CINXE.COM
Forgejo News
<?xml version="1.0" encoding="UTF-8"?><?xml-stylesheet href="/pretty-feed-v3.xsl" type="text/xsl"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Forgejo News</title><description>Forgejo is a self-hosted lightweight software forge. Easy to install and low maintenance, it just does the job.</description><link>https://forgejo.org/</link><item><title>Forgejo monthly update - October 2024</title><link>https://forgejo.org/2024-10-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2024-10-monthly-update/</guid><description>Forgejo is two years old and has been a lively human adventure, a story worth telling. A hackathon organized by Codeberg generated thousands of new translations. Forgejo v9.0.0 was published, as well as a security patch release which was backported to Forgejo v7, the six month old Long Term Support version. A kubernetes cluster was created to replace the current infrastructure, running Forgejo from the Helm Chart.</description><pubDate>Thu, 31 Oct 2024 00:00:00 GMT</pubDate><content:encoded><p>The monthly report is meant to provide a good overview of what has changed in Forgejo in the past month. If you would like to help, please get in touch in <a href="https://matrix.to/#/#forgejo-chat:matrix.org">the chatroom</a> or participate in the <a href="https://codeberg.org/forgejo/discussions">ongoing discussions</a>.</p> <h2>Two years - a recap</h2> <p>In October 2022 <a href="https://gitea-open-letter.coding.social/">Forgejo was announced</a> in reaction to the takeover of <a href="https://en.wikipedia.org/wiki/Gitea#Forgejo_fork">Gitea</a>. After a two months of preparation, <a href="https://forgejo.org/2022-12-26-monthly-update/">the first release</a> was published and <a href="https://blog.codeberg.org/codeberg-launches-forgejo.html">Codeberg announced</a> using it because <em>"it provides Codeberg with an essential feature: trust"</em>.</p> <p>The <a href="https://forgejo.org/2023-01-31-monthly-update/#security-releases">security team</a> got quite busy soon and <a href="https://forgejo.org/2023-01-31-monthly-update/">published multiple releases</a>. The release team was also able to deliver but <a href="https://forgejo.org/2023-02-12-tags/">a mistake was made</a>. This was the first occasion for Forgejo to show that problems are explained transparently and their impact articulated clearly. The integrated CI, Forgejo Actions, <a href="https://forgejo.org/2023-02-27-forgejo-actions/">was announced</a> and <a href="https://forgejo.org/2023-03-monthly-update/#dogfooding-forgejo-actions">started to be used by Forgejo itself</a> very early on.</p> <p>In February 2023 someone new (who wasn’t a contributor that the project is relying on) joined the chat and issue tracker, spoke repeatedly in ways that was hurtful/painful to Forgejo community members, and did not seem to have capacity to speak more sensitively, despite offers for support and repeated requests. <a href="https://forgejo.org/2023-03-monthly-update/#the-forgejo-community-is-healing">It distracted community members from productive and important work</a> on governance, strategy and development. Some community members went silent, others were on edge. The <a href="https://codeberg.org/forgejo/governance/src/commit/5c07b3801537212ed6be1edfec298d7b004ce92d/MODERATION-PROCESS.md">moderation process</a> was created during these challenging times. It took months for the community to heal.</p> <p>In search for long term sustainability, <a href="https://codeberg.org/forgejo/sustainability/issues/1">the first grant application</a> was sent. It was awarded and the funds allowed Codeberg to hire developers early 2024. It was not perfectly managed and <a href="https://forgejo.org/2024-09-monthly-update/#sustainability">in December 2024</a> a significant part of the funds will be returned because they were not spent. It currently is the priority of the sustainability team <a href="https://forgejo.org/2024-08-monthly-update/#sustainability">established in August 2024</a>.</p> <p>After weeks of discussions, a decision was made to <a href="https://forgejo.org/2023-06-copyleft/">welcome copyleft contributions in Forgejo</a> in June 2023. The <a href="https://codeberg.org/forgejo/governance/src/commit/5c07b3801537212ed6be1edfec298d7b004ce92d/DECISION-MAKING.md">Forgejo decision making process</a> requires that all concerns are heard and answered before a decision is final. It takes long but is also a key to being inclusive. It became a reality <a href="https://forgejo.org/2024-08-gpl/">a year later, in August 2024</a>.</p> <p>Forgejo federation is and will always be the highest priority of the Forgejo project. Every month, since the beginning, <a href="https://forgejo.org/2023-06-monthly-update/#state-of-the-forge-federation-2023-edition">updates on its progress</a> are published. It is still not in a usable state, two years later, and that has caused some frustration <a href="https://forgejo.org/2024-08-monthly-update/#federation">but the work continues</a>.</p> <p>In August 2023 <a href="https://forgejo.org/2023-08-release-v1-20-3-0/#fixing-the-risk-of-data-loss-related-to-storage-sections">a regression was discovered</a> to cause data loss. A lot of work went into fixing it and publishing documentation explaining how to recover. It was caused by a refactor that was not properly tested and was one of the main motivation to require that <a href="https://codeberg.org/forgejo/governance/src/commit/5c07b3801537212ed6be1edfec298d7b004ce92d/PullRequestsAgreement.md">every pull request merged in Forgejo is tested</a>.</p> <p>In <a href="https://forgejo.org/2023-09-monthly-update/">the</a> <a href="https://forgejo.org/2023-10-monthly-update/">last</a> <a href="https://forgejo.org/2023-11-monthly-update/">months</a> of 2023, Forgejo contributors kept improving while rebasing all the changes on top of the Gitea codebase. However, when Gitea Cloud was announced in December 2023 and after <a href="https://codeberg.org/forgejo/discussions/issues/92">some investigation</a>, it became clear that <a href="https://codeberg.org/forgejo/discussions/issues/102">Gitea turned Open Core</a>.</p> <p>In January 2024, <a href="https://forgejo.org/2024-01-monthly-update/#localization">the Forgejo localization</a> team came into existence, in anticipation of a hard fork. Before that, the Forgejo translations depended on Gitea translations which are trapped in a proprietary service. The initial localization team covered Arabic, Dutch, French, Russian, Greek and German and kept growing since.</p> <p>Forgejo was ready for such an event and <a href="https://forgejo.org/2024-02-forking-forward/">declared its intention to become a hard fork</a>, separating itself from Gitea even further. Just as for the decision to welcome copyleft contributions, this required weeks of (sometime intense) discussions. And it also <a href="https://forgejo.org/2024-02-monthly-update/#implementation-of-the-hard-fork">took weeks of work to be implemented</a> in March 2023. Coincidentally the Open Core turn of Gitea was confirmed when a the first proprietary version of Gitea was announced around the same time.</p> <p>There was a sense of liberation when the hard fork began: it was possible to write code incompatible with the Gitea codebase! But there was also a price to pay: features and bug fixes relying on such code could not be shared with Gitea. It would have been easy to be carried away and get stuck with not enough contributors to maintain a codebase that diverged too quickly. To mitigate that risk <a href="https://forgejo.org/2024-04-monthly-update/#dependency-management">dependency management tooling</a> and a weekly observation of Gitea activity was organized and is still in place.</p> <p>The Forgejo v9.0 release that <a href="https://forgejo.org/2024-10-release-v9-0/">was published in October 2024</a> is the third major release after the hard fork. It includes a feature that would have never been possible before (quotas) because it requires architectural changes conflicting with the Gitea codebase. Forgejo v7 is a <a href="https://forgejo.org/2024-04-release-v7-0/">Long Term Support release</a>, the first of its kind, supported during a year instead of three months. It is another benefit of the hard fork, made possible because Forgejo is no longer bound to the Gitea release cycle.</p> <p>In these past two years Forgejo matured and transformed into an independent project, with a solid user base and a lively community of contributors. It involved a lot of coding and other time consuming technical work. But it was first and foremost a human adventure, with its share of plot twists and drama.</p> <h2>Forgejo releases</h2> <p>On 16 October <a href="https://forgejo.org/2024-10-release-v9-0/">Forgejo v9.0 was published</a>. It is the first version to be released under a copyleft license. Codeberg was upgraded a week later. Regressions were discovered and fixed. Some of them were only noticeable visually (diagrams not showing labels or the displayed name of archives). Another was about the container image size that grew significantly (<a href="https://code.forgejo.org/forgejo/-/packages/container/forgejo/9.0.0">180MB for v9.0.0</a>) and was reduced to <a href="https://code.forgejo.org/forgejo/-/packages/container/forgejo/9.0.1">70MB for v9.0.1</a>, back to the size of the <a href="https://code.forgejo.org/forgejo/-/packages/container/forgejo/7">Forgejo v7</a> images.</p> <p>On 28 October <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#9-0-1">Forgejo v9.0.1</a> was published and fixes those regressions. It also contains two security fixes that were backported and published as <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-10">Forgejo v7.0.10</a>, the Long Term Support version.</p> <p>These releases are the first to reflect the new Forgejo lifecycle. Before Long Term Release support existed, only v9 and v8 would have been supported, i.e. the last two major versions. But since <a href="https://forgejo.org/docs/next/contributor/release/#release-cycle">v7 is supported until July 2025</a>, the supported versions are now v9 and v7, i.e. the latest version and the long term support version.</p> <h2>User Research</h2> <p>The user research team conducted <a href="https://codeberg.org/forgejo/user-research/src/branch/main/surveys/repository-settings">a survey regarding the repository settings</a> during two weeks in October. It encouraged participation by showing banners to users of Codeberg in the repository section, linking to an external survey on Cryptpad.</p> <p>There have been 118 submissions and the analysis is still ongoing, but there is already valuable feedback among the reviewed feedback. Thanks to all the participants!</p> <p>There has been a rather <a href="https://codeberg.org/forgejo/user-research/src/commit/cd211e8cd40497a5e6e677a9d38b5450a2f519f9/interviews/other-feedback/2024-10-10-accessibility.md">spontaneous interview regarding accessibility</a> with a Codeberg user. They reported a serious issue with their screen reader, which we didn't yet manage to reproduce (even after a contributor set up a test environment with the proprietary operating system and the screen reader). Investigation of this issue currently has high priority and we hope to fix the issues as soon as possible.</p> <h2>Security Policy</h2> <p>Forgejo <a href="https://codeberg.org/forgejo/governance/pulls/185">published</a> its <a href="https://codeberg.org/forgejo/governance/src/branch/main/SECURITY-POLICY.md">security policy</a> to clarify communication and collaboration of the Forgejo security team with external parties such as libraries, security researchers and users.</p> <p>Advance notice of security releases are <a href="https://codeberg.org/forgejo/security-announcements/issues">available publicly</a>. They do not contain specific information until the day of the release and are meant to help Forgejo admin plan for an upgrade.</p> <p>Gitea was given a detailed description of the <a href="https://codeberg.org/forgejo/forgejo/milestone/8544">security issues</a> fixed in the the v9.0.1 and v7.0.10 releases in advance, as well as a patch waiving copyright to fix them. From now on, any third party willing to receive such details in advance is required to explicitly agree to comply with the security policy.</p> <h2>Helm chart</h2> <p>A new major version, <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases/tag/v10.0.0">10.0.0</a> was published. It updates the Forgejo docker tag to v9.</p> <p>The Forgejo helm chart had <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases">security patch updates</a>, in both v7 and v10. <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases/tag/v7.1.3">Helm chart v7.1.3</a> and <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases/tag/v10.0.1">v10.0.1</a> are the latest.</p> <h2>Localization</h2> <p>The <a href="https://codeberg.org/Codeberg/translathon-2024#translathon-2024">translation hackathon (translathon)</a> organized by Codeberg this month resulted in many new contributors joining and making thousands of additions and improvements.</p> <p>In total, 57 people contributed to the translations this month, which is significantly more than any previous month.</p> <p>A <a href="https://codeberg.org/forgejo/forgejo/pulls/5703">new script</a> was added to process the localization files and verify that they contain only valid HTML insertions that follow the strictly defined rules. This should make it nearly impossible to insert malicious HTML.</p> <p>Due to project's legacy, the localization strings traditionally were able to contain any arbitrary HTML code and often had hardcoded links and other aging code. The addition of this script reduces the number of attack vectors on Forgejo's codebase and improves it's maintainability. Fortunately, there have been no security incidents caused by this flaw.</p> <h2>Infrastructure</h2> <p>A new <a href="https://code.forgejo.org/infrastructure/k8s-cluster/src/commit/42b69d45dc19bfcca53b7174c4b394c89bb3d8c6/README.md">k8s cluster</a> was created and planned to replace the <a href="https://code.forgejo.org/infrastructure/documentation/src/commit/31044c95882a4dd9b3c463c81f060586f2dc96f2/README.md">current setup</a>. Instead of ad-hoc scripts, conventions and associated documentation, it relies on a <a href="https://code.forgejo.org/infrastructure/k8s-cluster/src/commit/42b69d45dc19bfcca53b7174c4b394c89bb3d8c6/flux">declarative description</a> that updates the cluster when a commit is pushed to the repository.</p> <p>It went through a few disaster recovery tests and is now in production, hosting <a href="https://next.forgejo.org">https://next.forgejo.org</a> and <a href="https://v7.next.forgejo.org">https://v7.next.forgejo.org</a>, ready to welcome other Forgejo instances.</p> <p>The motivation for creating this new cluster is to improve the availability of <a href="https://code.forgejo.org">https://code.forgejo.org</a> in the <a href="https://forgejo.org/2024-09-monthly-update/#infrastructure">wake of last month downtime</a>. But it also significantly improves automation and reduces the technical debt. It will obsolete the ad-hoc scripts (<a href="https://code.forgejo.org/infrastructure/wakeup-on-logs">wakeup-on-logs</a>, <a href="https://code.forgejo.org/infrastructure/documentation/src/commit/31044c95882a4dd9b3c463c81f060586f2dc96f2/README.md">shell scripts</a>, ...), conventions and <a href="https://code.forgejo.org/infrastructure/documentation/src/commit/31044c95882a4dd9b3c463c81f060586f2dc96f2/README.md">documentation</a>.</p> <p>A k8s cluster is more attractive to Forgejo contributors who are willing to improve and maintain the infrastructure. They are in familiar territory if they already know k8s and do not need to learn new tools. They can start contributing with pull requests to the <a href="https://code.forgejo.org/infrastructure/k8s-cluster">repository describing the cluster</a> and eventually apply to become a member of the devops team when they gained enough trust.</p> <p>It is a lot more work to learn k8s from scratch than it is to learn the current ad-hoc system from scratch. From that point of view, this transformation does not make it easier to find volunteers willing to participate. However, there are a lot of devops who already learned k8s while nobody knows the current ad-hoc system. They do not need to learn k8s and can jump right in.</p> <h2>Sustainability</h2> <p>The beneficiaries of the NLnet grant application sent in April 2024 are no longer available. A <a href="https://codeberg.org/forgejo/sustainability/issues/63#issuecomment-2391355">call for participation</a> was posted to find Forgejo contributors willing to participate.</p> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/0ko">https://codeberg.org/0ko</a></li> <li><a href="https://codeberg.org/242336">https://codeberg.org/242336</a></li> <li><a href="https://codeberg.org/algernon">https://codeberg.org/algernon</a></li> <li><a href="https://codeberg.org/AliveDevil">https://codeberg.org/AliveDevil</a></li> <li><a href="https://codeberg.org/amano.kenji">https://codeberg.org/amano.kenji</a></li> <li><a href="https://codeberg.org/anbraten">https://codeberg.org/anbraten</a></li> <li><a href="https://codeberg.org/avobs">https://codeberg.org/avobs</a></li> <li><a href="https://codeberg.org/behm">https://codeberg.org/behm</a></li> <li><a href="https://codeberg.org/brainiac">https://codeberg.org/brainiac</a></li> <li><a href="https://codeberg.org/caesar">https://codeberg.org/caesar</a></li> <li><a href="https://codeberg.org/cdotnow">https://codeberg.org/cdotnow</a></li> <li><a href="https://codeberg.org/chrisnicola">https://codeberg.org/chrisnicola</a></li> <li><a href="https://codeberg.org/ChrSt">https://codeberg.org/ChrSt</a></li> <li><a href="https://codeberg.org/cider">https://codeberg.org/cider</a></li> <li><a href="https://codeberg.org/CL0Pinette">https://codeberg.org/CL0Pinette</a></li> <li><a href="https://codeberg.org/Crown0815">https://codeberg.org/Crown0815</a></li> <li><a href="https://codeberg.org/cryptolukas">https://codeberg.org/cryptolukas</a></li> <li><a href="https://codeberg.org/Cyborus">https://codeberg.org/Cyborus</a></li> <li><a href="https://codeberg.org/DamianT">https://codeberg.org/DamianT</a></li> <li><a href="https://codeberg.org/danshearer">https://codeberg.org/danshearer</a></li> <li><a href="https://codeberg.org/David-Guillot">https://codeberg.org/David-Guillot</a></li> <li><a href="https://codeberg.org/dawn-solace">https://codeberg.org/dawn-solace</a></li> <li><a href="https://codeberg.org/Dirk">https://codeberg.org/Dirk</a></li> <li><a href="https://codeberg.org/dmowitz">https://codeberg.org/dmowitz</a></li> <li><a href="https://codeberg.org/dragon">https://codeberg.org/dragon</a></li> <li><a href="https://codeberg.org/d-s">https://codeberg.org/d-s</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/edgalligan">https://codeberg.org/edgalligan</a></li> <li><a href="https://codeberg.org/Ellpeck">https://codeberg.org/Ellpeck</a></li> <li><a href="https://codeberg.org/Ember">https://codeberg.org/Ember</a></li> <li><a href="https://codeberg.org/etescartz">https://codeberg.org/etescartz</a></li> <li><a href="https://codeberg.org/ewfg">https://codeberg.org/ewfg</a></li> <li><a href="https://codeberg.org/ezra">https://codeberg.org/ezra</a></li> <li><a href="https://codeberg.org/floss4good">https://codeberg.org/floss4good</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/foxy">https://codeberg.org/foxy</a></li> <li><a href="https://codeberg.org/fuggla">https://codeberg.org/fuggla</a></li> <li><a href="https://codeberg.org/GDWR">https://codeberg.org/GDWR</a></li> <li><a href="https://codeberg.org/gregdechene">https://codeberg.org/gregdechene</a></li> <li><a href="https://codeberg.org/grgi">https://codeberg.org/grgi</a></li> <li><a href="https://codeberg.org/grosmanal">https://codeberg.org/grosmanal</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/herzenschein">https://codeberg.org/herzenschein</a></li> <li><a href="https://codeberg.org/io7m">https://codeberg.org/io7m</a></li> <li><a href="https://codeberg.org/iustin">https://codeberg.org/iustin</a></li> <li><a href="https://codeberg.org/jacobwillden">https://codeberg.org/jacobwillden</a></li> <li><a href="https://codeberg.org/JakobDev">https://codeberg.org/JakobDev</a></li> <li><a href="https://codeberg.org/jalil">https://codeberg.org/jalil</a></li> <li><a href="https://codeberg.org/jean-daricade">https://codeberg.org/jean-daricade</a></li> <li><a href="https://codeberg.org/jerger">https://codeberg.org/jerger</a></li> <li><a href="https://codeberg.org/jogibear9988">https://codeberg.org/jogibear9988</a></li> <li><a href="https://codeberg.org/julianmarcos">https://codeberg.org/julianmarcos</a></li> <li><a href="https://codeberg.org/jutty">https://codeberg.org/jutty</a></li> <li><a href="https://codeberg.org/jwakely">https://codeberg.org/jwakely</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/kidsan">https://codeberg.org/kidsan</a></li> <li><a href="https://codeberg.org/Kidswiss">https://codeberg.org/Kidswiss</a></li> <li><a href="https://codeberg.org/kita">https://codeberg.org/kita</a></li> <li><a href="https://codeberg.org/kuolemaa">https://codeberg.org/kuolemaa</a></li> <li><a href="https://codeberg.org/Kwonunn">https://codeberg.org/Kwonunn</a></li> <li><a href="https://codeberg.org/kytta">https://codeberg.org/kytta</a></li> <li><a href="https://codeberg.org/lapo">https://codeberg.org/lapo</a></li> <li><a href="https://codeberg.org/l_austenfeld">https://codeberg.org/l_austenfeld</a></li> <li><a href="https://codeberg.org/Laxystem">https://codeberg.org/Laxystem</a></li> <li><a href="https://codeberg.org/lime360">https://codeberg.org/lime360</a></li> <li><a href="https://codeberg.org/lingling">https://codeberg.org/lingling</a></li> <li><a href="https://codeberg.org/Link1J">https://codeberg.org/Link1J</a></li> <li><a href="https://codeberg.org/lippoliv">https://codeberg.org/lippoliv</a></li> <li><a href="https://codeberg.org/LunarLambda">https://codeberg.org/LunarLambda</a></li> <li><a href="https://codeberg.org/lynoure">https://codeberg.org/lynoure</a></li> <li><a href="https://codeberg.org/MaddinM">https://codeberg.org/MaddinM</a></li> <li><a href="https://codeberg.org/mahlzahn">https://codeberg.org/mahlzahn</a></li> <li><a href="https://codeberg.org/Mai-Lapyst">https://codeberg.org/Mai-Lapyst</a></li> <li><a href="https://codeberg.org/malik">https://codeberg.org/malik</a></li> <li><a href="https://codeberg.org/marcellmars">https://codeberg.org/marcellmars</a></li> <li><a href="https://codeberg.org/marshmallow">https://codeberg.org/marshmallow</a></li> <li><a href="https://codeberg.org/martinwguy">https://codeberg.org/martinwguy</a></li> <li><a href="https://codeberg.org/matrss">https://codeberg.org/matrss</a></li> <li><a href="https://codeberg.org/Merith-TK">https://codeberg.org/Merith-TK</a></li> <li><a href="https://codeberg.org/michael-sparrow">https://codeberg.org/michael-sparrow</a></li> <li><a href="https://codeberg.org/mikolaj">https://codeberg.org/mikolaj</a></li> <li><a href="https://codeberg.org/minecraftchest1">https://codeberg.org/minecraftchest1</a></li> <li><a href="https://codeberg.org/mzhang">https://codeberg.org/mzhang</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/NameLessGO">https://codeberg.org/NameLessGO</a></li> <li><a href="https://codeberg.org/natct">https://codeberg.org/natct</a></li> <li><a href="https://codeberg.org/neilvandyke">https://codeberg.org/neilvandyke</a></li> <li><a href="https://codeberg.org/neonew">https://codeberg.org/neonew</a></li> <li><a href="https://codeberg.org/nette">https://codeberg.org/nette</a></li> <li><a href="https://codeberg.org/nick3331">https://codeberg.org/nick3331</a></li> <li><a href="https://codeberg.org/niklaskorz">https://codeberg.org/niklaskorz</a></li> <li><a href="https://codeberg.org/Nordfriese">https://codeberg.org/Nordfriese</a></li> <li><a href="https://codeberg.org/nostar">https://codeberg.org/nostar</a></li> <li><a href="https://codeberg.org/ntn888">https://codeberg.org/ntn888</a></li> <li><a href="https://codeberg.org/ossie">https://codeberg.org/ossie</a></li> <li><a href="https://codeberg.org/patdyn">https://codeberg.org/patdyn</a></li> <li><a href="https://codeberg.org/patrickuhlmann">https://codeberg.org/patrickuhlmann</a></li> <li><a href="https://codeberg.org/pat-s">https://codeberg.org/pat-s</a></li> <li><a href="https://codeberg.org/petris">https://codeberg.org/petris</a></li> <li><a href="https://codeberg.org/pinskia">https://codeberg.org/pinskia</a></li> <li><a href="https://codeberg.org/poVoq">https://codeberg.org/poVoq</a></li> <li><a href="https://codeberg.org/removewingman">https://codeberg.org/removewingman</a></li> <li><a href="https://codeberg.org/reynir">https://codeberg.org/reynir</a></li> <li><a href="https://codeberg.org/rvba">https://codeberg.org/rvba</a></li> <li><a href="https://codeberg.org/sandebert">https://codeberg.org/sandebert</a></li> <li><a href="https://codeberg.org/SebasRebazCoding">https://codeberg.org/SebasRebazCoding</a></li> <li><a href="https://codeberg.org/SinTan1729">https://codeberg.org/SinTan1729</a></li> <li><a href="https://codeberg.org/snematoda">https://codeberg.org/snematoda</a></li> <li><a href="https://codeberg.org/Snoweuph">https://codeberg.org/Snoweuph</a></li> <li><a href="https://codeberg.org/SpareJoe">https://codeberg.org/SpareJoe</a></li> <li><a href="https://codeberg.org/SR-G">https://codeberg.org/SR-G</a></li> <li><a href="https://codeberg.org/stb">https://codeberg.org/stb</a></li> <li><a href="https://codeberg.org/strypey">https://codeberg.org/strypey</a></li> <li><a href="https://codeberg.org/thefinn93">https://codeberg.org/thefinn93</a></li> <li><a href="https://codeberg.org/theycallhermax">https://codeberg.org/theycallhermax</a></li> <li><a href="https://codeberg.org/tilegg">https://codeberg.org/tilegg</a></li> <li><a href="https://codeberg.org/timedin">https://codeberg.org/timedin</a></li> <li><a href="https://codeberg.org/tmb">https://codeberg.org/tmb</a></li> <li><a href="https://codeberg.org/Tom3201">https://codeberg.org/Tom3201</a></li> <li><a href="https://codeberg.org/vadim">https://codeberg.org/vadim</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/voltagex">https://codeberg.org/voltagex</a></li> <li><a href="https://codeberg.org/wangito33">https://codeberg.org/wangito33</a></li> <li><a href="https://codeberg.org/xenrox">https://codeberg.org/xenrox</a></li> <li><a href="https://codeberg.org/yoctozepto">https://codeberg.org/yoctozepto</a></li> <li><a href="https://codeberg.org/yonas">https://codeberg.org/yonas</a></li> <li><a href="https://codeberg.org/ZzenlD">https://codeberg.org/ZzenlD</a></li> <li><a href="https://translate.codeberg.org/user/413x1nkp">https://translate.codeberg.org/user/413x1nkp</a></li> <li><a href="https://translate.codeberg.org/user/aleksi">https://translate.codeberg.org/user/aleksi</a></li> <li><a href="https://translate.codeberg.org/user/artnay">https://translate.codeberg.org/user/artnay</a></li> <li><a href="https://translate.codeberg.org/user/atarwn">https://translate.codeberg.org/user/atarwn</a></li> <li><a href="https://translate.codeberg.org/user/Atul_Eterno">https://translate.codeberg.org/user/Atul_Eterno</a></li> <li><a href="https://translate.codeberg.org/user/balinteus">https://translate.codeberg.org/user/balinteus</a></li> <li><a href="https://translate.codeberg.org/user/be4zad">https://translate.codeberg.org/user/be4zad</a></li> <li><a href="https://translate.codeberg.org/user/Benny">https://translate.codeberg.org/user/Benny</a></li> <li><a href="https://translate.codeberg.org/user/Beowulf">https://translate.codeberg.org/user/Beowulf</a></li> <li><a href="https://translate.codeberg.org/user/buhtz">https://translate.codeberg.org/user/buhtz</a></li> <li><a href="https://translate.codeberg.org/user/CDN18">https://translate.codeberg.org/user/CDN18</a></li> <li><a href="https://translate.codeberg.org/user/ddogfoodd">https://translate.codeberg.org/user/ddogfoodd</a></li> <li><a href="https://translate.codeberg.org/user/div72">https://translate.codeberg.org/user/div72</a></li> <li><a href="https://translate.codeberg.org/user/eldyj">https://translate.codeberg.org/user/eldyj</a></li> <li><a href="https://translate.codeberg.org/user/emansije">https://translate.codeberg.org/user/emansije</a></li> <li><a href="https://translate.codeberg.org/user/feroli">https://translate.codeberg.org/user/feroli</a></li> <li><a href="https://translate.codeberg.org/user/Fjuro">https://translate.codeberg.org/user/Fjuro</a></li> <li><a href="https://translate.codeberg.org/user/Fnurkla">https://translate.codeberg.org/user/Fnurkla</a></li> <li><a href="https://translate.codeberg.org/user/hankskyjames777">https://translate.codeberg.org/user/hankskyjames777</a></li> <li><a href="https://translate.codeberg.org/user/jaahas">https://translate.codeberg.org/user/jaahas</a></li> <li><a href="https://translate.codeberg.org/user/JoseDouglas26">https://translate.codeberg.org/user/JoseDouglas26</a></li> <li><a href="https://translate.codeberg.org/user/kecrily">https://translate.codeberg.org/user/kecrily</a></li> <li><a href="https://translate.codeberg.org/user/kmpm">https://translate.codeberg.org/user/kmpm</a></li> <li><a href="https://translate.codeberg.org/user/kwoot">https://translate.codeberg.org/user/kwoot</a></li> <li><a href="https://translate.codeberg.org/user/lumi200">https://translate.codeberg.org/user/lumi200</a></li> <li><a href="https://translate.codeberg.org/user/marcoaraujojunior">https://translate.codeberg.org/user/marcoaraujojunior</a></li> <li><a href="https://translate.codeberg.org/user/meskobalazs">https://translate.codeberg.org/user/meskobalazs</a></li> <li><a href="https://translate.codeberg.org/user/Outbreak2096">https://translate.codeberg.org/user/Outbreak2096</a></li> <li><a href="https://translate.codeberg.org/user/overloop">https://translate.codeberg.org/user/overloop</a></li> <li><a href="https://translate.codeberg.org/user/pgmtx">https://translate.codeberg.org/user/pgmtx</a></li> <li><a href="https://translate.codeberg.org/user/q3yi">https://translate.codeberg.org/user/q3yi</a></li> <li><a href="https://translate.codeberg.org/user/qwerty287">https://translate.codeberg.org/user/qwerty287</a></li> <li><a href="https://translate.codeberg.org/user/SerikaFrame">https://translate.codeberg.org/user/SerikaFrame</a></li> <li><a href="https://translate.codeberg.org/user/sinsky">https://translate.codeberg.org/user/sinsky</a></li> <li><a href="https://translate.codeberg.org/user/SmolLemon">https://translate.codeberg.org/user/SmolLemon</a></li> <li><a href="https://translate.codeberg.org/user/SomeTr">https://translate.codeberg.org/user/SomeTr</a></li> <li><a href="https://translate.codeberg.org/user/SteffoSpieler">https://translate.codeberg.org/user/SteffoSpieler</a></li> <li><a href="https://translate.codeberg.org/user/stevenroose">https://translate.codeberg.org/user/stevenroose</a></li> <li><a href="https://translate.codeberg.org/user/thodorisl">https://translate.codeberg.org/user/thodorisl</a></li> <li><a href="https://translate.codeberg.org/user/tkbremnes">https://translate.codeberg.org/user/tkbremnes</a></li> <li><a href="https://translate.codeberg.org/user/Vac31">https://translate.codeberg.org/user/Vac31</a>.</li> <li><a href="https://translate.codeberg.org/user/whitecold">https://translate.codeberg.org/user/whitecold</a></li> <li><a href="https://translate.codeberg.org/user/William_Weber_Berrutti">https://translate.codeberg.org/user/William_Weber_Berrutti</a></li> <li><a href="https://translate.codeberg.org/user/WithLithum">https://translate.codeberg.org/user/WithLithum</a></li> <li><a href="https://translate.codeberg.org/user/Wuzzy">https://translate.codeberg.org/user/Wuzzy</a></li> <li><a href="https://translate.codeberg.org/user/Xinayder">https://translate.codeberg.org/user/Xinayder</a></li> <li><a href="https://translate.codeberg.org/user/xtex">https://translate.codeberg.org/user/xtex</a></li> <li><a href="https://translate.codeberg.org/user/yeziruo">https://translate.codeberg.org/user/yeziruo</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Forgejo v9.0 is available</title><link>https://forgejo.org/2024-10-release-v9-0/</link><guid isPermaLink="true">https://forgejo.org/2024-10-release-v9-0/</guid><description>Forgejo v9.0 is available. It is the first version to be released under a copyleft license. Forgejo has early support for a soft-quota that can protect your server from high disk usage due to abuse. It also removes support for go-git, considered too hazardous for daily usage compared to Git. The translations saw an unprecedented number of improvements thanks to the hackathon organized by Codeberg.</description><pubDate>Wed, 16 Oct 2024 00:00:00 GMT</pubDate><content:encoded><p><a href="/download/">Forgejo v9.0</a> was released 16 October 2024. You will find a short selection of the changes it introduces below and a <a href="https://codeberg.org/forgejo/forgejo/milestone/7235">complete list in the release notes</a>.</p> <p>If stability is more important than new features, consider using Forgejo v7.0 instead: it is a Long Term Support release that will receive bug fixes until 16 July 2025. Forgejo v9.0 will be supported until <a href="https://forgejo.org/docs/next/contributor/release/#release-cycle">15 January 2025</a>, when Forgejo v10.0 is published.</p> <p>A <a href="https://v9.next.forgejo.org/">dedicated test instance</a> is available to try it out. Before upgrading it is <em>strongly recommended</em> to make a full backup as explained in the <a href="/docs/v9.0/admin/upgrade/">upgrade guide</a> and carefully read <em>all breaking changes</em> from the <a href="https://codeberg.org/forgejo/forgejo/milestone/7235">release notes</a>. If in doubt, do not hesitate to ask for help <a href="https://floss.social/@forgejo">on the Fediverse</a>, or <a href="https://matrix.to/#/#forgejo-chat:matrix.org">in the chat room</a>.</p> <h2>Summary</h2> <p>Forgejo v9.0 is the first version to be released under a copyleft license, <a href="https://forgejo.org/2024-08-monthly-update/#forgejo-is-now-copyleft">after a year of discussions</a>. Among the motivations for this change is the realization that a pattern emerged over the years, exemplified by Redis, CockroachDB, Terraform and many others. They turned proprietary because people chose their own financial gain over the interest of the general public. Forgejo admins no longer have to worry about this sword of Damocles: relicensing it as a proprietary software is not allowed.</p> <p>The removal of the <a href="https://github.com/go-git/go-git">go-git</a> backend is part of a larger effort to make Forgejo easier to maintain, more robust and even smaller than it already is (~100MB). When presented with <code>go-git</code> as an alternative to Git, a Forgejo admin may overlook that it has less features and a history of <a href="https://github.com/go-git/go-git/issues/878">corrupting repositories</a>. It would have been possible to work on documentation and new tests to ensure administrators do not run into these pitfalls, but the effort would have been out of proportion compared to the benefits it provides.</p> <p>The Forgejo localization community was created early 2024 with the ambitious goal of gaining enough momentum to sustain a long term effort. A daunting task considering there are over 5,000 strings to translate, verify and improve. There has been many calls for help in the past and the community keeps growing steadily. Fortunately, the <a href="https://codeberg.org/Codeberg/translathon-2024#translathon-2024">translation hackathon (translathon)</a> organized by Codeberg in October was exceptional. It attracted an unprecedented number of participants who improved or created thousands of translations.</p> <h2>New features</h2> <p>Below is short selection of the most notable changes. The <a href="https://codeberg.org/forgejo/forgejo/milestone/7235">complete list is available in the release notes</a>.</p> <ul> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/4212">PR</a>: Added the foundations of a flexible, configurable quota system.