[darcs-users] ssh path

Petr Rockai me at mornfall.net
Fri Nov 23 12:05:37 UTC 2007


"Yitzchak Gale" <gale at sefer.org> writes:
> No, the whole approach of SSH.
What do you mean by the approach of SSH?

> But what happened was: there was a working group for SSH
> applications, and they came out with some drafts. But then the whole
> effort was cancelled, and no standards ever came out of it.  You can
> see that in the archives on the IETF site.
>
> It is well-known, anecdotally, that the reason this happened is that
> they decided that SSH is the wrong approach.
Well, depends on what you mean by wrong approach. And to what.

>> WebDAV is horribly broken, at least in most current
>> implementations.
>
> Really? I never had any problems with it. On the client side, all
> modern OSs support it seamlessly.  On the server side, just enable
> mod_dav and specify a directory.
Well, could be, but you still need to solve certificates and
authentication. With ssh, you get both mostly for free. And it is
probably still more secure than self-signed certs.

> Note that WebDAV has some built-in support for VCS, but it is
> hard-wired with CVS-think.  It would be a good idea for us to get
> involved before they go even further down that road.
You probably mean DeltaV, subversion is using it for its http(s)://
support. Yes, it is somewhat problematic. And you need to have a
specialised WebDAV module for your webserver so it can serve
subversion repositories. There is mod_svn, but for one, I don't use
apache, so tough luck.

>> It is very inconvenient to set up authentication for it.
>
> More than inconvenient - it is impossible, by design.
> Authentication and transport encryption are
> provided by separate layers, not WebDAV.
Yes, but you still need to provide it.

> That said, those layers are also not hard to set up, so I am not
> sure what is bothering you.
They are harder to set up than ssh is.

> If you still don't feel like setting it up, WebDAV hosting is widely
> available, at very low cost - a few dollars per month. Many of the
> super-cheap PHP hosting sites have WebDAV that you can enable with
> one click.
Eh. That won't help you much. Unless all you want to do is store
files, but unfortunately, darcs push is a little more complex than
that, at least for now.

>> And SSH is widely available, on all platforms you can think of.
>
> But only after you set it up. I have found that to be the major
> obstacle to using darcs with my teams. Nowadays, most people have
> never even heard of SSH, even experienced software developers. So I
> spend hours on phone calls and emails trying to explain the concepts
> to them and help them troubleshoot.
Dunno, in the operating systems I use, it works out of the box, just
after fully automatic installation. Both client and server.

> Whereas, with WebDAV, I would just give them a login and a URL, and
> we're up and running.
We just live in totally different worlds, then :-). And yes, I am a
professional (as in making a living off it) software developer, too. I
probably do have client-side WebDAV support, but I don't have use for
it.

> True, that is not as secure as SSH - for that you'd need to start
> messing with certs and stuff. But a password over an encrypted
> channel is good enough for most situations.
Yes, but you still need certificates to know whom you send the
encrypted password to.

> Anyway, how many MIS departments do you know who allow port 22 open
> these days? And I can understand them. Have you ever browsed the
> logs of a server with port 22 open? It's frightening.  This is not
> just spam traffic; they're shooting at you with live
> ammunition. They are trying to rootkit you.  And you'd be surprised
> how often they come too close for comfort.
You often want to disable password-auth, that will get you fairly far
away from the danger of the bots succeeding. SSH on the standard port
is not the problem. How you use it may be. I have no idea what an MIS
department is.

> (1) means that darcs is useless in most professional
> environments. Is darcs only for hobbyists? Then this is low
> priority.
Well, I assume that the primary darcs userbase is exactly hobbyists --
free software developers aren't much anything else, for the most
part. And those professional environments that do care probably have
more than enough in-house manpower to fix darcs. Or to hire someone to
fix it. For whatever purpose they have for it. It *is* free software,
after all. (Or to buy some professional-grade VCS which has the feature
set of CVS and a GUI, but non-trivial licensing fees).

>> And all of these are fairly easily implemented, so you could
>> probably provide patches for first two, it should be a fairly easy
>> task (and you are apparently motivated, since you consider it a
>> very urgent feature).
>
> Touché. I am giving my users some kind of workaround,
> I'll see if it can be something useful to others too. I hope
> I'll have time to submit some patches...
You don't need to work around anything, you can fix it properly :-).
You could also implement WebDAV support using curl, since it
apparently has support for that. However, since darcs normally needs
to do non-trivial work on the remote end (running darcs apply for
that), it could be a problem implementing over WebDAV. So again,
WebDAV is bound to be much less efficient at this task, since it will
probably have to do all that work on the local end (which also means,
it may have to download much more data for each push, so it can
compute the new patches). So if you really dislike SSH, you could
implement SMTP-based pushes and run darcs apply on the remote host
that way. Anything involving apache running darcs apply upon WebDAV
operations is probably not going to fly.

>> The last one depends on availability of WebDAV implementations,
>> which may be a problem. Also, it is usually a royal PITA to set up
>> on the server side properly,
>
> Not true, as above. But if no one wants to set it up, I am sure we
> can get together a few people to put in a few dollars for hosting.
Yes, but people usually feel more comfortable with having their
repositories on their own machines. Moreover, the push support in
darcs is fairly marginal (in my opinion), since you can (and usually
want to) use all-pulls model (using http), or if you have a public
repo somewhere that is updated remotely, only the person responsible
for that one needs the ssh access.

>> it is probably only useful for people who either have WebDAV server
>> already (I assume a smallish minority of darcs users)
>
> I'll bet you yourself are using it without realizing it.
I am not. I used to use it with subversion, but it was way too broken
(both server and client side). Switched to the svn+ssh:// protocol for
all uses I still do have for subversion. It just works better. Same
for university and work -- all SSH and no WebDAV.

> WebDAV is widespread, and fewer and fewer people are using SSH. For
> end users, WebDAV is trivial and SSH is complex.
That is not quite true in the free software world. And darcs lives in
that world. Proprietary technology is, well, proprietary and fairly
distant.

>> SSH is, at least for subversion, considerably faster than WebDAV,
>> which is pretty inefficient.
>
> The WebDAV site claims that WebDAV is faster.  But I don't know the
> basis of either their claim or yours, nor the cause.
For what? SSH is just an encryption tunnel. You could run WebDAV in
SSH, in theory. For subversion, the choice is svn:// (internal,
stateful protocol) over SSH versus WebDAV/DeltaV over SSL/TLS. WebDAV
loses on this front. It may be faster in some applications, sure. But
it probably still won't beat rsync over ssh for file transfers, either.

Yours,
  Peter

-- 
Peter Rockai | me()mornfall!net | prockai()redhat!com
 http://blog.mornfall.net | http://web.mornfall.net

"In My Egotistical Opinion, most people's C programs should be
 indented six feet downward and covered with dirt."
     -- Blair P. Houghton on the subject of C program indentation
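
An added example, not part of the original message: a small audit of sshd_config text for the point made above about disabling password-auth. It assumes OpenSSH semantics (case-insensitive keywords, first value for a keyword wins, keyboard-interactive enabled by default), does not follow Include directives, and uses a constructed sample config.

```python
# Added example: report where an sshd_config still permits password logins.
# Assumptions: OpenSSH semantics; Include files are not followed.

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Deprecated keyword that OpenSSH treats as an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample, not taken from any real host.
SAMPLE = """\
# constructed sample
PasswordAuthentication no
ChallengeResponseAuthentication yes
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""


def effective_settings(config_text):
    """Return (global settings, list of (match, keyword, value) overrides)."""
    settings, overrides, match = {}, [], None
    for raw in config_text.splitlines():
        fields = raw.strip().split(None, 1)
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        key = ALIASES.get(fields[0].lower(), fields[0].lower())
        value = fields[1].strip().strip('"').lower()
        if key == "match":
            match = fields[1].strip()      # later lines belong to this block
        elif key in DEFAULTS and match is None:
            settings.setdefault(key, value)  # first value obtained wins
        elif key in DEFAULTS:
            overrides.append((match, key, value))
    return {**DEFAULTS, **settings}, overrides


def findings(config_text):
    """List every place where a password-based method is still enabled."""
    settings, overrides = effective_settings(config_text)
    out = [f"global: {k} is {v}" for k, v in settings.items() if v != "no"]
    out += [f"Match {m}: {k} is {v}" for m, k, v in overrides if v != "no"]
    return out
```

On the sample, the second PasswordAuthentication line is ignored, but keyboard-interactive (which can still prompt for a password through PAM) and the Match block are both reported.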

