Bug 843377 - Git access should not require ssh keys
Summary: Git access should not require ssh keys
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Git
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Infrastructure
Reported: 2022-05-09 04:22 UTC by Arsen Shnurkov
Modified: 2022-07-09 16:27 UTC

Attachments
the proof that github don't require ssh key (no-ssh-key.png,157.70 KB, image/png)
2022-05-09 04:23 UTC, Arsen Shnurkov

Description Arsen Shnurkov 2022-05-09 04:22:24 UTC
Right now Gentoo provides access to git repositories via the "git over ssh" method. But it's also possible to configure "git over https" access (like GitHub does).

The second method requires fewer keys, and will reduce the learning curve for new developers. Thus Gentoo will spread wider and faster.

Reproducible: Always
Comment 1 Arsen Shnurkov 2022-05-09 04:23:34 UTC
Created attachment 777641
the proof that github don't require ssh key
Comment 2 Arsen Shnurkov 2022-05-09 04:51:40 UTC
I was instructed to give an SSH key here - https://bugs.gentoo.org/797043#c5

If this is not necessary, then instructions should be updated (or created).
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2022-05-09 05:05:23 UTC
In the near future, when Gentoo provides GitLab CE service, pushing via HTTPS w/ scoped personal access token may be acceptable for overlay repos.

GitHub's policy might not require SSH keys; but Gentoo's present policy does.

It's easier to keep secure vs HTTPS: any disclosure of the public key does not permit impersonation of a user.

However, it's presently unlikely to be accepted for the core repo. PATs cannot be natively pushed onto secure devices (e.g. Nitrokey); something like Git Credential Manager must be used.

As for the learning curve, I feel that SSH keys are significantly simpler than ensuring the Git Credential Manager is correctly configured.

https://github.com/GitCredentialManager/git-credential-manager/blob/main/docs/credstores.md

Gentoo developers are required to have an SSH key for access to other systems, so they should be able to use it for Git as well.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-09 05:50:21 UTC Comment hidden (obsolete)
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-09 05:50:45 UTC Comment hidden (obsolete)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-09 05:52:55 UTC
Not convinced we want to go this route. If anything, we want to use SSH keys more with the new signing capabilities and PGP keys less, based on some developers' views.
Comment 7 Piotr Karbowski (RETIRED) gentoo-dev 2022-05-09 07:04:23 UTC
> The second method requires fewer keys, and will reduce the learning curve for new developers. Thus Gentoo will spread wider and faster.

I do not think SSH keys are any significant challenge for an average Linux user and I do not think it would benefit us to allow access without keys.

If however there are people out there who would like to contribute to Gentoo but are scared off by SSH keys, they could contribute to other parts, like adding and maintaining articles on our wiki.
Comment 8 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-05-09 08:05:05 UTC
I honestly doubt SSH keys could ever be more challenging than writing quality ebuilds.
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-09 16:27:16 UTC
As others have said, SSH keys are not a significant barrier to contribution and are better for security of all parties than password-based authentication.