</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/4819">PR</a>: Allow push mirrors to use an SSH key as the authentication method for the mirroring action instead of using user:password authentication. The SSH keypair is created by Forgejo and the destination repository must be configured with the public key to allow for push over SSH.</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1445">PR</a>: A release asset can be a URL instead of a file.</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/4490">PR</a>: Accessibility keyboard support for test actions.</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/5482">PR</a> (<a href="https://codeberg.org/forgejo/forgejo/pulls/5524">backported</a>): "Assign to me" button on Pull Requests and Issues.</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/4903">PR</a>: Support grouping by any path for arch package.</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/4780">PR</a>: Add signature support for the RPM module.</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/4801">PR</a>: <a href="https://codeberg.org/forgejo/forgejo/commit/feb43b2584b7f64ec7f9952af2b50b2210e6e6cf">commit</a> The actions logs older than <code>[actions].LOG_RETENTION_DAYS</code> days are removed (the default is 365).</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/4607">PR</a>: <a href="https://codeberg.org/forgejo/forgejo/commit/d0227c236aa195bd03990210f968b8e52eb20b79">commit</a> issue Templates: add option to have dropdown printed list.</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/2869">PR</a>: Logs journald integration.</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/4710">PR</a>: Refactor repository migration items.</li> </ul> <h2>Copyleft</h2> <p><a href="https://forgejo.org/2024-08-gpl/">The impact of the license change</a> has been carefully considered with regard to the variety of usages of Forgejo. Someone might have chosen to avoid copyleft software, for example because it is discouraged in a company. However, Forgejo depends on Git, one of the most successful pieces of copyleft software. Both Forgejo and Git must be used together, either as individual binaries or bundled into the <a href="https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/v9.0-test">official container images</a>. The license of Git is <a href="https://git-scm.com/about/free-and-open-source">GNU GPL v2</a>, another version of the same <a href="https://www.gnu.org/licenses/copyleft.html">copyleft license</a>.</p> <p>The majority of Forgejo's codebase is still MIT-licensed, but it is expected that an increasing number of files will switch to GNU GPL v3+ over time. With the notable exception of the <a href="https://codeberg.org/forgejo/forgejo/pulls/5083">API swagger file that is and will stay MIT</a> to clarify that the intent of the Forgejo authors is that it is used for interoperability with no restriction. It is not an original work and enforcing copyright on that file would probably be difficult anyway.</p> <h2>Quotas</h2> <p>Forgejo got early support for a soft-quota system that can protect your server from high disk usage due to abuse or user mistakes. This feature is still in development. If you will try to use it, consider sending us feedback via <a href="https://codeberg.org/forgejo/discussions/issues/">a discussion</a>, or the Matrix channels.</p> <p>Forgejo has chosen to use a "soft" quota implementation. It means that Forgejo checks the quota usage only before an action is executed, but it will allow a started action to complete.</p> <p>In some cases (like pushing to Git repositories), it is hard to estimate the exact new size, because it depends on how much data is available and how much we can benefit from compression. As a result, it is possible to exceed the quota if the operation was started before the quota was used up. After the quota is exceeded, new operations that would increase the quota won't be possible.</p> <p>Furthermore, there is currently little support for early prevention of operations in the UI: The handling of, for example, web operations that are denied later is not yet optimal.</p> <p>Read more in the <a href="https://forgejo.org/docs/v9.0/admin/quota/">Soft-Quota page of the documentation</a>.</p> <h2>The multi-architecture OCI leak is fixed</h2> <p>When a multi-architecture container image is pushed to the Forgejo registry, the same tag is used but refers to different images. This is what Forgejo itself relies on to provide <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/7">either arm64 or amd64</a> depending on the platform (e.g. <code>docker pull codeberg.org/forgejo/forgejo:7</code>).</p> <p>This is implemented with <a href="https://github.com/opencontainers/image-spec/blob/main/image-index.md">an image index</a> which points to <a href="https://github.com/opencontainers/image-spec/blob/main/manifest.md">image manifests</a>. This level of indirection was unfortunately not taken into account when cleaning up dangling blobs. When a multi-architecture image was either deleted from the web interface or overridden by pushing new images with the same tag, the blobs were never deleted. This bug has been present in Forgejo since the beginning and went unnoticed for a long time, presumably because multi-architecture images are uncommon.</p> <p>Forgejo will remove dangling blobs when it starts as well as in the existing daily container image cleanup. This will show in the logs with when looking for <code>grep -i CleanupSHA256</code>:</p> <pre><code>2024/10/15 00:00:00 ...er/cleanup_sha256.go:106:cleanupSHA256() [I] Nothing to cleanup 2024/10/15 00:00:00 ...er/cleanup_sha256.go:29:CleanupSHA256() [I] Finished to cleanup dangling images with a sha256:* version </code></pre> <p>The time required for the cleanup to complete should be under a minute, even if ten of thousands of blobs were leaked. It is however recommended to give it a try using a backup of the Forgejo instance to be sure. For instance when <a href="https://code.forgejo.org">https://code.forgejo.org</a> was upgraded, it cleaned up a few thousand dangling blobs for a total of around 50GB within less than 15 seconds. To accommodate large instances such as Codeberg, blobs are cleaned up 500 at a time.</p> <h2>Removal of go-git support</h2> <p>Forgejo used to have 2 Git backends: the normal git and <a href="https://github.com/go-git/go-git">go-git</a> which is a Git implementation in pure Go. This the benefit of being a little bit faster than Git on Windows.</p> <p>Supporting go-git would mean holding Forgejo back. Every Git Feature that Forgejo wants to use also needs to be implemented in go-git. For example: setting git notes in the Web UI is currently not possible in go-git. In addition go-git may lead to data loss and repository corruption <a href="https://github.com/go-git/go-git/issues/878">(one example)</a>. It is not widely used and does not have extensive testing (see <a href="https://github.com/go-git/go-git/issues/878">the latest example of such corruption</a>).</p> <p>For these reasons, <a href="https://codeberg.org/forgejo/forgejo/pulls/4941">go-git was removed from the codebase</a>. It only affects users who built Forgejo manually using <code>TAGS=gogit</code>, which no longer has any effect. This removal only happened in the development branch and not in the existing stable Forgejo branches, up to <code>v8.0/forgejo</code> included.</p> <h2>Transparent removal of Couchbase</h2> <p>Using <a href="https://codeberg.org/forgejo/forgejo/pulls/5090">Couchbase as a session provider was removed</a>. This is not a breaking change because it will transparently fallback to the file provider. The rationale for removing Couchbase support is that it is <a href="https://www.couchbase.com/blog/couchbase-adopts-bsl-license/">not free software</a> and therefore cannot be tested in Forgejo and neither should be supported.</p> <h2>Gitea compatibility</h2> <p>Forgejo v9.0 has <a href="https://code.forgejo.org/forgejo/end-to-end/src/branch/main/upgrade/upgrade.sh#L56-L57">automated upgrade tests from Gitea v1.22 to Forgejo v9.0</a>.</p> <ul> <li>An instance running Gitea versions up to v1.21 can be upgraded to Forgejo v7.0 or v8.0</li> <li>An instance running Gitea v1.22 can be upgraded to Forgejo v8.0 or Forgejo v9.0</li> </ul> <p>Read more about <a href="/2024-02-forking-forward/">Gitea compatibility in the blog post explaining the hard fork that happened in February 2024</a>.</p> <h2>Release schedule and Long Term Support</h2> <p>The <a href="/docs/v9.0/contributor/release/#release-cycle">time based release schedule</a> was established to publish a release every three months. Patch releases will be published more frequently, depending on the severity of the bug or security fixes they contain.</p> <table> <thead> <tr> <th><strong>Date</strong></th> <th><strong>Version</strong></th> <th><strong>Release date</strong></th> <th><strong>End Of Life</strong></th> </tr> </thead> <tbody><tr> <td>2024 Q1</td> <td><strong>7.0.0</strong></td> <td>23 April 2024</td> <td><strong>16 July 2025</strong></td> </tr> <tr> <td>2024 Q2</td> <td>8.0.0</td> <td>30 July 2024</td> <td>16 October 2024</td> </tr> <tr> <td>2024 Q3</td> <td><strong>9.0.0</strong></td> <td>16 October 2024</td> <td>15 January 2025</td> </tr> <tr> <td>2025 Q1</td> <td>10.0.0</td> <td>15 January 2025</td> <td>16 April 2025</td> </tr> </tbody></table> <h3>9.0-test daily releases</h3> <p>Releases are built daily from the latest changes found in the <a href="https://codeberg.org/forgejo/forgejo/src/branch/v9.0/forgejo">v9.0/forgejo</a> development branch. They are deployed to the <a href="https://v9.next.forgejo.org">https://v9.next.forgejo.org</a> instance for manual verification in case a bug fix is of particular interest ahead of the next patch release. It can also be installed locally with:</p> <ul> <li>OCI images: <a href="https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/9.0-test">root</a> and <a href="https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/9.0-test-rootless">rootless</a></li> <li><a href="https://codeberg.org/forgejo-experimental/forgejo/releases/tag/v9.0-test">Binaries</a></li> </ul> <p>Their names are staying the same but they are replaced by new builds every day.</p> <h2>Localization</h2> <p>This release contains many translation additions and improvements done by contributors on <a href="https://translate.codeberg.org/projects/forgejo/forgejo/">Codeberg Translate</a>, and numerous improvements to the UX and translatability of English locale.</p> <p>Translation updates and some improvements of English locale were also ported to v7.0 where there was no risk of regressions.</p> <p>The <a href="https://codeberg.org/Codeberg/translathon-2024#translathon-2024">translation hackathon (translathon)</a> organized by Codeberg in October resulted in many new contributors joining and making thousands of additions and improvements.</p> <h2>Get Forgejo v9.0</h2> <p>See the <a href="/download/">download page</a> for instructions on how to install Forgejo, and read the <a href="https://codeberg.org/forgejo/forgejo/milestone/7235">release notes</a> for more information.</p> <h3>Upgrading</h3> <p>Carefully read the <a href="https://codeberg.org/forgejo/forgejo/milestone/7235">breaking changes</a> section of the release notes.</p> <p>The actual upgrade process is as simple as replacing the binary or container image with the corresponding <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v9.0.0">Forgejo binary</a> or <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/9.0.0">container image</a>. If you're using the container images, you can use the <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/9.0"><code>9.0</code> tag</a> to stay up to date with the latest <code>9.0.Y</code> patch release automatically.</p> <p>Make sure to check the <a href="/docs/v9.0/admin/upgrade">Forgejo upgrade documentation</a> for recommendations on how to properly backup your instance before the upgrade.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo do not hold back, it is also your project. Open an issue in <a href="https://codeberg.org/forgejo/forgejo/issues">the issue tracker</a> for feature requests or bug reports, reach out <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop into <a href="https://matrix.to/#/#forgejo:matrix.org">the Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) and say hi!</p> <h3>Donate</h3> <p>Forgejo is proud to be <a href="https://codeberg.org/forgejo/sustainability/">funded transparently</a>. Additionally it accept donations <a href="https://liberapay.com/forgejo">through Liberapay</a>. It is also possible to <a href="https://docs.codeberg.org/improving-codeberg/donate/">donate to Codeberg e.V.</a> in case the Liberapay option does not work out for you, and part of the funding is used to <a href="https://codeberg.org/forgejo/sustainability/#forgejo-resources-per-year">compensate for work on Forgejo</a>.</p> <p>However, the Liberapay team allows for money to go directly to developers without a round-trip to Codeberg. Additionally, Liberapay allows for a steady and reliable funding stream next to other options, a crucial aspect for the project. The distribution of funds through Liberapay is <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#liberapay-team-members">transparently controlled using the decision-making process</a>, and Forgejo contributors are encouraged to consider applying to benefit from this funding opportunity.</p> <p>Thank you for using Forgejo and considering a donation, in case your financial situation allows you to.</p> </content:encoded></item><item><title>Forgejo monthly update - September 2024</title><link>https://forgejo.org/2024-09-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2024-09-monthly-update/</guid><description>Forgejo v9.0 release candidates are available for testing to prepare for the release scheduled 16 October 2024. The contributor and testing documentation were improved with the goal of encouraging more diverse participation. The infrastructure dedicated to Forgejo development suffered a downtime because of excessive crawling and mitigation measures were implemented.</description><pubDate>Sun, 06 Oct 2024 00:00:00 GMT</pubDate><content:encoded><p>The monthly report is meant to provide a good overview of what has changed in Forgejo in the past month. If you would like to help, please get in touch in <a href="https://matrix.to/#/#forgejo-chat:matrix.org">the chatroom</a> or participate in the <a href="https://codeberg.org/forgejo/discussions">ongoing discussions</a>.</p> <h2>Forgejo v9.0 release candidates</h2> <p>The first release candidates for <a href="https://forgejo.org/docs/next/contributor/release/#release-cycle">Forgejo v9.0</a> was published <a href="https://codeberg.org/forgejo/forgejo/issues/5380">25 September</a> and code.forgejo.org upgraded. A call <a href="https://forgejo.org/2024-09-preparing-v9/">for participation</a> was published, asking for help with translations and testing.</p> <p>A <a href="https://codeberg.org/forgejo/discussions/issues/227">regression was discovered</a> in the v9.0 release candidate that incorrectly deleted some of the images <a href="https://code.forgejo.org/oci/-/packages">mirrored from the Docker hub</a>. It disrupted the CI intermittently during 48h before a <a href="https://codeberg.org/forgejo/forgejo/pulls/5430">fix was published and deployed</a>. The root cause was a bug in the <a href="https://codeberg.org/forgejo/forgejo/pulls/4698">cron task that cleanup dangling container images</a>.</p> <h2>Forgejo Design process</h2> <p>Efforts on long-term improvements to Forgejo have been kept low in the past month, however there was a noteworthy exchange on <a href="https://codeberg.org/forgejo/design/issues/20">moderation features</a> in Forgejo. Initially, an idea was investigated to track reported content in a specific issue tracker, but the idea was discarded some time later due to the volume of spam issues on Codeberg, which probably requires a more efficient UI. The moderation features will not make it into Forgejo v9, but they will remain in the focus of design work.</p> <h2>Contributor documentation and test suite</h2> <p>By the end of August, a <a href="https://codeberg.org/forgejo/discussions/issues/212">discussion emerged to improve Forgejo's testing infrastructure</a>, making it more friendly to new developers.</p> <p>Since the last monthly update, multiple improvements have been made:</p> <ul> <li>The contributing resources in the documentation have been <a href="https://codeberg.org/forgejo/docs/pulls/821">cleaned and updated</a>, with the goal of encouraging more diverse contributions, <a href="https://forgejo.org/docs/next/contributor/welcome/">sending a warm welcome</a> to new contributors and clarifying the motivation and instructions for writing tests. If you did not yet contribute to Forgejo, now is a good time to get started and provide us with feedback.</li> <li>The <a href="https://codeberg.org/forgejo/forgejo/pulls/5235">in-repo hints for testing</a> have been deduplicated and updated to make getting started easier. And numerous smaller improvements have been made to the end-to-end test suite that uses real browsers to ensure actions in the Forgejo UI work as expected. They <a href="https://codeberg.org/forgejo/forgejo/pulls/5322">added</a> and <a href="https://codeberg.org/forgejo/forgejo/pulls/5287">improved</a> examples.</li> </ul> <p>Using the improved test infrastructure, the <a href="https://codeberg.org/forgejo/forgejo/commits/branch/forgejo/tests/e2e">frequency of new browser tests</a> has increased a lot compared to recent months.</p> <h2>Helm chart</h2> <p>A new major version, <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases/tag/v9.0.0">9.0.0</a> was published. It sets proper namespaces and allows override.</p> <p>The Forgejo helm chart had <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases">many minor and patch updates</a>, in both v7 and v8. <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases/tag/v7.1.2">Helm chart v7.1.2</a> and <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases/tag/v8.1.1">v8.2.3</a> are the latest.</p> <h2>Localization</h2> <p>A significant effort was made to backport translations to the LTS version (Forgejo v7.0). There was hope for new languages added in this version to reach better completion in its primary lifetime, but it is taking longer than expected. This and other considerations led to <a href="https://codeberg.org/forgejo/discussions/issues/226">a proposal</a> to do less backporting to old stable to prevent breakage and save time.</p> <p>A very large change was <a href="https://codeberg.org/forgejo/forgejo/pulls/5306">ported from Gitea</a> and is good for internationalization. But it was not easy to also preserve the existing strings and it could have broken a few non-English strings in Forgejo v9. Some translators caught the problem and it was luckily fixed in time.</p> <p>The overall translation activity was about twice lower than last month, which was very active.</p> <h2>Forgejo Actions</h2> <p>The <a href="https://code.forgejo.org/forgejo/nlnet-off-ngie-forgejo">security audit</a> bootstrapped <a href="/2024-08-monthly-update/#forgejo-runner">last month</a> has its own repository to track the work done as transparently as possible. A <a href="https://code.forgejo.org/forgejo/nlnet-off-ngie-forgejo/issues/1">suitable pentester</a> was found and <a href="https://code.forgejo.org/forgejo/nlnet-off-ngie-forgejo/issues/2">the scope of the audit</a> was determined during a call. A rough plan was <a href="https://code.forgejo.org/forgejo/nlnet-off-ngie-forgejo/issues/3">drafted</a> and approved by NLnet who is funding the audit. The work should begin in November 2024.</p> <h2>Optimizing CI pipelines</h2> <p>In order to ensure a high software quality, Forgejo (like most larger project) runs CI/CD pipelines that perform a series of automated checks on the source code, ensuring that contribution meet certain quality standards.</p> <p>Running these pipelines consumes significant amount of energy and adds to the climate footprint of free/libre software development.</p> <p>In a quest to make Forgejo <a href="https://wimvanderbauwhede.codeberg.page/articles/frugal-computing/">more frugal in the use of computing</a> in the development lifecycle, <a href="https://codeberg.org/forgejo/forgejo/issues/5127">optimizations to the CI/CD pipelines</a> have been considered and a part of the work was merged.</p> <p>The optimizations include <a href="https://codeberg.org/forgejo/forgejo/pulls/5297">caching the playwright environment in a test image</a> and improvements to the <a href="https://codeberg.org/forgejo/forgejo/pulls/5328">caching of Go dependencies</a> that improves on the caching available from the <code>setup-go</code> action that spent 10x2 minutes per job creating compressed archives. The action is <a href="https://codeberg.org/fnetX/setup-cache-go">also available to other projects</a> and a dedicated contribution to the Forgejo Actions ecosystem.</p> <h2>Infrastructure</h2> <p>On <a href="https://codeberg.org/forgejo/discussions/issues/219">9 September</a> code.forgejo.org was down during 10 hours. It was overwhelmed by excessive crawling and the response time was so slow that it kept accumulating a backlog and answering every request with a timeout. On top of that it happened late at night and although it was trivially fixed by restarting Forgejo, it only happened the next morning.</p> <p>This was the first significant downtime and <a href="https://codeberg.org/forgejo/discussions/issues/220">impacted a number of Forgejo instances</a> that are using Forgejo Actions hosted on code.forgejo.org. A number of measures were taken to prevent that from happening:</p> <ul> <li><a href="https://code.forgejo.org/infrastructure/documentation/pulls/9">Rate-limiting is imposed</a> on the most aggressive crawlers.</li> <li><a href="https://code.forgejo.org/robots.txt">Exclusion rules</a> were defined and added to robots.txt.</li> <li>Members of the devops team are notified on their mobile when <a href="https://status.forgejo.ovh/">monitoring detects a problem</a>.</li> <li>An ad-hoc script was written to detect excessive timeouts during extended periods of time and automatically restart Forgejo if needed.</li> </ul> <p>The script is a hack that must not stay. It proved useful a couple of times while working on strategies to reduce crawling to manageable levels. It still represents over 50% of the incoming requests but they do not impact the instance performances.</p> <p>The long term solution, as code.forgejo.org audience grows, is to improve its availability. The test instances at v*.next.forgejo.org are already <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/">using Forgejo helm</a>, each in <a href="https://code.forgejo.org/infrastructure/k8s">a dedicated k3s cluster</a>. A long lived <a href="https://code.forgejo.org/infrastructure/documentation#k8s-node">k8s cluster</a> is being deployed to use the same Forgejo helm so code.forgejo.org can be migrated there. The goal is for built-in health monitoring to automatically react to an unhealthy Forgejo instance and restart it using idiomatic k8s methods instead of an ad-hoc script.</p> <p>There is no urgency for the k8s cluster to replace the LXC based infrastructure. But it will take some time to improve code.forgejo.org availability in this way and the works started right away so that it has a chance to be ready before the next incident happens.</p> <h2>Sustainability</h2> <p>A procedure for receiving payment from Codeberg on Forgejo work <a href="https://codeberg.org/forgejo/sustainability/issues/61">was documented</a> and discussed. The details of the funds received and spent in 2024 were <a href="https://codeberg.org/forgejo/sustainability/pulls/60/files">updated</a>.</p> <p>The progress of the ongoing grant <a href="https://codeberg.org/forgejo/sustainability/src/branch/main/2022-12-01-nlnet">was updated</a>. It was extended until the end of 2024 and got an informal agreement to increase the funding by 10K€. The legal status of the donations in Europe <a href="https://codeberg.org/forgejo/sustainability/issues/62">was documented</a> with an example based on a Freelance established in Portugal, with links to do the same for other European countries.</p> <p>The progress of the federation grant <a href="https://codeberg.org/forgejo/sustainability/src/branch/main/2022-08-01-nlnet">was also updated</a> and a <a href="https://codeberg.org/forgejo/sustainability/pulls/59">request for payment drafted</a> for 2,500€. The grant will expire 1 December 2024 and the unspent funds will be returned to NLnet where they can be used by other projects.</p> <p>Questions were received from NLnet on the latest grant application and <a href="https://codeberg.org/forgejo/sustainability/pulls/57">an answer sent</a> which led to <a href="https://codeberg.org/forgejo/sustainability/issues/63">followup questions</a>. Because of the required delay in answering those questions, the grant application was moved by a few months, to the next call.</p> <p>The sustainability team elected <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#sustainability-team">its first member</a>. They helped with following up with the current grants and document the progress made so far.</p> <p>The relevance of creating a non profit exclusively dedicated to managing the Forgejo funds and governed by the Forgejo decision making process <a href="https://codeberg.org/forgejo/discussions/issues/224">was discussed</a>. A balance should be found between the burden of managing a new organization and the benefit of being more flexible than Codeberg. The current situation is problematic as a significant amount of the funds obtained in the past two years (in excess of 60,000€) will have to be returned when the grants expire by the end of 2024.</p> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/0ko">https://codeberg.org/0ko</a></li> <li><a href="https://codeberg.org/adaaa">https://codeberg.org/adaaa</a></li> <li><a href="https://codeberg.org/aimuz">https://codeberg.org/aimuz</a></li> <li><a href="https://codeberg.org/Alexilator">https://codeberg.org/Alexilator</a></li> <li><a href="https://codeberg.org/algernon">https://codeberg.org/algernon</a></li> <li><a href="https://codeberg.org/Arsen">https://codeberg.org/Arsen</a></li> <li><a href="https://codeberg.org/avobs">https://codeberg.org/avobs</a></li> <li><a href="https://codeberg.org/ayakael">https://codeberg.org/ayakael</a></li> <li><a href="https://codeberg.org/bartavi">https://codeberg.org/bartavi</a></li> <li><a href="https://codeberg.org/benniekiss">https://codeberg.org/benniekiss</a></li> <li><a href="https://codeberg.org/bramh">https://codeberg.org/bramh</a></li> <li><a href="https://codeberg.org/btlogy">https://codeberg.org/btlogy</a></li> <li><a href="https://codeberg.org/caesar">https://codeberg.org/caesar</a></li> <li><a href="https://codeberg.org/cbn8krgm">https://codeberg.org/cbn8krgm</a></li> <li><a href="https://codeberg.org/cemoktra">https://codeberg.org/cemoktra</a></li> <li><a href="https://codeberg.org/chrysn">https://codeberg.org/chrysn</a></li> <li><a href="https://codeberg.org/Chucky2401">https://codeberg.org/Chucky2401</a></li> <li><a href="https://codeberg.org/clarfonthey">https://codeberg.org/clarfonthey</a></li> <li><a href="https://codeberg.org/coderofsalvation">https://codeberg.org/coderofsalvation</a></li> <li><a href="https://codeberg.org/CommanderRedYT">https://codeberg.org/CommanderRedYT</a></li> <li><a href="https://codeberg.org/DamianT">https://codeberg.org/DamianT</a></li> <li><a href="https://codeberg.org/danjones000">https://codeberg.org/danjones000</a></li> <li><a href="https://codeberg.org/ddevault">https://codeberg.org/ddevault</a></li> <li><a href="https://codeberg.org/delgh1">https://codeberg.org/delgh1</a></li> <li><a href="https://codeberg.org/Dirk">https://codeberg.org/Dirk</a></li> <li><a href="https://codeberg.org/dmowitz">https://codeberg.org/dmowitz</a></li> <li><a href="https://codeberg.org/douglasparker">https://codeberg.org/douglasparker</a></li> <li><a href="https://codeberg.org/dragon">https://codeberg.org/dragon</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/el0n">https://codeberg.org/el0n</a></li> <li><a href="https://codeberg.org/Ember">https://codeberg.org/Ember</a></li> <li><a href="https://codeberg.org/Erayd">https://codeberg.org/Erayd</a></li> <li><a href="https://codeberg.org/esainane">https://codeberg.org/esainane</a></li> <li><a href="https://codeberg.org/ezra">https://codeberg.org/ezra</a></li> <li><a href="https://codeberg.org/f403">https://codeberg.org/f403</a></li> <li><a href="https://codeberg.org/floss4good">https://codeberg.org/floss4good</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/foxy">https://codeberg.org/foxy</a></li> <li><a href="https://codeberg.org/fuggla">https://codeberg.org/fuggla</a></li> <li><a href="https://codeberg.org/GamePlayer-8">https://codeberg.org/GamePlayer-8</a></li> <li><a href="https://codeberg.org/GDWR">https://codeberg.org/GDWR</a></li> <li><a href="https://codeberg.org/Gnu1">https://codeberg.org/Gnu1</a></li> <li><a href="https://codeberg.org/grgi">https://codeberg.org/grgi</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/h759bkyo4">https://codeberg.org/h759bkyo4</a></li> <li><a href="https://codeberg.org/IamLunchbox">https://codeberg.org/IamLunchbox</a></li> <li><a href="https://codeberg.org/io7m">https://codeberg.org/io7m</a></li> <li><a href="https://codeberg.org/JacksonBailey">https://codeberg.org/JacksonBailey</a></li> <li><a href="https://codeberg.org/jean-daricade">https://codeberg.org/jean-daricade</a></li> <li><a href="https://codeberg.org/jerger">https://codeberg.org/jerger</a></li> <li><a href="https://codeberg.org/jwildeboer">https://codeberg.org/jwildeboer</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/kuolemaa">https://codeberg.org/kuolemaa</a></li> <li><a href="https://codeberg.org/Kwonunn">https://codeberg.org/Kwonunn</a></li> <li><a href="https://codeberg.org/lapo">https://codeberg.org/lapo</a></li> <li><a href="https://codeberg.org/LDericher">https://codeberg.org/LDericher</a></li> <li><a href="https://codeberg.org/linos">https://codeberg.org/linos</a></li> <li><a href="https://codeberg.org/MaddinM">https://codeberg.org/MaddinM</a></li> <li><a href="https://codeberg.org/mahlzahn">https://codeberg.org/mahlzahn</a></li> <li><a href="https://codeberg.org/Mai-Lapyst">https://codeberg.org/Mai-Lapyst</a></li> <li><a href="https://codeberg.org/maltejur">https://codeberg.org/maltejur</a></li> <li><a href="https://codeberg.org/marcellmars">https://codeberg.org/marcellmars</a></li> <li><a href="https://codeberg.org/matrss">https://codeberg.org/matrss</a></li> <li><a href="https://codeberg.org/mcnesium">https://codeberg.org/mcnesium</a></li> <li><a href="https://codeberg.org/mdt">https://codeberg.org/mdt</a></li> <li><a href="https://codeberg.org/Merith-TK">https://codeberg.org/Merith-TK</a></li> <li><a href="https://codeberg.org/michael-sparrow">https://codeberg.org/michael-sparrow</a></li> <li><a href="https://codeberg.org/midirhee12">https://codeberg.org/midirhee12</a></li> <li><a href="https://codeberg.org/mih">https://codeberg.org/mih</a></li> <li><a href="https://codeberg.org/mirkoperillo">https://codeberg.org/mirkoperillo</a></li> <li><a href="https://codeberg.org/mkobel">https://codeberg.org/mkobel</a></li> <li><a href="https://codeberg.org/mlncn">https://codeberg.org/mlncn</a></li> <li><a href="https://codeberg.org/mvdkleijn">https://codeberg.org/mvdkleijn</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/neonew">https://codeberg.org/neonew</a></li> <li><a href="https://codeberg.org/Neureka">https://codeberg.org/Neureka</a></li> <li><a href="https://codeberg.org/nhathaway">https://codeberg.org/nhathaway</a></li> <li><a href="https://codeberg.org/nobodyinperson">https://codeberg.org/nobodyinperson</a></li> <li><a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a></li> <li><a href="https://codeberg.org/ossie">https://codeberg.org/ossie</a></li> <li><a href="https://codeberg.org/paspflue">https://codeberg.org/paspflue</a></li> <li><a href="https://codeberg.org/patdyn">https://codeberg.org/patdyn</a></li> <li><a href="https://codeberg.org/pat-s">https://codeberg.org/pat-s</a></li> <li><a href="https://codeberg.org/pavi">https://codeberg.org/pavi</a></li> <li><a href="https://codeberg.org/poVoq">https://codeberg.org/poVoq</a></li> <li><a href="https://codeberg.org/pylixonly">https://codeberg.org/pylixonly</a></li> <li><a href="https://codeberg.org/removewingman">https://codeberg.org/removewingman</a></li> <li><a href="https://codeberg.org/rtfb">https://codeberg.org/rtfb</a></li> <li><a href="https://codeberg.org/rvba">https://codeberg.org/rvba</a></li> <li><a href="https://codeberg.org/s1m">https://codeberg.org/s1m</a></li> <li><a href="https://codeberg.org/sandebert">https://codeberg.org/sandebert</a></li> <li><a href="https://codeberg.org/saurabh">https://codeberg.org/saurabh</a></li> <li><a href="https://codeberg.org/sclu1034">https://codeberg.org/sclu1034</a></li> <li><a href="https://codeberg.org/SLASHLogin">https://codeberg.org/SLASHLogin</a></li> <li><a href="https://codeberg.org/s-l-s">https://codeberg.org/s-l-s</a></li> <li><a href="https://codeberg.org/SludgePhD">https://codeberg.org/SludgePhD</a></li> <li><a href="https://codeberg.org/snematoda">https://codeberg.org/snematoda</a></li> <li><a href="https://codeberg.org/solomonv">https://codeberg.org/solomonv</a></li> <li><a href="https://codeberg.org/Squel">https://codeberg.org/Squel</a></li> <li><a href="https://codeberg.org/stb">https://codeberg.org/stb</a></li> <li><a href="https://codeberg.org/stevenroose">https://codeberg.org/stevenroose</a></li> <li><a href="https://codeberg.org/tgy">https://codeberg.org/tgy</a></li> <li><a href="https://codeberg.org/thefinn93">https://codeberg.org/thefinn93</a></li> <li><a href="https://codeberg.org/thefox">https://codeberg.org/thefox</a></li> <li><a href="https://codeberg.org/toolforger">https://codeberg.org/toolforger</a></li> <li><a href="https://codeberg.org/VadZ">https://codeberg.org/VadZ</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/virtulis">https://codeberg.org/virtulis</a></li> <li><a href="https://codeberg.org/voltagex">https://codeberg.org/voltagex</a></li> <li><a href="https://codeberg.org/wangito33">https://codeberg.org/wangito33</a></li> <li><a href="https://codeberg.org/xenrox">https://codeberg.org/xenrox</a></li> <li><a href="https://codeberg.org/Xinayder">https://codeberg.org/Xinayder</a></li> <li><a href="https://codeberg.org/xtex">https://codeberg.org/xtex</a></li> <li><a href="https://codeberg.org/yoctozepto">https://codeberg.org/yoctozepto</a></li> <li><a href="https://codeberg.org/yonas">https://codeberg.org/yonas</a></li> <li><a href="https://translate.codeberg.org/user/aleksi">https://translate.codeberg.org/user/aleksi</a></li> <li><a href="https://translate.codeberg.org/user/ciampix">https://translate.codeberg.org/user/ciampix</a></li> <li><a href="https://translate.codeberg.org/user/emansije">https://translate.codeberg.org/user/emansije</a></li> <li><a href="https://translate.codeberg.org/user/EssGeeEich">https://translate.codeberg.org/user/EssGeeEich</a></li> <li><a href="https://translate.codeberg.org/user/muhaaliss">https://translate.codeberg.org/user/muhaaliss</a></li> <li><a href="https://translate.codeberg.org/user/Outbreak2096">https://translate.codeberg.org/user/Outbreak2096</a></li> <li><a href="https://translate.codeberg.org/user/salif">https://translate.codeberg.org/user/salif</a></li> <li><a href="https://translate.codeberg.org/user/toasterbirb">https://translate.codeberg.org/user/toasterbirb</a></li> <li><a href="https://translate.codeberg.org/user/Zughy">https://translate.codeberg.org/user/Zughy</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Help us in making Forgejo v9 a great release</title><link>https://forgejo.org/2024-09-preparing-v9/</link><guid isPermaLink="true">https://forgejo.org/2024-09-preparing-v9/</guid><description>Your help in preparing the next Forgejo release is appreciated. Now is a good time to step in.