For many public Git repos, using HTTPS for “git fetch”, “git pull”, and other Git download operations has adequate security. A primary concern for downloading public Git content is verifying the content is genuinely from the desired author. A reasonable degree of confidence can be accomplished using HTTPS to download and verifying the author PGP signed Git commits. Git download operations over HTTPS are perhaps twice as fast as Git over SSH and use less CPU.
When pushing Git commits, SSH can provide enhanced security. Since “git push” operations typically take longer than “git pull”, particularly where pre-commit hooks and PGP commit signing are used, SSH speed penalty on “git push” is often acceptable.
For developers there are speed benefits from a hybrid Git configuration where Git downloads use HTTPS and Git uploads use SSH. Git has intrinsic functionality for this setup in a global configuration. The one-setup setup below uses “https://” for the remote repo URL instead of “ssh://”. To upgrade existing local public repos, edit individual repo “.git/config” accordingly. This is a one-time config command:
git config --global url."ssh://github.com/".pushInsteadOf https://github.com/ git config --global url."ssh://gitlab.com/".pushInsteadOf https://gitlab.com/
If experiencing problems on “git push”, check the individual repo “.git/config”, making sure the url is like:
[remote "origin"] url = https://github.com/username/repo.git
In particular, the ending of the
url line must NOT have a trailing slash like