* t5563-simple-http-auth failures with v2.55.0-rc0
@ 2026-06-11 21:04 Todd Zullinger
2026-06-12 15:42 ` Matthew John Cheetham
0 siblings, 1 reply; 6+ messages in thread
From: Todd Zullinger @ 2026-06-11 21:04 UTC (permalink / raw)
To: git; +Cc: Matthew John Cheetham
Hi,
I tested the freshly-tagged 2.55.0-rc0 and noticed some new
failures on the in-progress Fedora 45 (AKA Rawhide) for
t5563.18 (http.emptyAuth=auto attempts Negotiate before
credential_fill) which was added in 9b1630b972 (t5563: add
tests for http.emptyAuth with Negotiate, 2026-04-16).
I notice that Fedora 44 (where the tests all pass) has
curl-8.18.0 while Fedora 45 has curl-8.21.0-rc2. The
version of httpd is the same between them, FWIW. I didn't
compare other package differences; it could be something
else entirely.
Here is the output from a failing test run:
--8<--
++ test_when_finished per_test_cleanup
++ test 0 = 0
++ test_cleanup=$'{ per_test_cleanup\n\t\t} || eval_ret=$?; :'
++ set_credential_reply get
+++ test -n ''
++ local suffix=
++ cat
++ cat
++ cat
++ test_config_global credential.helper test-helper
++ test_when_finished 'test_unconfig --global '\''credential.helper'\'''
++ test 0 = 0
++ test_cleanup=$'{ test_unconfig --global \'credential.helper\'\n\t\t} || eval_ret=$?; { per_test_cleanup\n\t\t} || eval_ret=$?; :'
++ git config --global credential.helper test-helper
++ GIT_TRACE_CURL='/builddir/build/BUILD/git-2.55.0_rc0-build/git-2.55.0.rc0/t/trash directory.t5563-simple-http-auth/trace-auto'
++ git -c http.emptyAuth=auto ls-remote http://127.0.0.1:5563/custom_auth/repo.git
ddd63c907a6168e9992caee4ef0e0fa1139e4eb3 HEAD
ddd63c907a6168e9992caee4ef0e0fa1139e4eb3 refs/heads/master
ddd63c907a6168e9992caee4ef0e0fa1139e4eb3 refs/tags/foo
++ grep 'HTTP/[0-9.]* 401' '/builddir/build/BUILD/git-2.55.0_rc0-build/git-2.55.0.rc0/t/trash directory.t5563-simple-http-auth/trace-auto'
++ test_line_count = 3 actual_401s
++ test 3 '!=' 3
+++ wc -l
++ test 2 = 3
++ echo 'test_line_count: line count for actual_401s != 3'
test_line_count: line count for actual_401s != 3
++ cat actual_401s
<= Recv header: HTTP/1.1 401 Authorization Required
<= Recv header: HTTP/1.1 401 Authorization Required
++ return 1
error: last command exited with $?=1
not ok 18 - http.emptyAuth=auto attempts Negotiate before credential_fill
--8<--
And a diff of the trace-auto from Fedora 44 and 45 via
./t5563-simple-http-auth.sh -dix --run='-18' (with the
sending port normalized to 44444 to reduce the noise):
--- /dev/fd/63 2026-06-11 16:51:05.852135692 -0400
+++ /dev/fd/62 2026-06-11 16:51:05.853135711 -0400
@@ -23,6 +23,7 @@
<= Recv header:
<= Recv data, 0000000000 bytes (0x00000000)
== Info: shutting down connection #0
+== Info: Could not find host 127.0.0.1 in the .netrc file; using defaults
== Info: NTLM-proxy picked AND auth done set, clear picked
== Info: Hostname 127.0.0.1 was found in DNS cache
== Info: Trying 127.0.0.1:5563...