</description><pubDate>Wed, 25 Sep 2024 00:00:00 GMT</pubDate><content:encoded><p>We are looking forward to shipping the improvements we have made in the past months to all Forgejo users. Today, we have reached the next milestone in our <a href="/docs/v8.0/developer/release/#release-cycle">release cycle</a>, reaching a period of feature freeze to focus on fixing bugs. The release of Forgejo v9.0 is scheduled for 16 October 2024.</p> <p>It is a good moment for you to help ensuring the next Forgejo release is a success. Thank you for your support!</p> <h2>Localization</h2> <p>With the feature freeze comes a period of less new strings to translate. Now is the best time to translate Forgejo into your language, we invite you to <a href="/docs/next/contributor/localization/">check out the localization guide</a> and joining us on Weblate.</p> <p>Localizing Forgejo helps more users around the world to get involved in free/libre software development, including end-users submitting bug reports and students who get in touch with Forgejo in schools.</p> <p>Additionally, raising the completion status before the next release reduces the effort on our end to backport translations to existing Forgejo releases.</p> <p>Join our localization effort today!</p> <h2>Using</h2> <p>If you can upgrade your Forgejo version to the latest state in the <a href="https://codeberg.org/forgejo/forgejo/src/branch/v9.0/forgejo"><code>v9.0/forgejo</code></a> branch, you can spot and report issues before other users do. Ensure you make a backup of your data, just in case.</p> <p>We are looking forward to your feedback or bug reports. Test the upcoming version of Forgejo today!</p> <h2>Developing</h2> <p>If you always wanted to help developing for Forgejo, we appreciate your help in fixing bugs for the upcoming version.</p> <p>Take a look at <a href="https://codeberg.org/forgejo/forgejo/issues?labels=201023%2c222666">this list of bugs that might be "good first issue"s</a>. Let us know if you are interested to take a look at any of them, and we'll be here to assist you completing them before the release date.</p> <p>If you can spare more time, also take a look at other and new bug reports, try to reproduce them and diagnose the issues together with the team.</p> <h2>Donating</h2> <p>If you cannot spare some time right now, but still want to support Forgejo, consider <a href="https://liberapay.com/forgejo">setting up a donation to our Liberapay team</a> or <a href="https://docs.codeberg.org/improving-codeberg/donate/">donating to Codeberg</a> to enable other Forgejo developers to complete their work.</p> <h3>Get in touch</h3> <p>If you have any feedback or suggestions for Forgejo, we'd love to hear from you! Open an issue on <a href="https://codeberg.org/forgejo/forgejo/issues">our issue tracker</a> for feature requests or bug reports. You can also find us <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop by <a href="https://matrix.to/#/#forgejo:matrix.org">our Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) to say hi!</p> </content:encoded></item><item><title>Forgejo monthly update - August 2024</title><link>https://forgejo.org/2024-08-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2024-08-monthly-update/</guid><description>Forgejo changed its license from MIT to GNU GPL v3+, it is now copyleft, just like Git. A pull request for federated user activity following using ActivityPub saw significant progress. Space usage quotas for users and organizations was implemented. The Forgejo security policy was published.</description><pubDate>Sat, 31 Aug 2024 00:00:00 GMT</pubDate><content:encoded><p>The monthly report is meant to provide a good overview of what has changed in Forgejo in the past month. If you would like to help, please get in touch in <a href="https://matrix.to/#/#forgejo-chat:matrix.org">the chatroom</a> or participate in the <a href="https://codeberg.org/forgejo/discussions">ongoing discussions</a>.</p> <p>It was decided more than a year ago and finally happened: Forgejo changed its license from MIT to <a href="https://forgejo.org/2024-08-gpl/">GNU GPL v3+</a> and accepts contributions with a simple <a href="https://forgejo.org/docs/next/developer/dco/">Developer Certificate of Origin</a>. It is an additional guarantee that it will not drift away from Free Software and become <a href="https://en.wikipedia.org/wiki/Open-core_model">Open Core</a> like GitLab or Gitea.</p> <p>Last month, the <a href="https://codeberg.org/forgejo/forgejo/issues/4153">v8.0 release date was postponed multiple times</a> because bugs were discovered at the last minute. This rather time consuming effort was rewarded by a smooth upgrade of Codeberg and other instances. The absence of problems allowed Forgejo contributors to focus on features and structural improvements: ActivityPub federation, storage quotas, security policy, and more.</p> <h2>Forgejo is now copyleft</h2> <p><a href="https://forgejo.org/2024-08-gpl/">The impact of the license change</a> has been carefully considered with regard to the variety of usages of Forgejo. Someone might have chosen to avoid copyleft software, for example because it is discouraged in a company. However, Forgejo depends on Git, one of the most successful copyleft software. Both Forgejo and Git must be used together, either as individual binaries or bundled into the <a href="https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/v9.0-test">official container images</a>. The license of Git is <a href="https://git-scm.com/about/free-and-open-source">GNU GPL v2</a>, another version of the same <a href="https://www.gnu.org/licenses/copyleft.html">copyleft license</a>.</p> <p>The majority of Forgejo's codebase is still MIT-licensed, but it is expected that an increasing number of files will switch to GNU GPL v3+ over time. With the notable exception of the <a href="https://codeberg.org/forgejo/forgejo/pulls/5083">API swagger file that is and will stay MIT</a> to clarify that the intent of the Forgejo authors is that it is used for interoperability with no restriction. It is not an original work and enforcing copyright on that file would probably be difficult anyway.</p> <p>The <a href="https://codeberg.org/forgejo/discussions/issues/192">discussions on how to improve</a> Forgejo's licensing are still very lively and will eventually lead to decisions that will improve its legal protection, in the interest of the general public.</p> <h2>Federation</h2> <p><a href="https://codeberg.org/forgejo/discussions/issues/208">Federation is getting useful</a>. There is now more than preliminary background work, and the first exciting things could be tried out by users. The work is not near the goal yet.</p> <p>Building upon the foundations released with Forgejo v8.0, a pull request for <a href="https://codeberg.org/forgejo/forgejo/pulls/4767">federated user activity following</a> saw significant progress. The core idea is that any activity (where activity is defined as anything that ends up in the Forgejo user activity) is wrapped in an ap.Note, and sent to followers in the ActivityPub sense. Similarly, the inbox of local users now accepts such Notes. Additionally, there's now a "Feeds" tab on the user profile page, which displays the received notes.</p> <h2>go-git support is removed from the codebase</h2> <p>Forgejo used to have 2 Git backends: the normal git and <a href="https://github.com/go-git/go-git">go-git</a> which is a Git implementation in pure Go. This had 2 benefits:</p> <ol> <li>You don't need git installed.</li> <li>It is a little bit faster than Git on Windows.</li> </ol> <p>Supporting go-git would mean holding Forgejo back. Every Git Feature that Forgejo wants to use also needs to be implemented in go-git. For example: setting git notes in the Web UI is currently not possible in go-git. In addition go-git may lead to data loss and repository corruption <a href="https://github.com/go-git/go-git/issues/878">(one example)</a>. It is not widely used and does not have extensive testing (see <a href="https://github.com/go-git/go-git/issues/878">the latest example of such corruption</a>).</p> <p>For these reasons, <a href="https://codeberg.org/forgejo/forgejo/pulls/4941">go-git was removed from the codebase</a>. It only affects users who built Forgejo manually using <code>TAGS=gogit</code>, which no longer has any effect. This removal only happened in the development branch and not in the existing stable Forgejo branches, up to <code>v8.0/forgejo</code> included.</p> <h2>Noteworthy pull requests</h2> <ul> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/4212">Space usage quotas for users and organizations</a>.</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1445">A release asset can be a URL instead of a file</a>.</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/4698">Add a cron task to cleanup dangling container images with version sha256:*</a>.</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/5090">Remove support for Couchbase as a session provider</a>; it instead will now fallback to the file provider. The rationale for removing Couchbase support is that it's not free software, <a href="https://www.couchbase.com/blog/couchbase-adopts-bsl-license/">https://www.couchbase.com/blog/couchbase-adopts-bsl-license/</a>, and therefore cannot be tested in Forgejo and neither should be supported.</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/4819">Allow push mirrors to use a SSH key as the authentication method</a> for the mirroring action instead of using user:password authentication. The SSH keypair is created by Forgejo and the destination repository must be configured with the public key to allow for push over SSH.</li> <li><a href="https://codeberg.org/forgejo/forgejo/commit/bf7373a2520ae56a1dc00416efa02de9749b63d3">Forgejo Actions logs are compressed by default</a>. It can be disabled by setting [actions].LOG_COMPRESSION=none.</li> </ul> <p>Read more <a href="https://codeberg.org/forgejo/forgejo/milestones">in the draft release notes for the upcoming major version</a>.</p> <h2>OCI mirror</h2> <p>Forgejo <a href="https://code.forgejo.org/forgejo/oci-mirror/src/commit/5c750a36ad39692206cc04eca85b6a34b5367a31/.forgejo/workflows/mirror.yml">maintains a mirror</a> of <a href="https://code.forgejo.org/oci/-/packages">container images</a> that are commonly used in the CI and the release process. The primary motivation is to not be subject to rate limiting <a href="https://docs.docker.com/docker-hub/download-rate-limit/">when using the Docker hub</a> as well as saving bandwidth.</p> <p>There still were two problems that led to a rate limiting incident disrupting the CI during a few hours:</p> <ul> <li>A number of references to container images were not using the mirror - they were replaced</li> <li>The mirror itself was rate limited because it used <code>skopeo copy</code> - it was <a href="https://code.forgejo.org/forgejo/oci-mirror/pulls/4">replaced with <code>skopeo sync</code></a></li> </ul> <h2>Release notes automation</h2> <p>In addition to the preview shown in each pull request, the <a href="https://codeberg.org/forgejo/forgejo/milestones">Forgejo milestones</a> for all upcoming releases are <a href="https://codeberg.org/forgejo/forgejo/src/commit/eb25bc9edb5d33621fbebda20475139f42d62ad7/.forgejo/workflows/release-notes-assistant-milestones.yml">updated daily with the draft release notes</a> compiled from all the pull requests.</p> <h2>Design and User Interface</h2> <p>Semantic HTML often was a discussion topic, and <a href="https://codeberg.org/forgejo/forgejo/pulls/4995">a pull request was merged to demonstrate</a> how forms could look like with less classes and less weird divs all over the place. They bring consistency out of the box (you only need to change some CSS properties, no need to keep your templates in sync). It was followed by <a href="https://codeberg.org/forgejo/forgejo/pulls/5031">a refactor of some forms to improve semantic HTML, usability, accessibility, and reduce the JavaScript footprint</a>.</p> <p><a href="https://codeberg.org/forgejo/discussions/issues/212">A discussion started to improve the testing infrastructure</a>. The "reasonable effort" for the tests is eaten up by just figuring out how to get test data populated. Contributors asked to write tests, should not follow a paper chase. It led to pull requests to <a href="https://codeberg.org/forgejo/forgejo/pulls/5108">move <code>CreateDeclarativeRepo</code> to more accessible location</a> and <a href="https://codeberg.org/forgejo/forgejo/pulls/5110">improve diffs generated by Forgejo to make testing more convenient</a>.</p> <h2>Helm chart</h2> <p>The Forgejo helm chart had <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases">many minor and patch updates</a>, in both v7 and v8. <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases/tag/v7.0.5">Helm chart v7.0.5</a> and <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases/tag/v8.1.1">v8.1.1</a> were released which contain Forgejo security fixes.</p> <p>Each version is tested against a kubernetes cluster to verify it works. It was using <a href="https://kind.sigs.k8s.io/">kind</a> but it turned out to be difficult to debug when the number of transient errors increased. <a href="https://k3s.io/">K3S</a> is <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/pulls/773/files">used</a> instead and proved to be more stable.</p> <h2>Forgejo v8.0 install party</h2> <p><a href="https://codeberg.org/forgejo/discussions/issues/198">The Forgejo v8.0 install party</a> was a nice community meetup and we got to know some Forgejo users. Some users performed their updates live and had only minor issues that were mostly caused by an issue on their end. Due to the lack of actual problems, some might have perceived it as boring. Finally, it was decided to also upgrade Codeberg to Forgejo v8, which was also a smooth experience.</p> <h2>Social account</h2> <p><a href="https://floss.social/@forgejo">https://floss.social/@forgejo</a> was setup about two years ago and it works flawlessly. However, a problem emerged over the past six months that <a href="https://codeberg.org/forgejo/discussions/issues/205">requires finding a new home</a>: the moderation team at floss.social cannot be contacted, <a href="https://codeberg.org/forgejo/discussions/issues/87">despite numerous attempts over a period of months and via multiple channels</a>.</p> <p>Nothing indicates it is anything more than a case of being overwhelmed by requests on a rather large instance. But it is best addressed by looking for a new home now instead of waiting that an event requiring moderation happens and is left unattended.</p> <h2>Security policy</h2> <p>A <a href="https://codeberg.org/forgejo/governance/issues/159">discussion began</a> in 2023, before Forgejo became a hard-fork of Gitea, to improve the security collaboration with upstream projects. It led to <a href="https://pad.gusted.xyz/s/uN6kscBuh">a security policy</a> that was <a href="https://codeberg.org/forgejo/governance/issues/159">agreed on</a> according to the <a href="https://codeberg.org/forgejo/governance/issues/159">Forgejo decision making process</a>.</p> <h2>Dependency management</h2> <p>A dedicated <a href="https://code.forgejo.org/forgejo-contrib/forgejo-renovate/src/branch/main/.forgejo/workflows/renovate.yml#L21">renovate repository</a> runs every 30 minutes in the <a href="https://code.forgejo.org">https://code.forgejo.org</a> instance to service Forgejo related projects, saving them the burden of running it individually.</p> <p>The configuration of renovate within Forgejo spaces is the same with regard to Go dependencies. Instead of repeating them in each repository (<a href="https://codeberg.org/forgejo/forgejo/src/commit/d34d8ec2cfd92451edbadb371cd101fdf2160fad/renovate.json">forgejo/renovate.json</a>, <a href="https://code.forgejo.org/forgejo/runner/src/commit/1008f44ddbfdc732a41b466985cac0785924af18/renovate.json">runner/renovate.json</a>), they <a href="https://code.forgejo.org/forgejo/runner/src/commit/82523d1d8e52f607bf7dd87d64f892b704803354/renovate.json">import a shared configuration</a> found in <a href="https://code.forgejo.org/forgejo/renovate-config/src/commit/9f969e5d320ebad4816c51ae30ff4131dc559802/renovate.json">a repository</a> created for that purpose.</p> <h2>Localization</h2> <p>5 batches of translation updates were merged with 2090 new strings and 1020 string improvements - more than the previous two months combined.</p> <p>The localization team keeps making sure that the merged translation updates are backported to the current stable versions of Forgejo, so that the releases are always shipped with the most complete and highest quality translations available.</p> <p>Forgejo is used by a wide variety of people and organizations around the world. For some of them the availability and quality of translations are important factors. Everyone is welcome to contribute to the localization by translating and checking strings. Details on how to participate can be found <a href="https://forgejo.org/docs/next/contributor/localization/">here</a>.</p> <h2>Forgejo runner</h2> <p>A new version of the Forgejo runner was published which <a href="https://code.forgejo.org/forgejo/runner/src/branch/main/RELEASE-NOTES.md#3-5-1">fixes a security issue</a>. It was made easier by using the same tooling as Forgejo itself to <a href="https://code.forgejo.org/forgejo/runner/pulls?poster=163">upgrade the dependencies</a>.</p> <p>Security is the most important aspect that the Forgejo runner needs to address before it can be considered for beta testing and will be helped <a href="https://codeberg.org/forgejo/discussions/issues/204">by a security audit</a> which is in the early stages with <a href="https://www.radicallyopensecurity.com">Radically Open Security</a>.</p> <p>It will also need more contributors to help with its long term maintenance and anyone interested is encouraged to join.</p> <h2>Sustainability</h2> <p>Donations to the <a href="https://liberapay.com/forgejo">Forgejo Liberapay team</a> reached around 40€ per week and are distributed to <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#liberapay-team-members">three beneficiaries</a>.</p> <p>Drawing upon <a href="https://codeberg.org/forgejo/discussions/issues/144">previous sustainability discussions</a>, a <a href="https://codeberg.org/forgejo/sustainability/pulls?labels=244292">grant application was submitted</a> for the <a href="https://www.sovereigntechfund.de/">Sovereign Tech Fund</a>.</p> <p>The creation of a sustainability team, tasked to map out and implement a strategy on how to make Forgejo a durable endeavour over the next years <a href="https://codeberg.org/forgejo/governance/issues/163">was proposed</a>.</p> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/0ko">https://codeberg.org/0ko</a></li> <li><a href="https://codeberg.org/abueide">https://codeberg.org/abueide</a></li> <li><a href="https://codeberg.org/AdamGreenberg">https://codeberg.org/AdamGreenberg</a></li> <li><a href="https://codeberg.org/alex19srv">https://codeberg.org/alex19srv</a></li> <li><a href="https://codeberg.org/algernon">https://codeberg.org/algernon</a></li> <li><a href="https://codeberg.org/AliveDevil">https://codeberg.org/AliveDevil</a></li> <li><a href="https://codeberg.org/Andre601">https://codeberg.org/Andre601</a></li> <li><a href="https://codeberg.org/arija">https://codeberg.org/arija</a></li> <li><a href="https://codeberg.org/AverageHelper">https://codeberg.org/AverageHelper</a></li> <li><a href="https://codeberg.org/avobs">https://codeberg.org/avobs</a></li> <li><a href="https://codeberg.org/ayakael">https://codeberg.org/ayakael</a></li> <li><a href="https://codeberg.org/behm">https://codeberg.org/behm</a></li> <li><a href="https://codeberg.org/bengrue">https://codeberg.org/bengrue</a></li> <li><a href="https://codeberg.org/Beowulf">https://codeberg.org/Beowulf</a></li> <li><a href="https://codeberg.org/bookworm">https://codeberg.org/bookworm</a></li> <li><a href="https://codeberg.org/bramh">https://codeberg.org/bramh</a></li> <li><a href="https://codeberg.org/caesar">https://codeberg.org/caesar</a></li> <li><a href="https://codeberg.org/catgirll">https://codeberg.org/catgirll</a></li> <li><a href="https://codeberg.org/CPU_Blanc">https://codeberg.org/CPU_Blanc</a></li> <li><a href="https://codeberg.org/dachary">https://codeberg.org/dachary</a></li> <li><a href="https://codeberg.org/depeo">https://codeberg.org/depeo</a></li> <li><a href="https://codeberg.org/Dirk">https://codeberg.org/Dirk</a></li> <li><a href="https://codeberg.org/dploeger">https://codeberg.org/dploeger</a></li> <li><a href="https://codeberg.org/dragon">https://codeberg.org/dragon</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/el0n">https://codeberg.org/el0n</a></li> <li><a href="https://codeberg.org/ell1e">https://codeberg.org/ell1e</a></li> <li><a href="https://codeberg.org/eloy">https://codeberg.org/eloy</a></li> <li><a href="https://codeberg.org/emilylange">https://codeberg.org/emilylange</a></li> <li><a href="https://codeberg.org/fadedave">https://codeberg.org/fadedave</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/fontenot">https://codeberg.org/fontenot</a></li> <li><a href="https://codeberg.org/gedw99">https://codeberg.org/gedw99</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/h759bkyo4">https://codeberg.org/h759bkyo4</a></li> <li><a href="https://codeberg.org/heartshake">https://codeberg.org/heartshake</a></li> <li><a href="https://codeberg.org/hexa">https://codeberg.org/hexa</a></li> <li><a href="https://codeberg.org/intelfx">https://codeberg.org/intelfx</a></li> <li><a href="https://codeberg.org/io7m">https://codeberg.org/io7m</a></li> <li><a href="https://codeberg.org/ironmagma">https://codeberg.org/ironmagma</a></li> <li><a href="https://codeberg.org/izzy">https://codeberg.org/izzy</a></li> <li><a href="https://codeberg.org/JakobDev">https://codeberg.org/JakobDev</a></li> <li><a href="https://codeberg.org/j-dominguez9">https://codeberg.org/j-dominguez9</a></li> <li><a href="https://codeberg.org/jean-daricade">https://codeberg.org/jean-daricade</a></li> <li><a href="https://codeberg.org/jerger">https://codeberg.org/jerger</a></li> <li><a href="https://codeberg.org/jthvai">https://codeberg.org/jthvai</a></li> <li><a href="https://codeberg.org/justinsimmons">https://codeberg.org/justinsimmons</a></li> <li><a href="https://codeberg.org/jwildeboer">https://codeberg.org/jwildeboer</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/kita">https://codeberg.org/kita</a></li> <li><a href="https://codeberg.org/kuolemaa">https://codeberg.org/kuolemaa</a></li> <li><a href="https://codeberg.org/Kwonunn">https://codeberg.org/Kwonunn</a></li> <li><a href="https://codeberg.org/l_austenfeld">https://codeberg.org/l_austenfeld</a></li> <li><a href="https://codeberg.org/liberodark">https://codeberg.org/liberodark</a></li> <li><a href="https://codeberg.org/LordMZTE">https://codeberg.org/LordMZTE</a></li> <li><a href="https://codeberg.org/mahlzahn">https://codeberg.org/mahlzahn</a></li> <li><a href="https://codeberg.org/Mai-Lapyst">https://codeberg.org/Mai-Lapyst</a></li> <li><a href="https://codeberg.org/maltejur">https://codeberg.org/maltejur</a></li> <li><a href="https://codeberg.org/marcellmars">https://codeberg.org/marcellmars</a></li> <li><a href="https://codeberg.org/martinwguy">https://codeberg.org/martinwguy</a></li> <li><a href="https://codeberg.org/matrss">https://codeberg.org/matrss</a></li> <li><a href="https://codeberg.org/maxadamo">https://codeberg.org/maxadamo</a></li> <li><a href="https://codeberg.org/mehrad">https://codeberg.org/mehrad</a></li> <li><a href="https://codeberg.org/mickenordin">https://codeberg.org/mickenordin</a></li> <li><a href="https://codeberg.org/mkobel">https://codeberg.org/mkobel</a></li> <li><a href="https://codeberg.org/mrwsl">https://codeberg.org/mrwsl</a></li> <li><a href="https://codeberg.org/msrd0">https://codeberg.org/msrd0</a></li> <li><a href="https://codeberg.org/Musselman">https://codeberg.org/Musselman</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/naipotato">https://codeberg.org/naipotato</a></li> <li><a href="https://codeberg.org/omenos">https://codeberg.org/omenos</a></li> <li><a href="https://codeberg.org/paspflue">https://codeberg.org/paspflue</a></li> <li><a href="https://codeberg.org/patdyn">https://codeberg.org/patdyn</a></li> <li><a href="https://codeberg.org/paulvt">https://codeberg.org/paulvt</a></li> <li><a href="https://codeberg.org/Porkepix">https://codeberg.org/Porkepix</a></li> <li><a href="https://codeberg.org/realaravinth">https://codeberg.org/realaravinth</a></li> <li><a href="https://codeberg.org/recursive_recursion">https://codeberg.org/recursive_recursion</a></li> <li><a href="https://codeberg.org/reynir">https://codeberg.org/reynir</a></li> <li><a href="https://codeberg.org/rohitsharma09">https://codeberg.org/rohitsharma09</a></li> <li><a href="https://codeberg.org/Ryuno-Ki">https://codeberg.org/Ryuno-Ki</a></li> <li><a href="https://codeberg.org/schelmo">https://codeberg.org/schelmo</a></li> <li><a href="https://codeberg.org/sclu1034">https://codeberg.org/sclu1034</a></li> <li><a href="https://codeberg.org/SIMULATAN">https://codeberg.org/SIMULATAN</a></li> <li><a href="https://codeberg.org/skobkin">https://codeberg.org/skobkin</a></li> <li><a href="https://codeberg.org/slingamn">https://codeberg.org/slingamn</a></li> <li><a href="https://codeberg.org/sneakers-the-rat">https://codeberg.org/sneakers-the-rat</a></li> <li><a href="https://codeberg.org/snematoda">https://codeberg.org/snematoda</a></li> <li><a href="https://codeberg.org/solomonv">https://codeberg.org/solomonv</a></li> <li><a href="https://codeberg.org/stb">https://codeberg.org/stb</a></li> <li><a href="https://codeberg.org/strk">https://codeberg.org/strk</a></li> <li><a href="https://codeberg.org/taifoss">https://codeberg.org/taifoss</a></li> <li><a href="https://codeberg.org/Techwizz">https://codeberg.org/Techwizz</a></li> <li><a href="https://codeberg.org/tepozoa">https://codeberg.org/tepozoa</a></li> <li><a href="https://codeberg.org/thefox">https://codeberg.org/thefox</a></li> <li><a href="https://codeberg.org/thilinajayanath">https://codeberg.org/thilinajayanath</a></li> <li><a href="https://codeberg.org/toolforger">https://codeberg.org/toolforger</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/vwbusguy">https://codeberg.org/vwbusguy</a></li> <li><a href="https://codeberg.org/wangyan">https://codeberg.org/wangyan</a></li> <li><a href="https://codeberg.org/waseigo">https://codeberg.org/waseigo</a></li> <li><a href="https://codeberg.org/WhyNotHugo">https://codeberg.org/WhyNotHugo</a></li> <li><a href="https://codeberg.org/xlii">https://codeberg.org/xlii</a></li> <li><a href="https://codeberg.org/xyhhx">https://codeberg.org/xyhhx</a></li> <li><a href="https://codeberg.org/yarikoptic">https://codeberg.org/yarikoptic</a></li> <li><a href="https://codeberg.org/yoctozepto">https://codeberg.org/yoctozepto</a></li> <li><a href="https://translate.codeberg.org/user/ciampix">https://translate.codeberg.org/user/ciampix</a></li> <li><a href="https://translate.codeberg.org/user/emansije">https://translate.codeberg.org/user/emansije</a></li> <li><a href="https://translate.codeberg.org/user/ewm">https://translate.codeberg.org/user/ewm</a></li> <li><a href="https://translate.codeberg.org/user/Fjuro">https://translate.codeberg.org/user/Fjuro</a></li> <li><a href="https://translate.codeberg.org/user/hahahahacker2009">https://translate.codeberg.org/user/hahahahacker2009</a></li> <li><a href="https://translate.codeberg.org/user/hankskyjames777">https://translate.codeberg.org/user/hankskyjames777</a></li> <li><a href="https://translate.codeberg.org/user/hoovad">https://translate.codeberg.org/user/hoovad</a></li> <li><a href="https://translate.codeberg.org/user/hugoalh">https://translate.codeberg.org/user/hugoalh</a></li> <li><a href="https://translate.codeberg.org/user/leana8959">https://translate.codeberg.org/user/leana8959</a></li> <li><a href="https://translate.codeberg.org/user/lotigara">https://translate.codeberg.org/user/lotigara</a></li> <li><a href="https://translate.codeberg.org/user/Outbreak2096">https://translate.codeberg.org/user/Outbreak2096</a></li> <li><a href="https://translate.codeberg.org/user/pswsm">https://translate.codeberg.org/user/pswsm</a></li> <li><a href="https://translate.codeberg.org/user/qui">https://translate.codeberg.org/user/qui</a></li> <li><a href="https://translate.codeberg.org/user/Wuzzy">https://translate.codeberg.org/user/Wuzzy</a></li> <li><a href="https://translate.codeberg.org/user/Xinayder">https://translate.codeberg.org/user/Xinayder</a></li> <li><a href="https://translate.codeberg.org/user/zub">https://translate.codeberg.org/user/zub</a></li> <li><a href="https://translate.codeberg.org/user/Zughy">https://translate.codeberg.org/user/Zughy</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Forgejo is now copyleft, just like Git</title><link>https://forgejo.org/2024-08-gpl/</link><guid isPermaLink="true">https://forgejo.org/2024-08-gpl/</guid><description>In June 2023, Forgejo agreed to allow copyleft code to be merged in the codebase. A year later, in August 2024, the first pull requests to take advantage of this opportunity were merged. Forgejo versions starting from v9.0 are now released under a copyleft license and earlier Forgejo versions, including v8.0 and v7.0 patch releases remain under the MIT license.</description><pubDate>Thu, 22 Aug 2024 00:00:00 GMT</pubDate><content:encoded><p>Forgejo is changing its license to a <a href="https://en.wikipedia.org/wiki/Copyleft">Copyleft license</a>. This blog post will try to bring clarity about the impact to you, explain the motivation behind this change and answer some questions you might have.</p> <h2>How will this impact me?</h2> <p>We have carefully considered the impact the license change has on the variety of usages of Forgejo, and we believe there is little reason to worry. We are not aware of any negative consequences implied by the license change to users who are aligned with Forgejo's values. While we cannot give legal advice of any kind, we'll give a first overview of the new requirements.</p> <p>If you set up Forgejo from our official distributions (e.g. binaries, docker images etc), it is very unlikely that you are affected at all. We do our best to ensure that our Forgejo distributions are fully compliant out of the box.</p> <p>You can also build Forgejo from source, even modify it, host it for yourself and others.</p> <p>If you are redistributing Forgejo binaries, for example because you are packaging it for GNU/Linux distributions or some specific container / package format, you are now required to provide the full source of your Forgejo variant (including potential modifications) under the same license terms as Forgejo itself.</p> <p>You are free to sell Forgejo services, including hosting it for others. If you act according to our values and ensure your users receive the freedoms Forgejo grants you, it is unlikely that you have to do adjustments to your business now or in the future.</p> <p>You might have chosen to avoid copyleft software, for example because it is discouraged in your company. However, Forgejo depends on Git, one of the most successful copyleft software. Both Forgejo and Git must be used together, either as individual binaries or bundled into the <a href="https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/v9.0-test">official container images</a>. The license of Git is <a href="https://git-scm.com/about/free-and-open-source">GNU GPL v2</a>, another version of the same <a href="https://www.gnu.org/licenses/copyleft.html">copyleft license</a>.</p> <h2>Why the license change?</h2> <p>Developers who choose to publish their work under a copyleft license are excluded from participating in software that is published under a permissive license. That is at the opposite of the <a href="https://codeberg.org/forgejo/governance/src/branch/main/MISSION.md#values">core values</a> of the Forgejo project and <a href="https://codeberg.org/forgejo/governance/pulls/20">in June 2023 it was decided to also accept copylefted</a> contributions. A year later, in August 2024, the first pull request <a href="https://codeberg.org/forgejo/governance/src/branch/main/AGREEMENTS.md#licensing">to take advantage of this opportunity</a> was <a href="https://codeberg.org/forgejo/forgejo/pulls/4698/files">proposed and merged</a>.</p> <p>A copyleft license makes reusing other copyleft software easier. Recently, we discovered that <a href="https://forgejo.org/2024-07-non-free-dependency-found/">some of the dependencies we used were incompatible with the license Forgejo was distributed with</a>, and they had to be removed for now. Choosing copyleft licenses enables us to reuse more work, and saves us precious time to focus on improving Forgejo itself.</p> <p>Copyleft licenses do not only benefit the developers. They also guarantee freedoms to users of the software. They reduce the risk of exploitive business practices, like creating a modified version of Forgejo with less freedoms to the users, which could ultimately trap users in a vendor lock-in.</p> <h2>What is changing, now and in the future?</h2> <p>Forgejo versions starting from v9.0 are now released <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/LICENSE">under the GPL v3+</a> and earlier Forgejo versions, including v8.0 and v7.0 patch releases remain under <a href="https://codeberg.org/forgejo/forgejo/src/branch/v8.0/forgejo/LICENSE">the MIT license</a>.</p> <p>The license of Forgejo is not carved in stone and this change shows that it can adapt to the needs of the project. It also shows that it is a long process: it took months of discussions to reach the agreement in 2023. And another year for it to be put to use. This slow pace reflects how difficult it is to make a sound decision knowing it will have a long lasting impact.</p> <p>The <a href="https://codeberg.org/forgejo/discussions/issues/192">discussions on how to improve</a> Forgejo's licensing are still very lively and will eventually lead to decisions that will improve its legal protection, in the interest of the general public.</p> <h2>Contribute to Forgejo</h2> <p>Forgejo is in a unique position among the software forges: It serves its users and is guaranteed to be free and independent, managed by a non-profit organization and <a href="https://codeberg.org/forgejo/governance">a transparent governance process</a>.</p> <p>If you are considering contributing to Forgejo, now that your work is protected by a copyleft license, we welcome you to our exciting journey and we are looking forward to forging with you.</p> <p>If you want to back Forgejo's independence with a financial contribution, check out our newly-created <a href="https://liberapay.com/forgejo">Liberapay team</a> to compensate our developers for their invested time.</p> <p>If you have any feedback or suggestions, do not hold back, it is also your project. Open an issue in <a href="https://codeberg.org/forgejo/forgejo/issues">the issue tracker</a> for feature requests or bug reports, reach out <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop into <a href="https://matrix.to/#/#forgejo:matrix.org">the Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) and say hi!</p> </content:encoded></item><item><title>Forgejo Security Release v8.0.1 & v7.0.7</title><link>https://forgejo.org/2024-08-release-v801/</link><guid isPermaLink="true">https://forgejo.org/2024-08-release-v801/</guid><description>The Forgejo v8.0.1 & v7.0.7 releases contain a security fix for a cross-site scripting (XSS) vulnerability that allowed repository owners to create links that executed javascript when clicking on them.</description><pubDate>Fri, 09 Aug 2024 00:00:00 GMT</pubDate><content:encoded><p>Forgejo <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v8.0.1">v8.0.1</a> &amp; <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v7.0.7">v7.0.7</a> was released 9 August 2024.