Jeff King <peff@xxxxxxxx> writes: > I suspect it isn't enough to help without 2/2. This will tell curl that > the server does not do Negotiate, so it will skip the probe request. But > Git will still feed curl the bogus empty credential. > > That's what 2/2 tries to fix: only kick in the emptyAuth hack when there > is something besides Basic[1] to try. The way it is written adds an In your [1] you wanted to mention that Digest would have the same property as Basic, or something like that? > extra "auto" mode to emptyAuth, as I wanted to leave "emptyauth=true" as > a workaround in case the "auto" behavior does not work. And then I > turned on "auto" by default, since that was what the discussion was > shooting for. > > But if we are worried about turning on emptyAuth everywhere, the auto > behavior could be tied to emptyauth=true (and have something like > "emptyauth=always" to _really_ force it). I don't have an opinion there. I do not have a strong opinion, either, but it sounds like that even the "disable emptyAuth hack if the server is Basic only" variant would be much better than setting emptyAuth on by default. At least the user whose issue was reported in Dscho's message would be fixed by such a variant, I would think (i.e. talking to a server with no Negotiate and emptyAuth set to true results in no attempt to give the user a chance to tell who s/he is --- your 2/2 will turn emptyAuth off in that case).