README.md in backticks-0.4.0 vs README.md in backticks-0.5.0

- old
+ new

@@ -109,9 +109,21 @@ `echo Ruby lets me shoot myself in the foot` ``` If you do this, I will hunt you down and scoff at you. You have been warned! +## Security + +Backticks avoids using your OS shell, which helps prevent security bugs. +This also means that you can't pass strings such as "$HOME" to commands; +Backticks does not perform shell substitution. Pass ENV['HOME'] instead. + +Be careful about the commands you pass to Backticks! Never run commands that +you read from an untrusted source, e.g. the network. + +In the future, Backticks may integrate with Ruby's $SAFE level to provide smart +escaping and shell safety. + ## Development After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment. To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).