@@ -47,37 +48,8 @@
== Info: no chunk, no close, no size. Assume close to signal end
<= Recv header, 0000000001 bytes (0x00000001)
<= Recv header:
-== Info: shutting down connection #1
-== Info: Issue another request to this URL: 'http://127.0.0.1:5563/custom_auth/repo.git/info/refs?service=git-upload-pack'
-== Info: NTLM-proxy picked AND auth done set, clear picked
-== Info: Hostname 127.0.0.1 was found in DNS cache
-== Info: Trying 127.0.0.1:5563...
-== Info: Established connection to 127.0.0.1 (127.0.0.1 port 5563) from 127.0.0.1 port 44444
-== Info: using HTTP/1.x
-== Info: gss_init_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible. SPNEGO cannot find mechanisms to negotiate.
-== Info: Server auth using Negotiate with user ''
-=> Send header, 0000000214 bytes (0x000000d6)
-=> Send header: GET /custom_auth/repo.git/info/refs?service=git-upload-pack HTTP/1.1
-=> Send header: Host: 127.0.0.1:5563
-=> Send header: User-Agent: git/2.55.0.rc0
-=> Send header: Accept: */*
-=> Send header: Accept-Encoding: deflate, gzip, br
-=> Send header: Pragma: no-cache
-=> Send header: Git-Protocol: version=2
-=> Send header:
-== Info: Request completely sent off
-<= Recv header, 0000000036 bytes (0x00000024)
-<= Recv header: HTTP/1.1 401 Authorization Required
-== Info: gss_init_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible. SPNEGO cannot find mechanisms to negotiate.
-<= Recv header, 0000000028 bytes (0x0000001c)
-<= Recv header: WWW-Authenticate: Negotiate
-<= Recv header, 0000000044 bytes (0x0000002c)
-<= Recv header: WWW-Authenticate: Basic realm="example.com"
-== Info: no chunk, no close, no size. Assume close to signal end
-<= Recv header, 0000000001 bytes (0x00000001)
-<= Recv header:
<= Recv data, 0000000000 bytes (0x00000000)
-== Info: shutting down connection #2
+== Info: shutting down connection #1
== Info: NTLM-proxy picked AND auth done set, clear picked
== Info: Hostname 127.0.0.1 was found in DNS cache
== Info: Trying 127.0.0.1:5563...
@@ -113,7 +85,7 @@
<= Recv data: orn.0020fetch=shallow wait-for-done.0012server-option.0017ob
<= Recv data: ject-format=sha1.0000
<= Recv data, 0000000000 bytes (0x00000000)
-== Info: shutting down connection #3
+== Info: shutting down connection #2
== Info: NTLM-proxy picked AND auth done set, clear picked
== Info: Hostname 127.0.0.1 was found in DNS cache
== Info: Trying 127.0.0.1:5563...
@@ -154,4 +126,4 @@
<= Recv data: 9e4eb3 refs/heads/master.003bddd63c907a6168e9992caee4ef0e0fa
<= Recv data: 1139e4eb3 refs/tags/foo.0000
<= Recv data, 0000000000 bytes (0x00000000)
-== Info: shutting down connection #4
+== Info: shutting down connection #3
The absence of one of the requests stands out. Anyone
familiar with this area have suggestions for how to further
debug it? It should reproduce easily in a Fedora 45
container, if anyone wants to poke at it more directly.
Thanks,
--
Todd
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: t5563-simple-http-auth failures with v2.55.0-rc0
2026-06-11 21:04 t5563-simple-http-auth failures with v2.55.0-rc0 Todd Zullinger
@ 2026-06-12 15:42 ` Matthew John Cheetham
2026-06-12 18:02 ` Todd Zullinger
0 siblings, 1 reply; 6+ messages in thread
From: Matthew John Cheetham @ 2026-06-12 15:42 UTC (permalink / raw)
To: Todd Zullinger, git@vger.kernel.org
On 2026-06-11 22:04, Todd Zullinger wrote:
> Hi,
>
> I tested the freshly-tagged 2.55.0-rc0 and noticed some new
> failures on the in-progress Fedora 45 (AKA Rawhide) for
> t5563.18 (http.emptyAuth=auto attempts Negotiate before
> credential_fill) which was added in 9b1630b972 (t5563: add
> tests for http.emptyAuth with Negotiate, 2026-04-16).
