something like astrovim provides a very nice framework for declaratively bringing in and bringing together a very nice environment too. Great start, good patterns, the impressive `lazy` managing plugins under the hood.
Mason is one other core bedrock components of good neovim dx. It's the main library in the neovim galaxy for bringing in lsp servers and debug adapter protocols. It mostly just works, gives great out of box debug-ability. There's like a mini `mise` running, powering the plugins you bring in.
firefax · 38m ago
I thought the appeal of vi was it can mostly be used "as is" vs emacs being infinitely customizable? The folks I know who use vi do so because they are at their core, sysadmins, and something simple and consistent is valued.
finaard · 1h ago
That's why you don't use vim, but Emacs with tramp.
wafflemaker · 1h ago
If they don't know, they can't be sad about what they're missing. You're just sticking fingers in the wound.
Anybody who would like a decent text editor around vim key-bindings uses Emacs in evil-mode already.
dotancohen · 36m ago
Emacs is a great OS, infinitely extensible. The only thing it's missing is a decent text editor.
BoorishBears · 56m ago
Nano.
Ezhik · 1h ago
I honestly just can't vibe with the "don't customize because you'll log into other servers" thing.
To me it feels like getting told to not put nice shelves in my home because other buildings don't have them.
justonceokay · 1h ago
It completely depends on your work environment. My experience has been doing a lot of admin work and working with distributed databases. I probably spend a third of my day in servers that are not mine. So for me it just doesn’t make sense to make a lot of configuration changes, especially changes that will end up in my muscle memory.
Now my personal computer does have much nicer color schemes and a few plugins for code dev that I don’t carry around. But even then I try to use the defaults in my IDEs and browsers, because at this point I’m on work computer number.. 11? Configuring it is starting to get old
treve · 1h ago
Seems like a great opportunity to learn a bit about automating this set up. Really not hard to upload a .vim directory on a remote server for example.
bshacklett · 1h ago
The better place to spend time might be the automation of operational tasks on those servers so that logging in isn’t necessary in the first place. Then you don’t have to leave your home environment and you can run whatever custom editing configuration you want. Of course the other upsides to that automation overshadow this a bit.
bongodongobob · 1h ago
Nah. Other people need to use them too. You just don't do that kind of stuff managing a fleet of servers. Keep it standard. Automation is yet another thing to manage and maintain. I keep all of my servers completely standard.
jclulow · 1h ago
Surely you can put your own dotfiles into your own account on that machine, though, without impacting other people?
skwirl · 1h ago
Not when everyone logs in as ec2-user.
exe34 · 1h ago
That's horrific!
mystifyingpoi · 1h ago
> Automation is yet another thing to manage and maintain
But supposedly you already have an automation that you maintain your standard servers with. Adding an Ansible role that puts .vimrc into $HOME surely isn't that much of a maintenance burden?
mystifyingpoi · 1h ago
> Configuring it is starting to get old
That's exactly the opposite of my experience. Since all my dotfiles are in Github, configuring new system is just a git clone and copying a few files around. I don't even use any config manager, since I rarely get new computers. Takes a few minutes max per machine (plus maybe package installs like zsh if it's not there already).
baobun · 1m ago
> Takes a few minutes max per machine (plus maybe package installs like zsh if it's not there already).
Assuming you have internet and can access GitHub. Setting up internally accessible repos mirrors for that or bake it into an image is its own excercise, which you'd have to setup again for every site and isn't there on day 0.
Even so, "a few minutes per machine " builds up quickly if that happens multiple times per day and new airgapped sites are a regular occurence. That's not including the possibly larger cost of context-switching to "config mode" for every box.
I do have a few dotfile customizations I carry around for sites/boxes I bother with but at this point they're cut down and familiar enough that it takes me a few seconds to put those in place manually from memory.
spicycode · 58m ago
Same exp here, a simple clone and setup script sorts all this in a user directory.
inanutshellus · 1h ago
The original statement was "vim plugins" SO yeah you can have your fancy alias or whatever but I'm with the GP that adding a bunch of cool plugins that I get used to and then... perpetually can't use because 40% of my time is spent on remote machines I don't have admin on... ehh.. quickly becomes not worth it.
It's like when I tried to get used to a DVORAK keyboard when I'd spend my weekdays in a school computer lab...
exe34 · 1h ago
You don't need admin to install emacs packages..... I'm sure vim isn't dumb enough to require that?!
inanutshellus · 40m ago
For me it was that each plugin would have to go through a security approval process and that was not something they appreciated. (e.g. they have "real work" to do), whilst mapping `n` to `nzz` or setting the regexpengine to `0` well, yeah, go for it.
exe34 · 1h ago
So you spend two thirds of your day with an arm tied behind your back because one third of your day you will have to use the hand for groping in the dark...
I was thinking of exactly that. Or maybe, for an extreme version of this, one could create a Docker image with the whole dev environment, start the container at the login, bind mount / of the host somewhere and work from there. Then Ctrl-D and it's gone.
It's also super weird when people say this and then switch to another editor, then switch to something like vscode, which ignores the fact that using a souped-up local Vim and a minimal remote one is the same situation... you're getting a different experience local and remote.
pkghost · 1h ago
It's bananas!
If the claim these folks make is "time spent struggling through a default config on an unfamiliar machine" > "time saved by crafting an workshop to fit your mind", then we are not the same.
(Probably, the dividing line here is time spent coding vs time spent managing infra.)
tetha · 1h ago
Also, if you have useful nice shelves that make your fridge aka postgres run better, why shouldn't we work on putting that on servers to make all fridges run better? Also, having a comparable and shared admin experience is a big deal in a team.
