fixing broken AMD driver link (#11579)

This reverts commit 9d071e6089.

.github/workflows/release.yaml

@@ -23,7 +23,7 @@ jobs:
           echo GOFLAGS="'-ldflags=-w -s \"-X=github.com/ollama/ollama/version.Version=${GITHUB_REF_NAME#v}\" \"-X=github.com/ollama/ollama/server.mode=release\"'" >>$GITHUB_OUTPUT
 
   darwin-build:
-    runs-on: macos-13
+    runs-on: macos-13-xlarge
     environment: release
     needs: setup-environment
     strategy:

api/client.go

@@ -42,23 +42,6 @@ type Client struct {
 
 func checkError(resp *http.Response, body []byte) error {
 	if resp.StatusCode < http.StatusBadRequest {
-		if len(body) == 0 {
-			return nil
-		}
-
-		// streams can contain error message even with StatusOK
-		var errorResponse struct {
-			Error string `json:"error,omitempty"`
-		}
-
-		if err := json.Unmarshal(body, &errorResponse); err != nil {
-			return fmt.Errorf("unmarshal: %w", err)
-		}
-
-		if errorResponse.Error != "" {
-			return errors.New(errorResponse.Error)
-		}
-
 		return nil
 	}
 
@@ -230,9 +213,25 @@ func (c *Client) stream(ctx context.Context, method, path string, data any, fn f
 	scanBuf := make([]byte, 0, maxBufferSize)
 	scanner.Buffer(scanBuf, maxBufferSize)
 	for scanner.Scan() {
+		var errorResponse struct {
+			Error string `json:"error,omitempty"`
+		}
+
 		bts := scanner.Bytes()
-		if err := checkError(response, bts); err != nil {
-			return err
+		if err := json.Unmarshal(bts, &errorResponse); err != nil {
+			return fmt.Errorf("unmarshal: %w", err)
+		}
+
+		if response.StatusCode >= http.StatusBadRequest {
+			return StatusError{
+				StatusCode:   response.StatusCode,
+				Status:       response.Status,
+				ErrorMessage: errorResponse.Error,
+			}
+		}
+
+		if errorResponse.Error != "" {
+			return errors.New(errorResponse.Error)
 		}
 
 		if err := fn(bts); err != nil {

api/client_test.go

@@ -89,6 +89,16 @@ func TestClientStream(t *testing.T) {
 			},
 			wantErr: "mid-stream error",
 		},
+		{
+			name: "http status error takes precedence over general error",
+			responses: []any{
+				testError{
+					message:    "custom error message",
+					statusCode: http.StatusInternalServerError,
+				},
+			},
+			wantErr: "500",
+		},
 		{
 			name: "successful stream completion",
 			responses: []any{

auth/auth.go

@@ -18,8 +18,6 @@ import (
 
 const defaultPrivateKey = "id_ed25519"
 
-var ErrInvalidToken = errors.New("invalid token")
-
 func keyPath() (string, error) {
 	home, err := os.UserHomeDir()
 	if err != nil {
@@ -29,39 +27,6 @@ func keyPath() (string, error) {
 	return filepath.Join(home, ".ollama", defaultPrivateKey), nil
 }
 
-func parseToken(token string) (key, sig []byte, _ error) {
-	keyData, sigData, ok := strings.Cut(token, ":")
-	if !ok {
-		return nil, nil, fmt.Errorf("identity: parseToken: %w", ErrInvalidToken)
-	}
-	sig, err := base64.StdEncoding.DecodeString(sigData)
-	if err != nil {
-		return nil, nil, fmt.Errorf("identity: parseToken: base64 decoding signature: %w", err)
-	}
-	return []byte(keyData), sig, nil
-}
-
-func Authenticate(token, checkData string) (ssh.PublicKey, error) {
-	keyShort, sigBytes, err := parseToken(token)
-	if err != nil {
-		return nil, err
-	}
-	keyLong := append([]byte("ssh-ed25519 "), keyShort...)
-	pub, _, _, _, err := ssh.ParseAuthorizedKey(keyLong)
-	if err != nil {
-		return nil, err
-	}
-
-	if err := pub.Verify([]byte(checkData), &ssh.Signature{
-		Format: pub.Type(),
-		Blob:   sigBytes,
-	}); err != nil {
-		return nil, err
-	}
-
-	return pub, nil
-}
-
 func GetPublicKey() (string, error) {
 	keyPath, err := keyPath()
 	if err != nil {

