[gvb]

To elaborate on dolinsky and the article, if your web server is doing a "git pull", it means it has ssh access into your workstation. If someone breaks into your web server, this means that they have ssh access into your workstation as well by simply using the keys on your web server. This is bad, very bad.

If you push to your web server, only your public key is exposed if your web server is compromised.

[russell_h]

Not necessarily. If you run an ssh-agent locally and configure ForwardAgent to 'yes' for connections to your web server you can ssh to your server and use ssh from it without actually putting your private key on it.

I'd still recommend pushing to a server though.

[mcmatterson]

An excellent discussion about this exact topic came through HN yesterday. See http://news.ycombinator.com/item?id=2183415, and in particular the comments.

[alexgandy]

Thanks for pointing this out.

[cookiecaper]

I don't know if he meant that he git pulls from his workstation. I git push out to a bare repository on my server, and then I ssh in and git pull from the local bare repository into the project's working directory on my server. This doesn't leave the keys for my workstation on the server, but I still have to log in and git pull in the wd.