</p> <p>These releases contain a fix for a security issue, which can be exploited by registered Forgejo users who can change the description of a repository. A <a href="https://codeberg.org/forgejo/forgejo/pulls/1433">change introduced in Forgejo v1.21</a> allows a Forgejo user with write permission on a repository description <a href="https://en.wikipedia.org/wiki/Cross-site_scripting">to inject a client-side script into the web page viewed by the visitor</a>. This XSS vulnerability allows for <code>href</code> in anchor elements to be set to a <code>javascript:</code> URI in the repository description, which will execute the specified script upon clicking (and not upon loading). <a href="https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs"><code>AllowStandardURLs</code></a> is now called for the repository description policy, which ensures that URIs in anchor elements are <code>mailto:</code>, <code>http://</code> or <code>https://</code> thereby disallowing the <code>javascript:</code> URI.</p> <h3>Recommended Action</h3> <p>We <em>strongly recommend</em> that all Forgejo installations are upgraded to the latest version as soon as possible.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo, we'd love to hear from you! Open an issue on <a href="https://codeberg.org/forgejo/forgejo/issues">our issue tracker</a> for feature requests or bug reports. You can also find us <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop by <a href="https://matrix.to/#/#forgejo:matrix.org">our Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) to say hi!</p> </content:encoded></item><item><title>Forgejo monthly update - July 2024</title><link>https://forgejo.org/2024-07-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2024-07-monthly-update/</guid><description>A non-free JavaScript library was found in the project's dependency structure, and the entire component that relied on it was re-implemented. Forgejo v8.0 is available with new features, a new approach to UI and UX, careful upgrade of dependencies to improve stability and security. Foundation parts for ActivityPub based federation and data portability were merged in.</description><pubDate>Wed, 31 Jul 2024 00:00:00 GMT</pubDate><content:encoded><p>The monthly report is meant to provide a good overview of what has changed in Forgejo in the past month. If you would like to help, please get in touch in <a href="https://matrix.to/#/#forgejo-chat:matrix.org">the chatroom</a> or participate in the <a href="https://codeberg.org/forgejo/discussions">ongoing discussions</a>.</p> <p><a href="https://forgejo.org/2024-07-non-free-dependency-found/">A non-free JavaScript library was found</a> in the project's dependency structure, and the entire component that relied on it was re-implemented. The new versions 8.0.0 and 7.0.6 were released without this library. This step is important to meet the core values of Forgejo.</p> <p><a href="https://forgejo.org/2024-07-release-v8-0/">Forgejo v8.0 is available</a> with new features (support for workflow dispatch, better defaults to avoid spam on new instances etc.), a new approach to UI and UX, careful upgrade of dependencies to improve stability and security. Foundation parts for ActivityPub based federation and data portability were merged in.</p> <h2>Forgejo v8.0 release</h2> <p>A gentle way of describing Forgejo User eXperience is that it is an acquired taste: it grew over the years, driven by the inspiration of the person with the keyboard in their hand. Once implemented it almost never changed. A user who started with Forgejo in 2022 can only see minor changes in 2024 and not all of them make intuitive sense. The solution to this problem is simple and was identified early on: <a href="https://jdittrich.github.io/userNeedResearchBook/">User Research</a>. But only in the making of Forgejo v8.0 did it get some momentum.</p> <p>A special effort was also made to reduce the breaking changes of this release to a minimum. For instance it would have been easier to implement <a href="https://codeberg.org/forgejo/forgejo/pulls/3363">this improvement to the rootless OCI image</a> as a breaking change. But significant time was spent to figure out a way to make it backward compatible. Another example is the <a href="https://codeberg.org/forgejo/forgejo/pulls/3934">new default for self-registration</a> that only applies to new installations to not require a manual intervention to change the settings.</p> <h2>Licensing</h2> <p>The release of Forgejo v8.0 was delayed because it was discovered that a non-free dependency of a dependency initially created for Gitea was loaded into the project.</p> <p>The <a href="https://github.com/go-gitea/gitea/commit/81cfe243f9cb90b0a75de7a03bb2d264c97f0036#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519R9">dependency already existed</a> at the time of the fork from Gitea and was therefore included in Forgejo from the beginning. The commitment of Forgejo is to always be <a href="https://codeberg.org/forgejo/governance/src/branch/main/MISSION.md#values">free as in freedom, open source and a community-first product</a>. Non-free dependencies and distribution licenses are incompatible with the values of Forgejo. Therefore, it was of high importance to remove the problematic dependency</p> <p>Read more in <a href="/2024-07-non-free-dependency-found/">the "Non-free dependency discovered in Forgejo and removed"</a> blog post.</p> <p>In <a href="https://codeberg.org/forgejo/governance/pulls/24">June last year</a> an agreement <a href="https://codeberg.org/forgejo/governance/src/branch/main/AGREEMENTS.md#licensing">was reached</a> by which:</p> <blockquote> <p>Forgejo accepts contributions compatible with the GPLv3-or-later license. The license under which Forgejo is distributed will be changed upon the acceptance of such contributions. See the LICENSE file for the current license.</p> </blockquote> <p>This has not happened yet but there now are pull requests in flight that have copylefted code in them. <a href="https://codeberg.org/forgejo/discussions/issues/192">Discussions started</a> to find the best way to move forward.</p> <h2>Design</h2> <p>The <a href="https://codeberg.org/forgejo/design">forgejo/design</a> repository was created. Design being wider than the visual appearance, it's about User eXperience, workflows, efficiency, and even technical aspects. It is the interface between the UI and User Research Teams, they iterate on features, gather data, exchange ideas.</p> <p>The envisioned workflow is:</p> <ul> <li>Feature requests are filed to Forgejo.</li> <li>When some of them sound interesting or related, a new issue in forgejo/design is created to coordinate the work on a feature.</li> <li>New insights (e.g. from user research, but also from duplicate or related issues) can be quickly referenced in the related issue.</li> <li>The related Git repository is used for developing the actual state of the feature. People can propose changes which are documented in markdown files.</li> <li>Whenever a design is ready, it can be referenced again in the Forgejo repository and used for implementation.</li> <li>When a developer wants to start working on something and would like to get design feedback, they also open an issue in the design repo to gain input UI wise and from user research.</li> <li>Finally, the design repo should contain guidelines for consistency as a developer resource.</li> </ul> <h2>Helm chart</h2> <p>It is used to deploy the test instances v8.next.forgejo.org and v9.next.forgejo.org using a <a href="https://code.forgejo.org/infrastructure/k8s">dedicated repository</a> in the newly created <a href="https://code.forgejo.org/infrastructure">infrastructure organization</a> that contains the code automating the updates to the Forgejo infrastructure.</p> <p>The Forgejo helm chart had <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases">four patch updates</a>, one for <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases/tag/v7.0.2">7.0.2</a> which depends on Forgejo v7.0.5, one for <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases/tag/v7.0.3">7.0.3</a> and another for <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases/tag/v5.1.3">5.1.3</a>.</p> <p>A new major version, <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases/tag/v8.1.0">8.1.0</a> was published and includes <a href="https://forgejo.org/2024-07-release-v8-0/">Forgejo v8.0.0</a> as well as changes from the Gitea chart.</p> <h2>Localization</h2> <p>Malayalam and Serbian translations, although incomplete, existed in the past but were deleted from the repository over a year ago, before the Forgejo localization team was established. They were stored on a proprietary translation platform, waiting to reach a percentage of completion before being added back. But Forgejo works differently: all translations are present in the repository and only a selected subset is displayed to the user, when they reach an acceptable completion percentage. The once deleted files for Malayalam and Serbian were restored in the repository to help resume the translation effort.</p> <h2>Release notes assistant</h2> <p>Forgejo release notes do not fit the popular trend that consists on enforcing <a href="https://www.conventionalcommits.org/">conventional commits</a> so that <a href="https://github.com/orhun/git-cliff">tools</a> can collect them because:</p> <ul> <li><strong>The unit of change in Forgejo is the pull request, not the commit.</strong> It is not uncommon for a pull request to contain multiple commits that are related but independent from each other. Squashing them into a single commit is not an option. There are diverging opinions on the matter and enforcing a merge policy where pull requests are always squashed into a single commit leads to a nicely flat commit history. But Forgejo made a different choice.</li> <li><strong>A single commit or pull request may require multiple release note lines.</strong> When upgrading a dependency by modifying one line in the <code>go.mod</code> file leads to user facing changes, each of them needs to be described in the release notes. Forgejo relies on hundreds of other Free Software projects and although most of them are plumbing that the Forgejo user do not need to be aware of, others are very visible such as the web editor.</li> <li><strong>Release notes need manual editing.</strong> No matter how good and disciplined the author of a pull request is, there will be typos and unification problems that are best addressed when preparing the release, at the very last stage.</li> </ul> <p>Discussions started early 2024 (<a href="https://codeberg.org/forgejo/discussions/issues/159">here</a> and <a href="https://codeberg.org/forgejo/discussions/issues/155">there</a>) to distribute the release notes workload to the author of each pull request rather than relying on a single person manually doing the same a few days before the release. As the number of contributors to Forgejo increased significantly early 2024, the quality of the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-0">v7.0.0 release notes</a> was sub-standard and a solution had to be found.</p> <p>Read more in the <a href="https://codeberg.org/forgejo/discussions/issues/197">Scaling out Forgejo release notes</a> postmortem.</p> <h2>Sustainability</h2> <p>Donations are now accepted for the <a href="https://liberapay.com/forgejo">Forgejo Liberapay team</a>. Liberapay is a French non-profit dedicated to crowdfunding with predictable income, allowing transfers via multiple payment options and providers with a comparably low fee. It was already possible to <a href="https://docs.codeberg.org/improving-codeberg/donate/">donate to Codeberg e.V.</a>, and part of the funding was used to <a href="https://codeberg.org/forgejo/sustainability/#forgejo-resources-per-year">compensate for work on Forgejo</a>. However, the Liberapay team now allows for money to go directly to developers without a roundtrip to Codeberg. Additionally, Liberapay allows for a steady and reliable funding stream next to other options, a crucial aspect for our project. The distribution of funds through Liberapay is <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#liberapay-team-members">transparently controlled using our decision-making process</a>, and Forgejo contributors are encouraged to consider applying to benefit from this funding opportunity.</p> <p>The NLnet grant application <a href="https://codeberg.org/forgejo/sustainability/pulls?labels=220838">submitted 1 April</a> passed the first round of review and will have to answer questions to qualify for the second round.</p> <p>Drawing upon <a href="https://codeberg.org/forgejo/discussions/issues/144">previous sustainability discussions</a>, a <a href="https://codeberg.org/avobs/sustainability/src/branch/main/2024-07-22%20STF/application_text.md">grant application was drafted</a> for the <a href="https://www.sovereigntechfund.de/">Sovereign Tech Fund</a>. It seems to be a good fit for Forgejo, and in particular for the a similar project outline already proposed to OTF. Unlike the OTF call, STF does not have deadlines for general funding requests. It could be submitted before mid-August.</p> <p>Discussions started to etablish a sustainability team, tasked to map out and implement a strategy on how to make Forgejo a durable endeavour over the next years. It seems that the project is at a point where it could use a concerted effort in this direction, even if, or maybe because, it isn't a very popular matter.</p> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/0ko">https://codeberg.org/0ko</a></li> <li><a href="https://codeberg.org/ajtatum">https://codeberg.org/ajtatum</a></li> <li><a href="https://codeberg.org/alexandria">https://codeberg.org/alexandria</a></li> <li><a href="https://codeberg.org/algernon">https://codeberg.org/algernon</a></li> <li><a href="https://codeberg.org/anbraten">https://codeberg.org/anbraten</a></li> <li><a href="https://codeberg.org/arija">https://codeberg.org/arija</a></li> <li><a href="https://codeberg.org/avobs">https://codeberg.org/avobs</a></li> <li><a href="https://codeberg.org/awiteb">https://codeberg.org/awiteb</a></li> <li><a href="https://codeberg.org/banaanihillo">https://codeberg.org/banaanihillo</a></li> <li><a href="https://codeberg.org/behm">https://codeberg.org/behm</a></li> <li><a href="https://codeberg.org/bencurio">https://codeberg.org/bencurio</a></li> <li><a href="https://codeberg.org/benedictjohannes">https://codeberg.org/benedictjohannes</a></li> <li><a href="https://codeberg.org/benniekiss">https://codeberg.org/benniekiss</a></li> <li><a href="https://codeberg.org/Beowulf">https://codeberg.org/Beowulf</a></li> <li><a href="https://codeberg.org/bramh">https://codeberg.org/bramh</a></li> <li><a href="https://codeberg.org/caesar">https://codeberg.org/caesar</a></li> <li><a href="https://codeberg.org/chizutan5">https://codeberg.org/chizutan5</a></li> <li><a href="https://codeberg.org/clarfonthey">https://codeberg.org/clarfonthey</a></li> <li><a href="https://codeberg.org/clemensgeibel">https://codeberg.org/clemensgeibel</a></li> <li><a href="https://codeberg.org/codebert">https://codeberg.org/codebert</a></li> <li><a href="https://codeberg.org/Crown0815">https://codeberg.org/Crown0815</a></li> <li><a href="https://codeberg.org/Cyborus">https://codeberg.org/Cyborus</a></li> <li><a href="https://codeberg.org/Darthagnon">https://codeberg.org/Darthagnon</a></li> <li><a href="https://codeberg.org/dcz">https://codeberg.org/dcz</a></li> <li><a href="https://codeberg.org/depeo">https://codeberg.org/depeo</a></li> <li><a href="https://codeberg.org/Dirk">https://codeberg.org/Dirk</a></li> <li><a href="https://codeberg.org/dleberre">https://codeberg.org/dleberre</a></li> <li><a href="https://codeberg.org/dstensnes">https://codeberg.org/dstensnes</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/efertone">https://codeberg.org/efertone</a></li> <li><a href="https://codeberg.org/el0n">https://codeberg.org/el0n</a></li> <li><a href="https://codeberg.org/Ember">https://codeberg.org/Ember</a></li> <li><a href="https://codeberg.org/ethanaobrien">https://codeberg.org/ethanaobrien</a></li> <li><a href="https://codeberg.org/evrial">https://codeberg.org/evrial</a></li> <li><a href="https://codeberg.org/floss4good">https://codeberg.org/floss4good</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/GDWR">https://codeberg.org/GDWR</a></li> <li><a href="https://codeberg.org/grosmanal">https://codeberg.org/grosmanal</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/hazy">https://codeberg.org/hazy</a></li> <li><a href="https://codeberg.org/hugorodrigues">https://codeberg.org/hugorodrigues</a></li> <li><a href="https://codeberg.org/iaxat">https://codeberg.org/iaxat</a></li> <li><a href="https://codeberg.org/ikuyo">https://codeberg.org/ikuyo</a></li> <li><a href="https://codeberg.org/Ilyas0Iks">https://codeberg.org/Ilyas0Iks</a></li> <li><a href="https://codeberg.org/JakobDev">https://codeberg.org/JakobDev</a></li> <li><a href="https://codeberg.org/jalil">https://codeberg.org/jalil</a></li> <li><a href="https://codeberg.org/jdittrich">https://codeberg.org/jdittrich</a></li> <li><a href="https://codeberg.org/jean-daricade">https://codeberg.org/jean-daricade</a></li> <li><a href="https://codeberg.org/jerger">https://codeberg.org/jerger</a></li> <li><a href="https://codeberg.org/jthvai">https://codeberg.org/jthvai</a></li> <li><a href="https://codeberg.org/jwildeboer">https://codeberg.org/jwildeboer</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/kita">https://codeberg.org/kita</a></li> <li><a href="https://codeberg.org/kpfleming">https://codeberg.org/kpfleming</a></li> <li><a href="https://codeberg.org/Kwonunn">https://codeberg.org/Kwonunn</a></li> <li><a href="https://codeberg.org/l_austenfeld">https://codeberg.org/l_austenfeld</a></li> <li><a href="https://codeberg.org/leana8959">https://codeberg.org/leana8959</a></li> <li><a href="https://codeberg.org/liberodark">https://codeberg.org/liberodark</a></li> <li><a href="https://codeberg.org/LunarLambda">https://codeberg.org/LunarLambda</a></li> <li><a href="https://codeberg.org/mahlzahn">https://codeberg.org/mahlzahn</a></li> <li><a href="https://codeberg.org/Mai-Lapyst">https://codeberg.org/Mai-Lapyst</a></li> <li><a href="https://codeberg.org/marcellmars">https://codeberg.org/marcellmars</a></li> <li><a href="https://codeberg.org/martinwguy">https://codeberg.org/martinwguy</a></li> <li><a href="https://codeberg.org/meaz">https://codeberg.org/meaz</a></li> <li><a href="https://codeberg.org/mrwsl">https://codeberg.org/mrwsl</a></li> <li><a href="https://codeberg.org/mysticmode">https://codeberg.org/mysticmode</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/nhathaway">https://codeberg.org/nhathaway</a></li> <li><a href="https://codeberg.org/oelmekki">https://codeberg.org/oelmekki</a></li> <li><a href="https://codeberg.org/patdyn">https://codeberg.org/patdyn</a></li> <li><a href="https://codeberg.org/pointlessone">https://codeberg.org/pointlessone</a></li> <li><a href="https://codeberg.org/poVoq">https://codeberg.org/poVoq</a></li> <li><a href="https://codeberg.org/rdvn">https://codeberg.org/rdvn</a></li> <li><a href="https://codeberg.org/rohitsharma09">https://codeberg.org/rohitsharma09</a></li> <li><a href="https://codeberg.org/sbatial">https://codeberg.org/sbatial</a></li> <li><a href="https://codeberg.org/shisui">https://codeberg.org/shisui</a></li> <li><a href="https://codeberg.org/Skivling">https://codeberg.org/Skivling</a></li> <li><a href="https://codeberg.org/slingamn">https://codeberg.org/slingamn</a></li> <li><a href="https://codeberg.org/snematoda">https://codeberg.org/snematoda</a></li> <li><a href="https://codeberg.org/solomonv">https://codeberg.org/solomonv</a></li> <li><a href="https://codeberg.org/strk">https://codeberg.org/strk</a></li> <li><a href="https://codeberg.org/tepozoa">https://codeberg.org/tepozoa</a></li> <li><a href="https://codeberg.org/thefox">https://codeberg.org/thefox</a></li> <li><a href="https://codeberg.org/thepaperpilot">https://codeberg.org/thepaperpilot</a></li> <li><a href="https://codeberg.org/ThetaDev">https://codeberg.org/ThetaDev</a></li> <li><a href="https://codeberg.org/thetredev">https://codeberg.org/thetredev</a></li> <li><a href="https://codeberg.org/toolforger">https://codeberg.org/toolforger</a></li> <li><a href="https://codeberg.org/tseeker">https://codeberg.org/tseeker</a></li> <li><a href="https://codeberg.org/twenty-panda">https://codeberg.org/twenty-panda</a></li> <li><a href="https://codeberg.org/uda">https://codeberg.org/uda</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/wetneb">https://codeberg.org/wetneb</a></li> <li><a href="https://codeberg.org/Xinayder">https://codeberg.org/Xinayder</a></li> <li><a href="https://codeberg.org/xvello">https://codeberg.org/xvello</a></li> <li><a href="https://codeberg.org/zotan">https://codeberg.org/zotan</a></li> <li><a href="https://translate.codeberg.org/user/anonymous">https://translate.codeberg.org/user/anonymous</a></li> <li><a href="https://translate.codeberg.org/user/b1nar10">https://translate.codeberg.org/user/b1nar10</a></li> <li><a href="https://translate.codeberg.org/user/balinteus">https://translate.codeberg.org/user/balinteus</a></li> <li><a href="https://translate.codeberg.org/user/ch0ccyra1n">https://translate.codeberg.org/user/ch0ccyra1n</a></li> <li><a href="https://translate.codeberg.org/user/ciampix">https://translate.codeberg.org/user/ciampix</a></li> <li><a href="https://translate.codeberg.org/user/emansije">https://translate.codeberg.org/user/emansije</a></li> <li><a href="https://translate.codeberg.org/user/EssGeeEich">https://translate.codeberg.org/user/EssGeeEich</a></li> <li><a href="https://translate.codeberg.org/user/ewm">https://translate.codeberg.org/user/ewm</a></li> <li><a href="https://translate.codeberg.org/user/Fjuro">https://translate.codeberg.org/user/Fjuro</a></li> <li><a href="https://translate.codeberg.org/user/hankskyjames777">https://translate.codeberg.org/user/hankskyjames777</a></li> <li><a href="https://translate.codeberg.org/user/kdh8219">https://translate.codeberg.org/user/kdh8219</a></li> <li><a href="https://translate.codeberg.org/user/manolosd">https://translate.codeberg.org/user/manolosd</a></li> <li><a href="https://translate.codeberg.org/user/meskobalazs">https://translate.codeberg.org/user/meskobalazs</a></li> <li><a href="https://translate.codeberg.org/user/Nifou">https://translate.codeberg.org/user/Nifou</a></li> <li><a href="https://translate.codeberg.org/user/revi">https://translate.codeberg.org/user/revi</a></li> <li><a href="https://translate.codeberg.org/user/salif">https://translate.codeberg.org/user/salif</a></li> <li><a href="https://translate.codeberg.org/user/Wuzzy">https://translate.codeberg.org/user/Wuzzy</a></li> <li><a href="https://translate.codeberg.org/user/ZDev">https://translate.codeberg.org/user/ZDev</a></li> <li><a href="https://translate.codeberg.org/user/Zughy">https://translate.codeberg.org/user/Zughy</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Non-free dependency discovered in Forgejo and removed</title><link>https://forgejo.org/2024-07-non-free-dependency-found/</link><guid isPermaLink="true">https://forgejo.org/2024-07-non-free-dependency-found/</guid><description>A non-free JavaScript library was found in the project's dependency structure, and the entire component that relied on it was re-implemented. The new versions 8.0.0 and 7.0.6 will be released without this library. This step is important to meet the core values of Forgejo.</description><pubDate>Tue, 30 Jul 2024 00:00:00 GMT</pubDate><content:encoded><p>On 18 July 2024, a <a href="https://codeberg.org/forgejo/forgejo/issues/4569">small piece of non Free Software was discovered</a> within the Forgejo codebase. It is only used to display the top authors contribution graph (which is part of the <a href="https://codeberg.org/forgejo/forgejo/activity">repository activity</a>) in the web interface. A replacement <a href="https://codeberg.org/forgejo/forgejo/pulls/4571">was implemented</a> and merged on 20 July 2024. This piece of non-Free Software is no longer contained in the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0">v8.0.0 release</a> and the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-6">v7.0.6 point release</a>.</p> <hr /> <p>During a discussion about the future of Forgejo's license, it was discovered that a non-free dependency of a dependency initially created for Gitea was loaded into the project.</p> <p>The usage of the non-free dependency was <a href="https://codeberg.org/forgejo/forgejo/issues/4569">reported</a> in the main issue tracker on 18 July. A few hours later, a <a href="https://codeberg.org/forgejo/forgejo/pulls/4571">pull request</a> was opened to remove the dependency. In addition, <a href="https://codeberg.org/forgejo/discussions/issues/193">a discussion</a> was created to track the problem and the resulting consequences as a whole. The pull request was merged just over one day after the initial submission.</p> <p>The <a href="https://github.com/go-gitea/gitea/commit/81cfe243f9cb90b0a75de7a03bb2d264c97f0036#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519R9">dependency already existed</a> at the time of the fork from Gitea and was therefore included in Forgejo from the beginning. The commitment of Forgejo is to always be <a href="https://codeberg.org/forgejo/governance/src/branch/main/MISSION.md#values">free as in freedom, open source and a community-first product</a>. Non-free dependencies and distribution licenses are incompatible with the values of Forgejo. Therefore, it was of high importance to remove the problematic dependency.</p> <p>The <a href="/2024-06-release-v8-0/">release of 8.0.0</a> was therefore blocked until the problem was solved. The removal of the binary was also ported to <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-6">7.0.6</a>.</p> <p>Additionally <a href="https://github.com/lafriks/vue-bar-graph/issues/14">the author</a> of the dependency and <a href="https://github.com/go-gitea/gitea/issues/31660">Gitea</a> were informed of the non-free subdependency.</p> <p>In order to rule out further infringements, an <a href="https://codeberg.org/forgejo/forgejo/pulls/4574">improved tool was introduced</a> to check the licenses of all dependencies. It runs in the CI, and fails if an incompatibility is found. Due to the new tool which works more precisely, it can lead to more licenses being included in the <a href="https://next.forgejo.org/assets/licenses.txt"><code>license.txt</code></a> - also from dependencies that are removed in the build process. But better this safe way than missing licenses from dependencies in the end.</p> <p>Because <a href="https://gsap.com/community/standard-license/">GSAP</a>, the indirect dependency, is not Free Software, it cannot be <a href="https://codeberg.org/forgejo">distributed in the Forgejo organization</a> hosted by Codeberg. It is prohibited by the <a href="https://codeberg.org/Codeberg/org/src/branch/main/TermsOfUse.md#2-allowed-content-usage">Codeberg Terms of Use</a> and goes against the <a href="https://codeberg.org/forgejo/governance/src/branch/main/MISSION.md#values">Forgejo core values</a>. <strong>The Forgejo binaries and container images will be deleted.</strong> It will take some time, since the technical impact on existing Forgejo instances that depend on them has to be carefully addressed.</p> <hr /> <p>During the investigation, two other indirect dependencies with incompatible licenses were found.</p> <p>One is a dependency which was used for citing a repository in APA format (if the repository is set up for this) and has been <a href="https://codeberg.org/forgejo/forgejo/pulls/4595">removed for the moment</a>. It has a more restrictive, <a href="https://github.com/Juris-M/citeproc-js/blob/master/LICENSE">copyleft license</a> which is incompatible with the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/LICENSE">current license</a> of Forgejo. Repositories can therefore currently only be cited in the widely used BibTeX format. As Forgejo decided to accept copyleft license last year, this dependency may be added again in the future.</p> <p>The other is <a href="https://github.com/kieler/elkjs">elkjs</a> included by <a href="https://github.com/mermaid-js/mermaid">Mermaid</a>. It also has a more restrictive, <a href="https://github.com/kieler/elkjs/blob/master/LICENSE.md">copyleft license</a> which is incompatible with the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/LICENSE">current license</a> of Forgejo. Since <a href="https://mermaid.js.org/syntax/flowchart.html?#renderer">elk as renderer is experimental</a> so far, it was decided to <a href="https://codeberg.org/forgejo/forgejo/pulls/4670">remove elk manually</a>. If you decide to set elkjs specifically as a renderer, an error now occurs. This is currently the only solution for the license issue.</p> </content:encoded></item><item><title>Forgejo v8.0 is available</title><link>https://forgejo.org/2024-07-release-v8-0/</link><guid isPermaLink="true">https://forgejo.org/2024-07-release-v8-0/</guid><description>Forgejo v8.0 is available with new features (support for workflow dispatch, better defaults to avoid spam on new instances etc.), a new approach to UI and UX, careful upgrade of dependencies to improve stability and security. Foundation parts for ActivityPub based federation and data portability were merged in, bringing these features closer to completion, but they're not available yet.</description><pubDate>Tue, 30 Jul 2024 00:00:00 GMT</pubDate><content:encoded><p><a href="/download/">Forgejo v8.0</a> was released 30 July 2024. You will find a short selection of the changes it introduces below and in a <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0">complete list in the release notes</a>. It is released the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-6">same day as Forgejo v7.0.6</a> to address licensing issues impacting frontend features (APA citation format, mermaid ELK rendering and the display of contributor graphs). <a href="https://forgejo.org/2024-07-non-free-dependency-found/">Read more in the dedicated blog post</a>.</p> <p>It comes with <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0">a number of new features</a>, as usual. But the most impactful changes are of a different nature: increased stability, less random UI modifications and almost no breaking changes.</p> <ul> <li>A newly created <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#user-interface">UI team</a> engaged in a different approach and can be credited for a drastic reduction in random User Interface changes in this release.</li> <li><a href="https://codeberg.org/forgejo/forgejo/issues/2779">A dependency dashboard</a> is now used to carefully <a href="https://forgejo.org/docs/latest/developer/dependencies/">watch over each of them</a>, with a direct impact on stability and security.</li> <li>The breaking changes were reduced to a minimum because there is now an increased focus on backward compatibility.</li> </ul> <p>If stability is more important than new features, consider using Forgejo v7.0 instead: it is a Long Term Support release that will receive bug fixes until 16 July 2025. Forgejo v8.0 will be supported until 16 October 2024, when Forgejo v9.0 is published.</p> <p>A <a href="https://v8.next.forgejo.org/">dedicated test instance is available</a> to try it out. Before upgrading it is <em>strongly recommended</em> to make a full backup as explained in the <a href="/docs/v8.0/admin/upgrade/">upgrade guide</a> and carefully read <em>all breaking changes</em> from the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0">release notes</a>. If in doubt, do not hesitate to ask for help <a href="https://floss.social/@forgejo">on the Fediverse</a>, or in the <a href="https://matrix.to/#/#forgejo-chat:matrix.org">chat room</a>.</p> <h3>New features</h3> <ul> <li><p><strong><a href="/docs/v8.0/user/actions/#onworkflow_dispatch">Manually trigger a Forgejo Action</a></strong> workflow with the input provided by the user in the web interface.</p> <p></p> </li> <li><p><strong><a href="https://codeberg.org/forgejo/forgejo/pulls/3934">Self-registration is now disabled by default</a></strong> on the installation page. This is done to prevent the creation of unmaintained instances with open registration that are abused by spammers for malicious purposes.</p> <p></p> </li> <li><p><strong><a href="https://codeberg.org/forgejo/forgejo/pulls/3139">Generated release attachments can optionally be hidden</a></strong> to not be confused with the archives uploaded by the user. For instance, each Forgejo release includes <a href="https://codeberg.org/forgejo/forgejo/releases/download/v7.0.5/forgejo-src-7.0.5.tar.gz">a source archive</a> which is different from the generated archive.</p> <p> </p> </li> </ul> <p>Read more <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0">in the Forgejo v8.0.0 release notes</a>.</p> <h3>A new approach to UI and UX</h3> <p>The first user visible benefit of the new approach is a drastic reduction of the seemingly random User Interface changes that were frequently found in previous releases.</p> <p>A gentle way of describing Forgejo User eXperience is that it is an acquired taste: it grew over the years, driven by the inspiration of the person with the keyboard in their hand. Once implemented it almost never changed. A user who started with Forgejo in 2022 can only see minor changes in 2024 and not all of them make intuitive sense. The solution to this problem is simple and was identified early on: <a href="https://jdittrich.github.io/userNeedResearchBook/">User Research</a>. But only in the making of Forgejo v8.0 did it get some momentum.</p> <p>The time and energy of <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#user-interface">Forgejo contributors with the skills and desire to improve the User eXperience</a> went in four equally important directions:</p> <ul> <li>Conducting user testing sessions (<a href="https://codeberg.org/forgejo/user-research/issues/34">June 2024</a> and <a href="https://codeberg.org/forgejo/user-research/src/branch/main/interviews/2024-04/template.md">April 2024</a>) to observe how Forgejo is used. How do users work with Forgejo? What problems do they run into?</li> <li>Discussing <a href="https://codeberg.org/forgejo/discussions/issues/178">a new workflow for designing and implementing feature requests</a>. The focus is on the problems rather than the solution. When a user or a developer has a solution in mind, it is not uncommon that it does not solve an actual problem.</li> <li>Giving some love to the current user interface, fixing bugs and backporting them to the stable versions (e.g. <a href="https://codeberg.org/forgejo/forgejo/pulls?labels=87703&amp;milestone=6654">7.0.5</a>). Review and apply <a href="https://codeberg.org/forgejo/forgejo/pulls?labels=223008">upgrades</a> of <a href="https://codeberg.org/forgejo/forgejo/src/commit/8afdafebf9fa2cb748a13e56ff3d865675ae27b6/package.json">JavaScript packages</a> and <a href="https://codeberg.org/forgejo/forgejo/pulls?labels=202906">other dependencies</a> used to build the UI.</li> <li>Improving the <a href="https://codeberg.org/forgejo/forgejo/commits/branch/forgejo/tests/e2e">JavaScript test coverage</a> which is still currently under 10% but has seen more improvement in the past three months than in the past two years.</li> </ul> <p>In a nutshell, Forgejo's goal is now to design its User eXperience based on what user needs, as demonstrated by observations, rather than what they think that they want.