git-novice
git-novice copied to clipboard
swcarpentry
SSH vs HTTPS
I know this topic has been discussed at depth (#778), but I feel like it might be worth revisiting. Almost every tutorial I encounter except the Carpentries recommends using HTTPS with a PAT for GitHub (happygitwithr, the usethis R package, and the fact that it's the GitHub default, to name a few). The reasons listed by these sources in favor of using and teaching HTTPS are:
- increased security (your PAT expires and can be easily deleted if someone were to get ahold of it)
- ease of setup (not all Windows machines have SSH, not all machines have port 22 open, firewalls, etc.)
- The PAT generated is also used for the GitHub API which also enables the use of many other tools that use the API under the hood in one setup step
The arguments I see in discussions in this repo in favor of SSH seem mostly philosophical:
- SSH is a widespread tool worth learning (although it's not like the concept of an API token is unique to GitHub)
- SSH is not owned by a private company (but GitHub certainly is, which is already being taught)
- SSH is platform agnostic (so is HTTPS??)
I just think this might be worth revisiting since many other git/GitHub tutorials strongly recommend HTTPS and it seems like the majority of sources think it's less likely to cause (technical) problems for students.
There were some very valid concerns about security of instructors showing their PAT or students having their PAT exposed (https://github.com/swcarpentry/git-novice/issues/778#issuecomment-883437322). But most tutorials strongly recommend against keeping your PAT in any plain text file and instead use a git-supported credential manager. Instructors should also delete the PAT they create for the course immediately after in the unlikely event that someone takes a screenshot and attempts to use it for malicious purposes.
thank you for the feedback. There have been long discussions regarding SSH vs PAT. The end result is the git lesson inherited it because the Unix Shell maintainers suggested the best example for using it is git. We did decide to https://github.com/swcarpentry/git-novice/issues/778#issuecomment-877677393, so an instructor can determine what they have time to go over. And, many people agreed that SSH is better than PATs, because SSH is used more widely (and often in command line situations, not just for git).
There is a supplemental SSH episode still in development which includes PATs. Please feel free to contribute. Issue https://github.com/swcarpentry/git-novice/issues/824 describes how to contribute and provides a space for discussion.
