#319 Change clone default from ssh:// to https://
Opened 4 years ago by kevin. Modified 2 years ago

Greetings.

src.fedoraproject.org has supported https pushing for a while now (and we are going to announce it formally soon). We would like to encourage people to use this instead of ssh, with the idea of retiring the ssh method some years down the road.

If fedpkg could change defaults (i.e., if you just say 'fedpkg clone') from ssh to https that would be great.

It might be worthwhile to add a new flag (-s ? --ssh?) to allow people who want to still get ssh to do so.

Thanks!


@kevin we get to the issue. I explored the possibilities. I think that just updating the gitbaseurl value in fedpkg's config with "https" would have the desired effect.
The mechanism of falling back to the old "ssh" could be more complicated. The whole clone functionality is defined in rpkg, and adding this specific change there doesn't make sense for other dependencies like "rhpkg".
Do you know what would be the reason for insisting on the old ssh?

I'm not sure why someone would insist on ssh. I suppose perhaps they are on a headless machine and can't get the initial credentials for https?
No other reason I can think of...

In this case, they can use an anonymous clone (fedpkg clone -a <repo>). This relies on https even now.

I tested HTTPS cloning. It went OK. But I didn't go through a push into a forked repo.
It requires authentication through the URL that is printed on the console, but that is not working. It probably requires some oidc configuration. But I wasn't able to find any guide that helps with this.

Until we could test the working authentication I don't see the benefit of switching to https as default. Does anybody have useful information about oidc?

What could possibly be implemented is some additional argument to fedpkg clone that allows the user to manually switch between methods:
1) adding two options --ssh and --https. --ssh stays default.
or
2) add option --protocol with default value "ssh".

How did you test? Because fedpkg already has this authentication. :)

You MUST clone or push with fedpkg so it runs getcred and sets up your OIDC token. After that you can use git all you want and it works fine due to the .git/config and OIDC token already in place.

The getcred helper also needs a gui session so it can prompt you for username/password with a browser.

This is the only way non packagers can currently push to their forks.

I'm not sure how to make the process more streamlined/clear...

1) I didn't have the correct credential helper path on .git/config of my testing repository (maybe because I cloned it in the development mode)
2) My fedpkg was running on a non-graphical docker terminal. This mode shows some text password prompt, but authentication didn't work.

Authentication works, but what about developers who work in server mode?
I am trying to find out how to generate a token that can be stored in the configuration. There is such a config value (oidc_client_secret), but it seems not to be used.

> 1) I didn't have the correct credential helper path on .git/config of my testing repository (maybe because I cloned it in the development mode)

If you cloned it with git yeah... it wouldn't. Only fedpkg would add the credhelper.

> 2) My fedpkg was running on a non-graphical docker terminal. This mode shows some text password prompt, but authentication didn't work.

Yeah, I think it requires a gui browser currently.

> Authentication works, but what about developers who work in server mode?

I guess they would need to get creds in one place and put them on the server?

> I am trying to find out how to generate a token that can be stored in the configuration. There is such a config value (oidc_client_secret), but it seems not to be used.

Not sure. :)
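The condition diagnosed in the exchange above (an HTTPS clone whose .git/config carries no credential helper because it was made with plain git), as an added example that is not part of the ticket and not fedpkg's code. The sample configs, the repository path, the ssh host and the helper path are constructed placeholders, and the URL-scope matching is a simplification of git's own.

```python
import re

SECTION = re.compile(r'^\[\s*([\w.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]$')

def parse_git_config(text):
    """Minimal git-config reader: {(section, subsection): {key: [values]}}."""
    cfg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:
            current = cfg.setdefault((m.group(1).lower(), m.group(2)), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key.lower(), []).append(value)
    return cfg

def audit_clone(config_text, remote="origin"):
    """Report the push transport and whether an HTTP(S) remote lacks a helper.

    Only the repository-local config is inspected; a helper set in the
    user's global or system git config would not be seen here.
    """
    cfg = parse_git_config(config_text)
    rem = cfg.get(("remote", remote), {})
    urls = rem.get("pushurl") or rem.get("url")
    if not urls:
        return {"transport": None, "helpers": [], "missing_helper": False}
    url = urls[-1]
    transport = url.split("://", 1)[0].lower() if "://" in url else "scp-style"
    helpers = []
    for (section, scope), keys in cfg.items():
        # Simplified scoping: global [credential] or a URL-prefix subsection.
        if section == "credential" and (scope is None or url.startswith(scope)):
            helpers += [h for h in keys.get("helper", []) if h]
    return {"transport": transport, "helpers": helpers,
            "missing_helper": transport in ("http", "https") and not helpers}

# Constructed samples (placeholders, not real repositories or helper paths).
PLAIN_GIT_HTTPS = """
[remote "origin"]
    url = https://src.fedoraproject.org/rpms/example.git
    fetch = +refs/heads/*:refs/remotes/origin/*
"""
TOOL_HTTPS = PLAIN_GIT_HTTPS + "[credential]\n    helper = /path/to/credential-helper\n"
SSH_CLONE = '[remote "origin"]\n    url = ssh://user@git.example.org/rpms/example.git\n'
```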