</p> <h3>Removal of Microsoft SQL Server support</h3> <p>When Forgejo started almost two years ago, it focused on supporting and documenting a subset of the features present in the codebase. It made a implicit promise to its users to produce quality releases where new features could be added and bug fixed. It is a simple problem to solve as long as there are two necessary ingredients:</p> <ul> <li>Contributors with the knowledge to diagnose a problem</li> <li>Automated tests guarding the code against regressions when a new feature or a bug fix is merged in the codebase</li> </ul> <p>Microsoft SQL Server never met these conditions and <a href="https://codeberg.org/forgejo/discussions/issues/122">discussions began early 2024</a> to address the problem. The short version is that there is no reported use of a Forgejo instance running Microsoft SQL Server currently, and the decision was made to remove it from the codebase.</p> <p>An alternative would have been to leave it, to give a chance to someone with the right skills to step up and contribute their knowledge to support Microsoft SQL Server. But that would not solve the other problem: because Microsoft SQL Server is not Free Software, it cannot be integrated in the automated tests. That would be adding a non Free Software dependency to Forgejo, which goes against its core values.</p> <p>Because Forgejo is still young and none of its users rely on Microsoft SQL Server support, it can be dropped without inconveniencing anyone. As Forgejo's popularity grows, keeping the feature in the codebase would increase the probability that users rely on Microsoft SQL Server. It would then be a difficult situation for Forgejo and it is best to avoid that trap.</p> <p>See also the <a href="/2024-06-monthly-update/#standard-formats-and-protocols">related section on standard formats and protocols</a> in the June 2024 report.</p> <h3>Less breaking changes</h3> <p>A special effort was made to reduce the breaking changes of this release to a minimum. For instance it would have been easier to implement <a href="https://codeberg.org/forgejo/forgejo/pulls/3363">this improvement to the rootless OCI image</a> as a breaking change. But significant time was spent to figure out a way to make it backward compatible. Another example is the <a href="https://codeberg.org/forgejo/forgejo/pulls/3934">new default for self-registration</a> that only applies to new installations to not require a manual intervention to change the settings.</p> <h3>Improved stability</h3> <p>Forgejo directly depends on hundreds of software projects: OCI images are based on <a href="https://alpinelinux.org/">Alpine Linux</a>, markdown rendering uses <a href="https://github.com/yuin/goldmark">goldmark</a>, TLS certificates are obtained using <a href="https://github.com/caddyserver/certmagic">certmagic</a> and the list goes on, ranging from CI tooling that only matter to Forgejo developers to user interface components such as the <a href="https://microsoft.github.io/monaco-editor/">editor used to write issue comments</a>.</p> <p>Watching over those dependencies was an unsolved problem:</p> <ul> <li>bugs (or even security) fixes were not applied because no contributor had the time or the inclination to watch over them manually</li> <li>batch upgrades, dozens of direct dependencies at a time, occasionally happened without actually reading through the release notes of each of them, let alone evaluate the risk of regression or the new features they include</li> </ul> <p>It was resolved in v8.0 with <a href="https://codeberg.org/forgejo/tools/src/branch/main/scripts/wcp">specific tooling</a> and <a href="https://codeberg.org/forgejo/forgejo/issues/2779">a dependency dashboard</a> updated hourly by <a href="https://github.com/renovatebot/renovate">renovate</a> and watched over daily by Forgejo contributors. When a new release of a dependency is published, it is immediately proposed for review and the decision to upgrade is made in accordance to the new <a href="/docs/v8.0/developer/dependencies/">dependency management process</a>. The tooling made it possible and sustainable to observe the evolution of hundred of dependencies.</p> <p>The immediate benefits are:</p> <ul> <li>more stability as batch upgrades no longer happen with the associated risk of regression</li> <li>bugs and security fixes found in dependencies are applied without undue delay, and backported to stable releases</li> </ul> <h3>Gitea compatibility</h3> <p>Forgejo v8.0 was manually tested to be compatible with Gitea v1.22. Users reported successful upgrades of an instance of Gitea v1.22 to the development version of Forgejo v8.0. In addition, <a href="https://code.forgejo.org/forgejo/end-to-end/pulls/205">automated upgrade tests from Gitea v1.22 to Forgejo v8.0</a> were implemented and are run prior to each Forgejo release.</p> <ul> <li>An instance running Gitea versions up to v1.21 can be upgraded to Forgejo v7.0 or v8.0</li> <li>An instance running Gitea v1.22 can be upgraded to Forgejo v8.0</li> </ul> <p>Read more about <a href="/2024-02-forking-forward/">Gitea compatibility in the blog post explaining the hard fork that happened in February 2024</a>.</p> <h3>Release schedule and Long Term Support</h3> <p>The <a href="/docs/v8.0/developer/release/#release-cycle">time based release schedule</a> was established to publish a release every three months. Patch releases will be published more frequently, depending on the severity of the bug or security fixes they contain.</p> <table> <thead> <tr> <th><strong>Date</strong></th> <th><strong>Version</strong></th> <th><strong>Release date</strong></th> <th><strong>End Of Life</strong></th> </tr> </thead> <tbody><tr> <td>2023 Q4</td> <td>1.21.1-0</td> <td>26 November 2023</td> <td>17 July 2024</td> </tr> <tr> <td>2024 Q1</td> <td>7.0.0</td> <td>23 April 2024</td> <td><strong>16 July 2025</strong></td> </tr> <tr> <td>2024 Q2</td> <td><strong>8.0.0</strong></td> <td>30 July 2024</td> <td>16 October 2024</td> </tr> <tr> <td>2024 Q3</td> <td>9.0.0</td> <td>16 October 2024</td> <td>15 January 2025</td> </tr> </tbody></table> <h3>8.0-test daily releases</h3> <p>Releases are built daily from the latest changes found in the <a href="https://codeberg.org/forgejo/forgejo/src/branch/v8.0/forgejo">v8.0/forgejo</a> development branch. They are deployed to the <a href="https://v8.next.forgejo.org">https://v8.next.forgejo.org</a> instance for manual verification in case a bug fix is of particular interest ahead of the next patch release. It can also be installed locally with:</p> <ul> <li>OCI images: <a href="https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/8.0-test">root</a> and <a href="https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/8.0-test-rootless">rootless</a></li> <li><a href="https://codeberg.org/forgejo-experimental/forgejo/releases/tag/v8.0-test">Binaries</a></li> </ul> <p>Their name stays the same but they are replaced by a new build every day.</p> <h2>Localization</h2> <p>The <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#localization">localization team</a> brought a batch of translations weekly, from the Weblate <a href="https://translate.codeberg.org/projects/forgejo/forgejo/">project</a>. A particular effort was made to backport all of them to Forgejo v7.0.</p> <p>The work on refactoring base localization to improve User eXperience and translatability was also ported to v7.0, when there was no risk of regressions.</p> <p>Anyone is welcome to participate in improving translation <a href="/docs/v8.0/developer/localization">for their language</a> as well as <a href="/docs/v8.0/developer/localization-english/#contributing">the English base</a>.</p> <h3>Federation</h3> <p>Does <code>Forgejo</code> support federation? Not yet. Was there progress? Yes.</p> <p>Building blocks for both <a href="https://codeberg.org/forgejo/forgejo/pulls/1680">ActivityPub federation</a> and <a href="https://codeberg.org/forgejo/forgejo/pulls/3590">data portability improvements</a> were merged into the codebase. They are not yet used for any user visible feature but they are a stepping stone. Their implementation was made significantly easier by the hard fork because they can rely on a codebase that is better tested.</p> <p>The ActivityPub based communication between two Forgejo instances is used by a new internal test scenario where adding a star to a repository on one instance also adds a star on a federated repository on the other instance.</p> <p>Read more about <a href="/2024-06-monthly-update/#federation">federation</a> and <a href="/2024-06-monthly-update/#data-portability">data portability</a> in the June 2024 <a href="https://forgejo.org/2024-06-monthly-update/">Forgejo monthly update</a>.</p> <h3>Get Forgejo v8.0</h3> <p>See the <a href="/download/">download page</a> for instructions on how to install Forgejo, and read the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0">release notes</a> for more information.</p> <h3>Upgrading</h3> <p>Carefully read the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0">breaking changes</a> section of the release notes.</p> <p>The actual upgrade process is as simple as replacing the binary or container image with the corresponding <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v8.0.0">Forgejo binary</a> or <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/8.0.0">container image</a>. If you're using the container images, you can use the <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/8.0"><code>8.0</code> tag</a> to stay up to date with the latest <code>8.0.Y</code> patch release automatically.</p> <p>Make sure to check the <a href="/docs/v8.0/admin/upgrade">Forgejo upgrade documentation</a> for recommendations on how to properly backup your instance before the upgrade.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo do not hold back, it is also your project. Open an issue in <a href="https://codeberg.org/forgejo/forgejo/issues">the issue tracker</a> for feature requests or bug reports, reach out <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop into <a href="https://matrix.to/#/#forgejo:matrix.org">the Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) and say hi!</p> <h3>Donate</h3> <p>Forgejo is proud to be <a href="https://codeberg.org/forgejo/sustainability/">funded transparently</a>. Since a few days, we additionally accept donations from our users through <a href="https://liberapay.com/forgejo">our Forgejo Liberapay team</a>. If you appreciate Forgejo, consider setting up a donation to help going forward. Liberapay is a French non-profit dedicated to crowdfunding with predictable income, allowing transfers via multiple payment options and providers with a comparably low fee. It was already possible to <a href="https://docs.codeberg.org/improving-codeberg/donate/">donate to Codeberg e.V.</a> (you can still do in case the Liberapay option does not work out for you), and part of the funding was used to <a href="https://codeberg.org/forgejo/sustainability/#forgejo-resources-per-year">compensate for work on Forgejo</a>. However, the Liberapay team now allows for money to go directly to developers without a round-trip to Codeberg.</p> <p>Additionally, Liberapay allows for a steady and reliable funding stream next to other options, a crucial aspect for our project. The distribution of funds through Liberapay is <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#liberapay-team-members">transparently controlled using our decision-making process</a>, and Forgejo contributors are encouraged to consider applying to benefit from this funding opportunity. Thank you for using Forgejo and considering a donation, in case your financial situation allows you to.</p> <h3>Forgejo Upgrade Party and Get-Together</h3> <p>Let's upgrade together!</p> <p>The Forgejo v8 release is available. We are looking forward to meeting with you via OpenTalk, providing a space for admins and developers to assist each other. We are excited to learn from your setups and the challenges you encounter to further improve Forgejo in the future.</p> <p><a href="https://codeberg.codeberg.page/Events/events/2024/08-02-forgejo-upgrade-party/">Read the full invite on the Codeberg Event Calendar!</a></p> </content:encoded></item><item><title>Forgejo monthly update - June 2024</title><link>https://forgejo.org/2024-06-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2024-06-monthly-update/</guid><description>The User Research effort that gained momentum two months ago continues with a new round of user testing sessions. It is key to collect evidence about what Forgejo users need, a requirement to build a roadmap and reduce the growing backlog of bug reports and feature requests. Building blocks for both ActivityPub federation and data portability improvements were merged into the codebase. They are not yet used for any user visible feature but they are a stepping stone. Their implementation was made significantly easier by the hard fork because they can rely on a codebase that is better tested.</description><pubDate>Sun, 30 Jun 2024 00:00:00 GMT</pubDate><content:encoded><p>The monthly report is meant to provide a good overview of what has changed in Forgejo in the past month. If you would like to help, please get in touch in <a href="https://matrix.to/#/#forgejo-chat:matrix.org">the chatroom</a> or participate in the <a href="https://codeberg.org/forgejo/discussions">ongoing discussions</a>.</p> <p>The <a href="https://codeberg.org/forgejo/discussions/issues/156">User Research effort</a> that gained momentum two months ago continues with a new round of <a href="https://codeberg.org/forgejo/user-research/issues/34">user testing sessions</a>. It is key to collect evidence about what Forgejo users need, a requirement to build a roadmap and reduce the <a href="https://codeberg.org/forgejo/forgejo/issues">growing backlog</a> of bug reports and feature requests.</p> <p>Building blocks for both <a href="https://codeberg.org/forgejo/forgejo/pulls/1680">ActivityPub federation</a> and <a href="https://codeberg.org/forgejo/forgejo/pulls/3590">data portability improvements</a> were merged into the codebase. They are not yet used for any user visible feature but they are a stepping stone. Their implementation was made significantly easier by the hard fork because they can rely on a codebase that is better tested.</p> <h2>User Research</h2> <p>Discussions began on <a href="https://codeberg.org/forgejo/discussions/issues/178">a new workflow for design work and feature requests</a>. Users are encouraged to describe the problem rather than the solution. Feature requests typically consist of the description of a solution. However, often there are multiple solutions to one problem, and there are multiple problems with one solution.</p> <p>New feature requests are not ready to implement: they are investigated first, similar to how new bugs are triaged. A research and design process can be established, similar to what was done for the <a href="https://codeberg.org/forgejo/forgejo/issues/4119">summary tab for repositories</a> and bootstrap actual process for changes in Forgejo. This adds a step between what user needs and development, but since the backlog of feature requests is growing anyway, it may not be an issue. On the contrary: merging similar feature requests together can reduce the backlog of open feature requests and only the most valuable changes are implemented.</p> <p>A new round of <a href="https://codeberg.org/forgejo/user-research/issues/34">user testing sessions</a> was conducted from 26 June to 28 June. It is <a href="https://codeberg.org/forgejo/user-research/src/branch/main/interviews/2024-06/template.md">based on an interview script</a> improved from the one that was already used <a href="https://codeberg.org/forgejo/user-research/src/branch/main/interviews/2024-04/template.md">in April 2024</a> during the first round.</p> <h2>Features</h2> <p>Notable improvements:</p> <ul> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/4189">Better logic for showing user feed/public activity elements</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/4134">Folding results for repo search</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/4072">Implement tab indentation and list continuation in the issue editor</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1680">Stars federated via ActivityPub</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/4138">Support redis alternative - redict and garnet</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/3590">F3 initial driver</a></li> </ul> <p><a href="https://codeberg.org/forgejo/forgejo/pulls?labels=209916">Read more</a> in the pull requests.</p> <h2>Standard formats and protocols</h2> <p>Forgejo supports third party software and services that use standards. For instance it relies on SQL for interactions with databases, HTTP, HTML and JavaScript for web interactions. As an exception when the software or service is available under a Free Software license, the absence of standardized communication protocol is not a requirement, for instance for <a href="https://github.com/google/leveldb">LevelDB</a>.</p> <p>It is not an easy goal to achieve because software publishers keep deviating from standards or change the license of their software to no longer be Free Software.</p> <ul> <li>Microsoft SQL Server deviates from the SQL standard in <a href="https://codeberg.org/forgejo/forgejo/commit/2d9afd0c2194b60689717c2a9dc36284f012f7b6#diff-c286fd6672a72eeb3c97959eb3af0bf43959334a">ways that required special treatment</a> and the decision was made two months ago to no longer include such specific adjustments.</li> <li>Redis used to be Free Software, but the newer versions <a href="https://web.archive.org/web/20240511181042if_/https://redis.io/legal/licenses/">are not</a>. The protocol is not standard but alternative servers exist and <a href="https://codeberg.org/forgejo/forgejo/pulls/4138">Forgejo is now tested to work with them</a>. Only the older Free Software version of Redis will continue to be supported, but the proprietary versions will not.</li> <li>Safari is expected to support HTML, HTTP &amp; JavaScript in the same way other browsers do, but fails some tests. The approach chosen was to <a href="https://codeberg.org/forgejo/forgejo/pulls/3334/files#diff-d98036e3541a0bc9dcffae7c5b40a8bfeb670760">skip Safari testing</a> instead of finding a workaround. An effort is generally made to workaround the non-conformant behavior of Free Software Web browsers. But, for reasons similar to MSSQL, such an effort is not sustainable for proprietary Web browsers.</li> </ul> <p>Other discussions happened on integrating Forgejo with third party software or services that are not Free Software and do not comply with a standard format or protocol (<a href="https://codeberg.org/forgejo/forgejo/pulls/3989">Azure Blob Storage</a>, <a href="https://codeberg.org/forgejo/discussions/issues/174">CockroachDB</a> and <a href="https://codeberg.org/forgejo/forgejo/pulls/4154">Friendly Captcha</a>).</p> <h2>Data portability</h2> <p>The <a href="https://f3.forgefriends.org/">Friendly Forge Format (F3)</a> is designed to improve data portability and make it possible to mirror software projects from one forge to another using a standard format. The <a href="https://f3.forgefriends.org/compliance.html">v2.0.0</a> was published in June 2024 and is the first stable version. It is implemented in <a href="https://code.forgejo.org/f3/gof3">a Go package</a> that can be used as a reference. A native driver for Forgejo <a href="https://codeberg.org/forgejo/forgejo/pulls/3590">was merged</a> so that it can be used, for instance, to transport data when an ActivityPub message is received. Or as an alternate implementation for the migration code.</p> <p>Read more in F3 related <a href="https://codeberg.org/forgejo/forgejo/issues?labels=114735">issues</a> and <a href="https://codeberg.org/forgejo/forgejo/pulls?labels=114735">pull requests</a>.</p> <h2>Federation</h2> <p>The pull request to implement <a href="https://codeberg.org/forgejo/forgejo/pulls/1680">federated repository stars</a> was merged. The feature allows you to define following repositories such as origin of mirrors or forks. If then the mirror or fork gets a star by someone, the origin repository will also get a star via federated ActivityPub like activity. Only the star activity is federated, the unstar activity is not federated and the user interface is not available yet.</p> <p>A new federation suite was <a href="https://code.forgejo.org/forgejo/end-to-end/src/branch/main/federation">added to the end-to-end tests</a>. It is very basic but the first of its kind. Launching two Forgejo instances that <a href="https://code.forgejo.org/forgejo/end-to-end/src/branch/main/federation/scenario-star/run.sh">star each other via ActivityPub</a>.</p> <p>Although GitLab federation efforts are <a href="https://codeberg.org/forgejo/discussions/issues/184">now on pause</a> it includes an experimental implementation of the ActivityPub building blocks which is roughly at the same stage as Forgejo. Support for <a href="https://code.forgejo.org/forgejo/end-to-end/src/commit/e4fa6d814fce398fd4065e40c67a53acbbf2e3a5/lib/lib.sh#L199-L227">launching a GitLab instance</a> was added to the end-to-end tests. This will eventually allow to play scenarios in which GitLab and Forgejo can communicate in a controlled environment. And in the short term to apply minimal testing on each of them independently, for instance with <a href="https://codeberg.org/socialweb.coop/activitypub-testing">activitypub-testing</a>.</p> <p>Read more <a href="https://domaindrivenarchitecture.org/posts/2024-06-05-howto-federated-stars/">in the June 2024 report</a>.</p> <h2>UI team</h2> <p>The <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#user-interface">UI team</a> was <a href="https://codeberg.org/forgejo/governance/pulls/128">created</a> and has <a href="https://codeberg.org/forgejo/governance/pulls/144">three members</a>.</p> <p>Before engaging in more ambitious goals, they started to care for the day to day chores that keep Forgejo releases going:</p> <ul> <li>Implementing and reviewing <a href="https://codeberg.org/forgejo/forgejo/pulls?state=closed&amp;labels=87703%2c78139&amp;milestone=6042">new UI features</a> which is particularly challenging because the test coverage of the Web UI is still very low.</li> <li>Backporting bug fixes to the stable versions (<a href="https://codeberg.org/forgejo/forgejo/pulls?labels=87703&amp;milestone=6405">7.0.4</a> &amp; <a href="https://codeberg.org/forgejo/forgejo/pulls?labels=87703&amp;milestone=6654">7.0.5</a>).</li> <li>Reviewing <a href="https://codeberg.org/forgejo/forgejo/pulls?labels=223008">upgrades</a> of <a href="https://codeberg.org/forgejo/forgejo/src/commit/8afdafebf9fa2cb748a13e56ff3d865675ae27b6/package.json">JavaScript packages</a> and <a href="https://codeberg.org/forgejo/forgejo/pulls?labels=85536">other dependencies</a> that are used to build the Web UI. It would be relatively easy if every package consistently complied with <a href="https://semver.org/">semantic versioning</a> and published descriptive release notes. But the norm is rather the opposite and each potential upgrade requires a fair amount of scrutiny.</li> </ul> <p>An experiment to hire a freelance to work on improving the JavaScript test coverage was conducted to figure out if it leads to results that are worth the effort. It was interrupted when evidence surfaced that the work was almost identical to what an AI would produce.</p> <h2>Infrastructure</h2> <p>The <a href="https://forgejo.org/docs/next/developer/infrastructure/#hetzner0104">machine</a> added last month is now in production and stable. It did not go smoothly because the hardware provisioned turned out to be unreliable and crashed frequently. The devops team spent hours over a period of a week to figure out the root cause and stabilize it. This was not transparent to Forgejo contributors because the CI stopped working half a dozen time and stayed down during a few hours. But nothing was lost and the downtime was kept to a minimum. It happened in between releases and did not disrupt the release process.</p> <p>The upside of these troubles was to check that every aspect of the disaster recovery scenario work as it should, including loosing all disks on the machine. The defective hardware was not stabilized, it could not. It turned out that all machines with the same motherboard were similarly flawed. Hetzner acknowledged their defective product range, apologized, reimbursed the costs and is in the process of changing their Q&amp;A to include the test script that was provided to demonstrate the problem.</p> <h2>Releases</h2> <p><a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-4">Forgejo v7.0.4</a> (fixing <a href="https://codeberg.org/forgejo/security-announcements/issues/11">vulnerabilities</a>) was released. The security fix it contains was also <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.21.11-2">backported and released as Forgejo v1.21.11-2</a>.</p> <p>There now is a <a href="https://codeberg.org/forgejo/discussions/issues/168">stronger requirement for testing</a> for all backports to a stable release. The bug fixes originating from Gitea were previously merged even when they were not covered by any test. Tests are now added when the fix is worth the effort. The test itself is implemented <a href="https://codeberg.org/forgejo/forgejo/pulls/4217">in the development branch</a> and the commit that contains the fix is <a href="https://codeberg.org/forgejo/forgejo/pulls/4219">cherry-picked with the backport of the test</a> to demonstrate it works as it should.</p> <p>A discussion regarding the <a href="https://codeberg.org/forgejo/discussions/issues/180">Forgejo v8.0.0 feature freeze</a> an attempt to better define the requirements imposed during such a period and the <a href="https://codeberg.org/forgejo/discussions/issues/180#issuecomment-2043685">need to fix bugs when the infrastructure to write tests is missing</a>.</p> <h2>Dependency Management</h2> <p>Caring for the hundreds of Forgejo dependencies has been a recurring activity since the beginning of the project back in 2022. When the hard fork happened early 2024 Forgejo gained the freedom to decide on each of them and began to organize accordingly. Gitea was first and using the <a href="https://codeberg.org/forgejo/tools/src/branch/main/scripts/wcp">dedicated tool</a> that was developed to sort the commits of interest became a <a href="https://codeberg.org/forgejo/forgejo/pulls?q=week+2024&amp;state=closed">comfortable weekly routine</a>.</p> <p>The backlog of all other dependencies was more challenging. A <a href="https://codeberg.org/forgejo/forgejo/issues/2779">dependency dashboard was setup</a> and started with a large backlog. Only in June 2024 was it cleared, months later. Pull requests with upgrades are <a href="https://codeberg.org/forgejo/forgejo/issues?labels=223008">now dealt with daily</a> and diligently so they do not pile up again.</p> <p>The method to analyze each of them <a href="https://forgejo.org/docs/latest/developer/dependencies/">was documented</a> and heavily relies on the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/renovate.json">dependency specifications</a> to keep the workload to a minimum. For instance it can arrange for updates to only be proposed every three months for CI tooling while it immediately proposes an upgrade if has an impact on security.</p> <h2>Helm chart</h2> <p>The Forgejo helm chart had <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases">two patch updates</a>, one for <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases/tag/v7.0.1">7.0.1</a> which depends on Forgejo v7.0.4 and another for <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases/tag/v5.1.2">5.1.2</a> which depends on Forgejo v1.21.11-2.</p> <p>The <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#helm">Forgejo helm team</a> was <a href="https://codeberg.org/forgejo/governance/pulls/136">created</a> was created and <a href="https://codeberg.org/forgejo/governance/pulls/149">two members joined</a>.</p> <h2>Localization</h2> <p>4 batches of updates were merged containing total of 937 new translations and 518 improvements. Some improvements were made to the process of localization management. One of which is that now backporting of translation updates to stable versions can happen in batches before releases are published instead of weekly.</p> <p>No new team applications were submitted or accepted this month. Some languages are not actively maintained currently. View completeness of translations in our project on <a href="https://translate.codeberg.org/projects/forgejo/forgejo">Codeberg Translate</a> and <a href="https://forgejo.org/docs/latest/developer/localization/">Learn how to help</a>.</p> <h2>Sustainability</h2> <p>There is a <a href="https://codeberg.org/forgejo/discussions/issues/185">new funding opportunity</a> for <a href="https://www.sovereigntechfund.de/">Sovereign Tech Fund</a> and a <a href="https://codeberg.org/avobs/sovereign_tech/src/branch/main/application_text.md">grant application is being drafted</a>. Its scope is similar to <a href="https://www.opentech.fund/funds/free-and-open-source-software-sustainability-fund/">OTF</a> and most of the material can be re-used.</p> <p>The <a href="https://codeberg.org/forgejo/sustainability/pulls?state=all&amp;labels=217359">grant proposal</a> submitted 16 May for the <a href="https://www.opentech.fund/funds/free-and-open-source-software-sustainability-fund/">Free and Open Source Software Sustainability Fund</a> was <a href="https://codeberg.org/forgejo/sustainability/pulls/48">declined</a>. In a newsletter OTF announced that they received 80 applications.</p> <p>A reply was expected for the NLnet grant application <a href="https://codeberg.org/forgejo/sustainability/pulls?labels=220838">submitted 1 April</a> but was further delayed and is expected in July.</p> <h2>Moderation</h2> <p>There has been very few minor moderation incident (spam or trolls) and one time warning. This is significantly less than the past month where there were bursts of unsolicited activity that sometime required daily intervention. Even the smallest interventions were logged in accordance to the <a href="https://codeberg.org/forgejo/governance/src/branch/main/MODERATION-PROCESS.md">moderation process</a>.</p> <p>A concern was raised regarding the <a href="https://codeberg.org/forgejo/discussions/issues/87">lack of answer of the floss.social moderation team</a> despite numerous attempts over a period of months. There has been no major incident so far but it may be wise to take steps for Forgejo to be in a space where it is possible to reach the moderation team before it happens.</p> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/0ko">https://codeberg.org/0ko</a></li> <li><a href="https://codeberg.org/abacabadabacaba">https://codeberg.org/abacabadabacaba</a></li> <li><a href="https://codeberg.org/Aeris1One">https://codeberg.org/Aeris1One</a></li> <li><a href="https://codeberg.org/aimuz">https://codeberg.org/aimuz</a></li> <li><a href="https://codeberg.org/algernon">https://codeberg.org/algernon</a></li> <li><a href="https://codeberg.org/atimy">https://codeberg.org/atimy</a></li> <li><a href="https://codeberg.org/avidseeker">https://codeberg.org/avidseeker</a></li> <li><a href="https://codeberg.org/avobs">https://codeberg.org/avobs</a></li> <li><a href="https://codeberg.org/bdube_gh">https://codeberg.org/bdube_gh</a></li> <li><a href="https://codeberg.org/becm">https://codeberg.org/becm</a></li> <li><a href="https://codeberg.org/bengrue">https://codeberg.org/bengrue</a></li> <li><a href="https://codeberg.org/Beowulf">https://codeberg.org/Beowulf</a></li> <li><a href="https://codeberg.org/buhtz">https://codeberg.org/buhtz</a></li> <li><a href="https://codeberg.org/crystal">https://codeberg.org/crystal</a></li> <li><a href="https://codeberg.org/cuboci">https://codeberg.org/cuboci</a></li> <li><a href="https://codeberg.org/Cyborus">https://codeberg.org/Cyborus</a></li> <li><a href="https://codeberg.org/Cysioland">https://codeberg.org/Cysioland</a></li> <li><a href="https://codeberg.org/delvh">https://codeberg.org/delvh</a></li> <li><a href="https://codeberg.org/dev_T">https://codeberg.org/dev_T</a></li> <li><a href="https://codeberg.org/Dirk">https://codeberg.org/Dirk</a></li> <li><a href="https://codeberg.org/drawingpixels">https://codeberg.org/drawingpixels</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/efertone">https://codeberg.org/efertone</a></li> <li><a href="https://codeberg.org/el0n">https://codeberg.org/el0n</a></li> <li><a href="https://codeberg.org/f00">https://codeberg.org/f00</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/fr33domlover">https://codeberg.org/fr33domlover</a></li> <li><a href="https://codeberg.org/fractalf">https://codeberg.org/fractalf</a></li> <li><a href="https://codeberg.org/gerald">https://codeberg.org/gerald</a></li> <li><a href="https://codeberg.org/GKuhn">https://codeberg.org/GKuhn</a></li> <li><a href="https://codeberg.org/GooRoo">https://codeberg.org/GooRoo</a></li> <li><a href="https://codeberg.org/GT">https://codeberg.org/GT</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/h759bkyo4">https://codeberg.org/h759bkyo4</a></li> <li><a href="https://codeberg.org/hackos">https://codeberg.org/hackos</a></li> <li><a href="https://codeberg.org/Hanker">https://codeberg.org/Hanker</a></li> <li><a href="https://codeberg.org/Haui">https://codeberg.org/Haui</a></li> <li><a href="https://codeberg.org/hazy">https://codeberg.org/hazy</a></li> <li><a href="https://codeberg.org/hoijui">https://codeberg.org/hoijui</a></li> <li><a href="https://codeberg.org/how">https://codeberg.org/how</a></li> <li><a href="https://codeberg.org/ikuyo">https://codeberg.org/ikuyo</a></li> <li><a href="https://codeberg.org/jadeprime">https://codeberg.org/jadeprime</a></li> <li><a href="https://codeberg.org/jakjakob">https://codeberg.org/jakjakob</a></li> <li><a href="https://codeberg.org/jean-daricade">https://codeberg.org/jean-daricade</a></li> <li><a href="https://codeberg.org/jerger">https://codeberg.org/jerger</a></li> <li><a href="https://codeberg.org/jthvai">https://codeberg.org/jthvai</a></li> <li><a href="https://codeberg.org/jwildeboer">https://codeberg.org/jwildeboer</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/karolyi">https://codeberg.org/karolyi</a></li> <li><a href="https://codeberg.org/kita">https://codeberg.org/kita</a></li> <li><a href="https://codeberg.org/Kitanit">https://codeberg.org/Kitanit</a></li> <li><a href="https://codeberg.org/Kwonunn">https://codeberg.org/Kwonunn</a></li> <li><a href="https://codeberg.org/l_austenfeld">https://codeberg.org/l_austenfeld</a></li> <li><a href="https://codeberg.org/lingling">https://codeberg.org/lingling</a></li> <li><a href="https://codeberg.org/Linneris">https://codeberg.org/Linneris</a></li> <li><a href="https://codeberg.org/lordwektabyte">https://codeberg.org/lordwektabyte</a></li> <li><a href="https://codeberg.org/Mai-Lapyst">https://codeberg.org/Mai-Lapyst</a></li> <li><a href="https://codeberg.org/martianh">https://codeberg.org/martianh</a></li> <li><a href="https://codeberg.org/martinwguy">https://codeberg.org/martinwguy</a></li> <li><a href="https://codeberg.org/mirkoperillo">https://codeberg.org/mirkoperillo</a></li> <li><a href="https://codeberg.org/mnq">https://codeberg.org/mnq</a></li> <li><a href="https://codeberg.org/mritunjayr">https://codeberg.org/mritunjayr</a></li> <li><a href="https://codeberg.org/mrwsl">https://codeberg.org/mrwsl</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/neomaitre">https://codeberg.org/neomaitre</a></li> <li><a href="https://codeberg.org/nilesh">https://codeberg.org/nilesh</a></li> <li><a href="https://codeberg.org/oelmekki">https://codeberg.org/oelmekki</a></li> <li><a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a></li> <li><a href="https://codeberg.org/patdyn">https://codeberg.org/patdyn</a></li> <li><a href="https://codeberg.org/Pi-Cla">https://codeberg.org/Pi-Cla</a></li> <li><a href="https://codeberg.org/pmb">https://codeberg.org/pmb</a></li> <li><a href="https://codeberg.org/podhorsky-ksj">https://codeberg.org/podhorsky-ksj</a></li> <li><a href="https://codeberg.org/poVoq">https://codeberg.org/poVoq</a></li> <li><a href="https://codeberg.org/programmerjake">https://codeberg.org/programmerjake</a></li> <li><a href="https://codeberg.org/proton-ab">https://codeberg.org/proton-ab</a></li> <li><a href="https://codeberg.org/qaqland">https://codeberg.org/qaqland</a></li> <li><a href="https://codeberg.org/realaravinth">https://codeberg.org/realaravinth</a></li> <li><a href="https://codeberg.org/Renich">https://codeberg.org/Renich</a></li> <li><a href="https://codeberg.org/samcday">https://codeberg.org/samcday</a></li> <li><a href="https://codeberg.org/scruel">https://codeberg.org/scruel</a></li> <li><a href="https://codeberg.org/Senku">https://codeberg.org/Senku</a></li> <li><a href="https://codeberg.org/sevki">https://codeberg.org/sevki</a></li> <li><a href="https://codeberg.org/silverpill">https://codeberg.org/silverpill</a></li> <li><a href="https://codeberg.org/SinTan1729">https://codeberg.org/SinTan1729</a></li> <li><a href="https://codeberg.org/sirhectorin">https://codeberg.org/sirhectorin</a></li> <li><a href="https://codeberg.org/snematoda">https://codeberg.org/snematoda</a></li> <li><a href="https://codeberg.org/solemden">https://codeberg.org/solemden</a></li> <li><a href="https://codeberg.org/soundstrip">https://codeberg.org/soundstrip</a></li> <li><a href="https://codeberg.org/stdedos">https://codeberg.org/stdedos</a></li> <li><a href="https://codeberg.org/tampler">https://codeberg.org/tampler</a></li> <li><a href="https://codeberg.org/tgy">https://codeberg.org/tgy</a></li> <li><a href="https://codeberg.org/thedustinmiller">https://codeberg.org/thedustinmiller</a></li> <li><a href="https://codeberg.org/thefox">https://codeberg.org/thefox</a></li> <li><a href="https://codeberg.org/Thesola10">https://codeberg.org/Thesola10</a></li> <li><a href="https://codeberg.org/ThetaDev">https://codeberg.org/ThetaDev</a></li> <li><a href="https://codeberg.org/thetredev">https://codeberg.org/thetredev</a></li> <li><a href="https://codeberg.org/toolforger">https://codeberg.org/toolforger</a></li> <li><a href="https://codeberg.org/twenty-panda">https://codeberg.org/twenty-panda</a></li> <li><a href="https://codeberg.org/uku">https://codeberg.org/uku</a></li> <li><a href="https://codeberg.org/vai">https://codeberg.org/vai</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/vikaschoudhary">https://codeberg.org/vikaschoudhary</a></li> <li><a href="https://codeberg.org/virtulis">https://codeberg.org/virtulis</a></li> <li><a href="https://codeberg.org/vwbusguy">https://codeberg.org/vwbusguy</a></li> <li><a href="https://codeberg.org/Wuzzy">https://codeberg.org/Wuzzy</a></li> <li><a href="https://codeberg.org/XaviCC">https://codeberg.org/XaviCC</a></li> <li><a href="https://codeberg.org/Xinayder">https://codeberg.org/Xinayder</a></li> <li><a href="https://codeberg.org/xlii">https://codeberg.org/xlii</a></li> <li><a href="https://codeberg.org/yongbin">https://codeberg.org/yongbin</a></li> <li><a href="https://translate.codeberg.org/user/wintryexit">https://translate.codeberg.org/user/wintryexit</a></li> <li><a href="https://translate.codeberg.org/user/leana8959">https://translate.codeberg.org/user/leana8959</a></li> <li><a href="https://translate.codeberg.org/user/hankskyjames777">https://translate.codeberg.org/user/hankskyjames777</a></li> <li><a href="https://translate.codeberg.org/user/Fjuro">https://translate.codeberg.org/user/Fjuro</a></li> <li><a href="https://translate.codeberg.org/user/Atalanttore">https://translate.codeberg.org/user/Atalanttore</a></li> <li><a href="https://translate.codeberg.org/user/kdh8219">https://translate.codeberg.org/user/kdh8219</a></li> <li><a href="https://translate.codeberg.org/user/ledyba">https://translate.codeberg.org/user/ledyba</a></li> <li><a href="https://translate.codeberg.org/user/purkwiat">https://translate.codeberg.org/user/purkwiat</a></li> <li><a href="https://translate.codeberg.org/user/gitcookie-1">https://translate.codeberg.org/user/gitcookie-1</a></li> <li><a href="https://translate.codeberg.org/user/yeziruo">https://translate.codeberg.org/user/yeziruo</a></li> <li><a href="https://translate.codeberg.org/user/qwerty287">https://translate.codeberg.org/user/qwerty287</a></li> <li><a href="https://translate.codeberg.org/user/SDKAAA">https://translate.codeberg.org/user/SDKAAA</a></li> <li><a href="https://translate.codeberg.org/user/mondstern">https://translate.codeberg.org/user/mondstern</a></li> <li><a href="https://translate.codeberg.org/user/Application-Maker">https://translate.codeberg.org/user/Application-Maker</a></li> <li><a href="https://translate.codeberg.org/user/sinsky">https://translate.codeberg.org/user/sinsky</a></li> <li><a href="https://translate.codeberg.org/user/emansije">https://translate.codeberg.org/user/emansije</a></li> <li><a href="https://translate.codeberg.org/user/bbjubjub2494">https://translate.codeberg.org/user/bbjubjub2494</a></li> <li><a href="https://translate.codeberg.org/user/lotigara">https://translate.codeberg.org/user/lotigara</a></li> <li><a href="https://translate.codeberg.org/user/b1nar10">https://translate.codeberg.org/user/b1nar10</a></li> <li><a href="https://translate.codeberg.org/user/overloop">https://translate.codeberg.org/user/overloop</a></li> <li><a href="https://translate.codeberg.org/user/bart">https://translate.codeberg.org/user/bart</a></li> <li><a href="https://translate.codeberg.org/user/sunwoo1524">https://translate.codeberg.org/user/sunwoo1524</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Forgejo monthly update - May 2024</title><link>https://forgejo.org/2024-05-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2024-05-monthly-update/</guid><description>A UI team was created by Forgejo contributors who have been at work for months on the necessary backports of bug fixes to the Forgejo v7.0 stable branch. More ambitious discussions started on the long term strategies to refactor the codebase and improve the User eXperience. Forgejo needs help to triage. If you ever create a new issue, take a moment of your time to also look at a few others and help them get to the finish line.</description><pubDate>Mon, 03 Jun 2024 00:00:00 GMT</pubDate><content:encoded><p>The monthly report is meant to provide a good overview of what has changed in Forgejo in the past month. If you would like to help, please get in touch in <a href="https://matrix.to/#/#forgejo-chat:matrix.org">the chatroom</a> or participate in the <a href="https://codeberg.org/forgejo/discussions">ongoing discussions</a>.</p> <p>A <a href="https://codeberg.org/forgejo/governance/pulls/128">UI team</a> was created by Forgejo contributors who have been at work for months on the necessary backports of bug fixes to the Forgejo v7.0 stable branch. More <a href="https://codeberg.org/forgejo/discussions/issues/160">ambitious discussions</a> started on the long term strategies to refactor the codebase and improve the User eXperience.</p> <h3>Call for help</h3> <p>Forgejo needs help to <a href="https://codeberg.org/forgejo/discussions/issues/161">triage bug reports</a> and feature requests. The growing backlog is <a href="https://codeberg.org/forgejo/discussions/issues/53">not a new problem</a> and is actively worked on. If you ever create a new issue, take a moment of your time to also look at a few others and help them get to the finish line.</p> <ul> <li><p>For a bug fix, reading the description and trying to reproduce it manually to confirm it is still relevant will bring them closer to a resolution. Either because the developer knows it is worth their time or because it cannot be reproduced and is already fixed.</p> </li> <li><p>For a feature request, read the <strong>Needs and benefits</strong> section and maybe ask the author to clarify. If you are convinced, add a short comment in the first person to describe how it would help you.</p> </li> </ul> <h3>UI team</h3> <p>The <a href="https://codeberg.org/forgejo/discussions/issues/160">Forgejo UI discussions</a> led to <a href="https://codeberg.org/forgejo/governance/pulls/128">the creation of a UI team</a> and four candidates (<a href="https://codeberg.org/forgejo/governance/issues/131">1</a>, <a href="https://codeberg.org/forgejo/governance/issues/132">2</a>, <a href="https://codeberg.org/forgejo/governance/issues/134">3</a>, <a href="https://codeberg.org/forgejo/governance/issues/138">4</a>) are lined up to be the initial members to bootstrap it.</p> <p>A <a href="https://matrix.to/#/#forgejo-ui:matrix.org">dedicated Matrix channel</a> was created and <a href="https://matrix.to/#/#forgejo:matrix.org">added to the Forgejo Matrix space</a>.</p> <p>In addition to discussions regarding future developments, the team took care of the <a href="https://codeberg.org/forgejo/forgejo/pulls?labels=87703">UI related features and bug fixes</a>, both for the development branch and for the stable branch.</p> <h2>Code</h2> <h3>Features</h3> <p>Notable improvements and bug fixes:</p> <ul> <li>Groundwork for stars federated via ActivityPub (<a href="https://codeberg.org/forgejo/forgejo/pulls/3494">1</a>, <a href="https://codeberg.org/forgejo/forgejo/pulls/3662">2</a>, <a href="https://codeberg.org/forgejo/forgejo/pulls/3792">3</a>, <a href="https://codeberg.org/forgejo/forgejo/pulls/3871">4</a>)</li> <li><a href="https://codeberg.org/forgejo/forgejo/issues/3139">Allow hiding auto generated release archives</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/issues/3654">Code Search for non-default branches and tags when repository indexer is disabled</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/issues/3836">Parse prefix from redis URI for queues</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/3847">Wiki content search using git-grep</a></li> </ul> <p><a href="https://codeberg.org/forgejo/forgejo/pulls?labels=209916">Read more</a> in the pull requests.</p> <h3>Improving tests</h3> <p>A <a href="https://codeberg.org/forgejo/discussions/issues/170">discussion started</a> to improve the tests in the Forgejo codebase. Initial ideas cover the following:</p> <ul> <li>Allow integration tests outside of the tests/integration folder</li> <li>Prevent having to store binary blobs within the codebase</li> <li>Make the tests faster</li> <li>Document the testing tweaks</li> <li>Add test coverage</li> <li>Add performance testing</li> <li>Make the playwright tests easier to use</li> </ul> <h3>End to end tests</h3> <p>The <a href="https://code.forgejo.org/forgejo/end-to-end">end to end test suite</a> race conditions (in the tests of <a href="https://code.forgejo.org/forgejo/end-to-end/pulls/175">push</a> and <a href="https://code.forgejo.org/forgejo/end-to-end/pulls/182">scheduled</a> actions) were fixed. It still suffers from transient environmental failures (it relies or a large number of external resources), but it happens less than once a week. In some cases it can be fixed by <a href="https://code.forgejo.org/forgejo/end-to-end/pulls/178">adding a retry</a>.</p> <p>A test for the <a href="https://code.forgejo.org/forgejo/end-to-end/pulls/189">pull request automerge features</a> was added.</p> <h3>Deprecating go-git</h3> <p>Discussions <a href="https://codeberg.org/forgejo/discussions/issues/164">to deprecate go-git</a> received strong support. If Forgejo wants to support go-git, every git Feature also needs to be implemented in go-git. For example: setting git notes in the Web UI is currently not possible in go-git.</p> <p>The benefits of go-git may not be worth the effort. Git is already preinstalled on many distributions. If Forgejo is installed using Docker or a package manager, Git will already be installed with it.</p> <h2>Infrastructure</h2> <p>A new <a href="https://forgejo.org/docs/next/developer/infrastructure/#hetzner0104">machine</a> was added to the Forgejo infrastructure. The capacity provisioned last year proved to be enough to sustain the increased activity since early 2024, with no slowdown or space restrictions. Even if the number of Forgejo contributors do not increase this year, testing federated features will require significantly more resources, for instance to launch a GitLab instance with ActivityPub extensions enabled.</p> <p>The <a href="https://codeberg.org/forgejo/discussions/issues/114">forgefriends hosting request</a> is partially complete. The <a href="https://code.forgejo.org/forgefriends/">https://code.forgejo.org/forgefriends/</a> and <a href="https://code.forgejo.org/f3/">https://code.forgejo.org/f3/</a> organizations were created and allocated Forgejo Actions runners. The <a href="https://f3.forgefriends.org/">F3</a> organization was migrated from the <a href="https://lab.forgefriends.org/friendlyforgeformat/">GitLab instance</a>. The <a href="https://forum.forgefriends.org/">F3 forum</a> was migrated to <a href="https://forgejo.org/docs/next/developer/infrastructure/#hetzner0104">a dedicated LXC container</a>.</p> <p>A semi-manual <a href="https://forgejo.org/docs/next/developer/static-pages/">static page hosting service</a> dedicated to code.forgejo.org was created. It is deployed to host the <a href="https://f3.forgefriends.org">F3</a> and <a href="https://forgefriends.org">forgefriends</a> websites and could be used as an alternative to <a href="https://forgejo.org/docs/v7.0/developer/infrastructure/#uberspace">Uberspace</a> for <a href="https://forgejo.org">https://forgejo.org</a>.</p> <h2>Releases</h2> <p><a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-2">Forgejo v7.0.2</a> and <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-3">Forgejo v7.0.3</a> (fixing <a href="https://codeberg.org/forgejo/security-announcements/issues/10">vulnerabilities</a>) were released.</p> <p>They both rely on the <a href="https://codeberg.org/forgejo/discussions/issues/159">release note files</a> that <a href="https://codeberg.org/forgejo/forgejo/src/commit/ade7304eea8ffdf5440adb71dfb2dcb50159379a/release-notes/8.0.0">are created at the same time as the pull requests</a>.</p> <p>After a commit made its way to the v7.0 branch and was <a href="https://codeberg.org/forgejo/forgejo/pulls/3867">reverted at the last minute</a> to avoid regression, it was <a href="https://codeberg.org/forgejo/discussions/issues/168">proposed to require testing</a> for all non-trivial commits cherry-picked from Gitea into the stable branch.</p> <h2>Dependency Management</h2> <h3>Tooling</h3> <p>The <a href="https://codeberg.org/forgejo/tools/src/commit/52e2ded048ecb080a92bc957743fa35086ce37e0/scripts/weekly-cherry-pick.sh">cherry-picking tool</a> developed to keep track of commits cherry-picked from related repositories is used for:</p> <ul> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/3917">the Forgejo development branch</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/3942">the Forgejo v7.0 stable branch</a></li> <li><a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/pulls/506">the Forgejo helm</a></li> </ul> <h3>OCI mirror</h3> <p>Forgejo maintains a set of <a href="https://code.forgejo.org/oci/-/packages">OCI images</a> mirrors for the benefit of the CI, so that it is not rate limited by docker.io. They were previously manually maintained and a weekly scheduled workflow was created to <a href="https://code.forgejo.org/forgejo/oci-mirror/src/commit/c6b1f3588f72fc9ac7a949120a084f343a716993/.forgejo/workflows/mirror.yml">take care of it automatically</a>.</p> <p>It was initially held back because of a <a href="https://codeberg.org/forgejo/forgejo/issues/780">long standing bug</a> preventing the use of <a href="https://docs.docker.com/reference/cli/docker/buildx/imagetools/create/">docker buildx imagetools create</a> to mirror multi-architecture OCI images. It was worked around using <a href="https://github.com/containers/skopeo">skopeo</a> which provides the same feature but does not run into the Forgejo bug that would prevent it to work.</p> <h2>Helm chart</h2> <p>The Forgejo helm chart had <a href="https://code.forgejo.org/forgejo-helm/forgejo-helm/releases">one major update</a>.</p> <p>The Forgejo helm chart moved from <a href="https://codeberg.org/forgejo-contrib/forgejo-helm">forgejo-contrib</a> to a <a href="https://code.forgejo.org/forgejo-helm">dedicated organization</a>.</p> <p>A <a href="https://codeberg.org/forgejo/governance/pulls/136">Forgejo helm team</a> was proposed, with two potential members. A <a href="https://matrix.to/#/#forgejo-helm-chart:matrix.org">dedicated Matrix channel</a> was created and added to <a href="https://matrix.to/#/#forgejo:matrix.org">the Forgejo Matrix space</a>.</p> <h2>Localization</h2> <p>3 new team members were onboarded: <a href="https://codeberg.org/forgejo/governance/pulls/127">[1]</a>, <a href="https://codeberg.org/forgejo/governance/pulls/137">[2]</a>. 5 batches of updates were merged containing total of 515 new translations and 1122 improvements. Traditional Chinese have seen a particularly high amount of fixes and improvements this month from a new team member. All translation changes got backported to according point releases of Forgejo v7.0, which is expected to continue receiving translation improvements.</p> <p>There are still countless improvements to be made for many languages and you can help to improve the localization too. <a href="https://forgejo.org/docs/latest/developer/localization">Learn how</a>.</p> <h2>Federation</h2> <p>The pull request to implement <a href="https://codeberg.org/forgejo/forgejo/pulls/1680">federated repository stars</a> was split into smaller ones, five of which were merged in the development branch.</p> <ul> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1680">Federated staring of repositories</a> (in review)</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/3886">UI to define following repos</a> (merged)</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/3871">Finalize receive activity</a> (merged)</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/3792">Creation of federated user</a> (merged)</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/3662">Federation: Parse ActorId &amp; cache FederationHost</a> (merged)</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/3494">Validate like activities</a> (merged)</li> </ul> <p>Read more in the May 2024 reports (<a href="https://domaindrivenarchitecture.org/posts/2024-05-15-state-of-federation/">1</a>, <a href="https://domaindrivenarchitecture.org/posts/2024-05-24-state-of-federation/">2</a>).</p> <h2>Governance</h2> <h3>Sustainability</h3> <p>The <a href="https://codeberg.org/forgejo/discussions/issues/144">discussion started</a> on Forgejo durability in the next 10 years led to <a href="https://codeberg.org/forgejo/sustainability/pulls?state=all&amp;labels=217359">a grant proposal</a> submitted 16 May for the <a href="https://www.opentech.fund/funds/free-and-open-source-software-sustainability-fund/">Free and Open Source Software Sustainability Fund</a>.</p> <p>A reply was expected for the NLnet grant application <a href="https://codeberg.org/forgejo/sustainability/pulls?labels=220838">submitted 1 April</a> but was delayed because of the large number of applicants. The arrangements made to ensure the two grants do not overlap in time were changed. Because of this delay and on condition that an extension can be negotiated, avoidance of an overlap may no longer be necessary.</p> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/0ko">https://codeberg.org/0ko</a></li> <li><a href="https://codeberg.org/9pfs">https://codeberg.org/9pfs</a></li> <li><a href="https://codeberg.org/aaronriedel">https://codeberg.org/aaronriedel</a></li> <li><a href="https://codeberg.org/algernon">https://codeberg.org/algernon</a></li> <li><a href="https://codeberg.org/Andre601">https://codeberg.org/Andre601</a></li> <li><a href="https://codeberg.org/AndrewKvalheim">https://codeberg.org/AndrewKvalheim</a></li> <li><a href="https://codeberg.org/ansemjo">https://codeberg.org/ansemjo</a></li> <li><a href="https://codeberg.org/Awlex">https://codeberg.org/Awlex</a></li> <li><a href="https://codeberg.org/axd99">https://codeberg.org/axd99</a></li> <li><a href="https://codeberg.org/Beowulf">https://codeberg.org/Beowulf</a></li> <li><a href="https://codeberg.org/caesar">https://codeberg.org/caesar</a></li> <li><a href="https://codeberg.org/channel-42">https://codeberg.org/channel-42</a></li> <li><a href="https://codeberg.org/clarfonthey">https://codeberg.org/clarfonthey</a></li> <li><a href="https://codeberg.org/comcloudway">https://codeberg.org/comcloudway</a></li> <li><a href="https://codeberg.org/CommanderRedYT">https://codeberg.org/CommanderRedYT</a></li> <li><a href="https://codeberg.org/crapStone">https://codeberg.org/crapStone</a></li> <li><a href="https://codeberg.org/Crown0815">https://codeberg.org/Crown0815</a></li> <li><a href="https://codeberg.org/crystal">https://codeberg.org/crystal</a></li> <li><a href="https://codeberg.org/Cyborus">https://codeberg.org/Cyborus</a></li> <li><a href="https://codeberg.org/DD-P">https://codeberg.org/DD-P</a></li> <li><a href="https://codeberg.org/deblan">https://codeberg.org/deblan</a></li> <li><a href="https://codeberg.org/defanor">https://codeberg.org/defanor</a></li> <li><a href="https://codeberg.org/Dirk">https://codeberg.org/Dirk</a></li> <li><a href="https://codeberg.org/Drakon">https://codeberg.org/Drakon</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/efertone">https://codeberg.org/efertone</a></li> <li><a href="https://codeberg.org/el0n">https://codeberg.org/el0n</a></li> <li><a href="https://codeberg.org/emersion">https://codeberg.org/emersion</a></li> <li><a href="https://codeberg.org/f00">https://codeberg.org/f00</a></li> <li><a href="https://codeberg.org/fhuberts">https://codeberg.org/fhuberts</a></li> <li><a href="https://codeberg.org/Firepup650">https://codeberg.org/Firepup650</a></li> <li><a href="https://codeberg.org/fistons">https://codeberg.org/fistons</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/foxy">https://codeberg.org/foxy</a></li> <li><a href="https://codeberg.org/Frankkkkk">https://codeberg.org/Frankkkkk</a></li> <li><a href="https://codeberg.org/FunctionalHacker">https://codeberg.org/FunctionalHacker</a></li> <li><a href="https://codeberg.org/ggpsv">https://codeberg.org/ggpsv</a></li> <li><a href="https://codeberg.org/glts">https://codeberg.org/glts</a></li> <li><a href="https://codeberg.org/h759bkyo4">https://codeberg.org/h759bkyo4</a></li> <li><a href="https://codeberg.org/hazy">https://codeberg.org/hazy</a></li> <li><a href="https://codeberg.org/hoppinglife">https://codeberg.org/hoppinglife</a></li> <li><a href="https://codeberg.org/intelfx">https://codeberg.org/intelfx</a></li> <li><a href="https://codeberg.org/io7m">https://codeberg.org/io7m</a></li> <li><a href="https://codeberg.org/jadeprime">https://codeberg.org/jadeprime</a></li> <li><a href="https://codeberg.org/JakobDev">https://codeberg.org/JakobDev</a></li> <li><a href="https://codeberg.org/james2432">https://codeberg.org/james2432</a></li> <li><a href="https://codeberg.org/jean-daricade">https://codeberg.org/jean-daricade</a></li> <li><a href="https://codeberg.org/jerger">https://codeberg.org/jerger</a></li> <li><a href="https://codeberg.org/johnthomas00">https://codeberg.org/johnthomas00</a></li> <li><a href="https://codeberg.org/jwildeboer">https://codeberg.org/jwildeboer</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/KalleMP">https://codeberg.org/KalleMP</a></li> <li><a href="https://codeberg.org/kdh8219">https://codeberg.org/kdh8219</a></li> <li><a href="https://codeberg.org/kenzu">https://codeberg.org/kenzu</a></li> <li><a href="https://codeberg.org/Kladky">https://codeberg.org/Kladky</a></li> <li><a href="https://codeberg.org/Kwonunn">https://codeberg.org/Kwonunn</a></li> <li><a href="https://codeberg.org/leana8959">https://codeberg.org/leana8959</a></li> <li><a href="https://codeberg.org/leetickett">https://codeberg.org/leetickett</a></li> <li><a href="https://codeberg.org/Lgmrszd">https://codeberg.org/Lgmrszd</a></li> <li><a href="https://codeberg.org/liberodark">https://codeberg.org/liberodark</a></li> <li><a href="https://codeberg.org/magicfelix">https://codeberg.org/magicfelix</a></li> <li><a href="https://codeberg.org/Mai-Lapyst">https://codeberg.org/Mai-Lapyst</a></li> <li><a href="https://codeberg.org/mainboarder">https://codeberg.org/mainboarder</a></li> <li><a href="https://codeberg.org/martinwguy">https://codeberg.org/martinwguy</a></li> <li><a href="https://codeberg.org/matrss">https://codeberg.org/matrss</a></li> <li><a href="https://codeberg.org/mguims">https://codeberg.org/mguims</a></li> <li><a href="https://codeberg.org/milahu">https://codeberg.org/milahu</a></li> <li><a href="https://codeberg.org/minion">https://codeberg.org/minion</a></li> <li><a href="https://codeberg.org/mirkoperillo">https://codeberg.org/mirkoperillo</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/neomaitre">https://codeberg.org/neomaitre</a></li> <li><a href="https://codeberg.org/npgo22">https://codeberg.org/npgo22</a></li> <li><a href="https://codeberg.org/NRK">https://codeberg.org/NRK</a></li> <li><a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a></li> <li><a href="https://codeberg.org/omenos">https://codeberg.org/omenos</a></li> <li><a href="https://codeberg.org/openbrian">https://codeberg.org/openbrian</a></li> <li><a href="https://codeberg.org/pensicus">https://codeberg.org/pensicus</a></li> <li><a href="https://codeberg.org/peylight">https://codeberg.org/peylight</a></li> <li><a href="https://codeberg.org/PixelHamster">https://codeberg.org/PixelHamster</a></li> <li><a href="https://codeberg.org/popey">https://codeberg.org/popey</a></li> <li><a href="https://codeberg.org/proton-ab">https://codeberg.org/proton-ab</a></li> <li><a href="https://codeberg.org/Renich">https://codeberg.org/Renich</a></li> <li><a href="https://codeberg.org/roberth">https://codeberg.org/roberth</a></li> <li><a href="https://codeberg.org/robko23">https://codeberg.org/robko23</a></li> <li><a href="https://codeberg.org/sclu1034">https://codeberg.org/sclu1034</a></li> <li><a href="https://codeberg.org/scy">https://codeberg.org/scy</a></li> <li><a href="https://codeberg.org/SeaswimmerTheFsh">https://codeberg.org/SeaswimmerTheFsh</a></li> <li><a href="https://codeberg.org/sevki">https://codeberg.org/sevki</a></li> <li><a href="https://codeberg.org/SinTan1729">https://codeberg.org/SinTan1729</a></li> <li><a href="https://codeberg.org/snematoda">https://codeberg.org/snematoda</a></li> <li><a href="https://codeberg.org/stephanm">https://codeberg.org/stephanm</a></li> <li><a href="https://codeberg.org/sthagen">https://codeberg.org/sthagen</a></li> <li><a href="https://codeberg.org/sthenault">https://codeberg.org/sthenault</a></li> <li><a href="https://codeberg.org/svoop">https://codeberg.org/svoop</a></li> <li><a href="https://codeberg.org/TheAwiteb">https://codeberg.org/TheAwiteb</a></li> <li><a href="https://codeberg.org/thefox">https://codeberg.org/thefox</a></li> <li><a href="https://codeberg.org/trymeout">https://codeberg.org/trymeout</a></li> <li><a href="https://codeberg.org/tseeker">https://codeberg.org/tseeker</a></li> <li><a href="https://codeberg.org/twenty-panda">https://codeberg.org/twenty-panda</a></li> <li><a href="https://codeberg.org/ujr">https://codeberg.org/ujr</a></li> <li><a href="https://codeberg.org/varp0n">https://codeberg.org/varp0n</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/voltagex">https://codeberg.org/voltagex</a></li> <li><a href="https://codeberg.org/woutput">https://codeberg.org/woutput</a></li> <li><a href="https://codeberg.org/xinnix">https://codeberg.org/xinnix</a></li> <li><a href="https://codeberg.org/xunzi">https://codeberg.org/xunzi</a></li> <li><a href="https://codeberg.org/yarikoptic">https://codeberg.org/yarikoptic</a></li> <li><a href="https://codeberg.org/ZilloweZ">https://codeberg.org/ZilloweZ</a></li> <li><a href="https://translate.codeberg.org/user/747">https://translate.codeberg.org/user/747</a></li> <li><a href="https://translate.codeberg.org/user/anonymous">https://translate.codeberg.org/user/anonymous</a></li> <li><a href="https://translate.codeberg.org/user/b1nar10">https://translate.codeberg.org/user/b1nar10</a></li> <li><a href="https://translate.codeberg.org/user/Cwpute">https://translate.codeberg.org/user/Cwpute</a></li> <li><a href="https://translate.codeberg.org/user/emansije">https://translate.codeberg.org/user/emansije</a></li> <li><a href="https://translate.codeberg.org/user/enricpineda">https://translate.codeberg.org/user/enricpineda</a></li> <li><a href="https://translate.codeberg.org/user/Fitik">https://translate.codeberg.org/user/Fitik</a></li> <li><a href="https://translate.codeberg.org/user/Fjuro">https://translate.codeberg.org/user/Fjuro</a></li> <li><a href="https://translate.codeberg.org/user/furry">https://translate.codeberg.org/user/furry</a></li> <li><a href="https://translate.codeberg.org/user/hankskyjames777">https://translate.codeberg.org/user/hankskyjames777</a></li> <li><a href="https://translate.codeberg.org/user/kita">https://translate.codeberg.org/user/kita</a></li> <li><a href="https://translate.codeberg.org/user/ledyba">https://translate.codeberg.org/user/ledyba</a></li> <li><a href="https://translate.codeberg.org/user/mareklach">https://translate.codeberg.org/user/mareklach</a></li> <li><a href="https://translate.codeberg.org/user/monstorix">https://translate.codeberg.org/user/monstorix</a></li> <li><a href="https://translate.codeberg.org/user/Mumulhl">https://translate.codeberg.org/user/Mumulhl</a></li> <li><a href="https://translate.codeberg.org/user/Mylloon">https://translate.codeberg.org/user/Mylloon</a></li> <li><a href="https://translate.codeberg.org/user/NameLessGO">https://translate.codeberg.org/user/NameLessGO</a></li> <li><a href="https://translate.codeberg.org/user/Nifou">https://translate.codeberg.org/user/Nifou</a></li> <li><a href="https://translate.codeberg.org/user/nmmr">https://translate.codeberg.org/user/nmmr</a></li> <li><a href="https://translate.codeberg.org/user/petrcech">https://translate.codeberg.org/user/petrcech</a></li> <li><a href="https://translate.codeberg.org/user/Pi-Cla">https://translate.codeberg.org/user/Pi-Cla</a></li> <li><a href="https://translate.codeberg.org/user/salif">https://translate.codeberg.org/user/salif</a></li> <li><a href="https://translate.codeberg.org/user/sunwoo1524">https://translate.codeberg.org/user/sunwoo1524</a></li> <li><a href="https://translate.codeberg.org/user/VioletLul">https://translate.codeberg.org/user/VioletLul</a></li> <li><a href="https://translate.codeberg.org/user/Werenter">https://translate.codeberg.org/user/Werenter</a></li> <li><a href="https://translate.codeberg.org/user/Wuzzy">https://translate.codeberg.org/user/Wuzzy</a></li> <li><a href="https://translate.codeberg.org/user/Xinayder">https://translate.codeberg.org/user/Xinayder</a></li> <li><a href="https://translate.codeberg.org/user/yeziruo">https://translate.codeberg.org/user/yeziruo</a></li> <li><a href="https://translate.codeberg.org/user/zyachel">https://translate.codeberg.org/user/zyachel</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Forgejo monthly update - April 2024</title><link>https://forgejo.org/2024-04-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2024-04-monthly-update/</guid><description>Contributors got together to celebrate the release of Forgejo v7.0 and Codeberg was upgraded the next day. A lot of effort went into the automation of the development process, for dependency management and releases, so that contributors can focus on what matters most. As Forgejo matures, more and more of the work is about day to day management of bug reports, localization, security, etc. All aspects that make Forgejo a product that can be relied on for the years ahead. 17 interviews were conducted to better understand how Forgejo is used and shape its roadmap in a user centered way.</description><pubDate>Tue, 30 Apr 2024 00:00:00 GMT</pubDate><content:encoded><p>The monthly report is meant to provide a good overview of what has changed in Forgejo in the past month. If you would like to help, please get in touch in <a href="https://matrix.to/#/#forgejo-chat:matrix.org">the chatroom</a> or participate in the <a href="https://codeberg.org/forgejo/discussions">ongoing discussions</a>.</p> <p>Contributors got together to celebrate the release of <a href="https://forgejo.org/2024-04-release-v7-0/">Forgejo v7.0</a> and Codeberg was upgraded the next day. A lot of effort went into the automation of the development process, for dependency management and releases, so that contributors can focus on what matters most. As Forgejo matures, more and more of the work is about day to day management of bug reports, localization, security, etc. All aspects that make Forgejo a product that can be relied on for the years ahead. 17 interviews were conducted to better understand how Forgejo is used and shape its roadmap in a user centered way.</p> <h2>Forgejo 7.0</h2> <p><a href="https://forgejo.org/2024-04-release-v7-0/">Forgejo v7.0 was published 23 April</a> with translations in Bulgarian, Esperanto, Filipino and Slovenian; SourceHut builds integration; support for the SHA-256 hash function in Git; source code search by default and more. It also is the first Long Term Support version and will receive updates until July 2025. The adoption of semantic versioning is the reason for the version bump from v1.21 to v7.0 and is compatible with existing tools.</p> <h3>Regressions and 7.0.1</h3> <p>Previous Forgejo releases were synchronized with the Gitea release cycle and usually published after the first patch release, when the most disruptive bugs or regressions were discovered and fixed.<a href="https://forgejo.org/2024-02-forking-forward/">Forgejo became a hard fork</a> two months ago and it was its first major release. Two significant regressions were discovered less than 48h after the release. Their impact and workarounds were documented <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-0">by amending the 7.0.0 release notes</a> while the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-1">7.0.1 patch release</a> was prepared. It was released four days later.</p> <h3>Celebration and motivations</h3> <p>On 27 April Forgejo contributors got together in a videoconference to celebrate the publication of the 7.0 release and remember the evolution of the project since its inception in 2022. They also <a href="https://codeberg.org/forgejo/discussions/issues/158">shared their motivations and goals for 2024</a> in a discussion for everyone to know what they find important, but also what motivates them to contribute to a given topic.</p> <h3>Codeberg upgrade</h3> <p>The Codeberg staging instance was used with Forgejo 7.0 release candidates and a copy of the production data in an attempt to identify scaling issues and regressions.</p> <p>The <a href="https://codeberg.org/Codeberg-Infrastructure/forgejo/src/branch/codeberg-7">Codeberg specific patches</a> were ported (new templates and CSS <a href="https://forgejo.org/docs/latest/developer/customization/">need to be adapted</a>) and Codeberg was migrated to 7.0 on 28 April.</p> <h3>Release notes quality</h3> <p>In order to <a href="https://codeberg.org/forgejo/discussions/issues/155">improve the quality of the release notes</a>, a <a href="https://codeberg.org/forgejo/discussions/issues/159">new requirement</a> to merging a pull request was discussed and led to <a href="https://codeberg.org/forgejo/governance/issues/118">an agreement proposal</a>. The author of a pull request would be required to provide a snippet if their change needs to show in the release notes.</p> <h2>Backport automation</h2> <p>The <a href="https://github.com/kiegroup/git-backporting/">git-backporting</a> action was <a href="https://github.com/kiegroup/git-backporting/compare/v4.6.0...v4.8.0">improved</a> to support:</p> <ul> <li>multiple targets</li> <li>notifications on error</li> <li>merged and squash pull requests</li> </ul> <p>As expected it is now used to <a href="https://codeberg.org/forgejo/forgejo/pulls?poster=165271&amp;state=closed">backport most pull requests</a> from the development branch to the <code>v7.0/forgejo</code> branch.