
Automatically create .gitignore to protect private files #71

Closed
jasikpark opened this issue Oct 14, 2018 · 3 comments
Labels
feature New feature or request good first issue Good for newcomers help wanted Extra attention is needed

Comments

@jasikpark
Contributor

jasikpark commented Oct 14, 2018

If you were to back up your shallow-backup to GitHub, it would be important for dotfiles/.ssh to be added automatically to .gitignore, and, in my opinion, packages/installed_apps_list.txt would be as well, because that's more related to private device use than development use.

I would say that backing up to Github should be a public action, and therefore the data from the shallow-backup that is sent should all be very public information.

Of course, users can edit the .gitignore file all they want, but it should be communicated to them that they are potentially uploading sensitive information to the public internet.

For example, here's my shallow-backup on github:
https://github.com/jasikpark/caleb-jasik-shallow-backup

@alichtman
Owner

alichtman commented Oct 15, 2018

> I would say that backing up to Github should be a public action, and therefore the data from the shallow-backup that is sent should all be very public information.

100% agreed. Let's make this as safe as possible. The defaults should be designed with two things in mind:

  1. An average user may not be able to push to a private repo.
  2. An average user may not understand what needs to be kept private and what can be public.

> in my opinion, packages/installed_apps_list.txt would be as well, because that's more related to private device use than development use.

Now that I think about it, there might be some security concerns with making the list of software you have downloaded public. Let's say there's a vulnerability disclosed publicly in abc v12.3 software that also happens to be available for download on Homebrew. An attacker can now search GitHub for users that have (or, had at one point) installed the vulnerable version of that software and target them explicitly.

For that reason, I think the only "public by default" items we should have are dotfiles (.zshrc, .vimrc, etc) and fonts.

Implementation Plan

Every time a user goes to back up, we should ask if it's a private backup or a public backup. If public, we should create a dotfile protecting important files from being uploaded to github. I'm thinking the text for this dotfile should go in a constants file (#67).
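The plan above (everything private by default, with only dotfiles and fonts published, and dotfiles/.ssh withheld even inside dotfiles) can be expressed as an allowlist-style .gitignore plus an audit of what would actually be pushed. The following is an added example written for this thread, not shallow-backup's own code; the backup layout it assumes (top-level `dotfiles/`, `fonts/`, `packages/` folders under one backup directory) and the function names are illustrative.

```python
"""
Added example (not shallow-backup's code): generate a .gitignore for a
"public" backup and audit which files would still be published.

Assumed layout: <backup_dir>/{dotfiles,fonts,packages,...}/...
"""
from pathlib import Path, PurePosixPath

# Only these top-level folders are public by default, per the discussion.
PUBLIC_DIRS = ("dotfiles", "fonts")
# Paths that stay private even though they live inside a public folder.
PRIVATE_SUBPATHS = ("dotfiles/.ssh",)

GITIGNORE_HEADER = (
    "# Generated for a public backup: everything is ignored "
    "except the allowlist below."
)


def build_gitignore() -> str:
    """Return .gitignore text: ignore '*', then re-include the public folders,
    then re-exclude private subpaths (last matching rule wins in git)."""
    lines = [GITIGNORE_HEADER, "*", "!.gitignore"]
    for d in PUBLIC_DIRS:
        # '!dir/' re-includes the directory, '!dir/**' its contents.
        lines += [f"!{d}/", f"!{d}/**"]
    for p in PRIVATE_SUBPATHS:
        # Trailing slash: match the directory; git cannot re-include its contents.
        lines.append(f"{p}/")
    return "\n".join(lines) + "\n"


def is_public(rel_path: str) -> bool:
    """Mirror of the .gitignore policy for a POSIX-style relative path."""
    if rel_path == ".gitignore":
        return True
    parts = PurePosixPath(rel_path).parts
    if not parts or parts[0] not in PUBLIC_DIRS:
        return False
    for priv in PRIVATE_SUBPATHS:
        priv_parts = PurePosixPath(priv).parts
        if tuple(parts[: len(priv_parts)]) == priv_parts:
            return False
    return True


def audit(rel_paths):
    """Split a backup's relative file list into (published, withheld)
    so the user can be shown exactly what a public push would expose."""
    published = sorted(p for p in rel_paths if is_public(p))
    withheld = sorted(p for p in rel_paths if not is_public(p))
    return published, withheld


def write_public_gitignore(backup_dir) -> Path:
    """Write the generated .gitignore into the backup directory."""
    target = Path(backup_dir) / ".gitignore"
    target.write_text(build_gitignore())
    return target


if __name__ == "__main__":
    import tempfile

    # Constructed sample backup listing, not a real user's data.
    sample = [
        "dotfiles/.zshrc",
        "dotfiles/.ssh/id_ed25519",
        "fonts/Inconsolata.otf",
        "packages/installed_apps_list.txt",
    ]
    pub, priv = audit(sample)
    print("would publish:", pub)
    print("kept private:", priv)
    with tempfile.TemporaryDirectory() as d:
        print(write_public_gitignore(d).read_text())
```

`audit()` is the piece that addresses the second design goal (users not knowing what is sensitive): running it before the push and printing the "would publish" list makes the exposure explicit instead of relying on the user to read the .gitignore.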

@alichtman alichtman changed the title Create/Update .gitignore with important files to not upload. Automatically create .gitignore to protect private files Oct 15, 2018
@alichtman alichtman changed the title Automatically create .gitignore to protect private files Automatically create .gitignore to protect private files Oct 15, 2018
@jasikpark
Contributor Author

That's very true. What would probably work best is to rework it where the generated folder has the backed up data divided into public and private folders, with explicit instructions for how to back up just the public one to GitHub or the whole backup to a private storage solution.

@alichtman alichtman added feature New feature or request help wanted Extra attention is needed good first issue Good for newcomers Hacktoberfest labels Oct 15, 2018
@alichtman
Owner

alichtman commented Oct 15, 2018

Ok, that's a cool idea, actually.

> with explicit instructions for how to back up just the public one to github or the whole backup to a private storage solution

I do want this to be fully integrated into the tool. No shell commands or outside interaction should be necessary. The way I'm imagining this at the moment is:

PROMPT FOR: (New) Backup path?
PROMPT FOR: Automatic git backup? (Y/N)
      If yes, PROMPT FOR: Privacy settings
PROMPT FOR: What to back up?

Broke this issue out into #79. The feature isn't fully implemented yet, but the only part I'm missing is the "public/private" separation. I added automatic .gitignore creation in the PR referenced here, so I'm closing this.
