So I digged into Git's source a bit. Git can configure curl to start the
HTTP auth even if not requested (that's the "int proactive_auth" argument
to http_init() in http.c. Turns out that it gets set only when doing
pushes, and all other places hardcode it to zero (false). So here's how I
understand the interaction of these things:
1) When doing read-only operations, git (the C-implementation which most
users have) sends credentials only when requested by the remote.
2) If a repo allows anonymous read access to at least some refs, Gerrit
doesn't really know whether it's supposed to request credentials via HTTP
error 401, so it simply assumes that it's a client's business to decide.
3) Gerrit wants to support both anonymous and authenticated access to a
given repo via a single URL endpoint.
It seems to me that these are in conflict *IF* you have a repo where some
refs are OK to be anonymously read, while others can only be accessed by
authenticated and authorized users. Do you really need to use that? Note
that it's OK to have repositories which are not readable by anonymous
users; what's broken is mixing anonymously-accessible and private refs in a
single repository.
There's also that mess where apparently "/a/" is used as a prefix for
authenticated access to the REST API, and that git-over-HTTP access to
projects is also allwoed at the root, nut just below /p/. This means that
there's a certain ambiguity which results in weird behavior. You've already
reported that stuff starts working "correctly" for you if a project is
named "a/something". A side effect of this is that users cannot access any
project whose name starts with "a/", at least when copy-pasting the URLs
from Gerrit's web.
Hope this helps,