There are already a number of read-only FUSE-git bridges, and we already have production-ready FTP daemons galore if that's the protocol you prefer.
If you don't like the existing FUSE-git bridges, make one of those instead. It's more composable; you could also point Apache at the read-only FUSE mount, for example.
You're unnecessarily tightly coupling libgit2 to the FTP protocol, and probably creating a bunch of bugs (potentially dangerous RCE ones, this being a network service) in the process.
I feel like something went wrong a few steps ago if you find yourself needing this.
Happy to be enlightened otherwise?
I find it hard to criticize these sorts of projects. I think people should be questioned about strange ideas, but over the internet it's hard to convey tone, and hard to explain that I still want to encourage them to keep working on the weird, strange, and unique.
But in practice, I do often find myself browsing my own code on GitHub for a variety of reasons:
- I'm in their office at their machine, but didn't bring my laptop.
- I'm traveling and want to talk about something with someone (I travel with a separate laptop).
- I'm halfway through a big refactor and want to go back and see what master looks like. I know how to do this without GH/GL, but the simplest way is to just pull up GH.
In all of these cases, and others, it's far easier to pull up the file on GitHub than it is to clone the repo locally.
So, given that we do sometimes want to browse our code remotely, the author then provides the (rather niche) criteria that make this a better solution than GH/GL:
"By serving a repo behind an FTP interface, we get these benefits:
- Web browser supported but not required
- Minimized network traffic, sending just the file data itself
- Supported on all platforms, with dozens of clients already written
- Support for both the command line and GUI"
Agree with you that this is a fairly niche set of criteria, but I could at least imagine myself in an environment where this could be a useful tool.
What I find strange is the requirement of having a git web interface installed on the server, and of needing a web browser, just to examine a few parts of a remote repository.
Sure, it works, looks great, and there already are mainstream solutions available; but, a web interface certainly is overkill if all you want is to display some remote files.
I'm definitely not saying that web interfaces are wrong, but for people like me, simpler alternatives are very welcome, and I feel that FTP is a perfect fit for this. Git repositories are file trees after all and a "file transfer protocol" sounds like a better fit for this task than a "hypertext transfer protocol".
Apart from simplicity, this approach would have better composability (with external tools) as well, as the author put it:
> However these interfaces are fairly rigid, and don’t connect well with external tools.
Looking for simpler solutions to do things that we do everyday is never "strange" in my eyes.
If in 2019 a developer built a file transfer system with the same service model as FTP, using the same design, you'd dismiss them for incompetence.
There is nothing FTP does that HTTP can't already do. The normal response to that is that there's no standard set of HTTP endpoints that delivers the file-upload capability that FTP exposes by default. But then, FTP doesn't even have a "standard" directory listing.
If we didn't have HTTP file upload, SFTP would be a reasonable thing to want. But we do, and SFTP shares with FTP the property of essentially being a restricted-purpose shell (with an attendant user authentication model), which, again, is of basically no benefit in modern systems.
Death to FTP.
However, I do completely and emphatically agree that FTP needs to die. There is no need for it in the modern era. We've had a whole plethora of better-suited protocols since (I don't agree HTTP is a good replacement, but there's no shortage of options out there), and in many cases FTP, even once you've applied the mountain of kludges and workarounds just to get it working with SSL behind two NATed firewalls, still falls short of what a great many alternatives can already do.
FTP not only needs to die; it should have already died 10 or 20 years ago.
> It's an archaic protocol built around the limitations of early-1980s systems.
What were the limitations, and how did they shape the protocol?
> protocol "feature" of having server responses be human-readable (and not machine-parseable)
The responses are successfully parsed by quite a few clients, no? The fact that I as a person can easily read the output would seem in and of itself to be a positive quality.
> control and data connections ... caused something like 2 decades of security problems, also makes it a nightmare to provision in modern networks
I know little about configuring network security, can you tell me more here? The idea is that in passive mode the server has to pick and listen on a bunch of random ports and so the firewall can't unconditionally block them?
Also you mention "modern networks" -- did it used to be easier to provision networks in the past and something has changed recently?
FTP LIST responses are "successfully parsed" by predicting that servers will return a circa-1991 ftpd "ls" listing. Which means that to be parsed by those clients, you need to be bug-compatible with those servers. That was the point DJB was making with his (parsable) publicfile output.
