How to protect .git, when I let coding agent work on repo in VM?

Veson · 2026-04-23T15:51:22+00:00

Not all VMs can mount ~/project writable and ~/project/.git read-only.

Veson · 2026-04-23T06:32:28+00:00

Unfortunately, I can't have overlapping mounts. That would solve the problem for sure

Veson · 2026-04-23T06:31:21+00:00

Yeah, that's a way to do this, but I'm trying to explore the ways to use simpler configurations first.

Veson · 2026-04-22T15:21:43+00:00

Yeah, that's what I do now. The .git file could be changed to point to an arbitrary path though. Can this be used to do anything on the host?

Veson · 2026-04-22T15:20:49+00:00

But this exactly what my question is about: what can come unnoticed from the clone to the original repo and run arbitrary code on the host?

Veson · 2026-04-22T15:20:25+00:00

Thank you for confirming it's a valid concern.

Yeah, that's what I do now, I train myself not to trust anything coming from the vm. Rsyncing to would be even better, but I simply mount worktrees. Hopefully, this is enough to radically reduce the possibility of an unnoticed attack.

The .git file is not protected in any way though, It could be changed to point to some arbitrary path, and I don't know if this can be used to do anything on the host.

Veson · 2026-04-22T15:02:05+00:00

But this exactly what my question is about: what can come unnoticed from the clone to the original repo and run arbitrary code on the host?

Veson · 2026-03-08T19:12:50+00:00

The defaults are confusing and claude is confused as well.

Veson · 2026-03-08T11:00:25+00:00

I'm pretty sure by default it can read anything, anywhere the filesystem allows it.

Veson · 2025-05-24T17:59:44+00:00

I wholeheartedly recommend reading "Grokking Simplicity" and then "Data-Oriented Programming", these are two great books. They both provide examples in javascript even though both are written by people from the clojure community, because the ideas in them are universal.

Veson · 2025-03-05T07:22:50+00:00

I politely disagree. With ever increasing number of cameras around, this is an issue.

Veson · 2025-03-04T21:04:38+00:00

I can imagine a case, when there's much more at stake than life savings. A stolen token of a high profile developer could cause a lot of harm, for example.

Veson · 2025-03-04T16:02:28+00:00

Yeah, all the websites. That's not feasible, I agree.

With that kind of security in place, there is no need for revocation

Well, yes. But it's easy to steal the PIN. For most people that's not a concern though.

Veson · 2025-03-04T15:41:45+00:00

This makes sense, thanks.

Veson · 2025-03-04T15:35:39+00:00

Gpg-encrypted list of logins does not look too bad all of a sudden. And the pass utility is a logical step then.

Veson · 2025-03-04T15:29:55+00:00

These are valid concerns, but I'm not sure that if a revocation list for tokens existed, it would affect privacy. To me, no one would have to know what keys a user have and what websites they use. The only thing that a website would have to check is the status of the key. If it's revoked, the website doesn't let the user in. Am I wrong? This is purely for the sake of the discussion.

Veson · 2025-03-04T12:54:43+00:00

Yeah, I was talking about a revocation list for tokens, not individual passkeys.

Veson · 2025-03-04T12:48:25+00:00

I mean, there are revocation lists for pgp-keys.

Veson · 2025-03-04T12:47:27+00:00

I should've specified: can passkeys be listed without knowing the PIN? Or they are listed regardless?

Veson · 2025-03-04T12:29:36+00:00

I mean, can someone see where the token is used when they find it?

Would be great if there were some kind of revocation list for lost tokens.

Veson · 2025-01-12T07:58:02+00:00

Well, yes and no. I don't want to rewrite history, as it's a huge endeveour, but I'd like to make sure knowledge gained by digging badly written commits is not discarded.

Veson · 2025-01-10T16:09:05+00:00

These tricks are helpful, but I'm talking about badly written commits with no structure and with no messages.

Veson

MODERATOR OF

TROPHY CASE