auth/authorized_keys.go

@@ -1,254 +0,0 @@
-package auth
-
-import (
-	"bufio"
-	"encoding/base64"
-	"fmt"
-	"io"
-	"log/slog"
-	"os"
-	"path/filepath"
-	"regexp"
-	"strings"
-	"sync"
-	"time"
-
-	"golang.org/x/crypto/ssh"
-)
-
-type KeyEntry struct {
-	Name      string
-	PublicKey string
-	Endpoints []string
-}
-
-type KeyPermission struct {
-	Name      string
-	Endpoints []string
-}
-
-type APIPermissions struct {
-	permissions  map[string]*KeyPermission
-	lastModified time.Time
-	mutex        sync.RWMutex
-}
-
-var ws = regexp.MustCompile(`\s+`)
-
-func authkeyPath() (string, error) {
-	home, err := os.UserHomeDir()
-	if err != nil {
-		return "", err
-	}
-
-	return filepath.Join(home, ".ollama", "authorized_keys"), nil
-}
-
-func NewAPIPermissions() *APIPermissions {
-	return &APIPermissions{
-		permissions: make(map[string]*KeyPermission),
-		mutex:       sync.RWMutex{},
-	}
-}
-
-func (ap *APIPermissions) ReloadIfNeeded() error {
-	ap.mutex.Lock()
-	defer ap.mutex.Unlock()
-
-	filename, err := authkeyPath()
-	if err != nil {
-		return err
-	}
-
-	fileInfo, err := os.Stat(filename)
-	if err != nil {
-		return fmt.Errorf("failed to stat file: %v", err)
-	}
-
-	if !fileInfo.ModTime().After(ap.lastModified) {
-		return nil
-	}
-
-	file, err := os.Open(filename)
-	if err != nil {
-		return fmt.Errorf("failed to open file: %v", err)
-	}
-	defer file.Close()
-
-	ap.lastModified = fileInfo.ModTime()
-	return ap.parse(file)
-}
-
-func (ap *APIPermissions) parse(r io.Reader) error {
-	ap.permissions = make(map[string]*KeyPermission)
-
-	scanner := bufio.NewScanner(r)
-	var cnt int
-	for scanner.Scan() {
-		cnt += 1
-		line := strings.TrimSpace(scanner.Text())
-
-		if line == "" || strings.HasPrefix(line, "#") {
-			continue
-		}
-
-		line = ws.ReplaceAllString(line, " ")
-
-		entry, err := ap.parseLine(line)
-		if err != nil {
-			slog.Warn(fmt.Sprintf("authorized_keys line %d: skipping invalid line: %v\n", cnt, err))
-			continue
-		}
-
-		var pubKeyStr string
-
-		if entry.PublicKey == "*" {
-			pubKeyStr = "*"
-		} else {
-			pubKey, err := ap.validateAndDecodeKey(entry)
-			if err != nil {
-				slog.Warn(fmt.Sprintf("authorized_keys line %d: invalid key for %s: %v\n", cnt, entry.Name, err))
-				continue
-			}
-			pubKeyStr = pubKey
-		}
-
-		if perm, exists := ap.permissions[pubKeyStr]; exists {
-			if perm.Name == "default" {
-				perm.Name = entry.Name
-			}
-			if len(perm.Endpoints) == 1 && perm.Endpoints[0] == "*" {
-				// skip redundant entries
-				continue
-			} else if len(entry.Endpoints) == 1 && entry.Endpoints[0] == "*" {
-				// overwrite redundant entries
-				perm.Endpoints = entry.Endpoints
-			} else {
-				perm.Endpoints = append(perm.Endpoints, entry.Endpoints...)
-			}
-		} else {
-			ap.permissions[pubKeyStr] = &KeyPermission{
-				Name:      entry.Name,
