Switch default Git setup to ssh=true? #437

Closed
gdalle opened this issue Oct 18, 2023 · 9 comments

@gdalle
Collaborator

gdalle commented Oct 18, 2023

HTTPS authentication was deprecated by GitHub in 2021 in favor of SSH, so that the simple workflow given in JuliaNotes now fails. I don't know how GitLab and other platforms handle this, but maybe it would make sense to choose ssh=true as the default in the Git plugin? On the other hand it would require users to set up their SSH connection to GitHub, but that's a one-time cost that many have already paid.

Related:

@oxinabox
Collaborator

I think this is a good idea.
I think ssh is the most common way to authenticate everywhere now.
So it is the better default.

I am not sure if I would consider this breaking.
In general the notion of what is breaking and not is not so well defined for user facing things as it is for API facing things.

@fredrikekre
Member

Where did you see this? Looks like https is the first thing they mention in the docs: https://docs.github.com/en/get-started/getting-started-with-git/about-remote-repositories. See also https://stackoverflow.com/a/11041782/5087136 for example, which suggests GitHub used to "strongly recommend" ssh, but this isn't the case anymore.

@gdalle
Collaborator Author

gdalle commented Oct 19, 2023

I was imprecise: HTTPS per se has not been deprecated, but you can no longer just use your GitHub password for it. You have to create a personal access token and use that instead.
So while HTTPS cloning used to be simpler than SSH, this is no longer the case. In addition, HTTPS will require you to enter your token every time, or use a credential manager.

https://docs.github.com/en/get-started/getting-started-with-git/why-is-git-always-asking-for-my-password

@gdalle
Collaborator Author

gdalle commented Oct 19, 2023

This came up while trying to get students set up as quickly as possible with a new, functional repo

@fredrikekre
Member

But isn't that a lot easier than creating SSH keys (in particular on Windows)? Isn't there some VSCode plugin where you can just log in to GitHub and not have to worry about either token or SSH keys too?
I have no opinion here though, I never use this package, just thought I would chime in since you asked for feedback :)

@gdalle
Collaborator Author

gdalle commented Oct 19, 2023

Thanks for chiming in! Windows is indeed a big blind spot for me, I don't know how SSH works there

@gdalle
Collaborator Author

gdalle commented Oct 19, 2023

As for VSCode, I don't know if the authentication mechanism of the GitHub extension allows you to bypass the need for a personal access token (HTTPS) or private/public key (SSH).
I think you still need to do the Git setup separately, and VSCode is just a wrapper:

@nsajko

nsajko commented Oct 19, 2023

On GitHub, the username&password Git auth still works, you just use the GitHub-generated token instead of your password. Personally I do it like that because it prevents me from having to manage SSH keys in addition to passwords. The token system is also convenient because a GitHub user may choose a very fine-grained set of capabilities to bestow upon a token before it gets generated. I don't think GitHub supports this for SSH keys?

Asymmetric crypto (SSH keys) is the better practice security-wise, in theory. I'm not, however, sure the advantages matter in practice, for GitHub specifically, because I have to refresh my login on github.com every so often anyway (when deleting a repo, for example), and this requires my actual password.

Regarding GitLab, they support both personal access tokens and SSH keys for Git auth, like GitHub, but they also still support the regular old username&password auth.

Regarding setting ssh = true as the default, I don't think it's a good idea because it'd introduce additional friction. To use SSH Git auth, a new user may need to:

  1. learn about asymmetric cryptography on a high level
  2. learn about all the different algorithms, which are secure in practice and which ones are outdated
  3. set up SSH keys
  4. teach GitHub about your public keys

These may be roadblocks for some/most new users, and it's neither wise nor pedagogic to make newbies think they have to learn all this stuff just to be able to play with a Julia package IMO.

@gdalle
Collaborator Author

gdalle commented Oct 19, 2023

Thanks for your input, I'm actually convinced to keep HTTPS for now! Leaving the issue open in case anyone would like to weigh in

gdalle changed the title from "Switch default Git setup to ssh=true (breaking)" to "Switch default Git setup to ssh=true?" on Oct 30, 2023

gdalle closed this as completed on Nov 9, 2023