making remote git storage work [was Re: Subsurface ans Dropbox]

Fri May 29 08:59:25 PDT 2015

On Fri, May 29, 2015 at 04:24:04PM +0100, Long, Martin wrote:
> 
> I didn't want to come across as hostile. I know I haven't contributed a LOT
> to the project like some others. Unfortunately, although I'm a developer,
> C/C++ are not strengths of mine, so contributing code is difficult, but I
> was just offering a contribution in the form of some feedback from my
> perspective.

I apologize that my response to your feedback and perspective was rather
aggressive. I guess you hit a few sore spots on my mantel of thick skin
that you need to be an open source maintainer...

> You can get FREE SSL certificates, which are accepted by all of the major
> browsers, from StartSSL. They do simple verification using email, and you
> can get them straight away. I use them all the time. It's secure, but they
> just don't offer the monetary guarantees that the big providers offer,
> making it unsuitable for ecommerce.

StartSSL is such an unbelievable pain in the rear it's not even funny. I
used to use them and at some point just gave up. They twice randomly
decided that there were undefined "issues" with my application and forced
me to a $50 ID verification process. And recovery of your credentials is
impossible, yet they expire after one year - so unless you are super
proactive (note: I'm not) you go through this crap once every 364 days.

I cannot wait for the LF to launch their initiative to get free SSL
certificates.

All that said, I have ssh based authentication working on my git server.
I do NOT have https/user/passwd based authentication working. So
regardless of the certificate issue, it still would require more effort on
my side.

I am very serious - if someone wants to investigate a way to automate
things to set up repositories at some other public site with acceptable
usage terms and EULA that can be seamless to the user and is https based -
I would ABSOLUTELY LOVE THAT.

But I have to prioritize my time - I already barely have the time to do
the things I do and other intersts and duties of mine suffer because of
all the time I spend on Subsurface. I simply don't expect that I'll be
able to get this implemented any time soon. Whereas I have ssh
authentication working and believe that I understand what it will take to
implement the backend infrastructure for that.

> I quite understand that we need to keep this simple for the user, and hence
> my suggestion to use https.I thought it would be simpler to do this using
> http/https than it would using a convoluted method of fetching and
> decrypting a key using a REST api, especially when the result is ultimately
> the same - login using a username/password. I don't think at any point did
> I suggest that [non-advance] users should be creating SSH keys, rather that
> we ought to consider user/password security over http as a better fit
> implementation for that use case.

See above. That would require that I implement this on the back end.

/D