Like sure, if you need to quibble about red or yellow prompts, eh. But if there is a good log colorizer or analyzer that makes an expert better at handling the system, or some aliases that make a system easier to manage - I want this deployed for _all_ admins on _all_ relevant systems.
And sure, all code running on a server is a security topic. But then let's figure out a way to run your favorite tools through the software security pipeline and then deploy it to systems. Sure, I dislike installing the latest js-based npm fad on a database for a minor advantage, but if there is some well-aged tool from the postgres space... I'd probably rather work to have it.
dotancohen · 30m ago
> I want this deployed for _all_ admins on _all_ relevant systems.
Another user above mentioned that his most important config is mapping j to gj. That would drive me nuts. When lines are so long that they wrap, I want j to go to the next line, not the next however-wide-the-terminal-is. On the off chance that I ever want that, I have gj right there at my literal fingertips.
You're never going to find a config that everybody is happy with. If that were the case, then there would be no need of config at all.
taude · 1h ago
it's going to depend on whether you're a software dev or a sre/ops person.
speerer · 1h ago
"Free and easy
That's my style
Howdy-do me?
Watch me smile
But fare-the-well me
After a while
'Cause I gotta roam
And any place I hang my hat is home"
dotancohen · 30m ago
Burma shave
LordDragonfang · 1h ago
This is the main reason that, even though I know I'd enjoy zsh, I stubbornly stick with bash. It's because I know that I will be extra frustrated when I have to log into any of the number of machines that I have to do real work on that don't have it already set up.
anyfoo · 1h ago
That’s like saying: “This is the main reason that, even though I know I’d enjoy a nice car, I stubbornly stick with a run-down PT Cruiser without radio and air conditioning. It’s because I know that I will be extra frustrated when I have to take an Uber.”
I personally use zsh and do not want to miss it on my own machines. I however do log in onto machines that sometimes do not even have bash (yeah it’s rare nowadays, but it exists), and I adapt just fine. It’s not super pleasant, but not using zsh on my machines would be less pleasant.
acheong08 · 44m ago
Try fish. It has good defaults and don't require any configuration. I install it on every server I log into as my first instinct
VirusNewbie · 1h ago
dotfiles are pretty easy to move to a new server, no?
m463 · 1h ago
no. simple but complicated.
does the same .bash_profile/.bashrc work on different linux versions? what about macos? and now macos no longer uses bash. And what about saving .bash_history? and on and on.
there is a whole industry of shell scripts that try to help with this.
alisonatwork · 3h ago
The first UNIX account I ever got was on a BSD, and the first thing I saw in the first file I learned how to open was:
# A righteous umask
umask 22
I'll never forget those lines because they seemed so mysterious and cool. And they informed my philosophy on how the internet should be. People should be able to see other people's stuff by default. It's nice for us to be able to learn from one another. It's harder to rely on the honor system for privacy nowadays, but I still think "share by default" is a noble ideal.
That said, I also am unsure how best to overlap aliases and configs that are sensitive to my workplace with my everywhere config. Maybe I should have a .employer file that I source if it's there, but something about including that into my everywhere config feels decidedly not righteous.
r3trohack3r · 2h ago
Not just the internet but communities too. High trust societies are great to live in, digitally and physically. Leave the doors unlocked, leave keys in the ignition, leave valuables on the table when you walk away.
But high trust societies only work when the price of ongoing admission is not violating that trust.
When you accept/tolerate/expect the violation of trust the doors lock.
lcnPylGDnU4H9OF · 2h ago
> leave valuables on the table when you walk away
I actually do this somewhat frequently at my local game shop. Thousands of dollars' worth of Magic: The Gathering cards (because I bring multiple decks instead of just the one I'm playing) in my backpack left behind as I go to get some water or something.
> high trust societies only work when the price of ongoing admission is not violating that trust
Indeed, the reason I feel comfortable doing that is I know that nobody wants to be banned from going to that store (and they would be). In this context, the community is small enough that rumors would likely circulate at other local shops and they might also become a bit of a pariah at those other places they could play.
inanutshellus · 1h ago
... but dude, we're talking about how you configure VI and ... bash. Like... guys. Calm down.
inanutshellus · 35m ago
... to follow myself up...
I went ahead and looked in my .vimrc and lo and behold there's a "security issue" in it:
if $USER != 'root' " Modelines let you specify format rules for a file within the file
set modeline modelines=5 " e.g. "// vim: tabstop=20 : shiftwidth=20" (or something actually reasonable)
else " They can be a security vulnerability (unlikely) so we don't enable for root
set nomodeline
endif
... so yeah... I guess there's some concepts worth being extra sensitive about... but even still, surely y'all can handle this stuff.
mh- · 1h ago
> unsure how best to overlap aliases and configs that are sensitive to my workplace
I have a .zshrc that sources .zshrc_mh, .zshrc_$employer, etc. That way my .zshrc is always a shareable config of sane defaults, and weird/opinionated aliases can go in my _mh, stuff particular to my employer goes in the other one, so forth.
In the past I had a more complex loading system I used (and made) that worked out of ~/.zsh.d/, but I no longer bother with all of that.
twp · 3h ago
It's not a question of share everything or share nothing - with https://chezmoi.io you can choose exactly what you want to share:
* You can keep your entire dotfile repo secret by using any private git hosting, including your own git hosting or a private GitHub repo.
