
Conversation

@mikedao (Contributor) commented Mar 2, 2015

On December 18, 2014, it was announced that Git clients on Windows and OS X suffered from a security vulnerability that allowed for the possibility of remote code execution. More details here.

The problem is that RailsInstaller is seldom updated. The current version still ships with version 1.9.4 of Git. (1.9.5 is the updated version without the vulnerability.)

I've reworked the documentation for the installfest adding instructions on how to update Git from 1.9.4 to 1.9.5. I chose to install 1.9.5 over 1.9.4. The reasoning was that installing RailsInstaller without Git causes some scripts to fail until Git is then installed. Inserting a step to overwrite the old version of Git in C:\RailsInstaller\Git seemed to be the least complicated way to get it up to date, requiring the fewest number of additional steps as well as the least complex steps possible.

I tested this solution using a Windows 8 VM provided by Microsoft. The steps for Windows 7 should be the same.

All rake tests pass, and I also edited a line in the updating Rubygems step for clarity.

@tjgrathwell (Member)

Seems reasonable...

How does the system behave if you just install the newer version of Git to the default install path? Does the C:\Program Files\ Git win? What if you install Git before installing RailsInstaller? Does RailsInstaller use the already-present Git? I expect that students might accidentally miss the directory-changing step, so it would be nice to do things in the most foolproof way possible.

Those images look like they were saved with an extremely high JPEG compression level, do you mind re-creating them as PNGs? They might end up smaller overall anyway.

@mikedao (Contributor, Author) commented Mar 2, 2015

  • If you install the newer version of Git to the default path, the Rails command prompt will not see it; it has its path set to the one inside C:\RailsInstaller\Git. 1.9.4 wins in this case. This can probably be overridden, but it's a step I don't think we want to have attendees do. Modifying the install path is the lesser of two evils here.
  • If you install Git (1.9.5) first into the default directory, C:\Program Files\Git, 1.9.4 wins.
  • If you install Git (1.9.5) first into C:\RailsInstaller\Git, it gives you an error stating the directory cannot be written to, even though it is created at this step. If you try again, it will say the directory exists and ask if you want to install to it anyway. When running RailsInstaller, it first complains that C:\RailsInstaller exists. Going ahead and installing anyway, 1.9.5 wins. I was not expecting that to happen at all.

So, worst case scenario, the attendee has Git 1.9.4 which is no worse than how things were, and can be easily rectified by uninstalling Git and then reinstalling it in the correct location. Best case scenario, they have Git 1.9.5.

I've replaced the JPGs with PNGs, and modified the windows.step files to reflect this. All tests continue to pass, and I've checked the content locally.
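The three cases above come down to lookup order: the RailsInstaller command prompt puts C:\RailsInstaller\Git on its PATH ahead of anything else, so whichever git.exe sits there is the one that runs. The following Ruby script is an added example, not part of this PR or the railsbridge project, that models that resolution with a constructed PATH and constructed version strings, and checks whether the Git that wins is at or above 1.9.5. The directory names, the `audit`/`resolve_git` helpers and the sample `git --version` outputs are assumptions made for illustration; `audit_this_machine` runs the same check against whatever `git` is actually on PATH.

```ruby
# Added example (not project code): which git.exe does the RailsInstaller
# prompt find, and is it at least the patched 1.9.5 release?
# Directory names, PATH layout and version strings below are constructed.

MIN_SAFE_GIT = [1, 9, 5].freeze # first Git for Windows release the PR treats as fixed

# Parse the leading X.Y.Z from `git --version` output such as
# "git version 1.9.5.msysgit.0"; returns nil if the output is unrecognised.
def parse_git_version(output)
  m = output.match(/git version (\d+)\.(\d+)\.(\d+)/)
  m && m.captures.map(&:to_i)
end

# True only when a version was parsed and it is >= MIN_SAFE_GIT.
def git_version_safe?(output)
  v = parse_git_version(output)
  !v.nil? && (v <=> MIN_SAFE_GIT) >= 0
end

# Walk PATH entries in order (Windows separates them with ';') and return the
# first directory holding a git.exe. `installed` maps a directory to the
# version string its git.exe would print. The current-directory lookup that
# cmd.exe also performs is deliberately ignored here.
def resolve_git(path_env, installed)
  path_env.split(';').each do |dir|
    dir = dir.sub(/[\\\/]+\z/, '') # tolerate a trailing slash or backslash
    return dir if installed.key?(dir)
  end
  nil
end

# Report which Git wins on the given PATH and whether it is safe.
def audit(path_env, installed)
  dir = resolve_git(path_env, installed)
  return { dir: nil, version: nil, safe: false } if dir.nil?
  out = installed[dir]
  { dir: dir, version: parse_git_version(out), safe: git_version_safe?(out) }
end

# Constructed scenarios mirroring the cases discussed in the PR.
RAILS_GIT   = 'C:\RailsInstaller\Git\bin'
DEFAULT_GIT = 'C:\Program Files\Git\bin'

# Assumed layout of the RailsInstaller command prompt's PATH: its own Git first.
RAILS_PROMPT_PATH = [RAILS_GIT, 'C:\Windows\system32', DEFAULT_GIT].join(';')

# Case 1: newer Git installed only to the default path -> the bundled 1.9.4 wins.
SCENARIO_DEFAULT_PATH = {
  RAILS_GIT   => 'git version 1.9.4.msysgit.2',
  DEFAULT_GIT => 'git version 1.9.5.msysgit.0',
}.freeze

# Case 2: newer Git installed over C:\RailsInstaller\Git -> 1.9.5 wins.
SCENARIO_OVERWRITE = {
  RAILS_GIT => 'git version 1.9.5.msysgit.0',
}.freeze

# Live check against the real machine; nil when no git is on PATH.
def audit_this_machine
  out = (`git --version 2>&1` rescue nil)
  return nil unless out && $?.success?
  { version: parse_git_version(out), safe: git_version_safe?(out) }
end

if __FILE__ == $PROGRAM_NAME
  [['default path', SCENARIO_DEFAULT_PATH], ['overwrite', SCENARIO_OVERWRITE]].each do |name, fs|
    r = audit(RAILS_PROMPT_PATH, fs)
    ver = r[:version] ? r[:version].join('.') : 'none'
    puts "#{name}: #{r[:dir].inspect} -> #{ver} safe=#{r[:safe]}"
  end
  live = audit_this_machine
  puts "this machine: #{live ? live[:version].join('.') : 'no git on PATH'}" if live || true
end
```

Running it prints the winning directory and version for each constructed case; the live check at the end reports whatever `git` the current shell resolves, which is the same thing the installfest step is trying to influence by changing the install directory.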

@tjgrathwell (Member)

Sounds good. Could you squash the two commits together and re-push?

@mikedao (Contributor, Author) commented Mar 2, 2015

Commits squashed!

tjgrathwell added a commit that referenced this pull request Mar 2, 2015
Adding instructions on how to update Git to 1.9.5 for Windows, closing a security hole.
@tjgrathwell tjgrathwell merged commit b89e009 into railsbridge:master Mar 2, 2015
@tjgrathwell (Member)

Sounds great, redeployed!

Hopefully someday a new version of RailsInstaller will come out for Windows so we can get rid of the Git and Rubygems upgrade steps 🌞
