From: Jeff King <peff@peff.net>
To: Jonathan Tan <jonathantanmy@google.com>
Cc: git@vger.kernel.org
Subject: Re: [RFC PATCH] t5551: delete auth-for-pack-but-not-refs test
Date: Thu, 21 Mar 2019 15:55:37 -0400
Message-ID: <20190321195536.GC19427@sigill.intra.peff.net>
In-Reply-To: <20190321174719.151877-1-jonathantanmy@google.com>

On Thu, Mar 21, 2019 at 10:47:19AM -0700, Jonathan Tan wrote:
> When using protocol v0, upload-pack over HTTP permits a "half-auth"
> configuration in which, at the web server layer, the info/refs path is
> not protected by authentication but the git-upload-pack path is, so that
> a user can perform fetches that do not download any objects without
> authentication, but still needs authentication to download objects.
>
> 2e736fd5e9 ("remote-curl: retry failed requests for auth even with
> gzip", 2012-10-31) added a test for this, stating that this leaks
> information about the repository but makes it occasionally more
> convenient for users that use manual credential entry.
>
> Protocol v2 does not support this, because both ref and pack are
> obtained from the git-upload-pack path.

I have mixed feelings. I agree that this is not a setup we really
want to recommend. But it did come out of somebody's real-world case[1].
It would be nice to know if it got broken, even if v2 doesn't support
it.

I am a little confused about v2 here, though. It should hit the initial
info/refs endpoint the same as usual. If it's a noop fetch, then it's
done. Otherwise, we'd hit the git-upload-pack and expect to require
authentication. That should work after your switch to using post_rpc,
shouldn't it?

And I guess it does, because you did not delete the test before "clone
from auth-only-for-objects repository", which would actually do the
second half of that conversation, and require authentication. You're
only deleting the part that does the noop fetch.

Puzzled...

-Peff

[1] https://public-inbox.org/git/CAHtLG6Q+XO=LhnKw4hhwtOe2ROeDN1Kg=JN5GTQqdvYjk-Sv4g@mail.gmail.com/
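
The "half-auth" layout discussed in this message (info/refs served without authentication, git-upload-pack protected) can be recognised from web server access logs. The following is an added example, not part of the thread or of Git's test suite: it labels each repository by what unauthenticated requests were allowed to reach, assuming common log format with the remote user in the third field; the log lines, repository paths and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format); all names are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Mar/2019:15:00:01 -0400] "GET /git/half.git/info/refs?service=git-upload-pack HTTP/1.1" 200 412
192.0.2.10 - - [21/Mar/2019:15:00:02 -0400] "POST /git/half.git/git-upload-pack HTTP/1.1" 401 381
192.0.2.10 - alice [21/Mar/2019:15:00:03 -0400] "POST /git/half.git/git-upload-pack HTTP/1.1" 200 9120
192.0.2.11 - - [21/Mar/2019:15:01:00 -0400] "GET /git/full.git/info/refs?service=git-upload-pack HTTP/1.1" 401 381
192.0.2.12 - - [21/Mar/2019:15:02:00 -0400] "GET /git/open.git/info/refs?service=git-upload-pack HTTP/1.1" 200 401
192.0.2.12 - - [21/Mar/2019:15:02:01 -0400] "POST /git/open.git/git-upload-pack HTTP/1.1" 200 5120
"""

LINE = re.compile(r'^\S+ \S+ (\S+) \[[^\]]+\] "(GET|POST) (\S+) [^"]*" (\d{3})\b')
ENDPOINT = re.compile(r'^(.+?)/(info/refs|git-upload-pack)$')

def anonymous_statuses(log_text):
    """Map repo -> endpoint -> HTTP statuses returned to requests with no user."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(1) != "-":  # keep only requests logged without a user
            continue
        method, url, status = m.group(2), urlsplit(m.group(3)), int(m.group(4))
        ep = ENDPOINT.match(url.path)
        if not ep:
            continue
        repo, endpoint = ep.groups()
        # Ref advertisement is a GET with ?service=git-upload-pack; the RPC is a POST.
        if endpoint == "info/refs":
            wanted = method == "GET" and parse_qs(url.query).get("service") == ["git-upload-pack"]
        else:
            wanted = method == "POST"
        if wanted:
            seen[repo][endpoint].add(status)
    return seen

def classify(log_text):
    """Label each repo by what an unauthenticated client was allowed to reach."""
    labels = {}
    for repo, eps in anonymous_statuses(log_text).items():
        refs, pack = eps["info/refs"], eps["git-upload-pack"]
        if 200 not in refs:
            labels[repo] = "auth-required" if 401 in refs else "undetermined"
        elif 200 in pack:
            labels[repo] = "open"
        else:  # refs served anonymously; pack endpoint challenged or never reached
            labels[repo] = "half-auth" if 401 in pack else "undetermined"
    return labels
```

A repository labelled `half-auth` is one whose ref advertisement is readable without credentials, which is the information leak the quoted commit message describes.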