* You can keep individual files secret by using age or gpg encryption. If you repo is public, this only reveals the existence of the file, not its contents.
* You can keep individual parts of your dotfiles secrets, e.g. API keys, by encrypting them or storing them in your password manager. All popular password managers are supported.
Disclaimer: I'm the author of chezmoi.
kjuulh · 3h ago
Chezmoi has been a blessing to use. It is one of the only tools I've used that had been able to survive me neclecting it for months and then getting back to it. I'd love a more interactive diff when my dotfiles have driften too much. But otherwise it is perfect for my needs.
I used chezmoi briefly yeeeeeears ago, and I think it didn't have the 'encrypt only parts of the files' feature yet. I might test it again :)
lrvick · 1h ago
Professional security researcher here.
I would strongly discourage threat modeling with vibes.
Your post already reveals potentially the scariest things someone might learn if you published your dotfiles: that you use Homebrew, pip, etc as part of them. In doing so you are telling everyone you allow any internet rando to have remote code execution rights on your computer. To me that is like boldly saying you like privacy in the same breath as saying you never lock your front door or close your drapes.
Those package managers operate like Wikipedia where anyone can push whatever they want without signatures or vetting from poorly secured accounts without phishing-resistant 2FA etc.
At that point you already allow anyone capable of creating a few useful PRs to Homebrew, basic phishing, or sim swapping the ability to see and publish anything on your computer, so your dotfiles being public should be the least of your concerns.
Now you are probably thinking "There is no way tools that every smart person I know uses could be that wildly insecure"
Ask yourself if those same people have experience exposing and exploiting supply chain attacks. We all have blind spots, and almost everyone has a massive blind spot here and my team and I have exploited it many times in audits.
All said though, I personally publish my dotfiles because I am confident they are of more use to me and others public, and do not reveal anything useful to someone targeting me other than that I use some kind of Linux distro and neovim.
Any sensitive work I do is in offline stateless virtual machines deterministically built from a supply chain with high accountability and I do not use any dotfiles in those environments.
With good separation of concerns between yolo systems and hardened trusted systems, publishing information about either is perfectly fine. Almost no one has that kind of workflow separation though, usually accessing prod from their compromised dev macbooks.
diarrhea · 50m ago
This is extremely alarmist. If you are on Mac, developing anything at all with Python, those are going to be your tools. If you randomly guessed at developer setups, that is going to be one of the most common setups as well.
What's next, I use a computer so someone could just upload a virus somewhere in hopes I happen upon it, which would be dangerous?
I have dotfiles which not only specify Python, but also its version and some packages. That protects against typosquatting! I will never type those package names out manually again. And this is all in Nix (btw), so all hash-pinned!
lrvick · 37m ago
It is absolutely not alarmist. Seriously, go apply to be a Homebrew developer right now under an alias, make some useful updates for a few months, then submit a PR as another alias, and approve and merge your own changes from the first alias. After you get away with skipping code review a few times, now go switch a popular package that relies on abandoned sources to point to your fork that makes a few legitimate updates.
Now in a few months make an update that compromises the random number generator on every brew users laptop making it easy to covertly intercept and manipulate the traffic of any target however you want. Maybe for less chance of getting caught, target sysadmins or release engineers by targeting a niche tool many of them use and wait until they publish new ssh keys to github (which are always public!), that you can re-generate the private keys of since you know about their compromised entropy. Check for public dotfiles of your targets to pick the right niche tool. Now go collect database dumps or crypto from a pile of major companies. Easy money if you do not have ethics.
Seen these attacks in the wild many times, some at close range. A bored teenager could do this, and in fact attacks like this happen every day. And everyone just says pointing it out is "alarmist". People used to defend lead paint and asbestos too. Survivors bias is a hell of a drug.
I have done supply chain attacks along the lines of the above myself to prove the risk is very much real to my clients. It is expensive to fix so wanting the risk to be overstated is understandable, but it is actually super easy. Sometimes you can even get away with buying the expired email domain of a inactive maintainer so you can easily just take over their identity. Done this twice and I am no state actor.
Nix, by the way, is hash pinned, but you just blindly update those hashes when there are updates, right? Their code submission process is as yolo as Homebrew. Any rando can push whatever they want without multi-party code signing. I am the one that submitted the RFC to nix to fix this which was rejected as in the end they admitted they want a hobby distro and do not want the overhead and rigor needed for professional targeted environments.
This is why I was forced to abandon nix and get all my clients to abandon it, in favor of StageX which even as the founder I have no control of. It mandates deterministic builds and cryptographic signing by at least two well known keys of maintainers.
We do not point out risks unless there are solutions to mitigate them.
kernc · 3h ago
Too personal to share, but maybe too personal and important to share even with the members of the cloudy cartel, i.e. the Providers. Is exactly why I wrote myba that does full contents and paths encryption before syncing with the lapsable remotes ...
The moment I started syncing dotfiles between my work and personal computers, I know it was an error because very different reasons. Difficulty of maintaining different OS details (Linux vs MacOS). What if leaked a private key or a sensible path. What if a pushed to the wrong place or somebody made public the wrong repository...
When reading your comment something and idea came to mind about using something like sops to encrypt paths, passwords and keys. But I'll check yours first, so to avoid to construct a bunch of stuff that you've already done :D
thewisenerd · 3h ago
this reminds me of public repos of pass [1] i've seen in the wild
same issue of intimacy, the paths aren't encrypted.
