> On Thu, Mar 21, 2019 at 03:55:37PM -0400, Jeff King wrote: > > > I am a little confused about v2 here, though. It should hit the initial > > info/refs endpoint the same as usual. If it's a noop fetch, then it's > > done. Otherwise, we'd hit the git-upload-pack and expect to require > > authentication. That should work after your switch to using post_rpc, > > shouldn't it? > > > > And I guess it does, because you did not delete the test before "clone > > from auth-only-for-objects repository", which would actually do the > > second half of that conversation, and require authentication. You're > > only deleting the part that does the noop fetch. > > > > Puzzled... > > Ah, nevermind. I forgot that v2 really will make two requests for this > noop case. The initial endpoint hit only returns the capabilities and > nothing else. And that's inherent in the protocol. Yes, you're right. > I'm OK with dropping this test, but I think my reasoning is slightly > different than what you wrote. The interesting bits are actually > happening in the test _before_ this one, which are exercising the > gzipped auth-retry code. And that happens in both protocol v0 and v2. > > The test you're deleting is basically just verifying that our apache > config is indeed "half-auth". Because in v0, the server is never even > going to ask for credentials, so no interesting code paths in the client > are triggered. So it's not actually testing anything of interest. If both of us want to drop this test, that's great :-) but for clarification: in addition to verifying that our apache config is "half-auth", this test also verifies that in a no-op fetch, we don't hit the path that is guarded by an authentication requirement. This seems significant to me in light of the link you provided in your prior email [1]. [1] https://public-inbox.org/git/20190321195536.GC19427@xxxxxxxxxxxxxxxxxxxxx/