For a good starting point on FTP's security design, read up on [FTP bounce attacks]. But the key thing to remember is: this design is pointless. There is no reason for a file transfer protocol to be allocating new connections like this.
In my experience, HTTP regularly chokes on multi-GB file transfers. I'm not endorsing FTP; when we have 100GB+ transfers, we have in the past resorted to sneakernet.
Simpler is good, too simple is not.
> Since the information on a file may vary widely from system to system, this information may be hard to use automatically in a program, but may be quite useful to a human user.

That's RFC 959's own description of LIST output. It works by convention, and by people writing piles of hairy code over the years to make it behave. FTP is a really ancient protocol with many problems besides that. Much like short people, it got no reason to live.
FTP may have its quirks but I'd argue that nobody can say that it's simpler/easier to parse HTML than to parse FTP payloads.
In any case, can't this be solved by configuring the server to conform to the most standard/clean/mainstream conventions? We are writing a server here, after all, not a client.
I'm not convinced that FTP's shortcomings can't be easily worked around in this case; but I understand that you are trying to say that the ancient FTP protocol should die. Maybe you are right. And maybe there are very good reasons for that.
And then I'd say we need a modern file transfer protocol. HTML over HTTP still isn't optimal for this task at least some of the time, for some people. And I, with my limited knowledge, still believe that FTP can't be worse than HTML over HTTP for the task in question, even if not better.
There are actually standards documents you can read that specify how to parse HTML (mind-boggling length and complexity aside). But there's nothing that tells you how to interpret an FTP LIST response.
In my limited understanding, the only parameters that can change are the separator and the number of columns. How hard can it be to establish a straightforward convention? And why are we being judged so harshly for advocating a consistent, straightforward use of the protocol, just because some people apparently made very bad technical decisions in the past?
On the web you can build a universe if you want; its API surface is gigantic compared to FTP's. I like to use the simplest technology I can for the purpose at hand. And if the servers I use output straightforward payloads, I don't have to care about what stupid things people did in the past.
> and in a modern system you'd just honor a .json (or Accept header) that would give you the result as a trivially parsed array
Your approach would be to serve JSON over HTTP then, I guess. Would you have any other recommendations for this apart from JSON over HTTP? Are there other simple and viable alternatives?
I also browsed a few of the FTP mirrors for OpenBSD and took note of how they formatted their response, and tried to make my format match what I observed to be the most common response. It's worked with all the clients I've tried so far: ncftp on mac, ftp on openbsd, Firefox, mac's ftp-finder integration, and Filezilla.
So while there is admittedly ambiguity in FTP servers on the whole, I think my server in particular should work OK. Keeping an open mind though if you know about a problem I haven't foreseen.
But the client parsing code is mostly strsep() and cross your fingers and hope to die. It's not terribly robust.
Like if you were writing a program, you would not prefer parsing the output of ls to running stat yourself.
"You're holding it wrong"
Git is specifically a decentralised version control system. Cloning the remote branches is how you view and browse remote repos.
Viewing remote non-bare repos via FTP is fine, but I'm not sure I understand the problem.
The problem is network traffic? Cool, check out a shallow clone with --depth=1.
Browsing? I'm confused how FTP beats, say, GitHub, or GitHub with some of the file-browser add-ons/Greasemonkey scripts.
I'm also pretty confused by the use case where FTP beats keeping a local working copy. Presumably you want to edit these files eventually, right? Are you also editing remotely? What about a remote X session or SSH?
I'm just confused by the use case not saying you're holding it wrong.
Try answering this: in what world or under which conditions does this solution make sense?
I'm not saying it's wrong I'm saying I can't see what conditions make this make sense.
I'm curious to try this out!
Just prepend sourcegraph.com/ to the hostname. That'd be https://sourcegraph.com/github.com/user/repo for your example.
It can be self-hosted as well.
Thanks for reporting this. It looks ok for me in Safari 12.0.3, what version are you on?
The bulk of the work is done by Video.js 5.0.2. Perhaps your browser or plugins are blocking the script?
Can you send me an email with a screenshot? I do try to make the videos work on every browser if possible.
I'll send you an email with a screenshot of the whole thing.
Example (Gopher link):
Writing in C requires care, but the modern day "rewrite it in rust" crusade does feel overblown. C programs are nice -- small and fast.
Anyway, I don't mean to be cocky. A code review is welcome, I'd be curious if I did indeed overlook a security issue.