From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Thompson, David" Subject: bug#31284: [PATCH 0/1] guix: Add git-fetch/impure. Date: Mon, 30 Apr 2018 09:59:04 -0400 Message-ID: References: <87o9i4szg8.fsf@gmail.com> <87vac9ylaq.fsf@netris.org> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:41721) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fD9La-0008Lz-KF for bug-guix@gnu.org; Mon, 30 Apr 2018 10:00:12 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fD9LW-0003nl-Oj for bug-guix@gnu.org; Mon, 30 Apr 2018 10:00:06 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:36205) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1fD9LW-0003nf-J8 for bug-guix@gnu.org; Mon, 30 Apr 2018 10:00:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1fD9LW-0003d1-6W for bug-guix@gnu.org; Mon, 30 Apr 2018 10:00:02 -0400 Sender: "Debbugs-submit" Resent-Message-ID: In-Reply-To: <87vac9ylaq.fsf@netris.org> List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Mark H Weaver Cc: 31284@debbugs.gnu.org On Sun, Apr 29, 2018 at 1:28 PM, Mark H Weaver wrote: > Hi Chris, > > Chris Marusich writes: > >> You've both said that you would prefer not to add git-fetch/impure to >> Guix. Can you help me to understand why you feel that way? I really >> think it would be nice if Guix could fetch Git repositories over SSH >> using public key authentication, so I'm hoping that we can talk about it >> and figure out an acceptable way to implement it. > > I thought about it some more, and found that I cannot really justify my > position on this, so I hereby drop my objection. It's obviously not > useful for packages that will be included in Guix itself, which is our > primary focus, but I suppose it could be useful for private package > definitions. > > What do you think, David? It seems to me that password tokens in URLs > raise possible security risks, whereas public-key authentication is > generally better practice. If I'm outvoted here then I'm OK with accepting this change. Just to clarify, I advocate the use of password tokens in URLs for private repositories only. I do this for non-Guix things as well in order to improve reproducibility of internal builds. - Dave