I feel similarly. For me it’s less about my unique customizations and more about this paranoia of there being something remotely sensitive in my ssh configs or something… the idea of hostnames, ips, domains, etc “leaking” worries me.
I use chezmoi to manage my dotfiles, if anyone has any advice on how to handle these worries I am all ears. I would love to share mine, even to just be able to point coworkers at my config.
phailhaus · 4h ago
I get around that by sourcing a separate file in my config that I don't make public. Those are my company-specific settings.
twp · 1h ago
chezmoi includes secret scanning from https://gitleaks.io/ by default to catch when you accidentally add a file with a secret in it. To be even more confident, you should add gitleaks as a git hook to your repo however.
I think the key is that dotfiles are a different genre of (code) writing than production code, with different investment, different motivations, different pain points and histories, and a sensitivity to the author that's not required when analyzing production code. You're looking into someone's daily writings, not their polished releases.
I think the fear is scrutiny, rejection, mockery for something that clearly works for you and you don't ever expect anyone else to use. But also partly that it's exposure without much reward in return. All these feelings are normal and it's fine to share or not share them. Just please honour the authors of the dotfiles you read even if you wouldn't ever think to use code in the way they do!
QuercusMax · 2h ago
I'm sure I have stupid and weird stuff in my dotfiles. At one point I had bash set up so if I typed something like "gi tlog" it would fix it for me; this is obviously not something that everybody needs because it's due to my idiosyncratic typing-too-fast.
I've been using Unix systems since last century; my standard way to do a find-and-replace in a file is still 'perl -pi -e s/foo/bar/ filename.txt'; I've been writing that for 25 years and I'm unlike to stop any time soon unless perl stops working. I'm sure there's a better way to do this, but :shrug:?
nobleach · 3h ago
My dots are open to anyone who cares to view my GitHub. I do tend to keep employer specific aliases/stuff in an `.employer.zsh` file that is sourced by my main `.zshrc`. But my NeoVim config is completely open for inspection. I'm not doing anything all that extraordinary though. I don't share my dots on Reddit simply because I don't feel like using my real identity on that platform.
When it comes to consuming the dots of others, I just switched to AxOS for Linux... and am auditioning Celestia (https://github.com/caelestia-dots/shell). This means that in 3 months, my desktop will likely look like everyone else's. I probably won't even commit any of this as it's not really my stuff.
petepete · 1h ago
Similarly, I have two sets of dotfiles, a public one and a private one (hosted on my own server).
Somehow, 11 people have starred my public ones on GitHub.
Insanity · 3h ago
That actually looks pretty cool. Might have to play around a bit with Caelestia as well.
trostaft · 3h ago
Thanks for the reference, that looks incredible.
incognito124 · 4h ago
I truly appreciate people sharing their dotfiles, I learned so much about vim and zsh just by reading other people's configuration alone (and the occasional comments there).
Also, the quality of life improvements like `alias ..='cd ..'`, or mapping `l` such that it either opens a pager or lists a dir, depending on the argument. I'd never come up with those, and they're beyond useful.
Milpotel · 4h ago
Last one sounds interesting, could you share a link or snippet?
Joker_vD · 3h ago
I imagine it's something like
l() { if [ -d "$1" ] ; then ls -alFh -- "$1" ; else "${PAGER:-pager}" -- "$1" ; fi }
in the .bashrc
alexandroqc · 4h ago
I used to use chezmoi and had a great experience with it .It made it easy to choose exactly what I wanted to share. These days, I don’t have many devices, so I stopped using it. Still, it feels great when someone asks, “How did you set that up?” and I can instantly share my entire configuration through a GitHub repo.
dayjah · 3h ago
I found the syncing process in chezmoi to be so hard to mentally model.
I’d often change a file, forget that it was backed by the chezmoi store, later find myself trying to reconcile the differences, just so I could commit and share w/ another computer. nix + home-manager and snowfall lib, once over the multi month ramp up, have been such a breath of fresh air in multi system management
You just have to put some effort into separating your dotfiles into a generic layer and a customization layer. Done something like this with my dotfiles repo, which now triples as a generic archlinux customisation tutorial with hyprland and a description of the backup strategy that is tightly coupled with the configuration layout: https://github.com/gchamon/archlinux-system-config
wlindley · 1h ago
"...whenever 'a software' doesn't...." Ugh. "A software package" or "a piece of software" or perhaps "a program" but you don't have "one software" any more than you can have "one hardware" or "one information." Grammar, please!
But I do agree that secrets need to be handled carefully. Look at my list of `.gitignore`! But (I'm biased of course) I would recommend using Polykey to manage your secrets instead leaving any trace of things on disk.
Cu3PO42 · 3h ago
My dotfiles are public [0], but getting there was work. I went through everyhing to make sure I don't accidentally leak something, all secrets are managed separately, you don't accidentally distribute something violating its licence, etc.
I also feel the need to write docs for some things, that I never would if they were private (I haven't actually done that, I just feel that I should).
I get everyone who wants to keep them private, but I'm also thankful for everyone who made them public so others can learn from them.
[0] github.com/Cu3PO42/gleaming-glacier/tree/next
vkaku · 1h ago
I keep my DotFiles on my GitHub not without its embarrassments, this will help me backup and restore my tools and workflows on systems anywhere I want it to.
There's no knowledge shared here, just my own setup which can be barebones git cloned. Planning to add a curlbash installer here to help me set it up with a oneliner.
athorax · 4h ago
I feel similarly. For me I know it is because of my rejection sensitive dysphoria. The fear of someone seeing and judging something personal of mine is quite uncomfortable. I don't have the same issue with code I write professionally.
tasuki · 2h ago
> I don't have the same issue with code I write professionally.
Why not?
8n4vidtmkvmk · 5m ago
Code I write professionally is polished before I send it for review. Code/dotfiles I write for myself are full of all kinds of heinous hacks.
jacobsenscott · 1h ago
It takes a lot of discipline to keep secretes out of dotfiles. You should do that anyway, even if you have a private dotfile repo. Even if they aren't secrets per se - they can still be useful for social engineering. I don't understand why people think their configs are so special it is worth the risk.
pavel_lishin · 4h ago
I have two sets of dotfiles - public and private. I don't mind sharing my public ones - what do I care if someone on the internet thinks my tmux setup is non-optimal? But there are some things I do keep private, though they probably don't qualify as dotfiles, exactly - RSS subscription backups, some backup scripts that reveal filepaths I'd rather not have revealed, old outdated things like my znc, irssi, etc. configs...
JoshTriplett · 39m ago
My dotfiles have a massive .gitignore in them for all the things I don't want to share, or can't easily divide into shareable and non-shareable. The largest section in my .gitignore is:
# Some transient, some configuration files, but configuration files get written
# out every time, and not just the changed values. Some also contain
# machine-specific configuration, and private data.
It includes things like .config/libreoffice , which is a baffling combination of:
- backup copies of documents (which should go elsewhere)
- copies of icons from the icon theme (which should go elsewhere)
- log files (which should go elsewhere)
- piles of binary pack files, probably containing a mix of things
- configuration in XML form (potentially useful to version), but with embedded lists of recently opened files (private, should go elsewhere), including base64-encoded thumbnails.
sodapopcan · 1h ago
I'll never understand people not wanting to share their dots. Obviously you have to have a way to not share the private stuff of which there are many simple solutions, but I've learned so much from reading other peoples. To each their own, of course.
mystifyingpoi · 1h ago
I don't even know what the author means here. I put them public on GitHub, because I can clone them from anywhere and have my config on any machine. The approximate number of people, who read them and see what I did, is 0. I just "share" them for public and free backup.
Someone thinking that bash aliases can be "intimate" is a next level of nerdyness for me. Reminds me of "gay code" scene from Silicon Valley.
alkh · 2h ago
That's something I was a little bit conflicted about for some time. After using a few open source tools(shoutout to syncthing and linkding :)) and I realised that if you want to use something for free, sharing is the least you can do.
My dotfiles are private for now cause I need to clean some commits(I think I might have added some private info before) but I intend to publish them eventually
gknoy · 54m ago
> My dotfiles are private for now cause I need to clean some commits
I had to do similar. I ended up deleting the git history and just recreating it before pushing. The best thing was to add a dependency on `~/.secrets` or other similar un-tracked file, which is basically just a source-able script that defines things like API keys, private URLs, etc.
superzamp · 2h ago
I think it's even realistic to say that dotfiles are vulnerable to being used as a fingerprint mechanism by nefarious packages. One could easily create an inventory of github profiles <> dotfiles; then read local dotfiles when their package gets installed on a developer laptop.
meribold · 1h ago
Such a nefarious package could also read browser cookies, SSH keys, emails, photos, and a million of other things.
paffdragon · 1h ago
I once set out to share dotfiles as I set up a new workstation, but later removed the public repo. I realized I am often careless with that stuff, since it only lives on my machine and I am not managing them as public content, nor I want that extra overhead.
holman · 2h ago
I have like 7500 stars on my dotfiles over the last 15 years or so; it's definitely weird. It's kind of a different open source project entirely; the goal isn't really to make good software... it's to make good software for me. Most of the time in open source those overlap completely, but with dotfiles I'll get pulls that make sense, that can be helpful, but... at the end of the day they're my dotfiles and I don't really make large changes to them anymore. It's just a lot different from my other projects I manage.
That said, mine also started before things like Oh My Zsh popped up, which are better frameworks to share and collaborate on these things. I think frameworks like that are great, and I think seeing someone's more "intimate" dotfiles is helpful, too- you get a look at how someone sets up their environment, which tends to be private unless you're doing a lot of pair programming. So yeah, just interesting all around.
Insanity · 3h ago
I actually resonate with this as well, but similarly can't really explain why. I have my own set of dotfiles (one set for my 'home setup' and one set for my 'work setup').
They are versioned and stored on GitHub, and are actually relatively static at this point. And even though it's pretty standard stuff, I wouldn't feel comfortable sharing them publicly. Odd.
qiine · 3h ago
I was close to upload my full dotfile dir to github, telling myself it would be handy when I switch computers..
Then I realized that some of those config files reflected a lot about my systems and personal preferences... and it was only going to be ever more detailed, so I said NOPE making separate repos for my nvim config maybe and that will be it!
sorry.
tracker1 · 3h ago
You can always use a private repository for it. And, yeah, it's been very useful. I pushed a relatively straight forward config for Windows and WSL a few years ago, I really need to update it. I also want to get my Linux config done as well.
I mostly backup and restore from my NAS for my dot-files, and some of my ~/.config, though I need to nail that down a bit better, as ~/.config feels excessively bloated from a few apps.
fishbacon · 4h ago
I share my .emacs with people who ask. Not really for privacy, but because I would feel bad: If someone tried to use any of it and was not able to ask me what I was thinking.
The usual answer is that I was not and we should change it.