>
> I notice that Fedora 44 (where the tests all pass) has
> curl-8.18.0 while Fedora 45 has curl-8.21.0-rc2. The
> version of httpd is the same between them, FWIW. I didn't
> compare other package differences; it could be something
> else entirely.
Thanks for the report. The failure is not in Git, it is a libcurl
behaviour change, and there is already an open upstream issue:
https://github.com/curl/curl/issues/21943
"Negotiate ignored with --anyauth" (Dan Fandrich, 2026-06-10)
Dan also bisected it to the same commit I had locally,
`8f71d0fde515` ("creds: hold credentials", curl PR #21548).
His report describes the regression at the `curl(1)` level (`curl
--anyauth -u : ...` no longer attempts Negotiate); t5563 test 18 is
the same regression observed through `http.emptyAuth=auto`, which
under the hood is the same `CURLOPT_USERPWD=":"` pattern.
Dan also notes a workaround: replacing `-u :` with `-u
literally:anything` (any non-blank username, real or fake) puts
libcurl back on the Negotiate path. That suggests a small Git-side
escape hatch is possible if we want to unblock people running
against current libcurl while we wait for an upstream fix; I have
not tried it yet and would want to be sure it does not have side
effects on other auth schemes before proposing it.
Daniel Stenberg has acknowledged the curl issue but has not yet
posted a fix. I will follow curl#21943 and, if the upstream answer
is "the new behaviour is intended", come back here with a proposal
for what Git should do about `http.emptyAuth` and test 18.
Thanks,
Matthew
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: t5563-simple-http-auth failures with v2.55.0-rc0
2026-06-12 15:42 ` Matthew John Cheetham
@ 2026-06-12 18:02 ` Todd Zullinger
2026-06-18 14:49 ` Todd Zullinger
0 siblings, 1 reply; 6+ messages in thread
From: Todd Zullinger @ 2026-06-12 18:02 UTC (permalink / raw)
To: Matthew John Cheetham; +Cc: git@vger.kernel.org
Hi,
Matthew John Cheetham wrote:
> On 2026-06-11 22:04, Todd Zullinger wrote:
>> I notice that Fedora 44 (where the tests all pass) has
>> curl-8.18.0 while Fedora 45 has curl-8.21.0-rc2. The
>> version of httpd is the same between them, FWIW. I didn't
>> compare other package differences; it could be something
>> else entirely.
>
> Thanks for the report. The failure is not in Git, it is a libcurl
> behaviour change, and there is already an open upstream issue:
>
> https://github.com/curl/curl/issues/21943
> "Negotiate ignored with --anyauth" (Dan Fandrich, 2026-06-10)
>
> Dan also bisected it to the same commit I had locally,
> `8f71d0fde515` ("creds: hold credentials", curl PR #21548).
[...]
> Daniel Stenberg has acknowledged the curl issue but has not yet
> posted a fix. I will follow curl#21943 and, if the upstream answer
> is "the new behaviour is intended", come back here with a proposal
> for what Git should do about `http.emptyAuth` and test 18.
Excellent. This is it good hands all around.
With luck, curl is updated and the canary of distributions
like Fedora's Rawhide will have served a useful purpose in
flushing out issues before they affect most people. With
the help of git's excellent and thorough test suite, of
course. :)
If there is a curl update, I imagine it will be picked up
reasonably quickly in Fedora (and elsewhere that was testing
8.21.0 release candidates) and there will hopefully be no
strong need to make any changes on the git side.
Thanks!
