SSH support in Pkg #16041
Comments
ViralBShah
added
packages
|
For what it's worth, I am in the same boat as David. I'm on Windows and have many private repos (close to 50 and counting). It took me some time to set up SSH and point all my remotes to git@github.com so that I could do Pkg.update without entering my password so many times. It was also necessary to set that up for Travis and Appveyor. Now, all my tests are failing on 0.5 because the private repos cannot be cloned. This has stopped me from doing any work on 0.5. Like David, I would hope this gets a 0.5 label because I am REALLY looking forward to 0.5 :) Cheers |
|
This particular ccall is not present on windows and evidently obsolete, so #8228 (comment) still stands. We're going to primarily support https going forward, so I'm going to close this as a duplicate of #8228. |
|
Probably. I consider ssh keys far worse in usability than just typing a password, so I'm not too motivated to do anything drastic here. I believe @eschnett had looked at adding libssh to |
|
Not everyone uses github. I have locally hosted git repositories that use ssh authentication. Is that going to be unsupported going forward? That's shame, if true. |
|
Can we leave this issue open, please? Clearly requiring username/password entering for every private package on every I should add that using SSH keys is working great on julia 0.4 for me, so dropping that support without replacing it with something similar would be a huge regression from my point of view. |
|
The windows-specific part of this issue is a duplicate of #8228. We're using libgit2 for the package manager now, that's not up for debate. If ssh support by default is something that people want strongly enough to implement then I'm not going to say we shouldn't do it, but I don't consider it release-blocking. There's also the option of not using Pkg to manage private packages (just put them somewhere else on |
tkelman
changed the title
|
Hi, I have close to 50 private repos on GitHub and there is no way I am going to enter my password 50 times every time I Pkg.update. Even 4 times ( #8228 ) is too much. If this is really the future for me with Julia, please let me know ASAP as I will need to switch to a different language and the somer I make that painful call, the better. Thanks everyone. |
|
No, nobody wants to have to enter a password 50 times. This'll get fixed. |
|
Thank you for the reassurance Keno. I was starting to panic (I do that too easily sometimes) :) |
|
Great! I think some fix should really come for 0.5, so maybe apply the 0.5 label? At least for github and bitbucket another option would be to plug into the whole git credential storage framework. That might only work if people have git installed and configured, but as an option that would be nice, especially as it would work with https URLs. Of course that doesn't work for people with locally hosted repos, so I think it wouldn't be a substitute for ssh support. |
|
We've gone without ssh support on master for 6 months now. I don't think this is release blocking. |
|
Keep in mind that the vast majority of users hasn't been on master for the last 6 months. Just because something hasn't shown up as a problem for the core dev group in the last 6 months doesn't mean that it can't be a major problem for a large user group that is only now starting to explore 0.5. This issue would keep me from upgrading to 0.5 until sorted out because it completely would break my daily workflow. |
Oh, come on. Lots of people who use julia in "production" haven't (and shouldn't have) upgraded to 0.5 yet. |
|
I only have a few private repos, and it's already pretty irritating. |
|
I also find this annoying. I frequently launch 0.4 just to run |
|
Password caching should not be a problem. Temporary solutions is to use ssh-agent. |
|
@Keno any chance enabling the I don't think it's technically feasible in libgit2 just yet, but something Jake and Art and I had discussed was possibly making ssh support optional in a way that PkgDev or some other non-default package could be in charge of obtaining the binaries for libssh2. edit: side note, even the libgit2sharp maintainers who are core developers of libgit2 choose not to support ssh in the binaries they distribute: libgit2/libgit2sharp#255 (comment) |
|
In case it helps... I'm very actively using 0.4, but haven't made the jump to 0.5 yet. I have lots of private repos, and I agree that package maintenance would be impossible for me (I'd just abandon it and manage the repos by hand). My password is 20 characters of gibberish, so typing it in is not an option. |
|
I suppose we can merge the first three commits and put off the tests for later. I've made some progress on the test case, but it's still flakey. |
|
It's not like we have any tests for it now. While we do really badly need some and we shouldn't let it remain untested for any longer than we absolutely have to, working and untested is a bit better than not working and untested. |