I would also have to distribute a couple of novel go programs that I am not proud of if I was sharing it publicly.
jrockway · 3h ago
I've never felt that icky. I don't really have any secrets in my dotfiles, though I have in the past. In that case, I just encrypt the private stuff using my SSH private key (stored in 1password) and age (via sops-nix).
seethishat · 3h ago
They are private. Many people store env secrets (db conn strings, etc.) in .bashrc. It's meant to be a private place in your home folder for private things.
k_roy · 3h ago
They are really only private if you design it that way. There are numerous ways you could have access to those private parts of your bashrc, but still make the actual bashrc public.
That's coming from my kubernetes background though, and handling secrets this way is not something that people are always accustomed to.
nativeit · 3h ago
Aren’t the default permissions 644?
zahlman · 2h ago
Sometimes there are valid security reasons for this, after all. (Looking at you, .pypirc .)
jrm4 · 4h ago
RIGHT?
I could MAYBE see it if you were sharing your things on your personal blog -- but "github dotfile repos" feels wildly icky to me.
sodapopcan · 1h ago
How? What? It's not icky.
apwell23 · 4h ago
why? no one cares about your dotfiles 99% of time.
8n4vidtmkvmk · 10m ago
I put all kinds of weird stuff in mine. Where/who I stole the alias from. Maybe some swear words. Broken stuff. Jokey stuff. I don't want people judging me. It's like publishing the worst of your sketch book or something. People just don't need to see it.
Which really annoys me that everything is effectively public at my place of employment. I have to mildly censor myself all the time.
tylergetsay · 3h ago
I feel the same about my NixOS config despite the "open repo" model kind of being a default in that ecosystem
dayjah · 3h ago
Oh man… that “how normal is this thing of mine” feeling writing nix gives me is such a weird characteristic of the ecosystem.
I simultaneously don’t want anyone to see mine while desperately seeking affirmation that mine is not weird ^_^
Happy to hear I’m not alone!
tylergetsay · 3h ago
It makes me feel bad because I frequently will search github with "language:nix" to find usages, which is usually done in someones (sometimes the nixpkgs commit authors) personal config :')
awill88 · 4h ago
I feel similarly. There is virtually zero chance I’m going to clone and run someone else’s dotfiles. So the act of sharing them is a generous look into a developer’s toolchain and I’ve been inspired by others’ choices. So, if you know how, please share them!
pavel_lishin · 4h ago
I've never straight up cloned them, but my dotfiles have grown in large part out of some copy-and-pastes from other people's.
saagarjha · 1h ago
I keep mine public but sensitive data goes into another, private GitHub repo.
dcchambers · 2h ago
I split mine. I have public dotfiles and private. No need to share everything.
tootie · 3h ago
One trick I use is putting secrets in 1password and just including the 1password URLs in my checked in my sample dotfile.
luckydata · 3h ago
is there some sort of utility to automatically backup and retrieve dotfiles from github to keep different computers synchronized?
olddustytrail · 1h ago
Well, there is cron and git. I don't see why you need anything else.
IMO your dot files are only useful to share if they are usable with the default software of the place you’ve shared them to. Otherwise they become a prison that forces you to install all your special versions and plugins and scripts and etc. on the other hand, I felt like making my dotfiles easy to share forced me to use as many default settings as possible, which in the long run saves me a lot of time and energy.
“The only zen you’ll find on a mountain top is the zen you brought with you” is one of my favorite sayings, and in a weird way I find it fitting here. If you learn to love the default settings then every server feels like home.
Mason is one other core bedrock components of good neovim dx. It's the main library in the neovim galaxy for bringing in lsp servers and debug adapter protocols. It mostly just works, gives great out of box debug-ability. There's like a mini `mise` running, powering the plugins you bring in.
Anybody who would like a decent text editor around vim key-bindings uses Emacs in evil-mode already.
To me it feels like getting told to not put nice shelves in my home because other buildings don't have them.
Now my personal computer does have much nicer color schemes and a few plugins for code dev that I don’t carry around. But even then I try to use the defaults in my IDEs and browsers, because at this point I’m on work computer number.. 11? Configuring it is starting to get old
But supposedly you already have an automation that you maintain your standard servers with. Adding an Ansible role that puts .vimrc into $HOME surely isn't that much of a maintenance burden?
That's exactly the opposite of my experience. Since all my dotfiles are in Github, configuring new system is just a git clone and copying a few files around. I don't even use any config manager, since I rarely get new computers. Takes a few minutes max per machine (plus maybe package installs like zsh if it's not there already).
Assuming you have internet and can access GitHub. Setting up internally accessible repos mirrors for that or bake it into an image is its own excercise, which you'd have to setup again for every site and isn't there on day 0.
Even so, "a few minutes per machine " builds up quickly if that happens multiple times per day and new airgapped sites are a regular occurence. That's not including the possibly larger cost of context-switching to "config mode" for every box.
I do have a few dotfile customizations I carry around for sites/boxes I bother with but at this point they're cut down and familiar enough that it takes me a few seconds to put those in place manually from memory.
It's like when I tried to get used to a DVORAK keyboard when I'd spend my weekdays in a school computer lab...
If the claim these folks make is "time spent struggling through a default config on an unfamiliar machine" > "time saved by crafting an workshop to fit your mind", then we are not the same.
(Probably, the dividing line here is time spent coding vs time spent managing infra.)
Like sure, if you need to quibble about red or yellow prompts, eh. But if there is a good log colorizer or analyzer that makes an expert better at handling the system, or some aliases that make a system easier to manage - I want this deployed for _all_ admins on _all_ relevant systems.
