Highly, terribly dangerous posts. Misuse of this profile can invite eggbug to trounce upon your data and then laugh in your face. You don't want this profile. Really.

My Blog

$\mathbb{X}$

twitter.com/welltypedwitch

Mastodon

functional.cafe/@prophet

Github

github.com/Innf107

Twitch

twitch.tv/welltypedwitch

Prophet @prophet12/16/2022, 2:14 PM

ashlynn @sweetpea

ashlynn @sweetpea12/16/2022, 7:24 AM

OPINION POST

you should run this:

git config --global url.git@github.com:.insteadOf https://github.com/

why? let me tell you a tale of 2FA and submodules

2FA

You should set up 2FA on GitHub. You should, it's the virtuous, objectively correct decision as long as you own a phone. It increases the security of your account, and if you ever work a job that uses GitHub to manage their projects they will invariably require you to do so if they have a hint of sense.

The problem with this, is that GitHub 2FA (understandably) disables HTTPS write-access for git. No longer can git push to a remote using an HTTPS URI simply prompt you for your password, because you don't just have a password anymore! You have a 2FA code, and if they just ignored that for git pushes it'd be pretty dang useless.

Git Submodules

Look, you've probably heard a lot of things about git submodules. That they're dangerous, that they'll ruin your project if you use them wrong. That you should always use subtrees instead (this is a dumb opinion, please come to class with a better one tomorrow).

The fact is, submodules are dead useful. Maybe in an older version of git they were much scarier, maybe they do still have some sharp edges I just haven't bumped into too badly yet, but if you want to be able to iterate on a dependency at the same time as the project depending on it, they just work in so many ways.

Plus, for some languages you kind of need them to manage dependencies sanely (I am eagerly awaiting the Zig package manager. No, I will not use gyro).

The problem is, for submodules anyone who clones your repo and pulls the submodules will attempt to pull each submodule with the exact URI that you use to initialize the submodule. This means, if you initialize a submodule with git@github.com:repo/path.git then someone without a GitHub account or without SSH set up on GitHub will fail to pull the submodule.

WOMP WOMP

Since you, an enlightened GitHub 2FA user, can't actually push to an HTTPS remote, this presents a slight problem if you, y'know, actually want to work on any of the submodules.

Now, of course, there are steps a cloning user can take to resolve this. The command I show above but reversed is actually a somewhat common step taken to fix this issue. Unfortunately this command (and all other mitigating solutions I'm aware of) are fairly advanced git usage.

Do you want someone to have to be an advanced user to clone your repository? I don't.

Return with the Elixir

So. So, so, so, so, so. You have all the pieces now. You've drawn all 5 pieces of Exodia. You stand at the precipice of Mount Doom, ring in hand.

Do you see it yet? Have you divined the truth? Witnessed the four base elements at work and meditated upon the concept of aether?

It's simple. You run

git config --global url.git@github.com:.insteadOf https://github.com/

in your shell, and always add submodules with the HTTPS URL.

On your system, the HTTPS URL is rewritten to an SSH URI. You can push freely, like a bird in flight. On the cloning user's system, they call pull freely, grounded by the solid foundation of an HTTPS URL.

The chains shatter. You are free. You hold all of the power of submodules in your hands and none of the drawbacks.

...other than that one bit where you always forget to add --recurse-submodules to the git clone command. What a pain, yeah?

#git #github #software engineering #programming

You must log in to comment.

in reply to @sweetpea's post:

David @hllizi12/17/2022, 12:25 AM

Thank you, that's very useful.

purely dysfunctional catgirl @leftpaddotpy12/17/2022, 3:41 AM

you can equally use https for push even with 2fa if you do gh auth login :)

ashlynn @sweetpea12/17/2022, 5:41 AM

I admit to being fairly diametrically opposed to installing a gh cli tool specifically to interact with GitHub, although I understand why people would do so.

It just feels a step too far, if you know what I mean :p

purely dysfunctional catgirl @leftpaddotpy12/17/2022, 6:28 AM

in this context it's basically just a credential helper that gives git an oauth access token

Zoey @zoey-12/17/2022, 6:20 AM

Do you clone submodules using SSH if they're public repos? If I'm cloning something and I'm not writing to it, I'm cloning it over HTTPS, not SSH. And, even if I am writing to it, if it's public I'm cloning it over HTTPS, and using git remote set-url --push git@github.com:repo/repo.git to only use SSH to push, not to pull. My SSH keys live on a yubikey, and if I don't have a reason to authenticate to GitHub to read something, I don't want to have to deal with plugging in my key.

ashlynn @sweetpea12/17/2022, 9:33 PM

I tended to clone them with SSH when I'm writing to them, yes. For example my emacs config uses borg, which lets me cleanly contribute back upstream to emacs packages when I have an issue with them.

Remote push-urls are a nice feature though! I wasn't actually aware of them when making this post or I would probably have used them instead. As it stands though my SSH key isn't on a hardware key and this insteadof config is "set and forget" rather than requiring additional manual intervention for each submodule I want to be able to push on so I'll probably keep using it.

Pinned Tags