On Wed, Feb 22, 2017 at 01:57:28PM -0800, Junio C Hamano wrote:

> Jeff King <peff@xxxxxxxx> writes:
>
> > On Wed, Feb 22, 2017 at 01:25:11PM -0800, Junio C Hamano wrote:
> >>
> >> Thanks for your thoughts. I'd think that we should take this change
> >> and leave the optimization for later, then. It's not like the
> >> change of the default is making the normal situation any worse, it
> >> seems.
> >
> > I'm not excited that it will start making known bogus-username requests
> > by default to servers which do not even support Negotiate. I guess that
> > is really the server-operators problem, but it feels pretty hacky.
>
> I guess that's another valid concern. The servers used to be able
> to say "Ah, this repository needs auth and this request does not, so
> reject it without asking the auth-db". Now it must say "Ah, this
> repository needs auth and this request does have one, but it is
> empty so let's not even bother the auth-db" in order to reject a
> useless "empty-auth" request with the same efficiency.
>
> After the first request without auth (that fails), do we learn
> anything useful from the server side (like "it knows Negotiate")
> that we can use to flip the "empty-auth" bit to give a better
> default to people from both worlds, I wonder...?

Yes, that's exactly what I was trying to say in my first message.

-Peff