[darcs-users] ssh path

Yitzchak Gale gale at sefer.org
Fri Nov 23 11:02:25 UTC 2007


Hi Petr,

Thanks for your reply.

I wrote:
>> ...although SSH is still widely used and
>> widely supported, it is officially viewed as
>> deprecated by the IETF.

Petr Rockai wrote:
> Can you please give a reference to the place where SSH is claimed
> to be deprecated? I cannot find it. You may mean the SSH1 protocol,
> but that's largely unused for a long time.

No, the whole approach of SSH.

Well, I guess "officially" is a bit too strong - they never
came out with a press release about this, or anything like that,
afaik.

But what happened was: there was a working group for SSH
applications, and they came out with some drafts. But then the
whole effort was cancelled, and no standards ever came out of it.
You can see that in the archives on the IETF site.

It is well-known, anecdotally, that the reason this happened
is that they decided that SSH is the wrong approach.

>> Like other VCSs,
>> we should start migrating towards WebDAV
>> over an encrypted channel.

> WebDAV is horribly
> broken, at least in most current implementations.

Really? I never had any problems with it. On the
client side, all modern OSs support it seamlessly.
On the server side, just enable mod_dav and
specify a directory.

It's in widespread use. Apple quietly uses it in the
background for all kinds of things, like calendar
sharing. All the popular enterprise CMSs use
it. Etc. So it has to be well supported.

Note that WebDAV has some built-in support
for VCS, but it is hard-wired with CVS-think.
It would be a good idea for us to get involved
before they go even further down that road.

> It is very
> inconvenient to set up authentication for it.

More than inconvenient - it is impossible, by design.
Authentication and transport encryption are
provided by separate layers, not WebDAV.

That said, those layers are also not hard to
set up, so I am not sure what is bothering you.

If you still don't feel like setting it up, WebDAV
hosting is widely available, at very low cost -
a few dollars per month. Many of the super-cheap
PHP hosting sites have WebDAV that you can
enable with one click.

> And SSH is widely
> available, on all platforms you can think of.

But only after you set it up. I have found that to be
the major obstacle to using darcs with my
teams. Nowadays, most people have never
even heard of SSH, even experienced software
developers. So I spend hours on phone calls
and emails trying to explain the concepts to
them and help them troubleshoot.

Whereas, with WebDAV, I would just give
them a login and a URL, and we're up and running.

True, that is not as secure as SSH - for that you'd need to
start messing with certs and stuff. But a password
over an encrypted channel is good enough for
most situations.

> As for botnet hammering, I don't really think it is that urgent, still
> a lot less traffic than mail.

He he. Yes. Small consolation, isn't it? What a world!

Anyway, how many MIS departments do you
know who allow port 22 open these days? And I can
understand them. Have you ever browsed the logs
of a server with port 22 open? It's frightening.
This is not just spam traffic; they're shooting at you
with live ammunition. They are trying to rootkit you.
And you'd be surprised how often they come too close
for comfort.

> As for
> setting ports, there's always ~/.ssh/config (at least with OpenSSH on
> Unix), where you can specify default port for each host separately.

That is helpful on Unix, yes.

>> 1. VERY URGENT - Fix SSH port support on
>>    Windows. Either in darcs itself, or by providing
>>    wrappers for the PuTTY commands.
>> 2. Urgent - Add an --ssh-port option to darcs
>>    commands that use SSH, or parse the port
>>    number in URLs, or both.
>> 3. Important - Add WebDAV support to darcs.

> I think there are *much* more important issues for darcs than those,

(1) means that darcs is useless in most professional
environments. Is darcs only for hobbyists? Then
this is low priority.

> And all of these are fairly easily
> implemented, so you could probably provide patches for first two, it
> should be a fairly easy task (and you are apparently motivated, since
> you consider it a very urgent feature).

Touché. I am giving my users some kind of workaround,
I'll see if it can be something useful to others too. I hope
I'll have time to submit some patches...

> The last one depends on
> availability of WebDAV implementations, which may be a problem. Also,
> it is usually a royal PITA to set up on the server side properly,

Not true, as above. But if no one wants to set it up,
I am sure we can get together a few people to put in
a few dollars for hosting.

> it is probably only useful for people who either have WebDAV server
> already (I assume a smallish minority of darcs users)

I'll bet you yourself are using it without realizing it.
WebDAV is widespread, and fewer and fewer people
are using SSH. For end users, WebDAV is trivial
and SSH is complex.

> SSH is, at least for subversion, considerably
> faster than WebDAV, which is pretty inefficient.

The WebDAV site claims that WebDAV is faster.
But I don't know the basis of either their claim
or yours, nor the cause.

Regards,
Yitz
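As an added illustration of the server-side setup described in this post (not code from the original thread or from the darcs project), an Apache 2.4 virtual host that serves a directory over WebDAV, with the encryption and authentication layers supplied by mod_ssl and mod_auth_basic rather than by mod_dav itself; the hostname, file paths and credential files are assumptions.

```apache
# Assumes mod_ssl, mod_dav, mod_dav_fs, mod_alias, mod_auth_basic,
# mod_authz_groupfile and mod_authz_user are enabled, and that
# "Listen 443" already exists in ports.conf.
<VirtualHost *:443>
    # Assumed hostname and certificate paths
    ServerName darcs.example.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/darcs.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/darcs.example.org.key

    # Lock database required by mod_dav for LOCK/UNLOCK
    DavLockDB /var/lib/apache2/davlock/DavLock

    # Assumed repository root, exposed under /repos
    Alias /repos /srv/darcs
    <Directory /srv/darcs>
        Dav On
        Options -Indexes
        AllowOverride None

        # Authentication layer: HTTP Basic, acceptable only because the
        # vhost is TLS-only. Create the files with htpasswd(1).
        AuthType Basic
        AuthName "darcs repositories"
        AuthUserFile /etc/apache2/darcs.htpasswd
        AuthGroupFile /etc/apache2/darcs.groups

        # Any valid user may read; only the "committers" group may
        # use the writing WebDAV methods (PUT, MKCOL, DELETE, ...).
        Require valid-user
        <LimitExcept GET HEAD OPTIONS PROPFIND>
            Require group committers
        </LimitExcept>
    </Directory>
</VirtualHost>

# Plain HTTP only redirects, so credentials never cross the wire unencrypted
<VirtualHost *:80>
    ServerName darcs.example.org
    Redirect permanent / https://darcs.example.org/
</VirtualHost>
```

With the default `AuthMerging Off`, the `Require group committers` inside `<LimitExcept>` replaces the outer `Require valid-user` for write methods, which is the intended read/write split.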