On 03/12, Jeff King wrote: > On Sat, Mar 10, 2018 at 02:01:14PM +0100, Ævar Arnfjörð Bjarmason wrote: > > > > - (peff) Time to deprecate the git anonymous protocol? > > [...] > > > > I think the conclusion was that nobody cares about the git:// protocol, > > but people do care about it being super easy to spin up a server, and > > currently it's easiest to spin up git://, but we could also ship with > > some git-daemon mode that had a stand-alone webserver (or ssh server) to > > get around that. > > I don't think keeping support for git:// is too onerous at this point > (especially because it should make the jump to protocol v2 with the > rest). But it really is a pretty dated protocol, lacking any kind of > useful security properties (yes, I know, if we're all verifying signed > tags it's great, but realistically people are fetching the tip of master > over a hijack-able TCP connection and running arbitrary code on the > result). It might be nice if it went away completely so we don't have to > warn people off of it. > > The only thing git:// really has going over git-over-http right now is > that it doesn't suffer from the stateless-rpc overhead. But if we unify > that behavior in v2, then any advantage goes away.
It's still my intention to unify this behavior in v2 but then begin working on improving negotiation as a whole (once v2 is in) so that we can hopefully get rid of the nasty corner cases that exist in http://. Since v2 will be hidden behind a config anyway, it may be prudent to wait until negotiation gets better before we entertain making v2 default (well there's also needing to wait for hosting providers to begin supporting it). > > I do agree we should have _something_ that is easy to spin up. But it > would be wonderful if git-over-http could become that, and we could just > deprecate git://. I suppose it's possible people build clients without > curl, but I suspect that's an extreme minority these days (most third > party hosters don't seem to offer git:// at all). > > -Peff -- Brandon Williams
