Re: [Savannah-hackers-public] git over https

[Leo Famulari]

On Sat, Feb 04, 2017 at 01:39:36PM -0700, Bob Proulx wrote:
> Paul Smith wrote:
> > The current one works fine for me except that I really want HTTPS
> > support, which the current server doesn't provide.
> 
> First let me ask why you want https access?  It is terribly slow.  You
> are a member and can use ssh.  Why not use ssh access?  There is no
> advantage to using https over ssh but there are many disadvantages.
> It is really only a last ditch fallback method.

The advantage of HTTPS compared to SSH is that it can be used
anonymously, without setting up a Savannah account. Currently, users who
wish to fetch source code from Savannah using an authenticated protocol
must create a Savannah account. This is inconvenient for casual users.
I bet that most of them use the unauthenticated HTTP or Git protocols
and are vulnerable to man-in-the-middle attacks and eavesdropping. For
this reason, I would not call HTTPS a fallback method, but rather in the
same class as SSH.

>   git clone https://git0.savannah.gnu.org/git/emacs.git
>     Cloning into 'emacs'...
>     ... takes about twenty minutes with no output on my network ...

I think this is a regression from the old Savannah server. The old
server appears to use the so-called "smart HTTP" Git protocol [0], which
provides informative output while it is working. On the other hand, the
"dumb HTTP" Git protocol [1] does not provide any output.

It takes me ~40 seconds to clone the Guix Git repository from
<https://git0.savannah.gnu.org/git/guix.git>. To me, that's pretty fast
for an 83 MB download. And it's the same speed as cloning over SSH from
the old server.

[0]
https://git-scm.com/book/en/v2/Git-on-the-Server-Smart-HTTP

[1]
https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols

signature.asc
Description: PGP signature