On Sat, Mar 10, 2018 at 02:01:14PM +0100, Ævar Arnfjörð Bjarmason wrote:
> > - (peff) Time to deprecate the git anonymous protocol? > [...] > > I think the conclusion was that nobody cares about the git:// protocol, > but people do care about it being super easy to spin up a server, and > currently it's easiest to spin up git://, but we could also ship with > some git-daemon mode that had a stand-alone webserver (or ssh server) to > get around that. I don't think keeping support for git:// is too onerous at this point (especially because it should make the jump to protocol v2 with the rest). But it really is a pretty dated protocol, lacking any kind of useful security properties (yes, I know, if we're all verifying signed tags it's great, but realistically people are fetching the tip of master over a hijack-able TCP connection and running arbitrary code on the result). It might be nice if it went away completely so we don't have to warn people off of it. The only thing git:// really has going over git-over-http right now is that it doesn't suffer from the stateless-rpc overhead. But if we unify that behavior in v2, then any advantage goes away. I do agree we should have _something_ that is easy to spin up. But it would be wonderful if git-over-http could become that, and we could just deprecate git://. I suppose it's possible people build clients without curl, but I suspect that's an extreme minority these days (most third party hosters don't seem to offer git:// at all). -Peff