And sure, all code running on a server is a security topic. But then let's figure out a way to run your favorite tools through the software security pipeline and then deploy it to systems. Sure, I dislike installing the latest js-based npm fad on a database for a minor advantage, but if there is some well-aged tool from the postgres space... I'd probably rather work to have it.
You're never going to find a config that everybody is happy with. If that were the case, then there would be no need of config at all.
That's my style
Howdy-do me?
Watch me smile
But fare-the-well me
After a while
'Cause I gotta roam
And any place I hang my hat is home"
I personally use zsh and do not want to miss it on my own machines. I however do log in onto machines that sometimes do not even have bash (yeah it’s rare nowadays, but it exists), and I adapt just fine. It’s not super pleasant, but not using zsh on my machines would be less pleasant.
does the same .bash_profile/.bashrc work on different linux versions? what about macos? and now macos no longer uses bash. And what about saving .bash_history? and on and on.
there is a whole industry of shell scripts that try to help with this.
That said, I also am unsure how best to overlap aliases and configs that are sensitive to my workplace with my everywhere config. Maybe I should have a .employer file that I source if it's there, but something about including that into my everywhere config feels decidedly not righteous.
But high trust societies only work when the price of ongoing admission is not violating that trust.
When you accept/tolerate/expect the violation of trust the doors lock.
I actually do this somewhat frequently at my local game shop. Thousands of dollars' worth of Magic: The Gathering cards (because I bring multiple decks instead of just the one I'm playing) in my backpack left behind as I go to get some water or something.
> high trust societies only work when the price of ongoing admission is not violating that trust
Indeed, the reason I feel comfortable doing that is I know that nobody wants to be banned from going to that store (and they would be). In this context, the community is small enough that rumors would likely circulate at other local shops and they might also become a bit of a pariah at those other places they could play.
I went ahead and looked in my .vimrc and lo and behold there's a "security issue" in it:
... so yeah... I guess there's some concepts worth being extra sensitive about... but even still, surely y'all can handle this stuff.I have a .zshrc that sources .zshrc_mh, .zshrc_$employer, etc. That way my .zshrc is always a shareable config of sane defaults, and weird/opinionated aliases can go in my _mh, stuff particular to my employer goes in the other one, so forth.
In the past I had a more complex loading system I used (and made) that worked out of ~/.zsh.d/, but I no longer bother with all of that.
* You can keep your entire dotfile repo secret by using any private git hosting, including your own git hosting or a private GitHub repo.
* You can keep individual files secret by using age or gpg encryption. If you repo is public, this only reveals the existence of the file, not its contents.
* You can keep individual parts of your dotfiles secrets, e.g. API keys, by encrypting them or storing them in your password manager. All popular password managers are supported.
Disclaimer: I'm the author of chezmoi.
I would strongly discourage threat modeling with vibes.
Your post already reveals potentially the scariest things someone might learn if you published your dotfiles: that you use Homebrew, pip, etc as part of them. In doing so you are telling everyone you allow any internet rando to have remote code execution rights on your computer. To me that is like boldly saying you like privacy in the same breath as saying you never lock your front door or close your drapes.
Those package managers operate like Wikipedia where anyone can push whatever they want without signatures or vetting from poorly secured accounts without phishing-resistant 2FA etc.
At that point you already allow anyone capable of creating a few useful PRs to Homebrew, basic phishing, or sim swapping the ability to see and publish anything on your computer, so your dotfiles being public should be the least of your concerns.
Now you are probably thinking "There is no way tools that every smart person I know uses could be that wildly insecure"
Ask yourself if those same people have experience exposing and exploiting supply chain attacks. We all have blind spots, and almost everyone has a massive blind spot here and my team and I have exploited it many times in audits.
All said though, I personally publish my dotfiles because I am confident they are of more use to me and others public, and do not reveal anything useful to someone targeting me other than that I use some kind of Linux distro and neovim.
Any sensitive work I do is in offline stateless virtual machines deterministically built from a supply chain with high accountability and I do not use any dotfiles in those environments.
With good separation of concerns between yolo systems and hardened trusted systems, publishing information about either is perfectly fine. Almost no one has that kind of workflow separation though, usually accessing prod from their compromised dev macbooks.
What's next, I use a computer so someone could just upload a virus somewhere in hopes I happen upon it, which would be dangerous?
I have dotfiles which not only specify Python, but also its version and some packages. That protects against typosquatting! I will never type those package names out manually again. And this is all in Nix (btw), so all hash-pinned!
Now in a few months make an update that compromises the random number generator on every brew users laptop making it easy to covertly intercept and manipulate the traffic of any target however you want. Maybe for less chance of getting caught, target sysadmins or release engineers by targeting a niche tool many of them use and wait until they publish new ssh keys to github (which are always public!), that you can re-generate the private keys of since you know about their compromised entropy. Check for public dotfiles of your targets to pick the right niche tool. Now go collect database dumps or crypto from a pile of major companies. Easy money if you do not have ethics.
Seen these attacks in the wild many times, some at close range. A bored teenager could do this, and in fact attacks like this happen every day. And everyone just says pointing it out is "alarmist". People used to defend lead paint and asbestos too. Survivors bias is a hell of a drug.
I have done supply chain attacks along the lines of the above myself to prove the risk is very much real to my clients. It is expensive to fix so wanting the risk to be overstated is understandable, but it is actually super easy. Sometimes you can even get away with buying the expired email domain of a inactive maintainer so you can easily just take over their identity. Done this twice and I am no state actor.
