On Sun, Apr 29, 2018 at 1:28 PM, Mark H Weaver <[email protected]> wrote:
> Hi Chris,
>
> Chris Marusich <[email protected]> writes:
>
>> You've both said that you would prefer not to add git-fetch/impure to
>> Guix. Can you help me to understand why you feel that way? I really
>> think it would be nice if Guix could fetch Git repositories over SSH
>> using public key authentication, so I'm hoping that we can talk about it
>> and figure out an acceptable way to implement it.
>
> I thought about it some more, and found that I cannot really justify my
> position on this, so I hereby drop my objection. It's obviously not
> useful for packages that will be included in Guix itself, which is our
> primary focus, but I suppose it could be useful for private package
> definitions.
>
> What do you think, David? It seems to me that password tokens in URLs
> raise possible security risks, whereas public-key authentication is
> generally better practice.

If I'm outvoted here then I'm OK with accepting this change. Just to
clarify, I advocate the use of password tokens in URLs for private
repositories only. I do this for non-Guix things as well in order to
improve reproducibility of internal builds.

- Dave
