Swift Package Manager, https or ssh?

Hi,
I'm using Swift Package Manager for my projects.
I have 2 options to add a package to the project: using an HTTPS link ("https://github.com/....git") or using SSH ("git@github.com:....git").

Unfortunately, I noticed a problem if a package is added as a dependency in 2 different places. Let's say the main project depends on Package A and Package B, while Package B depends on Package A as well. We need to have the same protocol to link the dependencies in both the project and Package B.
If one of them uses "https" and the other "git@", the conflict fails to be resolved.

So here are my questions:
Which one should we use preferably, HTTPS or SSH? (Meaning, what is the common way to do it?)
Is this behaviour a bug or a feature?
Thanks

In my experience the common way of doing it is HTTPS for all public repos and SSH for private repos.

The fact that SwiftPM treats HTTPS and SSH as different packages is a limitation of its current resolution algorithm. It uses the URL to identify packages. There are some proposals being pitched at the moment to solve this.

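
Since packages are identified by URL, one way to catch the mixed-protocol situation before resolution fails is to normalise every declared dependency URL and flag repositories that are referenced through more than one scheme. The script below is an added example, not part of the original thread and not SwiftPM's own algorithm; the normalisation rules (dropping the user, port and `.git` suffix, lowercasing) and the `example-org` repository names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# URL syntax: https://host/owner/repo.git or ssh://git@host/owner/repo.git
_URL = re.compile(r"^(\w+)://(?:[^@/]+@)?([^/:]+)(?::\d+)?/(.+)$")
# scp-like SSH syntax: git@github.com:owner/repo.git
_SCP = re.compile(r"^(?:[\w.-]+@)?([\w.-]+):(?!//)(.+)$")


def canonical(url):
    """Return (scheme, 'host/path') with user, port, '.git' and trailing '/' removed."""
    url = url.strip()
    m = _URL.match(url)
    if m:
        scheme, host, path = m.group(1).lower(), m.group(2), m.group(3)
    else:
        m = _SCP.match(url)
        if not m:
            raise ValueError(f"unrecognised git URL: {url!r}")
        scheme, host, path = "ssh", m.group(1), m.group(2)
    path = path.rstrip("/")
    if path.endswith(".git"):
        path = path[:-4]
    # Assumption: host and path are compared case-insensitively.
    return scheme, f"{host}/{path}".lower()


def mixed_scheme_dependencies(declared):
    """declared: iterable of (declaring_manifest, url) pairs.
    Returns {repo: {scheme: [manifests]}} for repos referenced via more than one scheme."""
    seen = defaultdict(lambda: defaultdict(list))
    for manifest, url in declared:
        scheme, repo = canonical(url)
        seen[repo][scheme].append(manifest)
    return {repo: dict(s) for repo, s in seen.items() if len(s) > 1}


# Constructed sample mirroring the question: the main project and Package B
# both depend on Package A, but through different protocols.
SAMPLE = [
    ("MainProject", "https://github.com/example-org/PackageA.git"),
    ("MainProject", "git@github.com:example-org/PackageB.git"),
    ("PackageB", "git@github.com:example-org/PackageA.git"),
]

if __name__ == "__main__":
    for repo, schemes in mixed_scheme_dependencies(SAMPLE).items():
        print(f"{repo}: {schemes}")
```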

Thanks for your answer. I'm not sure I understand why there is a difference for private and public package tho.

Because SSH lets you auth using key-based authentication, which is non-interactive, while https:// requires username/password authentication, which is interactive. This means that for internal repos that often have access control, SSH lets you through that access control more easily.

As to why not SSH everywhere, HTTPS is substantially less expensive for git to use as a clone mechanism.

That's exactly the bit of information that I was missing, thanks :)