On Wed, Feb 22, 2017 at 02:35:11PM -0800, Junio C Hamano wrote: > A solution along your line would help Negotiate users OOB experience > without hurting the servers that do not offer Negotiate, but until > that materializes, users can set the lazier http.emptyAuth on > (without selectively setting http.<host>.emptyAuth off for sites > without Negotiate) and hurt the servers by throwing an empty auth > anyway regardless of the default, so the flipping of the default is > not fundamentally adding more harm in that sense. I was hoping to materialize it today. :) Here's what I came up with. I have a lot of questions about the second patch which I'll outline there. But I think it may be a good start. [1/2]: http: restrict auth methods to what the server advertises [2/2]: http: add an "auto" mode for http.emptyauth http.c | 38 +++++++++++++++++++++++++++++++++++--- 1 file changed, 35 insertions(+), 3 deletions(-) -Peff