-				Endpoints: entry.Endpoints,
-			}
-		}
-	}
-
-	return scanner.Err()
-}
-
-func (ap *APIPermissions) parseLine(line string) (*KeyEntry, error) {
-	parts := strings.SplitN(line, " ", 4)
-	if len(parts) < 2 {
-		return nil, fmt.Errorf("key type and public key not found")
-	}
-
-	kind, b64Key := parts[0], parts[1]
-	name := "default"
-	eps := "*"
-
-	if len(parts) >= 3 && parts[2] != "" {
-		if parts[2] != "*" {
-			name = parts[2]
-		}
-	}
-
-	if len(parts) == 4 && parts[3] != "" {
-		eps = parts[3]
-	}
-
-	if kind != "ssh-ed25519" && kind != "*" {
-		return nil, fmt.Errorf("unsupported key type %s", kind)
-	}
-
-	if kind == "*" && b64Key != "*" {
-		return nil, fmt.Errorf("unsupported key type")
-	}
-
-	var endpoints []string
-	if eps == "*" {
-		endpoints = []string{"*"}
-	} else {
-		for _, e := range strings.Split(eps, ",") {
-			e = strings.TrimSpace(e)
-			if e == "" {
-				return nil, fmt.Errorf("empty endpoint in list")
-			} else if e == "*" {
-				endpoints = []string{"*"}
-				break
-			}
-			endpoints = append(endpoints, e)
-		}
-	}
-
-	return &KeyEntry{
-		PublicKey: b64Key,
-		Name:      name,
-		Endpoints: endpoints,
-	}, nil
-}
-
-func (ap *APIPermissions) validateAndDecodeKey(entry *KeyEntry) (string, error) {
-	keyBlob, err := base64.StdEncoding.DecodeString(entry.PublicKey)
-	if err != nil {
-		return "", fmt.Errorf("base64 decode: %w", err)
-	}
-	pub, err := ssh.ParsePublicKey(keyBlob)
-	if err != nil {
-		return "", fmt.Errorf("parse key: %w", err)
-	}
-	if pub.Type() != ssh.KeyAlgoED25519 {
-		return "", fmt.Errorf("key is not Ed25519")
-	}
-
-	return entry.PublicKey, nil
-}
-
-func (ap *APIPermissions) Authorize(pubKey ssh.PublicKey, endpoint string) (bool, string, error) {
-	if err := ap.ReloadIfNeeded(); err != nil {
-		return false, "unknown", err
-	}
-
-	ap.mutex.RLock()
-	defer ap.mutex.RUnlock()
-
-	if wildcardPerm, exists := ap.permissions["*"]; exists {
-		if len(wildcardPerm.Endpoints) == 1 && wildcardPerm.Endpoints[0] == "*" {
-			return true, wildcardPerm.Name, nil
-		}
-
-		for _, allowedEndpoint := range wildcardPerm.Endpoints {
-			if allowedEndpoint == endpoint {
-				return true, wildcardPerm.Name, nil
-			}
-		}
-	}
-
-	keyString := string(ssh.MarshalAuthorizedKey(pubKey))
-	parts := strings.SplitN(keyString, " ", 2)
-	var base64Key string
-	if len(parts) > 1 {
-		base64Key = parts[1]
-	} else {
-		base64Key = parts[0]
-	}
-
-	base64Key = strings.TrimSpace(base64Key)
-
-	perm, exists := ap.permissions[base64Key]
-	if !exists {
-		return false, "unknown", nil
-	}
-
-	if len(perm.Endpoints) == 1 && perm.Endpoints[0] == "*" {
-		return true, perm.Name, nil
-	}
-
-	for _, allowedEndpoint := range perm.Endpoints {
-		if allowedEndpoint == endpoint {
-			return true, perm.Name, nil
-		}
-	}
-
-	return false, "unknown", nil
-}