--
Todd
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: t5563-simple-http-auth failures with v2.55.0-rc0
2026-06-12 18:02 ` Todd Zullinger
@ 2026-06-18 14:49 ` Todd Zullinger
2026-06-18 15:02 ` Matthew John Cheetham
2026-06-18 16:18 ` Junio C Hamano
0 siblings, 2 replies; 6+ messages in thread
From: Todd Zullinger @ 2026-06-18 14:49 UTC (permalink / raw)
To: Matthew John Cheetham; +Cc: git@vger.kernel.org
Hi,
I wrote:
> Matthew John Cheetham wrote:
>> Thanks for the report. The failure is not in Git, it is a libcurl
>> behaviour change, and there is already an open upstream issue:
>>
>> https://github.com/curl/curl/issues/21943
>> "Negotiate ignored with --anyauth" (Dan Fandrich, 2026-06-10)
>>
>> Dan also bisected it to the same commit I had locally,
>> `8f71d0fde515` ("creds: hold credentials", curl PR #21548).
> [...]
>> Daniel Stenberg has acknowledged the curl issue but has not yet
>> posted a fix. I will follow curl#21943 and, if the upstream answer
>> is "the new behaviour is intended", come back here with a proposal
>> for what Git should do about `http.emptyAuth` and test 18.
>
> Excellent. This is it good hands all around.
[...]
>
> If there is a curl update, I imagine it will be picked up
> reasonably quickly in Fedora (and elsewhere that was testing
> 8.21.0 release candidates) and there will hopefully be no
> strong need to make any changes on the git side.
I saw Fedora picked up curl-8.21.0-rc3 this morning and
confirmed it resolves the git test failures. Someone else
has already commented on the upstream curl issue to note
that.
Thanks,
--
Todd
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: t5563-simple-http-auth failures with v2.55.0-rc0
2026-06-18 14:49 ` Todd Zullinger
@ 2026-06-18 15:02 ` Matthew John Cheetham
2026-06-18 16:18 ` Junio C Hamano
1 sibling, 0 replies; 6+ messages in thread
From: Matthew John Cheetham @ 2026-06-18 15:02 UTC (permalink / raw)
To: Todd Zullinger; +Cc: git@vger.kernel.org
On 2026-06-18 15:49, Todd Zullinger wrote:
> I saw Fedora picked up curl-8.21.0-rc3 this morning and
> confirmed it resolves the git test failures. Someone else
> has already commented on the upstream curl issue to note
> that.
Thanks for confirming rc3 fixes things!
The CURLOPT_USERPWD = ":" behaviour was never codified in curl's
documentation, but given the fix they've put in place it's probably a
good sign we can continue to rely on this.
I may propose a patch to curl documentation's patch to say that this
behaviour is expected and supported, if the they don't do it themselves
soon already.
Thanks,
Matthew
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: t5563-simple-http-auth failures with v2.55.0-rc0
2026-06-18 14:49 ` Todd Zullinger
2026-06-18 15:02 ` Matthew John Cheetham
@ 2026-06-18 16:18 ` Junio C Hamano
1 sibling, 0 replies; 6+ messages in thread
From: Junio C Hamano @ 2026-06-18 16:18 UTC (permalink / raw)
To: Todd Zullinger; +Cc: Matthew John Cheetham, git@vger.kernel.org
Todd Zullinger <tmz@pobox.com> writes:
> I saw Fedora picked up curl-8.21.0-rc3 this morning and
> confirmed it resolves the git test failures. Someone else
> has already commented on the upstream curl issue to note
> that.
Thanks.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-06-18 16:18 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-11 21:04 t5563-simple-http-auth failures with v2.55.0-rc0 Todd Zullinger
2026-06-12 15:42 ` Matthew John Cheetham
2026-06-12 18:02 ` Todd Zullinger
2026-06-18 14:49 ` Todd Zullinger
2026-06-18 15:02 ` Matthew John Cheetham
2026-06-18 16:18 ` Junio C Hamano
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox