ability to fetch dependencies via git+ssh protocol

Open andrewrk opened this issue 2 years ago • 1 comments

Extracted from #14265.

zig build should support fetching via a URL like this:

    .url = "git+ssh://[email protected]:ziglang/zig.git#8b8090d7fad3e444784bc52db6a80188a9dbd3c0",

Note that the fragment is used to fetch a particular commit. I suppose the fragment could be omitted, meaning to fetch the latest HEAD of the default branch; however, this would not be advised since the hash would be wrong as soon as another commit is pushed to that branch. Ideally, if the fragment is omitted then an error would be emitted telling the user to add the fragment, giving them a copy+pasteable snippet, or perhaps even editing the manifest file on the user's behalf.

Open question: should it be built-in? or is this issue a request for a third party contributor to make a fetch plugin (#14294)?

I think the first step would be to implement this as a third-party fetch plugin, and then we can evaluate whether it can be upstreamed and become a builtin.

Related:

  • #14296
  • #14297
  • #14298

andrewrk, Jan 13 '23 05:01

Considering how security sensitive ssh is, I am not sure it would be a good idea to implement the protocol ourselves (be it builtin or plugin). Just calling the git executable instead and letting it deal with it sounds (at least to me) like a more sane solution, even if it means that it needs to have Git in its $PATH.

There are a few reasons for this:

  • There will be requests about "support typing in the password manually", "support ssh keyfiles", "support getting the keyfile via " and possibly more.
  • Some Linux distributions use SELinux to only allow certain executables to access ~/.ssh (and quite frankly for good reason).
  • It's also not like the protocol is small/easy: https://datatracker.ietf.org/doc/html/rfc4254. Sure, chapters 6 (interactive sessions) and 7 (TCP/IP forwarding) aren't needed, but just this RFC forwards to other RFCs for details.
  • Git over SSH works by creating a full-blown ssh session (in non-interactive mode, like when you for example say ssh user@server 'ps -A') and then running a few commands (on sites like GitHub restricted by using git-shell as login shell). Because of that not even the Git executable itself implements SSH itself but uses the one it finds in PATH (most often OpenSSH).

So with that in mind, I would argue that implementing this by calling Git (or even ssh) would be preferable since I doubt anybody here wants to essentially maintain an SSH implementation.

KilianHanich, Jul 22 '24 10:07
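A sketch of the delegation approach from the comment above combined with the fragment rule from the issue: validate the manifest URL, refuse a missing or abbreviated commit, and hand the transport to the `git` found in PATH. This is an added example in Python, not code from Zig or from either poster; the function names, `ManifestError` and the `git.example.com` remote are hypothetical, and it assumes the server allows fetching a commit by its full SHA-1 hash.

```python
import re
import subprocess

SCHEME = "git+ssh://"
# user@host:path, as in the issue's example. No component may start with "-",
# so neither git nor ssh can mistake part of the remote for an option.
REMOTE_RE = re.compile(
    r"[A-Za-z0-9_][\w.-]*@[A-Za-z0-9][A-Za-z0-9.-]*:[\w.~][\w.~/-]*", re.ASCII)
COMMIT_RE = re.compile(r"[0-9a-f]{40}")  # assumption: full SHA-1 object name

class ManifestError(ValueError):
    """Hypothetical error type for a rejected dependency URL."""

def parse_dependency_url(url):
    """Split a git+ssh dependency URL into (remote, commit) or raise."""
    if not url.startswith(SCHEME):
        raise ManifestError("not a git+ssh URL")
    remote, _, commit = url[len(SCHEME):].partition("#")
    if not REMOTE_RE.fullmatch(remote):
        raise ManifestError("remote must look like user@host:path")
    if not commit:
        # The issue asks for a copy+pasteable hint when the fragment is missing.
        raise ManifestError(f'missing commit: use "{SCHEME}{remote}#<full commit hash>"')
    if not COMMIT_RE.fullmatch(commit):
        raise ManifestError("fragment must be a full 40-character hex commit hash")
    return remote, commit

def fetch_commands(url, dest):
    """Return the git argv lists that fetch only the pinned commit into dest."""
    remote, commit = parse_dependency_url(url)
    return [
        ["git", "init", "--quiet", "--", dest],
        ["git", "-C", dest, "fetch", "--quiet", "--depth=1", "--", remote, commit],
        ["git", "-C", dest, "checkout", "--quiet", "--detach", "FETCH_HEAD"],
    ]

def fetch(url, dest):
    """Run the commands, then confirm HEAD is exactly the pinned commit."""
    commit = parse_dependency_url(url)[1]
    for argv in fetch_commands(url, dest):
        subprocess.run(argv, check=True)  # argv list: no shell, ssh is git's job
    head = subprocess.run(["git", "-C", dest, "rev-parse", "HEAD"], check=True,
                          capture_output=True, text=True).stdout.strip()
    if head != commit:
        raise ManifestError(f"fetched {head}, which is not the pinned commit")
    return head

if __name__ == "__main__":
    # Constructed remote; the commit hash is the one quoted in the issue.
    demo = SCHEME + "git@git.example.com:owner/repo.git#8b8090d7fad3e444784bc52db6a80188a9dbd3c0"
    for argv in fetch_commands(demo, "dep"):
        print(" ".join(argv))
```

Key handling, agents, host-key checks and SELinux policy all stay with the installed ssh client, which is the point the comment makes.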