auth/authorized_keys_test.go

@@ -1,133 +0,0 @@
-package auth
-
-import (
-	"bytes"
-	"reflect"
-	"testing"
-)
-
-const validB64 = "AAAAC3NzaC1lZDI1NTE5AAAAICy1v/Sn0kGhu1LXzCsnx3wlk5ESdncS66JWo13yeJod"
-
-func TestParse(t *testing.T) {
-	tests := []struct {
-		name string
-		file string
-		want map[string]*KeyPermission
-	}{
-		{
-			name: "two fields only defaults",
-			file: "ssh-ed25519 " + validB64 + "\n",
-			want: map[string]*KeyPermission{
-				validB64: {
-					Name:      "default",
-					Endpoints: []string{"*"},
-				},
-			},
-		},
-		{
-			name: "extra whitespace collapsed and default endpoints",
-			file: "ssh-ed25519  " + validB64 + "   alice\n",
-			want: map[string]*KeyPermission{
-				validB64: {
-					Name:      "alice",
-					Endpoints: []string{"*"},
-				},
-			},
-		},
-		{
-			name: "four fields full",
-			file: "ssh-ed25519 " + validB64 + " bob /api/foo,/api/bar\n",
-			want: map[string]*KeyPermission{
-				validB64: {
-					Name:      "bob",
-					Endpoints: []string{"/api/foo", "/api/bar"},
-				},
-			},
-		},
-		{
-			name: "comment lines ignored and multiple entries",
-			file: "# header\n\nssh-ed25519 " + validB64 + " user1\nssh-ed25519 " + validB64 + "  user2  /api/x\n",
-			want: map[string]*KeyPermission{
-				validB64: {
-					Name:      "user1",
-					Endpoints: []string{"*"},
-				},
-			},
-		},
-		{
-			name: "three entries variety",
-			file: "ssh-ed25519 " + validB64 + "\nssh-ed25519 " + validB64 + " alice /api/a,/api/b\nssh-ed25519 " + validB64 + " bob /api/c\n",
-			want: map[string]*KeyPermission{
-				validB64: {
-					Name:      "alice",
-					Endpoints: []string{"*"},
-				},
-			},
-		},
-		{
-			name: "two entries w/ wildcard",
-			file: "ssh-ed25519 " + validB64 + " alice /api/a\n* * * /api/b\n",
-			want: map[string]*KeyPermission{
-				validB64: {
-					Name:      "alice",
-					Endpoints: []string{"/api/a"},
-				},
-				"*": {
-					Name:      "default",
-					Endpoints: []string{"/api/b"},
-				},
-			},
-		},
-		{
-			name: "tags for everyone",
-			file: "* * * /api/tags",
-			want: map[string]*KeyPermission{
-				"*": {
-					Name:      "default",
-					Endpoints: []string{"/api/tags"},
-				},
-			},
-		},
-		{
-			name: "default name",
-			file: "* * somename",
-			want: map[string]*KeyPermission{
-				"*": {
-					Name:      "somename",
-					Endpoints: []string{"*"},
-				},
-			},
-		},
-		{
-			name: "unsupported key type",
-			file: "ssh-rsa AAAAB3Nza...\n",
-			want: map[string]*KeyPermission{},
-		},
-		{
-			name: "bad base64",
-			file: "ssh-ed25519 invalid@@@\n",
-			want: map[string]*KeyPermission{},
-		},
-		{
-			name: "just an asterix",
-			file: "*\n",
-			want: map[string]*KeyPermission{},
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			perms := NewAPIPermissions()
-			err := perms.parse(bytes.NewBufferString(tc.file))
-			if err != nil {
-				t.Fatalf("unexpected error: %v", err)
-			}
-			if len(perms.permissions) != len(tc.want) {
-				t.Fatalf("got %d entries, want %d", len(perms.permissions), len(tc.want))
-			}
-			if !reflect.DeepEqual(perms.permissions, tc.want) {
-				t.Errorf("got %+v, want %+v", perms.permissions, tc.want)
-			}
-		})
-	}
-}

discover/amd_linux.go

@@ -58,7 +58,7 @@ func AMDGetGPUInfo() ([]RocmGPUInfo, error) {
 	driverMajor, driverMinor, err := AMDDriverVersion()
 	if err != nil {
 		// TODO - if we see users crash and burn with the upstreamed kernel this can be adjusted to hard-fail rocm support and fallback to CPU
-		slog.Warn("ollama recommends running the https://www.amd.com/en/support/linux-drivers", "error", err)
+		slog.Warn("ollama recommends running the https://www.amd.com/en/support/download/linux-drivers.html", "error", err)
 	}
 
