From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mark H Weaver Subject: bug#31284: [PATCH 0/1] guix: Add git-fetch/impure. Date: Sun, 29 Apr 2018 13:28:13 -0400 Message-ID: <87vac9ylaq.fsf@netris.org> References: <87o9i4szg8.fsf@gmail.com> Mime-Version: 1.0 Content-Type: text/plain Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:46139) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fCq9I-0000Iv-3E for bug-guix@gnu.org; Sun, 29 Apr 2018 13:30:08 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fCq9D-0004gh-6H for bug-guix@gnu.org; Sun, 29 Apr 2018 13:30:08 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:35216) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1fCq9D-0004gS-2h for bug-guix@gnu.org; Sun, 29 Apr 2018 13:30:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1fCq9C-0008Qg-Rh for bug-guix@gnu.org; Sun, 29 Apr 2018 13:30:02 -0400 Sender: "Debbugs-submit" Resent-Message-ID: In-Reply-To: <87o9i4szg8.fsf@gmail.com> (Chris Marusich's message of "Fri, 27 Apr 2018 21:54:31 -0700") List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Chris Marusich Cc: 31284@debbugs.gnu.org Hi Chris, Chris Marusich writes: > You've both said that you would prefer not to add git-fetch/impure to > Guix. Can you help me to understand why you feel that way? I really > think it would be nice if Guix could fetch Git repositories over SSH > using public key authentication, so I'm hoping that we can talk about it > and figure out an acceptable way to implement it. I thought about it some more, and found that I cannot really justify my position on this, so I hereby drop my objection. It's obviously not useful for packages that will be included in Guix itself, which is our primary focus, but I suppose it could be useful for private package definitions. What do you think, David? It seems to me that password tokens in URLs raise possible security risks, whereas public-key authentication is generally better practice. Mark