On Wed, Apr 10, 2013 at 11:30:59PM +0200, Jakub Narębski wrote: > > 1. GET $repo/info/refs?service=git-receive-pack > > > > This makes initial contact and gets the ref information which push > > uses to decide what it is going to push. So it is read-only, and in > > an anonymous-read setup, does not need to be protected. > > Yes, it doesn't need to be protected, but *git-receive-pack* requires > (or required) valid user even for above GET request for getting refs. Right. But that is not anything receive-pack is doing; it is up to his webserver config, which is why I asked to see it. > > 2. POST $repo/git-receive-pack > > > > This actually pushes up the objects and updates the refs, and > > must be protected. > > > > The setup listed above does work with apache; it is tested as part of > > our test suite (you can see the actual config in t/lib-httpd/apache.conf). > > So what in lighttpd is giving us the 403? Can you share your whole > > config? > > I think I have seen a patch on git mailing list to correct this, but > I am not sure. > > Are you sure that we test this correctly? Perhaps you are thinking of the jk/maint-http-half-auth-push topic from last August/September. It explicitly tests the setup from the manpage. The relevant commits are 4c71009 (t: test http access to "half-auth" repositories, 2012-08-27) which demonstrates the problem, and b81401c (http: prompt for credentials on failed POST, 2012-08-27). However, even before the fix, it never got a 403 on the GET of info/refs. It got a 401 on the later POST, but didn't prompt for credentials. -Peff -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html