 	// Determine if the user has already pre-selected which GPUs to look at, then ignore the others

llama/patches/0019-metal-add-mean-kernel-14267.patch

@@ -19,7 +19,7 @@ diff --git a/ggml/src/ggml-metal/ggml-metal.m b/ggml/src/ggml-metal/ggml-metal.m
 index a9eeebc6..110c9ece 100644
 --- a/ggml/src/ggml-metal/ggml-metal.m
 +++ b/ggml/src/ggml-metal/ggml-metal.m
-@@ -489,6 +489,7 @@ enum ggml_metal_kernel_type {
+@@ -489,6 +489,7 @@ static void ggml_backend_metal_device_rel(struct ggml_backend_metal_device_conte
      GGML_METAL_KERNEL_TYPE_COS,
      GGML_METAL_KERNEL_TYPE_NEG,
      GGML_METAL_KERNEL_TYPE_SUM_ROWS,
@@ -27,7 +27,7 @@ index a9eeebc6..110c9ece 100644
      GGML_METAL_KERNEL_TYPE_POOL_2D_AVG_F32,
      GGML_METAL_KERNEL_TYPE_POOL_2D_MAX_F32,
      GGML_METAL_KERNEL_TYPE_ARGMAX,
-@@ -1436,6 +1437,7 @@ static struct ggml_backend_metal_context * ggml_metal_init(ggml_backend_dev_t de
+@@ -1436,6 +1437,7 @@ @implementation GGMLMetalClass
          GGML_METAL_ADD_KERNEL(GGML_METAL_KERNEL_TYPE_COS,                             cos,                             true);
          GGML_METAL_ADD_KERNEL(GGML_METAL_KERNEL_TYPE_NEG,                             neg,                             true);
          GGML_METAL_ADD_KERNEL(GGML_METAL_KERNEL_TYPE_SUM_ROWS,                        sum_rows,                        true);

llama/patches/0022-BF16-macos-version-guard.patch

@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Hiltgen <daniel@ollama.com>
+Date: Wed, 30 Jul 2025 08:43:46 -0700
+Subject: [PATCH] BF16 macos version guard
+
+Only enable BF16 on supported MacOS versions (v14+)
+---
+ ggml/src/ggml-metal/ggml-metal.m | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ggml/src/ggml-metal/ggml-metal.m b/ggml/src/ggml-metal/ggml-metal.m
+index 110c9ece..ab46f6e3 100644
+--- a/ggml/src/ggml-metal/ggml-metal.m
++++ b/ggml/src/ggml-metal/ggml-metal.m
+@@ -89,7 +89,11 @@
+         ctx->has_bfloat |= [ctx->mtl_device supportsFamily:MTLGPUFamilyApple6];
+ 
+ #if defined(GGML_METAL_USE_BF16)
+-        ctx->use_bfloat = ctx->has_bfloat;
++        if (@available(macOS 14.0, *)) {
++            ctx->use_bfloat = ctx->has_bfloat;
++        } else {
++            ctx->use_bfloat = false;
++        }
+ #else
+         ctx->use_bfloat = false;
+ #endif

ml/backend/ggml/ggml/src/ggml-metal/ggml-metal.m

@@ -89,7 +89,11 @@ static id<MTLDevice> ggml_backend_metal_device_acq(struct ggml_backend_metal_dev
         ctx->has_bfloat |= [ctx->mtl_device supportsFamily:MTLGPUFamilyApple6];
 
 #if defined(GGML_METAL_USE_BF16)
-        ctx->use_bfloat = ctx->has_bfloat;
+        if (@available(macOS 14.0, *)) {
+            ctx->use_bfloat = ctx->has_bfloat;
+        } else {
+            ctx->use_bfloat = false;
+        }
 #else
         ctx->use_bfloat = false;
 #endif

server/routes.go

@@ -28,7 +28,6 @@ import (
 	"golang.org/x/sync/errgroup"
 
 	"github.com/ollama/ollama/api"
-	"github.com/ollama/ollama/auth"
 	"github.com/ollama/ollama/discover"
 	"github.com/ollama/ollama/envconfig"
 	"github.com/ollama/ollama/fs/ggml"
@@ -56,8 +55,6 @@ var mode string = gin.DebugMode
 type Server struct {
 	addr  net.Addr
 	sched *Scheduler
-
-	perms *auth.APIPermissions
 }
 
