Right now gentoo provide access to git repositories via "git over ssh" method. But it's also possible to configure "git over https" access (like github does). The second method require less keys, and will reduce learning curve for new developers. Thus gentoo will spread wider and faster. Reproducible: Always
Created attachment 777641 [details] the proof that github don't require ssh key
I was instructed to give SSH key here - https://bugs.gentoo.org/797043#c5 If this is not necessary, then instructions should be updated (or created).
In the near future, when Gentoo provides GitLab CE service, pushing via HTTPS w/ scoped personal access token may be acceptable for overlay repos. GitHub's policy might not require SSH keys; but Gentoo's present policy does. It's easier to keep secure vs HTTPS: any disclosure of the public key does not permit impersonation of a user. However, it's presently unlikely to be accepted for the core repo. PATs cannot be natively pushed onto secure devices (e.g. Nitrokey), something like Git Credential Manager must be used. As for the learning curve, I feel that SSH keys are significantly simpler than ensuring the Git Credential Manager is correctly configured. https://github.com/GitCredentialManager/git-credential-manager/blob/main/docs/credstores.md Gentoo developers are required to have an SSH key for access to other systems, so they should be able to use it for Git as well.
Note that it IS necessary as we don't push to GitHub directly, you push to our servers and they mirror to GitHub.
(In reply to Sam James from comment #4) > Note that it IS necessary as we don't push to GitHub directly, you push to > our servers and they mirror to GitHub. (Clarifying based on another comment reporter made)
Not convinced we want to go this route. If anything, we want to use SSH keys more with the new signing capabilities and PGP keys less, based on some developers' views.
> The second method require less keys, and will reduce learning curve for new developers. Thus gentoo will spread wider and faster. I do not think SSH keys are any significant challenge for a average Linux user and I do not think it would benefit us to allow access without keys. If however there are people out there who would like to contribute to Gentoo but are scared off by ssh keys, they could contribute to other parts, like adding and maintain articles on our wiki.
I honestly doubt SSH keys could ever be more challenging than writing quality ebuilds.
As others have said, SSH keys are not a significant barrier to contribution and are better for security of all parties than password-based authentication.