Nix, by the way, is hash pinned, but you just blindly update those hashes when there are updates, right? Their code submission process is as yolo as Homebrew. Any rando can push whatever they want without multi-party code signing. I am the one that submitted the RFC to nix to fix this which was rejected as in the end they admitted they want a hobby distro and do not want the overhead and rigor needed for professional targeted environments.
This is why I was forced to abandon nix and get all my clients to abandon it, in favor of StageX which even as the founder I have no control of. It mandates deterministic builds and cryptographic signing by at least two well known keys of maintainers.
We do not point out risks unless there are solutions to mitigate them.
https://kernc.github.io/myba/
Some things are better public. Some are not ...
The moment I started syncing dotfiles between my work and personal computers, I know it was an error because very different reasons. Difficulty of maintaining different OS details (Linux vs MacOS). What if leaked a private key or a sensible path. What if a pushed to the wrong place or somebody made public the wrong repository...
When reading your comment something and idea came to mind about using something like sops to encrypt paths, passwords and keys. But I'll check yours first, so to avoid to construct a bunch of stuff that you've already done :D
same issue of intimacy, the paths aren't encrypted.
[1] https://www.passwordstore.org/
I use chezmoi to manage my dotfiles, if anyone has any advice on how to handle these worries I am all ears. I would love to share mine, even to just be able to point coworkers at my config.
I think the fear is scrutiny, rejection, mockery for something that clearly works for you and you don't ever expect anyone else to use. But also partly that it's exposure without much reward in return. All these feelings are normal and it's fine to share or not share them. Just please honour the authors of the dotfiles you read even if you wouldn't ever think to use code in the way they do!
I've been using Unix systems since last century; my standard way to do a find-and-replace in a file is still 'perl -pi -e s/foo/bar/ filename.txt'; I've been writing that for 25 years and I'm unlike to stop any time soon unless perl stops working. I'm sure there's a better way to do this, but :shrug:?
When it comes to consuming the dots of others, I just switched to AxOS for Linux... and am auditioning Celestia (https://github.com/caelestia-dots/shell). This means that in 3 months, my desktop will likely look like everyone else's. I probably won't even commit any of this as it's not really my stuff.
Somehow, 11 people have starred my public ones on GitHub.
Also, the quality of life improvements like `alias ..='cd ..'`, or mapping `l` such that it either opens a pager or lists a dir, depending on the argument. I'd never come up with those, and they're beyond useful.
I’d often change a file, forget that it was backed by the chezmoi store, later find myself trying to reconcile the differences, just so I could commit and share w/ another computer. nix + home-manager and snowfall lib, once over the multi month ramp up, have been such a breath of fresh air in multi system management
But I do agree that secrets need to be handled carefully. Look at my list of `.gitignore`! But (I'm biased of course) I would recommend using Polykey to manage your secrets instead leaving any trace of things on disk.
I also feel the need to write docs for some things, that I never would if they were private (I haven't actually done that, I just feel that I should).
I get everyone who wants to keep them private, but I'm also thankful for everyone who made them public so others can learn from them.
[0] github.com/Cu3PO42/gleaming-glacier/tree/next
https://github.com/guilt/DotFiles
There's no knowledge shared here, just my own setup which can be barebones git cloned. Planning to add a curlbash installer here to help me set it up with a oneliner.
Why not?
- backup copies of documents (which should go elsewhere)
- copies of icons from the icon theme (which should go elsewhere)
- log files (which should go elsewhere)
- piles of binary pack files, probably containing a mix of things
- configuration in XML form (potentially useful to version), but with embedded lists of recently opened files (private, should go elsewhere), including base64-encoded thumbnails.
Someone thinking that bash aliases can be "intimate" is a next level of nerdyness for me. Reminds me of "gay code" scene from Silicon Valley.
My dotfiles are private for now cause I need to clean some commits(I think I might have added some private info before) but I intend to publish them eventually
I had to do similar. I ended up deleting the git history and just recreating it before pushing. The best thing was to add a dependency on `~/.secrets` or other similar un-tracked file, which is basically just a source-able script that defines things like API keys, private URLs, etc.
That said, mine also started before things like Oh My Zsh popped up, which are better frameworks to share and collaborate on these things. I think frameworks like that are great, and I think seeing someone's more "intimate" dotfiles is helpful, too- you get a look at how someone sets up their environment, which tends to be private unless you're doing a lot of pair programming. So yeah, just interesting all around.
They are versioned and stored on GitHub, and are actually relatively static at this point. And even though it's pretty standard stuff, I wouldn't feel comfortable sharing them publicly. Odd.
Then I realized that some of those config files reflected a lot about my systems and personal preferences... and it was only going to be ever more detailed, so I said NOPE making separate repos for my nvim config maybe and that will be it!
sorry.
I mostly backup and restore from my NAS for my dot-files, and some of my ~/.config, though I need to nail that down a bit better, as ~/.config feels excessively bloated from a few apps.
The usual answer is that I was not and we should change it.
I would also have to distribute a couple of novel go programs that I am not proud of if I was sharing it publicly.
That's coming from my kubernetes background though, and handling secrets this way is not something that people are always accustomed to.
I could MAYBE see it if you were sharing your things on your personal blog -- but "github dotfile repos" feels wildly icky to me.
Which really annoys me that everything is effectively public at my place of employment. I have to mildly censor myself all the time.
I simultaneously don’t want anyone to see mine while desperately seeking affirmation that mine is not weird ^_^
Happy to hear I’m not alone!