On Wed, Jan 13, 2010 at 4:04 PM, Ilari Liusvaara <ilari.liusvaara@xxxxxxxxxxx> wrote: > On Wed, Jan 13, 2010 at 03:13:40PM -0500, Avery Pennarun wrote: >> On Wed, Jan 13, 2010 at 3:06 PM, Ilari Liusvaara >> > As said, I got fed up with failure modes of SSH. >> >> I think this is the answer that needs clarification. What failure >> modes are these? ssh doesn't seem to fail for me. And github.com >> seems to be working rather well with a huge number of users and ssh >> authentication. > > Those failure modes tend to be show up at setup phase. But when they > show up, at worst I have seen ones that took hours to debug because > of multitude of possible causes and no good information on what's > wrong. > > And don't get me started about multi-key setups. > > SSH uses fixed sets of keys, which has inherent failure modes. And ssh > server tends to be worse than the client (Github can avoid the server > failure modes since they control the SSH server). > > But not even github can avoid all the failure modes. > >> If you're upset at the failure modes of ssh, is it possible to fix ssh >> instead of introducing Yet Another Tunneling Protocol? > > No, those failure modes can't be solved in SSH. This is still not very illuminating. How do you know your replacement will not have these same failure modes? If you solve your main annoyances with ssh, how do you know you won't introduce any new annoying failure modes? *Why* can't ssh be fixed to solve the problem? Will I have to generate and manage yet another new set of keys to use the new system? You seem to be positioning your implementation as a competitor to *all* of ssh, https, and straight TLS (including stunnel), and moreover, presenting it as superior to all three. This is surely possible (they all suck differently), but it's going to be hard to convince people. And if your new security protocol *only* works with git, it loses points automatically against other solutions. (Even if ssh is hard to set up, I've *already set it up*, so any new alternative starts with an immediate negative score.) Have fun, Avery -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html