[Sandbox] Move TODOs to #939 and add some documentation.

bin/sandbox-pod

 #!/usr/bin/env ruby
 
-# TODO:
+# This bin wrapper runs the `pod` command in a OS X sandbox. The reason for this
+# is to ensure that people can’t use malicious code from pod specifications.
 #
-# * Check if we should be importing any other default profiles. E.g. `bsd.sb`.
+# It does this by creating a ‘seatbelt’ profile on the fly and executing the
+# given command through `/usr/bin/sandbox-exec`. This profile format is an
+# undocumented format, which uses TinyScheme to implement its DSL.
 #
-# * Use `literal` paths where possible, instead of `regex`.
-#
-# * How are we going to handle allowing processes like `git`, `svn`, and `hg`
-#   to work when they might be somewhere in a non-standard prefix?
-#
-# * Can we scope rules like file-read/file-write to specific processes? E.g.
-#   limit `git` to only those directories where any git operations should be
-#   performed, while allowing `xcodebuild` access to more directories.
-#
-# * Limit the scope of the rules where possible. E.g. `network-outbound` and
-#   access to the user home directory.
-#
-# * Installing docs with `appledoc` requires Apple Events and iirc, from a
-#   CoreInt episode, this is damn hard to do in a sandbox environment.
+# For more information see:
 #
+# * https://github.com/CocoaPods/CocoaPods/issues/939
+# * http://reverse.put.as/wp-content/uploads/2011/08/The-Apple-Sandbox-BHDC2011-Slides.pdf
+# * http://reverse.put.as/wp-content/uploads/2011/08/The-Apple-Sandbox-BHDC2011-Paper.pdf
+# * https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles
+# * `$ man sandbox-exec`
+# * `$ ls /usr/share/sandbox`
 
 if $0 == __FILE__
   $:.unshift File.expand_path('../../lib', __FILE__)