pip should warn on git:// protocol

[alex]

This is un-authenticated, the same as HTTP, and is thus a MITM vector.

[jezdez]

Makes sense, we should do the same for other vcs backends using unencrypted protocols

[deveshks]

I wanted to take a shot at this PR.

But before that, I wanted to understand what kind of URL does git:// protocol refers to ? Is this from one of the URL's mentioned in the pip install's Git subsection ?

[uranusjr]

@deveshks It’s the Git protocol, which is an ancient (OK this is an exaggeration) standard before “smart HTTP” came about, and was the prevelant choice for read-only remotes (because fetching through HTTP and HTTPS was very slow at the time). To install from it, you’d write something like pip install git+git://example.com/repo.git.

Honestly I feel this is no longer necessary. Nobody really mentions git:// anywhere anymore, and anyone still using the Git protocol at this point probably knows what they’re doing and don’t need the warning anyway.

[uranusjr]

I think one thing we should do is to change or remove those git+git:// and git:// entries in the documentation to avoid the impression that it is a good idea.

[deveshks]

Hi @uranusjr ,

I did try pip install -e git+git://github.com/python/mypy.git which I assume refers to the Git protocol, and got the error ERROR: Could not detect requirement name for 'git+git://github.com/python/mypy.git', please specify one with #egg=your_package_name, so I think that should be enough to ensure failure if the old protocol is used.

BTW, I also tried pip install -e git://github.com/python/mypy#egg=mypy which refers to the first URL git://git.example.com/MyProject#egg=MyProject and it succeeds.

I also tried pip install -e git+git://github.com/python/mypy#egg=mypy which refers to the second URL git+git://git.example.com/MyProject#egg=MyProject and it succeeds too.

We can remove both URL's from the documentation, but I think we should also raise an exception if the users are still using said URL. What do you think?

[uranusjr]

I think we should also raise an exception if the users are still using said URL.

I don’t think it’s a good idea to raise an exception. It is a perfectly valid URL, and pip should keep it working. The most pip should do is to emit a warning message, althought that is still unnecessary IMO.

[deveshks]

Sure @uranusjr , I think that makes more sense.

So do I create a PR to just remove the URL's from the documentation, or do I also emit a warning message as well?

[uranusjr]

@deveshks Let’s do them in two PRs. The documentation one should be straightforward, and discussion on the warning’s wording could delay it unnecessarily.

[deveshks]

Thanks @uranusjr , have create the first PR for the doc. As for the warning, I think it can be something like

WARNING. You are using <url> which is based on Git protocol, which is unauthenticated. 
We suggest you to use other appropriate vcs urls as per the pip install docs