|
Mbedtls does not support DSA keys. We probably can tweak mbedtls configuration to support for 4096-bit RSA keys. |
|
So, even dropping back to 2048-bit RSA doesn't work for me. |
|
@blakejohnson are you on linux? |
|
No, Mac OS X 10.11.5. |
|
After #17586, |
|
how often do you get prompted? I don't know how long we cache the credentials for, or if we have it working in a way where we can let ssh-agent entirely handle the passphrase |
|
passphrase should be entered when adding the key to the agent, so we shouldn't need to prompt for it. |
|
Indeed ssh-agent authentication appears to be broken again. Will take a look. |
`usesshagent` is just a flag to determine whether or not to use the agent, so zeroing it isn't necessary. Even worse, since it only gets a reference to one of the flag strings (stored in the AST), zeroing them globally changes those strings, disabling ssh-agent authentication entirely. Fixes the problem noted in #16041
|
@blakejohnson have you had a chance to re-test that redirection issue again recently? Did you ever open a separate issue on it? |
|
No, I haven't tried that again. Though, given the number of other issues Keno has fixed in recent days, I wonder if I wasn't premature in identifying the temporary cause of success. I'll put that on my queue to test, and if it is still a problem, I'll file an issue. |
`usesshagent` is just a flag to determine whether or not to use the agent, so zeroing it isn't necessary. Even worse, since it only gets a reference to one of the flag strings (stored in the AST), zeroing them globally changes those strings, disabling ssh-agent authentication entirely. Fixes the problem noted in JuliaLang#16041
|
I do experience the problem of being prompted for the passphrase of the wrong key (GitHub key is not the default one), while I don't have this issue with other applications using SSH (nor I have with Julia 0.4.6). I'm running Julia Version |
|
@giordano Do you have that key set in your SSH config file? Unfortunately, libssh2 (and consequently libgit2) cannot use the SSH config file information. |
|
Yes, I have. Am I hopeless? At least I have to type the password just once ;-) |
|
@giordano You and I are both in the same crappy boat, I'm afraid. I expect it won't be fixed unless libssh2 starts parsing SSH config files. |
|
Although inputting a password once is not the end of the world, it is not completely symmetric if linux/OSX do not need to input passwords. Until this is fixed for Windows, I almost say we should break it for linux/OSX too, just to be fair and so it doesn't drop off the radar (given this issue is closed - presumably in a rush so they could release 0.5 - although it doesn't seem 100% satisfactory). |
|
Windows should not be a second class Julia citizen. |
|
What leads you to think this is Windows-specific? |
|
Ignorant assumptions? :) |
|
windows is kind of a second class citizen with ssh usability in general apart from julia. we try not to intentionally break things on any platform, but if there are remaining improvements to make on any platform we should have issues to track them (see #17541, and there are a few already open and being tracked) |
|
@EricForgy I'm on OS X. I actually don't have to input a passphrase as my key doesn't have one, but I have to type the full path to my key every time. |
|
On OSX el capitan 10.11.6 I am unable to get Pkg.clone() working on julia 0.5 http://stackoverflow.com/questions/39849236/pkg-clone-changed-on-julia-0-5 |
|
With julia 0.5.1, Hence, this issue should be reopened! |
|
No, that's the windows path issue. |
|
Unrelated problem, addressed by this PR: #20914. |
Julia 0.5 has removed all support for cloning private repos on Windows. In previous versions one could always clone private repos via SSH remote URLs, but support for the git protocol seems entirely removed. Cloning private repos via https also doesn't work on Windows, I get the following error:
I think there are potentially two solutions:
getpasswd, fix up github two-factor authentication #8228)I believe that only having 2) would be very painful, because my understanding is that every Pkg.update would for example query for the username/password combo for private repos, i.e. as far as I know there is no support for credential storage in libgit2, right?
So I think if the git transport is not re-enabled, one would really also need integration with the git credential manager interface, so that https credentials that are stored in a registered git credential manager would be picked up by
Pkg.cloneandPkg.update. My understanding is that libgit2 has no support for this, so it would probably have to be implemented manually...I think this issue here should get the 0.5.0 milestone attached. Not being able to work with private repos is a major regression relative to 0.4 that would affect essentially anyone who has package work in private repos.
The text was updated successfully, but these errors were encountered: