In broad strokes:

• I think having only one Repository object is cleaner -- the policies would map like this:
  • View: Can view repository from web UI in Diffusion, and clone/read/pull it.
  • Edit: Can manage repository details from web UI (e.g., edit policies, edit local paths, enable/disable/etc).
  • Push (new): Can push to the repository. At some point we should probably add additional checks (e.g., policies for each branch) but I think a single policy that you must satisfy to be able to push at all is probably a good starting point. I can sketch out the CAN_PUSH capability.
• Generally, want to get rid of the "Repository" UI and put everything in Diffusion instead. There's a new (not-connected-to-anything) create workflow here: https://secure.phabricator.com/diffusion/create/ and new (connected and functional) edit UIs here: https://secure.phabricator.com/diffusion/P/edit/ -- we should ideally put new stuff in as sections in that.
• I want to get local directory management on slightly firmer ground before we allow writes to it. Everything this is doing is generally fine, but my plan is to have a default directory (like /var/phabricator/repo/ or something) where we just put everything by default, and move the prompting to be more like "Everything will be done for you automatically! Or you can customize it if you insist. [Laborious Customization] [Sweet Automatic Correctness]". The "local path" is a pain for users to get right and a lot of them make mistakes right now. I want to move this customization to being an advanced option.
• The VCS password stuff seems like a pretty reasonable solution, but man is it gross. I don't immediately see a cleaner way to do it. One thought is arc push, which would go lookup a password and then just run git push, but that's almost worse.
• For the URIs, I wonder if we could just detect that a request is a git/svn/hg request by examining it, and then use /diffusion/X/ for everything. This is sort of sketchy, but it strikes me as desirable to have a single URI just work correctly for everything. Git looks like it has request parameters that we could use; it also has a git user-agent, although that seems highly suspect to rely on.

For moving forward, let's do this:

• Unify Repository/HostedRepository objects.
• Move "HTTP Access: off, read-only, read/write" option to a new "hosting" panel in repository/X/edit. For now, provide only "off" and "read-only". Default to "off". Mark "read-only" as "(BETA!!!~~)".
• The read stuff basically all looks good to me and can just go in as-is.
• Let's stick with /git/ for now, although I'd like to take a shot at maybe getting rid of that. It's not very straightforward, though.
• Let's split the push/init stuff into a separate diff for later. I want to stabilize things more first and support those in a more first-class way.

Sound reasonableish?

I'd like to keep pushing / read-write in scope; at work we're going to be moving to Git within the next few weeks and I'd like to be able to be hosting repositories in Phabricator directly (there's strong pushback against having "yet another thing" for doing the actual hosting).

For now, I don't think "local path" being specified absolutely is too much of a big deal; later on down the track the option to automatically pick a location doesn't impact an administrator's ability to provide a full path if they wish anyway, so this can really be viewed as just "not having the automatic option" for now.

I'll move the hosting options into the new repository edit UI (with the provision that the local hosting path won't be shown unless you can edit it). I'll put the push policy in the policies section, with the column name pushPolicy.

In future I don't think removing /git/ and changing it to /serve/ will be as problematic as we think. We already know the repository type (svn/hg/git), so we can fire off different *HTTPServer implementations based on the repository type, and then we don't even have to care about what requests the client is making. It wouldn't make sense if someone was trying to use Mercurial to clone a Git repository anyway, so I think it's practically better if we just let the client software deal with the fact that it isn't a repository it understands.

Okay, summary of changes:

• All configuration is now done through the Diffusion editor.
• The call to git init --bare no longer happens. It's left up to the user to create the directory and initialise the repository on disk for Phabricator to serve it up.
• I added the CAN_PUSH capability. I don't particularly like the Pushable By text, but I couldn't think of any better phrasing.
• I haven't yet modified GitHTTPServer to use ExecFuture. Unless this is essential, I think it's better if I just send in some future diffs; one to add setEnv and the other to modify the GitHTTPServer implementation.