 func init() {
@@ -72,38 +69,6 @@ func init() {
 	gin.SetMode(mode)
 }
 
-func loggedFormatter(param gin.LogFormatterParams) string {
-	var statusColor, methodColor, resetColor string
-	if param.IsOutputColor() {
-		statusColor = param.StatusCodeColor()
-		methodColor = param.MethodColor()
-		resetColor = param.ResetColor()
-	}
-
-	if param.Latency > time.Minute {
-		param.Latency = param.Latency.Truncate(time.Second)
-	}
-
-	username := "default"
-	if userVal, exists := param.Keys["username"]; exists {
-		if name, ok := userVal.(string); ok {
-			username = name
-		}
-	}
-
-	return fmt.Sprintf(
-		"[Ollama] %s |%s %3d %s| %13v | %15s | %-20s |%s %-7s %s %#v\n%s",
-		param.TimeStamp.Format("2006/01/02 - 15:04:05"),
-		statusColor, param.StatusCode, resetColor,
-		param.Latency,
-		param.ClientIP,
-		username,
-		methodColor, param.Method, resetColor,
-		param.Path,
-		param.ErrorMessage,
-	)
-}
-
 var (
 	errRequired    = errors.New("is required")
 	errBadTemplate = errors.New("template error")
@@ -1146,43 +1111,6 @@ func allowedHost(host string) bool {
 	return false
 }
 
-func allowedEndpointsMiddleware(perms *auth.APIPermissions) gin.HandlerFunc {
-	return func(c *gin.Context) {
-		if !envconfig.UseAuth() || (c.Request.Method == "HEAD" && c.Request.URL.Path == "/") {
-			c.Next()
-			return
-		}
-
-		token := strings.TrimPrefix(c.Request.Header.Get("Authorization"), "Bearer ")
-		if token == "" {
-			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
-			return
-		}
-
-		pubKey, err := auth.Authenticate(token, fmt.Sprintf("%s,%s", c.Request.Method, c.Request.RequestURI))
-		if err != nil {
-			slog.Error("authentication error", "error", err)
-			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
-			return
-		}
-
-		authorized, name, err := perms.Authorize(pubKey, c.Request.URL.Path)
-		c.Set("username", name)
-		if err != nil {
-			slog.Error("authorization error", "error", err)
-			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
-			return
-		}
-
-		if !authorized {
-			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
-			return
-		}
-
-		c.Next()
-	}
-}
-
 func allowedHostsMiddleware(addr net.Addr) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		if addr == nil {
@@ -1249,13 +1177,10 @@ func (s *Server) GenerateRoutes(rc *ollama.Registry) (http.Handler, error) {
 	}
 	corsConfig.AllowOrigins = envconfig.AllowedOrigins()
 
-	r := gin.New()
+	r := gin.Default()
 	r.HandleMethodNotAllowed = true
 	r.Use(
-		gin.LoggerWithFormatter(loggedFormatter),
-		gin.Recovery(),
 		cors.New(corsConfig),
-		allowedEndpointsMiddleware(s.perms),
 		allowedHostsMiddleware(s.addr),
 	)
 
@@ -1265,7 +1190,7 @@ func (s *Server) GenerateRoutes(rc *ollama.Registry) (http.Handler, error) {
 	r.HEAD("/api/version", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"version": version.Version}) })
 	r.GET("/api/version", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"version": version.Version}) })
 
-	// Local model cache management
+	// Local model cache management (new implementation is at end of function)
 	r.POST("/api/pull", s.PullHandler)
 	r.POST("/api/push", s.PushHandler)
 	r.HEAD("/api/tags", s.ListHandler)
@@ -1297,7 +1222,7 @@ func (s *Server) GenerateRoutes(rc *ollama.Registry) (http.Handler, error) {
 		// wrap old with new
 		rs := &registry.Local{
 			Client:   rc,
-			Logger:   slog.Default(),
+			Logger:   slog.Default(), // TODO(bmizerany): Take a logger, do not use slog.Default()
 			Fallback: r,
 
 			Prune: PruneLayers,
@@ -1342,12 +1267,6 @@ func Serve(ln net.Listener) error {
 
 	s := &Server{addr: ln.Addr()}
 
-	if envconfig.UseAuth() {
-		perms := auth.NewAPIPermissions()
-		perms.ReloadIfNeeded()
-		s.perms = perms
-	}
-
 	var rc *ollama.Registry
 	if useClient2 {
 		var err error