</p> <p>The release notes themselves that were previously only found in the development branch are now <a href="https://codeberg.org/forgejo/forgejo/pulls/3489">also backported to the stable branch</a> where they belong.</p> <h2>Code</h2> <p><a href="https://codeberg.org/forgejo/forgejo">https://codeberg.org/forgejo/forgejo</a></p> <p>Notable improvements and bug fixes:</p> <ul> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/3139">Add Option to hide Release Archive links</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/3383">Limit database max connections by default</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/3414">ldap synchronization can use a new field to make domain name configurable</a></li> </ul> <p><a href="https://codeberg.org/forgejo/forgejo/pulls?labels=209916">Read more</a> in the pull requests.</p> <h2>Security</h2> <p>There is <a href="https://forgejo.org/2024-03-xz/">no direct impact of the xz backdoor (CVE-2024-3094) on Forgejo</a>. This CVE got a lot of attention and a blog post was published to explain why Forgejo is not affected.</p> <p>The Forgejo v1.21.11-0 release <a href="https://forgejo.org/2024-04-release-v1-21-11-0/">was published 18 April</a> and contains two security fixes: a privilege escalation that allows any registered user to change the visibility of any public repository; and a cross-site scripting (XSS) vulnerability that enabled attackers to run unsandboxed client-side scripts on pages served from the forge's domain.</p> <h2>User Research</h2> <p>The work started early March on <a href="https://codeberg.org/forgejo/discussions/issues/130">Forgejo Usability</a> and <a href="https://codeberg.org/forgejo/discussions/issues/131">Designing a modern contribution workflow</a> led to 17 interviews <a href="https://codeberg.org/forgejo/user-research/src/branch/main/interviews/2024-04">for which transcripts were archived</a>. They provide material that can be re-used in various contexts, even for the benefit of forges other than Forgejo.</p> <p>Some of the information already influenced decisions and implementation details in discussions, and <a href="https://codeberg.org/forgejo/forgejo/issues/?q=&amp;type=all&amp;state=open&amp;labels=208298&amp;milestone=0&amp;assignee=0&amp;poster=179">issues were created</a> in response to the user interviews, for example to improve the new repo units button and feedback for features that are still in development, such as <a href="https://codeberg.org/forgejo/forgejo/issues/3502">improving assignment to issues</a>.</p> <p>A discussion on how to <a href="https://codeberg.org/forgejo/discussions/issues/156">move on with user research</a> was started.</p> <p>A <a href="https://codeberg.org/forgejo/discussions/issues/157">survey started</a> on <strong>Exploring the Contributor Experience</strong> where Forgejo contributors are asked to answer a series of questions.</p> <h2>Dependency Management</h2> <p>The <a href="https://codeberg.org/forgejo/forgejo/issues/2779">dependency update dashboard</a> is used daily to observe and update Forgejo dependencies. When a new release is available, <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/.forgejo/workflows/renovate.yml">a daily scheduled workflow</a> will create a <a href="https://codeberg.org/forgejo/forgejo/pulls?poster=165503">pull request</a> which:</p> <ul> <li>will be merged automatically, for instance if it is a patch upgrade from a dependency known to have a trusted release process</li> <li>be reviewed by a Forgejo contributor to decided if it worth an upgrade</li> </ul> <p>With hundreds of dependencies, there is a significant backlog to absorb and it is done incrementally by improving the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/renovate.json">configuration file</a> with:</p> <ul> <li>groups of dependencies, for instance <a href="https://codeberg.org/forgejo/forgejo/src/commit/27fa12427ce86cd81dbecd184b13a3dd3d7061d9/renovate.json#L7">postcss</a> where multiple dependencies are treated as one</li> <li>automerging <a href="https://codeberg.org/forgejo/forgejo/src/commit/27fa12427ce86cd81dbecd184b13a3dd3d7061d9/renovate.json#L80">patch releases</a></li> <li>adding <a href="https://codeberg.org/forgejo/forgejo/src/commit/27fa12427ce86cd81dbecd184b13a3dd3d7061d9/renovate.json#L134">custom dependency detection</a></li> </ul> <p>When Forgejo became a hard fork two months ago, maintainers switched from rebasing weekly on top of Gitea to cherry picking commits instead. A <a href="https://codeberg.org/forgejo/tools">tool</a> has been developed to make this process easier, and automate as much of it as possible. As the tool keeps evolving, the weekly cherry pick pull request become <a href="https://codeberg.org/forgejo/tools/issues/31#issuecomment-1792960">easier to create</a>, review, and even includes <a href="https://codeberg.org/forgejo/forgejo/pulls/3513">interesting statistics</a> at the bottom of the summary.</p> <h2>Forgejo v1.20 end of life</h2> <p>With the release of Forgejo 7.0, the Forgejo v1.20 release is EOL (End Of Life) and will no longer receive security patches. The last of them was <a href="https://codeberg.org/forgejo/forgejo/pulls/3319">backported</a> and made available in the <a href="https://codeberg.org/forgejo/forgejo/commits/branch/v1.20/forgejo">v1.20/forgejo</a> branch for the benefit of source builds in April.</p> <p>The <a href="https://code.forgejo.org/forgejo/end-to-end">end-to-end tests</a> were also <a href="https://code.forgejo.org/forgejo/end-to-end/pulls/167">updated</a> to remove v1.20 support and <a href="https://code.forgejo.org/forgejo/end-to-end/src/branch/main/README.md#removing-legacy-tests">the policy to managed</a> legacy tests was documented.</p> <h2>Debian packages</h2> <p>The <a href="https://codeberg.org/forgejo-contrib/forgejo-deb">Debian package</a> has undergone extensive changes. In addition to gaining support for Forgejo v7.0 LTS, its CI was <a href="https://codeberg.org/forgejo-contrib/forgejo-deb/src/branch/main/.forgejo/workflows/forgejo-deb.yml">migrated to Forgejo Actions</a> and includes a pull request test suite. The repository now has an LTS release channel. Enhancements are in the works to remove Forgejo's common data from the compiled binaries and instead storing it in a forgejo-common package. This lays the groundwork for things like multi-architecture builds.</p> <p>A <a href="https://codeberg.org/forgejo-contrib/forgejo-deb/issues/34">call for maintainers</a> was posted so that there are at least three maintainers to ensure:</p> <ul> <li>Debian packages are available within 12 hours of Forgejo releases</li> <li>Pull requests can be reviewed by at least one maintainer</li> </ul> <p>References:</p> <ul> <li><a href="https://codeberg.org/forgejo-contrib/forgejo-deb">https://codeberg.org/forgejo-contrib/forgejo-deb</a></li> </ul> <h2>Helm chart</h2> <p>The Forgejo helm chart had <a href="https://codeberg.org/forgejo-contrib/forgejo-helm/releases">one major updates</a>.</p> <p>References:</p> <ul> <li><a href="https://codeberg.org/forgejo-contrib/forgejo-helm/releases">https://codeberg.org/forgejo-contrib/forgejo-helm/releases</a></li> </ul> <h2>Localization</h2> <p>The localization keeps going forward. 1 member <a href="https://codeberg.org/forgejo/governance/pulls/112">was onboarded</a> and 2 more applications were created. Some optimizations to the merge process were made to make it go faster. 6 batches of updates <a href="https://codeberg.org/forgejo/forgejo/pulls?state=closed&amp;poster=67160">were merged</a>, containing total of 2273 new translations and 1913 improvements. The translation effort had finally seen the light with the Forgejo 7.0.0 release, which is the first release containing major Forgejo localization improvements. There are still countless improvements to be made for many languages and you can help to improve the localization too. <a href="https://forgejo.org/docs/latest/developer/localization">Learn how</a>.</p> <h2>Federation</h2> <p>The pull request to implement <a href="https://codeberg.org/forgejo/forgejo/pulls/1680">federated stars</a> passes tests and is ready for merging. It is a very large pull request and it was requested by reviewers to split it into smaller, more manageable pull requests. In the same way the large webhook refactor was done. The first pull request <a href="https://codeberg.org/forgejo/forgejo/pulls/3494">was open and is its final stage</a> to validate ActivityPub messages.</p> <p>A new pull request to <a href="https://codeberg.org/forgejo/forgejo/pulls/3128">implement federated search</a> was proposed with a demonstration searching for an actor on <a href="https://next.forgejo.org">https://next.forgejo.org</a> from a locally running Forgejo instance.</p> <h2>Governance</h2> <h3>Sustainability</h3> <p>The <a href="https://codeberg.org/forgejo/discussions/issues/144">discussion started</a> on Forgejo durability in the next 10 years led to drafting a grant proposal for the new <a href="https://www.opentech.fund/funds/free-and-open-source-software-sustainability-fund/">Free and Open Source Software Sustainability Fund</a>. It proposes the creation of a non-profit organization managed transparently so that it can be audited at any time. Its purpose would be to define a collective roadmap and use the grant to fund the work. To preserve the Forgejo dynamic that is key to its momentum, it will be setup to ensure volunteers keep being its driving force.</p> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/0ko">https://codeberg.org/0ko</a></li> <li><a href="https://codeberg.org/adaaa">https://codeberg.org/adaaa</a></li> <li><a href="https://codeberg.org/algernon">https://codeberg.org/algernon</a></li> <li><a href="https://codeberg.org/Andre601">https://codeberg.org/Andre601</a></li> <li><a href="https://codeberg.org/anri">https://codeberg.org/anri</a></li> <li><a href="https://codeberg.org/AverageHelper">https://codeberg.org/AverageHelper</a></li> <li><a href="https://codeberg.org/axd99">https://codeberg.org/axd99</a></li> <li><a href="https://codeberg.org/banaanihillo">https://codeberg.org/banaanihillo</a></li> <li><a href="https://codeberg.org/bapt">https://codeberg.org/bapt</a></li> <li><a href="https://codeberg.org/BaumiCoder">https://codeberg.org/BaumiCoder</a></li> <li><a href="https://codeberg.org/bdr9">https://codeberg.org/bdr9</a></li> <li><a href="https://codeberg.org/bdube">https://codeberg.org/bdube</a></li> <li><a href="https://codeberg.org/Beowulf">https://codeberg.org/Beowulf</a></li> <li><a href="https://codeberg.org/buhtz">https://codeberg.org/buhtz</a></li> <li><a href="https://codeberg.org/ChrSt">https://codeberg.org/ChrSt</a></li> <li><a href="https://codeberg.org/clarfonthey">https://codeberg.org/clarfonthey</a></li> <li><a href="https://codeberg.org/con-f-use">https://codeberg.org/con-f-use</a></li> <li><a href="https://codeberg.org/Crown0815">https://codeberg.org/Crown0815</a></li> <li><a href="https://codeberg.org/crystal">https://codeberg.org/crystal</a></li> <li><a href="https://codeberg.org/Cyborus">https://codeberg.org/Cyborus</a></li> <li><a href="https://codeberg.org/ddevault">https://codeberg.org/ddevault</a></li> <li><a href="https://codeberg.org/deblan">https://codeberg.org/deblan</a></li> <li><a href="https://codeberg.org/Dirk">https://codeberg.org/Dirk</a></li> <li><a href="https://codeberg.org/Drakon">https://codeberg.org/Drakon</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/el0n">https://codeberg.org/el0n</a></li> <li><a href="https://codeberg.org/eo">https://codeberg.org/eo</a></li> <li><a href="https://codeberg.org/flipreverse">https://codeberg.org/flipreverse</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/foxy">https://codeberg.org/foxy</a></li> <li><a href="https://codeberg.org/Frankkkkk">https://codeberg.org/Frankkkkk</a></li> <li><a href="https://codeberg.org/gmask">https://codeberg.org/gmask</a></li> <li><a href="https://codeberg.org/grosmanal">https://codeberg.org/grosmanal</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/h759bkyo4">https://codeberg.org/h759bkyo4</a></li> <li><a href="https://codeberg.org/hazy">https://codeberg.org/hazy</a></li> <li><a href="https://codeberg.org/ikidd">https://codeberg.org/ikidd</a></li> <li><a href="https://codeberg.org/iminfinity">https://codeberg.org/iminfinity</a></li> <li><a href="https://codeberg.org/intelfx">https://codeberg.org/intelfx</a></li> <li><a href="https://codeberg.org/itsdrike">https://codeberg.org/itsdrike</a></li> <li><a href="https://codeberg.org/JakobDev">https://codeberg.org/JakobDev</a></li> <li><a href="https://codeberg.org/jean-daricade">https://codeberg.org/jean-daricade</a></li> <li><a href="https://codeberg.org/JeremyStarTM">https://codeberg.org/JeremyStarTM</a></li> <li><a href="https://codeberg.org/jerger">https://codeberg.org/jerger</a></li> <li><a href="https://codeberg.org/jfinkhaeuser">https://codeberg.org/jfinkhaeuser</a></li> <li><a href="https://codeberg.org/Justman10000">https://codeberg.org/Justman10000</a></li> <li><a href="https://codeberg.org/jwells">https://codeberg.org/jwells</a></li> <li><a href="https://codeberg.org/jwildeboer">https://codeberg.org/jwildeboer</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/kB01">https://codeberg.org/kB01</a></li> <li><a href="https://codeberg.org/kita">https://codeberg.org/kita</a></li> <li><a href="https://codeberg.org/KlavsKlavsen">https://codeberg.org/KlavsKlavsen</a></li> <li><a href="https://codeberg.org/KOLANICH">https://codeberg.org/KOLANICH</a></li> <li><a href="https://codeberg.org/lampajr">https://codeberg.org/lampajr</a></li> <li><a href="https://codeberg.org/liberodark">https://codeberg.org/liberodark</a></li> <li><a href="https://codeberg.org/Link1J">https://codeberg.org/Link1J</a></li> <li><a href="https://codeberg.org/Mai-Lapyst">https://codeberg.org/Mai-Lapyst</a></li> <li><a href="https://codeberg.org/mainboarder">https://codeberg.org/mainboarder</a></li> <li><a href="https://codeberg.org/maltfield">https://codeberg.org/maltfield</a></li> <li><a href="https://codeberg.org/markuzcha">https://codeberg.org/markuzcha</a></li> <li><a href="https://codeberg.org/matheusmoreira">https://codeberg.org/matheusmoreira</a></li> <li><a href="https://codeberg.org/maya">https://codeberg.org/maya</a></li> <li><a href="https://codeberg.org/MichaelTen">https://codeberg.org/MichaelTen</a></li> <li><a href="https://codeberg.org/mlncn">https://codeberg.org/mlncn</a></li> <li><a href="https://codeberg.org/mnq">https://codeberg.org/mnq</a></li> <li><a href="https://codeberg.org/moonglum">https://codeberg.org/moonglum</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/natct">https://codeberg.org/natct</a></li> <li><a href="https://codeberg.org/nercon">https://codeberg.org/nercon</a></li> <li><a href="https://codeberg.org/nezbednik">https://codeberg.org/nezbednik</a></li> <li><a href="https://codeberg.org/NicolasCARPi">https://codeberg.org/NicolasCARPi</a></li> <li><a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a></li> <li><a href="https://codeberg.org/payas">https://codeberg.org/payas</a></li> <li><a href="https://codeberg.org/Pi-Cla">https://codeberg.org/Pi-Cla</a></li> <li><a href="https://codeberg.org/PixelHamster">https://codeberg.org/PixelHamster</a></li> <li><a href="https://codeberg.org/popey">https://codeberg.org/popey</a></li> <li><a href="https://codeberg.org/programmerjake">https://codeberg.org/programmerjake</a></li> <li><a href="https://codeberg.org/rafadc">https://codeberg.org/rafadc</a></li> <li><a href="https://codeberg.org/realaravinth">https://codeberg.org/realaravinth</a></li> <li><a href="https://codeberg.org/ReptoxX">https://codeberg.org/ReptoxX</a></li> <li><a href="https://codeberg.org/saltstack-admin">https://codeberg.org/saltstack-admin</a></li> <li><a href="https://codeberg.org/sbatial">https://codeberg.org/sbatial</a></li> <li><a href="https://codeberg.org/sergeyk">https://codeberg.org/sergeyk</a></li> <li><a href="https://codeberg.org/shanzez">https://codeberg.org/shanzez</a></li> <li><a href="https://codeberg.org/silverwind">https://codeberg.org/silverwind</a></li> <li><a href="https://codeberg.org/SinTan1729">https://codeberg.org/SinTan1729</a></li> <li><a href="https://codeberg.org/snematoda">https://codeberg.org/snematoda</a></li> <li><a href="https://codeberg.org/SnowCode">https://codeberg.org/SnowCode</a></li> <li><a href="https://codeberg.org/sosasees">https://codeberg.org/sosasees</a></li> <li><a href="https://codeberg.org/SR-G">https://codeberg.org/SR-G</a></li> <li><a href="https://codeberg.org/stsp">https://codeberg.org/stsp</a></li> <li><a href="https://codeberg.org/Sunner">https://codeberg.org/Sunner</a></li> <li><a href="https://codeberg.org/tampler">https://codeberg.org/tampler</a></li> <li><a href="https://codeberg.org/thefox">https://codeberg.org/thefox</a></li> <li><a href="https://codeberg.org/theoryshaw">https://codeberg.org/theoryshaw</a></li> <li><a href="https://codeberg.org/thepaperpilot">https://codeberg.org/thepaperpilot</a></li> <li><a href="https://codeberg.org/Thesola10">https://codeberg.org/Thesola10</a></li> <li><a href="https://codeberg.org/thomas-maurice">https://codeberg.org/thomas-maurice</a></li> <li><a href="https://codeberg.org/tmb">https://codeberg.org/tmb</a></li> <li><a href="https://codeberg.org/VehementHam">https://codeberg.org/VehementHam</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/VicinityNeurosis">https://codeberg.org/VicinityNeurosis</a></li> <li><a href="https://codeberg.org/vsz">https://codeberg.org/vsz</a></li> <li><a href="https://codeberg.org/wangito33">https://codeberg.org/wangito33</a></li> <li><a href="https://codeberg.org/wetneb">https://codeberg.org/wetneb</a></li> <li><a href="https://codeberg.org/Wuzzy">https://codeberg.org/Wuzzy</a></li> <li><a href="https://codeberg.org/Xinayder">https://codeberg.org/Xinayder</a></li> <li><a href="https://codeberg.org/yarikoptic">https://codeberg.org/yarikoptic</a></li> <li><a href="https://codeberg.org/yumisea">https://codeberg.org/yumisea</a></li> <li><a href="https://codeberg.org/zareck">https://codeberg.org/zareck</a></li> <li><a href="https://codeberg.org/zontreck">https://codeberg.org/zontreck</a></li> <li><a href="https://codeberg.org/zotan">https://codeberg.org/zotan</a></li> <li><a href="https://codeberg.org/Zottelchen">https://codeberg.org/Zottelchen</a></li> <li><a href="https://codeberg.org/zwanto">https://codeberg.org/zwanto</a></li> <li><a href="https://translate.codeberg.org/user/747">https://translate.codeberg.org/user/747</a></li> <li><a href="https://translate.codeberg.org/user/emansije">https://translate.codeberg.org/user/emansije</a></li> <li><a href="https://translate.codeberg.org/user/Eriwi">https://translate.codeberg.org/user/Eriwi</a></li> <li><a href="https://translate.codeberg.org/user/EssGeeEich">https://translate.codeberg.org/user/EssGeeEich</a></li> <li><a href="https://translate.codeberg.org/user/FedericoSchonborn">https://translate.codeberg.org/user/FedericoSchonborn</a></li> <li><a href="https://translate.codeberg.org/user/Fjuro">https://translate.codeberg.org/user/Fjuro</a></li> <li><a href="https://translate.codeberg.org/user/FunctionalHacker">https://translate.codeberg.org/user/FunctionalHacker</a></li> <li><a href="https://translate.codeberg.org/user/furry">https://translate.codeberg.org/user/furry</a></li> <li><a href="https://translate.codeberg.org/user/hankskyjames777">https://translate.codeberg.org/user/hankskyjames777</a></li> <li><a href="https://translate.codeberg.org/user/kdh8219">https://translate.codeberg.org/user/kdh8219</a></li> <li><a href="https://translate.codeberg.org/user/kecrily">https://translate.codeberg.org/user/kecrily</a></li> <li><a href="https://translate.codeberg.org/user/leana8959">https://translate.codeberg.org/user/leana8959</a></li> <li><a href="https://translate.codeberg.org/user/lucasmz">https://translate.codeberg.org/user/lucasmz</a></li> <li><a href="https://translate.codeberg.org/user/m0s">https://translate.codeberg.org/user/m0s</a></li> <li><a href="https://translate.codeberg.org/user/Mormegil">https://translate.codeberg.org/user/Mormegil</a></li> <li><a href="https://translate.codeberg.org/user/Mylloon">https://translate.codeberg.org/user/Mylloon</a></li> <li><a href="https://translate.codeberg.org/user/Quitaxd">https://translate.codeberg.org/user/Quitaxd</a></li> <li><a href="https://translate.codeberg.org/user/rguards">https://translate.codeberg.org/user/rguards</a></li> <li><a href="https://translate.codeberg.org/user/salif">https://translate.codeberg.org/user/salif</a></li> <li><a href="https://translate.codeberg.org/user/sinsky">https://translate.codeberg.org/user/sinsky</a></li> <li><a href="https://translate.codeberg.org/user/SteffoSpieler">https://translate.codeberg.org/user/SteffoSpieler</a></li> <li><a href="https://translate.codeberg.org/user/toasterbirb">https://translate.codeberg.org/user/toasterbirb</a></li> <li><a href="https://translate.codeberg.org/user/WithLithum">https://translate.codeberg.org/user/WithLithum</a></li> <li><a href="https://translate.codeberg.org/user/yeziruo">https://translate.codeberg.org/user/yeziruo</a></li> <li><a href="https://translate.codeberg.org/user/ZilloweZ">https://translate.codeberg.org/user/ZilloweZ</a></li> <li><a href="https://translate.codeberg.org/user/Zughy">https://translate.codeberg.org/user/Zughy</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Forgejo v7.0 is available</title><link>https://forgejo.org/2024-04-release-v7-0/</link><guid isPermaLink="true">https://forgejo.org/2024-04-release-v7-0/</guid><description>Forgejo v7.0 is available with translations in Bulgarian, Esperanto, Filipino and Slovenian; SourceHut builds integration; support for the SHA-256 hash function in Git; source code search by default and more. It also is the first Long Term Support version and will receive updates until July 2025. The adoption of semantic versioning is the reason for the version bump from v1.21 to v7.0 and is compatible with existing tools.</description><pubDate>Tue, 23 Apr 2024 00:00:00 GMT</pubDate><content:encoded><p><a href="/download/">Forgejo v7.0</a> was released 23 April 2024. You will find the most interesting changes it introduces below and in a <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-0">complete list in the release notes</a>.</p> <p>A <a href="https://v7.next.forgejo.org/">dedicated test instance is available</a> to try it out. Before upgrading it is <em>strongly recommended</em> to make a full backup as explained in the <a href="/docs/v7.0/admin/upgrade/">upgrade guide</a> and carefully read <em>all breaking changes</em> from the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-0">release notes</a>. If in doubt, do not hesitate to ask for help <a href="https://floss.social/@forgejo">on the Fediverse</a>, or in the <a href="https://matrix.to/#/#forgejo-chat:matrix.org">chat room</a>.</p> <p>The adoption of <a href="https://semver.org/spec/v2.0.0.html">Semantic Versioning 2.0.0</a> is the reason for the version bump from <code>v1.21</code> to <code>v7.0</code> and is compatible with existing tools.</p> <ul> <li><p><strong><a href="https://translate.codeberg.org/projects/forgejo/forgejo">Translations in four new languages</a></strong> with a usable level of completion are available to users: Bulgarian, Esperanto, Filipino and Slovenian.</p> <p></p> </li> <li><p><strong><a href="/docs/v7.0/user/webhooks/">SourceHut Builds integration</a></strong> can be used to submit jobs to <a href="https://man.sr.ht/builds.sr.ht/">SourceHut</a> on push events.</p> <p></p> </li> <li><p><strong><a href="/docs/v7.0/user/code-search/#basic-git-grep">Source code search code now available by default</a></strong> using <a href="https://git-scm.com/docs/git-grep">git grep</a>.</p> <p></p> </li> <li><p><strong><a href="https://forgejo.org/docs/v7.0/user/repository-activity/">Activity graphs</a></strong> show the contributors, code frequency and the recent commits in the activity tab of repositories.</p> <p></p> </li> <li><p><strong><a href="https://forgejo.org/docs/v7.0/user/wiki/#activation-and-permissions">The wiki can be edited by any user</a></strong> with read permissions by selecting <code>Allow anyone to edit the wiki</code> on the repository settings. The default is to only allow users with write permissions on the repository.</p> <p></p> </li> <li><p><strong><a href="https://codeberg.org/forgejo/forgejo/commit/d68a613ba8fd860863a3465b5b5945b191b87b25">Git repositories using SHA-256 are supported</a></strong>. Although Git repositories using SHA-1 are not vulnerable to <a href="https://shattered.io/">collision attacks</a> since Git v2.13.0, this hash algorithm is still weak. Git <a href="https://git-scm.com/docs/hash-function-transition">transition to a SHA-256 hash function</a> was decided to be trustworthy and useful in practice for at least 10 years. <strong>As of Forgejo 7.0.2 some features are <a href="https://codeberg.org/forgejo/forgejo/issues/3613">still unreliable when using SHA-256</a>.</strong></p> </li> <li><p><strong><a href="https://forgejo.org/docs/v7.0/user/readme-badges/">Repository badges</a></strong> can be used to embed information about a given repository such as the CI state, the number of issues, etc.</p> <p></p> </li> </ul> <p>Read more <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-0">in the Forgejo v7.0.0 release notes</a>.</p> <h2>7.0 Long Term Support (LTS) and semantic versioning</h2> <p>The <code>7.0</code> version is the first Long Term Support (LTS) release. Critical bug and security fixes will be published in patch releases (<code>7.0.1</code>, <code>7.0.2</code>, etc.) until <strong>July 2025</strong>. It is also the first version to use <a href="https://semver.org/spec/v2.0.0.html">semantic versioning</a>. Forgejo implemented semantic versioning internally in earlier releases (for instance <code>v1.21</code> is <code>v6.0</code>) and it is now exposed publicly.</p> <h3>Gitea API compatibility</h3> <p>Tools that are developed for the Gitea API will keep working with the new Forgejo numbering scheme. They typically make assertions on the release number to unlock new functionalities and that logic will not be impacted by a bump in the release number. The proprietary version of Gitea has a different numbering scheme (v21.X.Y, v22.X.Y) and is in a similar situation.</p> <p>Read more about <a href="/2024-02-forking-forward/">Gitea compatibility in the blog post explaining the hard fork that happened in February 2024</a>.</p> <h3>Time based release schedule</h3> <p>The <a href="https://forgejo.org/docs/v7.0/developer/release/#release-cycle">time based release schedule</a> was established to publish a release every three months. Patch releases will be published more frequently, depending on the severity of the bug or security fixes they contain. The exact number of the release cannot be known in advance because it will be determined by the features and breaking changes it contains, as specified by the <a href="https://semver.org/spec/v2.0.0.html">Semantic Versioning 2.0.0</a> specifications.</p> <table> <thead> <tr> <th><strong>Date</strong></th> <th><strong>Version</strong></th> <th><strong>Release date</strong></th> <th><strong>End Of Life</strong></th> </tr> </thead> <tbody><tr> <td>2024 Q1</td> <td>7.0.0+gitea-1.22.0</td> <td>23 April 2024</td> <td><strong>16 July 2025</strong></td> </tr> <tr> <td>2024 Q2</td> <td>8.0.0+gitea-A.B.C</td> <td>17 July 2024</td> <td>16 October 2024</td> </tr> <tr> <td>2024 Q3</td> <td>X.Y.Z+gitea-A.B.C</td> <td>16 October 2024</td> <td>15 January 2025</td> </tr> <tr> <td>2024 Q4</td> <td>X.Y.Z+gitea-A.B.C</td> <td>15 January 2025</td> <td>16 April 2025</td> </tr> </tbody></table> <h3>7.0-test daily releases</h3> <p>Releases are built daily from the latest changes found in the <a href="https://codeberg.org/forgejo/forgejo/src/branch/v7.0/forgejo">v7.0/forgejo</a> development branch. They are deployed to the <a href="https://v7.next.forgejo.org">https://v7.next.forgejo.org</a> instance for manual verification in case a bug fix is of particular interest ahead of the next patch release. It can also be installed locally with:</p> <ul> <li>OCI images: <a href="https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/7.0-test">root</a> and <a href="https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/7.0-test-rootless">rootless</a></li> <li><a href="https://codeberg.org/forgejo-experimental/forgejo/releases/tag/v7.0-test">Binaries</a></li> </ul> <p>Their name stays the same but they are replaced by a new build every day.</p> <h2>Webhook subsystem refactor</h2> <p>The webhook subsystem underwent a <a href="https://codeberg.org/forgejo/forgejo/pulls/2717">substantial refactor</a> to ease the additions of new webhook types. The <a href="https://codeberg.org/forgejo/forgejo/issues/2714">SourceHut Builds</a> is a driving example of how the refactored webhook architecture can be used to implement a new webhook type.</p> <h2>Localization</h2> <p>Forgejo now got its own independent <a href="https://forgejo.org/docs/v7.0/developer/localization">localization foundation</a>. New <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#localization">teams</a> were formed, a Weblate <a href="https://translate.codeberg.org/projects/forgejo/forgejo/">project</a> was set up. The localization no longer relies on a proprietary service.</p> <p>Work on refactoring base localization to improve User eXperience and translatability is in progress. Lots of strings were updated to improve readability and be easier to understand, many got basic plural support. File and repo sizes were <a href="https://codeberg.org/forgejo/forgejo/pulls/2528">made translatable</a>, localization of activity heatmap <a href="https://codeberg.org/forgejo/forgejo/pulls/2612">was fixed</a>.</p> <p>As soon as the initiative <a href="https://forgejo.org/2024-01-monthly-update/#localization">was announced</a> in January, the call for participation got a great response and volunteers from around the world are working daily to improve translations. New languages were added. The ones which got active maintainers and have reached a usable level of completion <a href="https://codeberg.org/forgejo/forgejo/pulls/2724">were made available</a> to the users: Bulgarian, Esperanto, Filipino, Slovenian.</p> <p>Anyone is welcome to participate in improving translation <a href="https://forgejo.org/docs/latest/developer/localization">for their language</a> as well as <a href="https://forgejo.org/docs/v7.0/developer/localization-english/#contributing">the English base</a>.</p> <h3>Federation</h3> <p>Does <code>Forgejo</code> support federation? Not yet. Was there progress? Yes.</p> <p>The monthly reports <a href="/tag/report/">have details</a> on these progress.</p> <p>Forges have existed for over twenty years and none of them has achieved data portability let alone federation. Forgejo is one year old and it will take it a some time to get there.</p> <h3>Get Forgejo v7.0</h3> <p>See the <a href="/download/">download page</a> for instructions on how to install Forgejo, and read the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-0">release notes</a> for more information.</p> <h3>Upgrading</h3> <p>Carefully read the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-0">breaking changes</a> section of the release notes.</p> <p>The actual upgrade process is as simple as replacing the binary or container image with the corresponding <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v7.0.0">Forgejo binary</a> or <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/7.0.0">container image</a>. If you're using the container images, you can use the <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/7.0"><code>7.0</code> tag</a> to stay up to date with the latest <code>7.0.Y</code> patch release automatically.</p> <p>Make sure to check the <a href="/docs/v7.0/admin/upgrade">Forgejo upgrade documentation</a> for recommendations on how to properly backup your instance before the upgrade.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo do not hold back, it is also your project. Open an issue in <a href="https://codeberg.org/forgejo/forgejo/issues">the issue tracker</a> for feature requests or bug reports, reach out <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop into <a href="https://matrix.to/#/#forgejo:matrix.org">the Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) and say hi!</p> </content:encoded></item><item><title>Forgejo Security Release 1.21.11-0</title><link>https://forgejo.org/2024-04-release-v1-21-11-0/</link><guid isPermaLink="true">https://forgejo.org/2024-04-release-v1-21-11-0/</guid><description>The Forgejo v1.21.11-0 release contains two security fixes: a privilege escalation that allows any registered user to change the visibility of any public repository; and a cross-site scripting (XSS) vulnerability that enabled attackers to run unsandboxed client-side scripts on pages served from the forge's domain.</description><pubDate>Thu, 18 Apr 2024 00:00:00 GMT</pubDate><content:encoded><p><a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.21.11-0">Forgejo v1.21.11-0</a> was released 18 April 2024.</p> <p>This release contains <em>two security fixes</em>, both of which can be exploited by registered Forgejo users. One flaw allows <em>anyone</em> who can open a pull request against a repository to change its visibility. The other lets the attacker run unsandboxed client-side scripts on pages served from the forge's domain, a <a href="https://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting (XSS)</a> vulnerability.</p> <h3>Recommended Action</h3> <p>We <em>strongly recommend</em> that all Forgejo installations are upgraded to the latest version as soon as possible.</p> <h3>Privilege escalation through <code>git push</code> options</h3> <p>By far the more serious issue is a privilege escalation through <code>git push</code> options, which allowed any registered user to change the visibility of any repository they could see - public repositories included -, regardless of what level of access they had.</p> <p>A more detailed deep-dive about this vulnerability will follow in a later blog post.</p> <h3>Cross-site scripting (XSS) vulnerability</h3> <p>The other vulnerability is a <a href="https://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting (XSS)</a> vulnerability that could be exploited by a registered Forgejo user.</p> <p>In certain situations, rendered repository contents weren't properly guarded, and allowed unsandboxed client-side scripts to run from the same domain as the forge itself.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo, we'd love to hear from you! Open an issue on <a href="https://codeberg.org/forgejo/forgejo/issues">our issue tracker</a> for feature requests or bug reports. You can also find us <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop by <a href="https://matrix.to/#/#forgejo:matrix.org">our Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) to say hi!</p> </content:encoded></item><item><title>Forgejo monthly update - March 2024</title><link>https://forgejo.org/2024-03-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2024-03-monthly-update/</guid><description>Forgejo 7.0.0 release candidates are now available for testing at https://v7.next.forgejo.org or by downloading OCI images and binaries, updated daily. It will be the first LTS release, supported until July 2025. Four new translations that were added are Filipino, Esperanto, Slovenian and Bulgarian and the localization team keeps growing.</description><pubDate>Sun, 31 Mar 2024 00:00:00 GMT</pubDate><content:encoded><p>The monthly report is meant to provide a good overview of what has changed in Forgejo in the past month. If you would like to help, please get in touch in <a href="https://matrix.to/#/#forgejo-chat:matrix.org">the chatroom</a> or participate in the <a href="https://codeberg.org/forgejo/discussions">ongoing discussions</a>.</p> <p>Forgejo 7.0.0 release candidates are now available for testing at <a href="https://v7.next.forgejo.org">https://v7.next.forgejo.org</a> or by downloading OCI images (<a href="https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/7.0-test">root</a> / <a href="https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/7.0-test-rootless">rootless</a>) and <a href="https://codeberg.org/forgejo-experimental/forgejo/releases/tag/v7.0-test">binaries</a> that are updated updated daily.</p> <p>The <code>7.0.0+LTS-gitea-1.22.0</code> version is the first Long Term Support (LTS) release and will receive critical bug and security fixes until July 2025. It is an additional burden on Forgejo contributors and members of the release team. Individuals and organizations who need that kind of stability are kindly invited to contribute to this effort so it can be sustained in the long run.</p> <p>New languages that got active translators and have reached a usable level of completion <a href="https://codeberg.org/forgejo/forgejo/pulls/2724">were added</a> and are now visible to users: Bulgarian, Esperanto, Filipino and Slovenian.</p> <h2>New release management</h2> <p>Now that <a href="https://forgejo.org/2024-02-forking-forward/">Forgejo forked its own way forward</a>, it became necessary to define when and how releases are published.</p> <h3>Semantic versioning</h3> <p>The first Forgejo version to be published with its own release management will be <code>7.0.0+LTS-gitea-1.22.0</code> and the <a href="https://forgejo.org/docs/v7.0/user/versions/">documentation was updated</a> to explain the new numbering scheme.</p> <h3>Gitea API compatibility</h3> <p>Tools that are developed for the Gitea API will keep working with the new Forgejo numbering scheme. They typically make assertions on the release number to unlock new functionalities and that logic will not be impacted by a bump in the release number. The proprietary version of Gitea has a different numbering scheme (v21.X.Y, v22.X.Y) and is in a similar situation.</p> <h3>Forgejo 7.0 release candidates</h3> <p>The <a href="https://codeberg.org/forgejo/forgejo/src/branch/v7.0/forgejo">7.0/forgejo</a> branch was cut 30 March 2024 and the <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v8.0.0-dev">v8.0.0-dev</a> tag set to the development branch. While the release-critical bugs are being fixed so that the version can be published, <a href="https://v7.next.forgejo.org">https://v7.next.forgejo.org</a> will keep being updated daily with a build of the latest commit, acting as a release candidate where anyone can safely try and break it. It can also be installed locally with:</p> <ul> <li>OCI images: <a href="https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/7.0-test">root</a> and <a href="https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/7.0-test-rootless">rootless</a></li> <li><a href="https://codeberg.org/forgejo-experimental/forgejo/releases/tag/v7.0-test">Binaries</a></li> </ul> <p>Their name stays the same but they are replaced by a new build every day.</p> <h3>Forgejo 7.0 LTS</h3> <p>Now that Forgejo has given itself the mean to avoid most of the regressions that it suffered from in the past, it can provide support for releases during a longer period of time. The <code>7.0.0+LTS-gitea-1.22.0</code> version is the first Long Term Support (LTS) release and will receive critical bug and security fixes until July 2025.</p> <h3>Time based release schedule</h3> <p>The <a href="https://forgejo.org/docs/v7.0/developer/release/#release-cycle">time based release schedule</a> was established to publish a release every three months. Patch releases will be published more frequently, depending on the severity of the bug or security fixes they contain. The exact number of the release cannot be known in advance because it will be determined by the features and breaking changes it contains, as specified by the <a href="https://semver.org/spec/v2.0.0.html">Semantic Versioning 2.0.0</a> specifications.</p> <table> <thead> <tr> <th><strong>Date</strong></th> <th><strong>Version</strong></th> <th><strong>Release date</strong></th> <th><strong>End Of Life</strong></th> </tr> </thead> <tbody><tr> <td>2024 Q1</td> <td>7.0.0+LTS-gitea-1.22.0</td> <td>17 April 2024</td> <td><strong>16 July 2025</strong></td> </tr> <tr> <td>2024 Q2</td> <td>X.Y.Z+gitea-A.B.C</td> <td>17 July 2024</td> <td>16 October 2024</td> </tr> <tr> <td>2024 Q3</td> <td>X.Y.Z+gitea-A.B.C</td> <td>16 October 2024</td> <td>15 January 2025</td> </tr> <tr> <td>2024 Q4</td> <td>X.Y.Z+gitea-A.B.C</td> <td>15 January 2025</td> <td>16 April 2025</td> </tr> </tbody></table> <h2>Code</h2> <p><a href="https://codeberg.org/forgejo/forgejo">https://codeberg.org/forgejo/forgejo</a></p> <p>Notable improvements and bug fixes:</p> <ul> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/2717">Webhook refactor and addition of SourceHut builds</a> is a series of 7 pull requests, 6 of which have been merged.</li> <li>A number of localization improvements (<a href="https://codeberg.org/forgejo/forgejo/pulls/2828">1</a>, <a href="https://codeberg.org/forgejo/forgejo/pulls/2756">2</a>, <a href="https://codeberg.org/forgejo/forgejo/pulls/2644">3</a>, <a href="https://codeberg.org/forgejo/forgejo/pulls/2612">4</a>, <a href="https://codeberg.org/forgejo/forgejo/pulls/2610">5</a>, <a href="https://codeberg.org/forgejo/forgejo/pulls/2584">6</a>, <a href="https://codeberg.org/forgejo/forgejo/pulls/2492">7</a>, etc.)</li> <li>Tests <a href="https://codeberg.org/forgejo/forgejo/pulls/2657">now fail instead of just displaying error logs</a>. This should help catch missing translations and ensure that an error is logged only when an inconsistency is detected within Forgejo (which shouldn’t happen if the test is realistically setup).</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/2520">Recognize SSH signed tags in addition to OpenPGP</a>.</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/2482">Add S3 bucket lookup type</a> and <a href="https://codeberg.org/forgejo/docs/pulls/465">documentation</a>.</li> </ul> <p><a href="https://codeberg.org/forgejo/forgejo/pulls?q=&amp;type=all&amp;sort=&amp;state=closed&amp;labels=&amp;milestone=0&amp;project=0&amp;assignee=0&amp;poster=0">Read more</a> in the pull requests.</p> <h2>Backport automation</h2> <p>When pull requests are merged, a <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/.forgejo/workflows/backport.yml">workflow will automatically open a backport</a>. If the <code>backport/v1.21</code> label is found, it will <a href="https://codeberg.org/forgejo/forgejo/pulls/2827">target the Forgejo v1.21 branch</a>. If there are no conflicts and tests pass, it can be merged right away and save valuable time.</p> <p>As Forgejo 7.0 enters the release candidate stage of its life cycle a significant number of backports are expected during the first few weeks and such an automation will have even more of an impact.</p> <h2>Dependency Management</h2> <p>A <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/.forgejo/workflows/renovate.yml">dependency update detection</a> cron job has been setup to automatically <a href="https://codeberg.org/forgejo/forgejo/pulls?state=closed&amp;poster=165503">open pull request proposing updates</a> when new versions of Go or JavaScript packages, OCI images and more are available. It <a href="https://codeberg.org/forgejo/forgejo/pulls/2800">finds the release notes</a>, adds them to the pull request description and Forgejo contributors can then conveniently decide whether an upgrade is necessary. This recurring observations of Forgejo dependencies is <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/renovate.json">fine tuned by a configuration file</a> that, among other things, ensures there are at most five pull requests proposed at all times.</p> <p>The <a href="https://codeberg.org/forgejo/forgejo/pulls?q=gitea%20week&amp;state=closed">weekly cherry-pick of commits from Gitea</a> became a routine collectively managed by two Forgejo contributors. It is one of the improvements brought by the hard fork decision from last month. Rebasing was more involved and managed by a single person: an undesirable single point of failure. A <a href="https://codeberg.org/forgejo/tools">tool</a> was created to automate the most tedious and error prone tasks.</p> <h2>End to end tests</h2> <p>The <a href="https://code.forgejo.org/forgejo/end-to-end">end-to-end tests</a> were entirely refactored for unification and simplicity. They cover the following areas:</p> <ul> <li><a href="https://code.forgejo.org/forgejo/end-to-end/src/branch/main/actions">actions</a></li> <li><a href="https://code.forgejo.org/forgejo/end-to-end/src/branch/main/packages">packages</a></li> <li><a href="https://code.forgejo.org/forgejo/end-to-end/src/branch/main/upgrade">upgrades</a></li> <li><a href="https://code.forgejo.org/forgejo/end-to-end/src/branch/main/storage">storage</a></li> </ul> <p>They can now all be run by adding the <code>run-end-to-end-test</code> label to a pull request (see <a href="https://codeberg.org/forgejo/forgejo/pulls/2465">this example</a>). Before the refactor, only Forgejo Actions tests were run.</p> <h2>Localization</h2> <p>New languages that got active translators and have reached a usable level of completion <a href="https://codeberg.org/forgejo/forgejo/pulls/2724">were added</a> and are now visible to users: Bulgarian, Esperanto, Filipino and Slovenian.</p> <p>New contributors were onboarded (<a href="https://codeberg.org/forgejo/governance/pulls/98">1</a>, <a href="https://codeberg.org/forgejo/governance/pulls/108">2</a>) to the localization team.</p> <p>The English source strings saw a lot of activity for unification and rewording. There were no notable conflicts with Gitea translations. There was one conflict caused by merged pull request in Forgejo that locked translations for about half of a day. Although Weblate owns all translated files and they are not to be modified in pull requests, there are exceptions. When mass modification can be automated, this can be done by a pull request and to save valuable translators' time. But when it happens, care must be taken to avoid conflicts and <a href="https://forgejo.org/docs/v1.21/developer/localization-admin/#merging-a-pull-request-that-changes-translations">the required steps were documented</a>.</p> <p>The upside of this incident was to show that resolving such conflicts is as simple as reverting the faulty commit and opening a new pull request. It is not the most efficient way to go about it, but it is simple.</p> <h2>Federation</h2> <p>The pull request to implement <a href="https://codeberg.org/forgejo/forgejo/pulls/1680">federated stars</a> made progress. In the settings of a repository there is now a field allowing to define its federated repositories. Read <a href="https://domaindrivenarchitecture.org/posts/2024-03-27-state-of-federation/">more in the activity summary</a>.</p> <p>The <a href="https://codeberg.org/forgejo/forgejo/issues/59">federation implementation task list</a> was updated.</p> <h2>Helm chart</h2> <p>The Forgejo helm chart had <a href="https://codeberg.org/forgejo-contrib/forgejo-helm/releases">one major updates</a> because of a major bump of the postgresql dependencies.</p> <p>References:</p> <ul> <li><a href="https://codeberg.org/forgejo-contrib/forgejo-helm/releases">https://codeberg.org/forgejo-contrib/forgejo-helm/releases</a></li> </ul> <h2>Runner</h2> <p>The <a href="https://code.forgejo.org/forgejo/runner/src/branch/main/RELEASE-NOTES.md#3-4-0">Forgejo runner version 3.4.1</a> was published and supports for the artifacts@v4 protocol when used with the development version of Forgejo 7.0, as <a href="https://code.forgejo.org/forgejo/end-to-end/src/branch/main/actions/example-artifacts-v4/.forgejo/workflows/test.yml">demonstrated by the end-to-end tests</a>.</p> <p>With the caveat that a forked version of the matching <a href="https://code.forgejo.org/forgejo/download-artifact">download</a> and <a href="https://code.forgejo.org/forgejo/upload-artifact">upload</a> actions must be used because they both assume a GitHub environment. Chasing such features is high maintenance and casts a doubt on its long term viability. The Forgejo runner makes no promise of compatibility with GitHub and an alternative action with the same interface but implemented differently may be, for example, a more sustainable choice.</p> <p>References</p> <ul> <li><a href="https://code.forgejo.org/forgejo/runner">https://code.forgejo.org/forgejo/runner</a></li> <li><a href="https://code.forgejo.org/forgejo/act">https://code.forgejo.org/forgejo/act</a></li> </ul> <h2>Governance</h2> <h3>Sustainability</h3> <p>A <a href="https://codeberg.org/forgejo/discussions/issues/144">discussion started</a> in an attempt to find an answer and make Forgejo durable for the next 10 years.</p> <p>A <a href="https://codeberg.org/forgejo/sustainability/pulls/41">grant proposal</a> was drafted to support the development of Forgejo.</p> <p>An additional <a href="https://codeberg.org/forgejo/sustainability/pulls/42">Request for Payment was sent</a> to NLnet in the context of the <a href="https://codeberg.org/forgejo/sustainability/pulls?labels=123038">ongoing grant</a> and the funds will go to Codeberg.</p> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/0ko">https://codeberg.org/0ko</a></li> <li><a href="https://codeberg.org/6543">https://codeberg.org/6543</a></li> <li><a href="https://codeberg.org/abacabadabacaba">https://codeberg.org/abacabadabacaba</a></li> <li><a href="https://codeberg.org/airbreather">https://codeberg.org/airbreather</a></li> <li><a href="https://codeberg.org/algernon">https://codeberg.org/algernon</a></li> <li><a href="https://codeberg.org/Andre601">https://codeberg.org/Andre601</a></li> <li><a href="https://codeberg.org/antoyo">https://codeberg.org/antoyo</a></li> <li><a href="https://codeberg.org/aral">https://codeberg.org/aral</a></li> <li><a href="https://codeberg.org/axd99">https://codeberg.org/axd99</a></li> <li><a href="https://codeberg.org/banaanihillo">https://codeberg.org/banaanihillo</a></li> <li><a href="https://codeberg.org/captainepoch">https://codeberg.org/captainepoch</a></li> <li><a href="https://codeberg.org/con-f-use">https://codeberg.org/con-f-use</a></li> <li><a href="https://codeberg.org/crystal">https://codeberg.org/crystal</a></li> <li><a href="https://codeberg.org/dachary">https://codeberg.org/dachary</a></li> <li><a href="https://codeberg.org/dasasd122311">https://codeberg.org/dasasd122311</a></li> <li><a href="https://codeberg.org/dboerlage">https://codeberg.org/dboerlage</a></li> <li><a href="https://codeberg.org/defanor">https://codeberg.org/defanor</a></li> <li><a href="https://codeberg.org/denyskon">https://codeberg.org/denyskon</a></li> <li><a href="https://codeberg.org/Dirk">https://codeberg.org/Dirk</a></li> <li><a href="https://codeberg.org/doomedguppy">https://codeberg.org/doomedguppy</a></li> <li><a href="https://codeberg.org/Drakon">https://codeberg.org/Drakon</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/Edgarsons">https://codeberg.org/Edgarsons</a></li> <li><a href="https://codeberg.org/ell1e">https://codeberg.org/ell1e</a></li> <li><a href="https://codeberg.org/eo">https://codeberg.org/eo</a></li> <li><a href="https://codeberg.org/Eveeifyeve">https://codeberg.org/Eveeifyeve</a></li> <li><a href="https://codeberg.org/ezra">https://codeberg.org/ezra</a></li> <li><a href="https://codeberg.org/f00">https://codeberg.org/f00</a></li> <li><a href="https://codeberg.org/fauxmight">https://codeberg.org/fauxmight</a></li> <li><a href="https://codeberg.org/flipreverse">https://codeberg.org/flipreverse</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/foxy">https://codeberg.org/foxy</a></li> <li><a href="https://codeberg.org/GamePlayer-8">https://codeberg.org/GamePlayer-8</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/HarryK">https://codeberg.org/HarryK</a></li> <li><a href="https://codeberg.org/Haui">https://codeberg.org/Haui</a></li> <li><a href="https://codeberg.org/hazy">https://codeberg.org/hazy</a></li> <li><a href="https://codeberg.org/hexa">https://codeberg.org/hexa</a></li> <li><a href="https://codeberg.org/inference">https://codeberg.org/inference</a></li> <li><a href="https://codeberg.org/intelfx">https://codeberg.org/intelfx</a></li> <li><a href="https://codeberg.org/jadeprime">https://codeberg.org/jadeprime</a></li> <li><a href="https://codeberg.org/JakobDev">https://codeberg.org/JakobDev</a></li> <li><a href="https://codeberg.org/james2432">https://codeberg.org/james2432</a></li> <li><a href="https://codeberg.org/jean-daricade">https://codeberg.org/jean-daricade</a></li> <li><a href="https://codeberg.org/JeremyStarTM">https://codeberg.org/JeremyStarTM</a></li> <li><a href="https://codeberg.org/jerger">https://codeberg.org/jerger</a></li> <li><a href="https://codeberg.org/jilen">https://codeberg.org/jilen</a></li> <li><a href="https://codeberg.org/jmshrtn">https://codeberg.org/jmshrtn</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/kallisti5">https://codeberg.org/kallisti5</a></li> <li><a href="https://codeberg.org/kita">https://codeberg.org/kita</a></li> <li><a href="https://codeberg.org/lampajr">https://codeberg.org/lampajr</a></li> <li><a href="https://codeberg.org/Laxystem">https://codeberg.org/Laxystem</a></li> <li><a href="https://codeberg.org/lyssieth">https://codeberg.org/lyssieth</a></li> <li><a href="https://codeberg.org/Mai-Lapyst">https://codeberg.org/Mai-Lapyst</a></li> <li><a href="https://codeberg.org/maunzCache">https://codeberg.org/maunzCache</a></li> <li><a href="https://codeberg.org/mishra">https://codeberg.org/mishra</a></li> <li><a href="https://codeberg.org/mmarif">https://codeberg.org/mmarif</a></li> <li><a href="https://codeberg.org/MorsMortium">https://codeberg.org/MorsMortium</a></li> <li><a href="https://codeberg.org/msrd0">https://codeberg.org/msrd0</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/neox">https://codeberg.org/neox</a>_</li> <li><a href="https://codeberg.org/nis">https://codeberg.org/nis</a></li> <li><a href="https://codeberg.org/nmmr">https://codeberg.org/nmmr</a></li> <li><a href="https://codeberg.org/noth">https://codeberg.org/noth</a></li> <li><a href="https://codeberg.org/OdinVex">https://codeberg.org/OdinVex</a></li> <li><a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a></li> <li><a href="https://codeberg.org/payas">https://codeberg.org/payas</a></li> <li><a href="https://codeberg.org/Pi-Cla">https://codeberg.org/Pi-Cla</a></li> <li><a href="https://codeberg.org/popey">https://codeberg.org/popey</a></li> <li><a href="https://codeberg.org/pyfisch">https://codeberg.org/pyfisch</a></li> <li><a href="https://codeberg.org/RaptaG">https://codeberg.org/RaptaG</a></li> <li><a href="https://codeberg.org/realaravinth">https://codeberg.org/realaravinth</a></li> <li><a href="https://codeberg.org/rikh">https://codeberg.org/rikh</a></li> <li><a href="https://codeberg.org/sertonix">https://codeberg.org/sertonix</a></li> <li><a href="https://codeberg.org/SinTan1729">https://codeberg.org/SinTan1729</a></li> <li><a href="https://codeberg.org/skobkin">https://codeberg.org/skobkin</a></li> <li><a href="https://codeberg.org/snematoda">https://codeberg.org/snematoda</a></li> <li><a href="https://codeberg.org/SteffoSpieler">https://codeberg.org/SteffoSpieler</a></li> <li><a href="https://codeberg.org/tampler">https://codeberg.org/tampler</a></li> <li><a href="https://codeberg.org/Techwizz">https://codeberg.org/Techwizz</a></li> <li><a href="https://codeberg.org/tek256">https://codeberg.org/tek256</a></li> <li><a href="https://codeberg.org/tengkuizdihar">https://codeberg.org/tengkuizdihar</a></li> <li><a href="https://codeberg.org/thefinn93">https://codeberg.org/thefinn93</a></li> <li><a href="https://codeberg.org/thefox">https://codeberg.org/thefox</a></li> <li><a href="https://codeberg.org/thepaperpilot">https://codeberg.org/thepaperpilot</a></li> <li><a href="https://codeberg.org/timmwille">https://codeberg.org/timmwille</a></li> <li><a href="https://codeberg.org/tuxcoder">https://codeberg.org/tuxcoder</a></li> <li><a href="https://codeberg.org/twenty-panda">https://codeberg.org/twenty-panda</a></li> <li><a href="https://codeberg.org/uncomfyhalomacro">https://codeberg.org/uncomfyhalomacro</a></li> <li><a href="https://codeberg.org/VehementHam">https://codeberg.org/VehementHam</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/wangito33">https://codeberg.org/wangito33</a></li> <li><a href="https://codeberg.org/wetneb">https://codeberg.org/wetneb</a></li> <li><a href="https://codeberg.org/wolfogre">https://codeberg.org/wolfogre</a></li> <li><a href="https://codeberg.org/Wuzzy">https://codeberg.org/Wuzzy</a></li> <li><a href="https://codeberg.org/Xinayder">https://codeberg.org/Xinayder</a></li> <li><a href="https://codeberg.org/zareck">https://codeberg.org/zareck</a></li> <li><a href="https://codeberg.org/zbolo-wd">https://codeberg.org/zbolo-wd</a></li> <li><a href="https://codeberg.org/zotan">https://codeberg.org/zotan</a></li> <li><a href="https://translate.codeberg.org/user/acioustick">https://translate.codeberg.org/user/acioustick</a></li> <li><a href="https://translate.codeberg.org/user/be4zad">https://translate.codeberg.org/user/be4zad</a></li> <li><a href="https://translate.codeberg.org/user/cherryb">https://translate.codeberg.org/user/cherryb</a></li> <li><a href="https://translate.codeberg.org/user/EOWNERDEAD">https://translate.codeberg.org/user/EOWNERDEAD</a></li> <li><a href="https://translate.codeberg.org/user/EssGeeEich">https://translate.codeberg.org/user/EssGeeEich</a></li> <li><a href="https://translate.codeberg.org/user/Fjuro">https://translate.codeberg.org/user/Fjuro</a></li> <li><a href="https://translate.codeberg.org/user/flactwin">https://translate.codeberg.org/user/flactwin</a></li> <li><a href="https://translate.codeberg.org/user/jadedctrl">https://translate.codeberg.org/user/jadedctrl</a></li> <li><a href="https://translate.codeberg.org/user/ledyba">https://translate.codeberg.org/user/ledyba</a></li> <li><a href="https://translate.codeberg.org/user/MatseVH">https://translate.codeberg.org/user/MatseVH</a></li> <li><a href="https://translate.codeberg.org/user/maytha8">https://translate.codeberg.org/user/maytha8</a></li> <li><a href="https://translate.codeberg.org/user/mondstern">https://translate.codeberg.org/user/mondstern</a></li> <li><a href="https://translate.codeberg.org/user/mumulhl">https://translate.codeberg.org/user/mumulhl</a></li> <li><a href="https://translate.codeberg.org/user/ormai">https://translate.codeberg.org/user/ormai</a></li> <li><a href="https://translate.codeberg.org/user/salif">https://translate.codeberg.org/user/salif</a></li> <li><a href="https://translate.codeberg.org/user/TheAwiteb">https://translate.codeberg.org/user/TheAwiteb</a></li> <li><a href="https://translate.codeberg.org/user/WithLithum">https://translate.codeberg.org/user/WithLithum</a></li> <li><a href="https://translate.codeberg.org/user/yeziruo">https://translate.codeberg.org/user/yeziruo</a></li> <li><a href="https://translate.codeberg.org/user/zenobit">https://translate.codeberg.org/user/zenobit</a></li> <li><a href="https://translate.codeberg.org/user/Zughy">https://translate.codeberg.org/user/Zughy</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Impact of CVE-2024-3094 on Forgejo</title><link>https://forgejo.org/2024-03-xz/</link><guid isPermaLink="true">https://forgejo.org/2024-03-xz/</guid><description>No direct impact of the xz backdoor (CVE-2024-3094) on Forgejo. The infrastructure that powers Forgejo is not impacted by this vulnerability. Forgejo itself is also not affected, however if you run an OpenSSH server for Git over SSH you could be affected by this CVE.</description><pubDate>Sun, 31 Mar 2024 00:00:00 GMT</pubDate><content:encoded><p>On 29 March 2024 <a href="https://www.openwall.com/lists/oss-security/2024/03/29/4">the details were shared</a> of a backdoor in the <code>xz</code> source code. This backdoor, according <a href="https://www.openwall.com/lists/oss-security/2024/03/30/36">to the latest reports</a>, is capable of executing arbitrary code on affected machines which can lead to a full compromise of that machine.</p> <h2>Impact on Forgejo</h2> <p>Forgejo itself is not impacted by this backdoor, because it doesn't load the <code>liblzma</code> library that contained the backdoor, Forgejo does import the <a href="https://github.com/ulikunitz/xz">xz</a> library but this has no relation to the <code>liblzma</code> library. Forgejo allows to use Git over SSH feature in two different ways.</p> <h3>Builtin SSH server</h3> <p>The builtin SSH server is integrated into every Forgejo binary, it uses an <a href="https://github.com/gliderlabs/ssh">SSH server library</a> to provide an SSH server. It is written in Go and doesn't load the <code>liblzma</code> library, therefore it is not affected.</p> <p>Please read on if you're using Forgejo in a containerized environment such as Docker.</p> <h3>OpenSSH server</h3> <p>If you run an OpenSSH server that you installed independently of Forgejo, you could be affected by the backdoor. It depends on your distribution and configuration: the vulnerable <code>xz</code> versions (<code>5.6.0</code>, <code>5.6.1</code>) could be in the package store and may have been installed. If you discover that your machine had it installed at any time, you should refer to your distribution's support or security advisories for more accurate information and to better understand the impact of this CVE on your installation.</p> <p>If you deployed Forgejo using our official container images that also bundle an OpenSSH server, rest assured that these images <strong>never contained a vulnerable version</strong>. There is no need for action, because the images were based on Alpine Linux 3.19, which is not affected as per <a href="https://security.alpinelinux.org/vuln/CVE-2024-3094">https://security.alpinelinux.org/vuln/CVE-2024-3094</a>.</p> <h2>Impact on infrastructure</h2> <p>The infrastructure that powers Forgejo consists of:</p> <ul> <li>Forgejo's own hardware used to create and sign the releases.</li> <li>Codeberg that hosts Forgejo's source code and the releases.</li> </ul> <p>These machines all run Debian GNU/Linux Bookworm, a stable version of Debian. <a href="https://lists.debian.org/debian-security-announce/2024/msg00057.html">The security advisory</a> of Debian for this CVE clarified that no Debian stable versions were impacted by this backdoor. Additionally, the <a href="https://www.openwall.com/lists/oss-security/2024/03/29/4/3">public detection script</a> was run on the Forgejo machines and confirmed that the vulnerable <code>liblzma</code> library is not present on the machine.</p> </content:encoded></item><item><title>Forgejo monthly update - February 2024</title><link>https://forgejo.org/2024-02-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2024-02-monthly-update/</guid><description>Forgejo started as a soft fork of Gitea, in reaction to governance changes within the project. Over time, it developed its own identity, adopted both development and governance practices - to ensure the stability, quality, and openness of the project - that made it more challenging to remain a soft fork. The decision was made to become a hard fork, and for Forgejo to forge its own path going forward.</description><pubDate>Thu, 29 Feb 2024 00:00:00 GMT</pubDate><content:encoded><p>The monthly report is meant to provide a high level view of what happened in Forgejo in the past month. If you would like to help, please get in touch in <a href="https://matrix.to/#/#forgejo-chat:matrix.org">the chatroom</a> or participate in the <a href="https://codeberg.org/forgejo/discussions">ongoing discussions</a>.</p> <p>Since its <a href="../2022-12-15-hello-forgejo/">inception</a>, Forgejo has been a soft fork of Gitea. Over time, it developed its own identity, adopted both development and governance practices - to ensure the stability, quality, and openness of the project - that made it more challenging to remain a soft fork. The decision was made to become a hard fork, and for Forgejo to forge its own path going forward. Read more in the <a href="../2024-02-forking-forward/">blog post announcing the decision</a>.</p> <p>Forgejo reached <a href="https://codeberg.org/forgejo/forgejo/stars">1,000 stars on Codeberg</a> and it is heartwarming to see so much support. Each of these stars are more valuable than those loaned by proprietary forges: they really belong to Forgejo and come from developers who made an effort to register on Codeberg.</p> <h2>Implementation of the hard fork</h2> <p>The hard part was to make a decision, the implementation itself (as <a href="https://codeberg.org/forgejo/governance/issues/58">laid out in the decision</a>) is comparatively simpler and is now in place.</p> <ul> <li>Publish a blog post <a href="../2024-02-forking-forward/">explaining the decision</a>.</li> <li>Switch from rebasing weekly (see <a href="https://codeberg.org/forgejo/forgejo/issues/2293">this rebase example</a>) to cherry-picking weekly (see <a href="https://codeberg.org/forgejo/forgejo/pulls/2478">this cherry-pick example</a>).</li> <li>Update the <a href="https://forgejo.org/docs/v1.21/developer/workflow/">developer documentation</a> to update the parts that are no longer needed.</li> <li>Merge all feature branches and <a href="https://codeberg.org/forgejo/discussions/issues/123">delete the branches</a> that are no longer necessary.</li> <li>Develop tools and procedures are in the design phase and <a href="https://codeberg.org/forgejo/forgejo/pulls/2478">discussions mostly happen</a> whenever cherry-picking from Gitea.</li> </ul> <h2>Code</h2> <p><a href="https://codeberg.org/forgejo/forgejo">https://codeberg.org/forgejo/forgejo</a></p> <p>Notable improvements and bug fixes:</p> <ul> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1746">Add colorblind theme variants</a>.</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1594">Use <code>git grep</code></a> to search repositories <a href="https://forgejo.org/docs/v7.0/user/code-search/">when the repository indexer is not configured</a>.</li> <li>Improvement to the <a href="https://forgejo.org/docs/v7.0/user/agit-support/">Agit workflow</a> (PRs <a href="https://codeberg.org/forgejo/forgejo/pulls/2444">1</a>, <a href="https://codeberg.org/forgejo/forgejo/pulls/2386">2</a>, <a href="https://codeberg.org/forgejo/forgejo/pulls/2344">3</a>).</li> <li>Fix error when marking outdated code reviews as resolved (PR <a href="https://codeberg.org/forgejo/forgejo/pulls/2282">1</a>, <a href="https://codeberg.org/forgejo/forgejo/pulls/2306">2</a>).</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/2445">Allow instance-wide disabling of forking</a>.</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/2466">Improve display of 404/500 error pages</a>.</li> </ul> <p><a href="https://codeberg.org/forgejo/forgejo/pulls?q=&amp;type=all&amp;sort=&amp;state=closed&amp;labels=&amp;milestone=0&amp;project=0&amp;assignee=0&amp;poster=0">Read more</a> in the pull requests.</p> <h3>In flight pull requests</h3> <p>Most <a href="https://codeberg.org/forgejo/forgejo/pulls?state=closed">pull requests</a> are opened and closed within a week. But some of them take a longer time, either because they are more complex or because they are taken care of by volunteers who can only occasionally work on them in their free time. This is a list of those that were updated since the last monthly report. If they are of interest to you, reviewing the changes or providing solutions would be appreciated.</p> <ul> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/2223">Add initial layout support for right-to-left languages</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1680">Federated repository stars</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1445">Implement external release assets</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1518">Add optional pronoun field in user settings</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/2465">Implement remote user login source and promotion to regular user</a></li> </ul> <h3>Documentation</h3> <ul> <li>Updates cherry-picked from the <a href="https://docs.codeberg.org/">Codeberg</a> and <a href="https://docs.gitea.com/">Gitea</a> documentation.</li> <li>Newer <a href="https://forgejo.org/docs/v7.0/user/agit-support/">user guide on the AGit workflow</a>.</li> <li>New section in the developer guide for <a href="https://forgejo.org/docs/v7.0/developer/testing/">testing strategies and requirements</a>.</li> </ul> <h2>FOSDEM 2024</h2> <p>Codeberg's stand at FOSDEM was a success and it appears to have <a href="https://codeberg.org/forgejo/discussions/issues/115">also been a success for Forgejo</a>. There was a notable amount of people who were still looking for a self-hosted option and were curious to learn about Forgejo instead of GitLab or Gitea. The transparent stickers did not work out very well, because the colours do not cover enough, so the result was unreadable on dark background. Still, many people were interested in Forgejo stickers: several hundred of them were distributed. The NLnet stand had a <a href="https://nlnet.nl/project/Forgejo/">different Forgejo sticker</a> (hex variant) and probably used up their whole budget with distributing them. <a href="https://codeberg.org/forgejo/discussions/issues/115">Read more in the FOSDEM 2024 discussion</a>.</p> <h2>Discussions</h2> <p>A significant number of discussions revolved around the hard fork decision and most of them are linked from the <a href="https://codeberg.org/forgejo/governance/issues/58">governance tracker</a>. A few long term discussions are also worth mentioning and participation would be welcome.</p> <h3>Monitoring forge features and its impact on forge federation</h3> <p>GitLab and GitHub releases are being analysed to <a href="https://codeberg.org/forgejo/discussions/issues/120">figure out which features are added to each release</a>. These projects are driven by gigantic corporations and the rhythm at which features are added is intimidating. The idea is not for Forjego to compete on the same ground: this is a race that is already lost. However gaining and maintaining a good understanding of their features is key to the success of the implementation of federation in Forgejo.</p> <h3>Gathering user feedback on accessibility</h3> <p>User feedback is the most valuable resource for projects. Lowering the barrier for its collection helps to get much more insights, because there are a lot of problems where users don't bother opening an issue. <a href="https://codeberg.org/forgejo/discussions/issues/124">Read more</a>.</p> <h3>(Scope of) Moderation of Forgejo instances</h3> <p>A discussion <a href="https://codeberg.org/forgejo/discussions/issues/107">started a month ago about how to develop effective moderation mechanisms</a> within Forgejo while maintaining means of dynamically reacting to changing problems. It aims at collecting feedback. How much is in the scope for Forgejo? What kinds of moderation actions do Forgejo admins need to perform? This kind of user research is instrumental to understand existing best practices in order to figure out what problems needs to be resolved first.</p> <h2>Federation</h2> <p>The pull request to implement <a href="https://codeberg.org/forgejo/forgejo/pulls/1680">federated stars</a> made progress. Discussions happened on how a federated Person should be mapped to a local FederatedUser representation. Read <a href="https://codeberg.org/meissa/forgejo/src/branch/forgejo-federated-star/docs/unsure-where-to-put/blog.md">more in the activity summary</a>.</p> <p>The F3 Forgejo driver <a href="https://codeberg.org/forgejo/forgejo/pulls/2388">refactor is complete</a>: it is back where it was about six month ago. The representation of a remote user <a href="https://codeberg.org/forgejo/forgejo/pulls/2465">was split out of the driver</a> as it is generally useful for both data portability and federation.</p> <p>The <a href="https://codeberg.org/forgejo/forgejo/issues/59">federation implementation task list</a> was updated.</p> <h2>Localization</h2> <p>The Forgejo translations <a href="https://codeberg.org/forgejo/discussions/issues/104">have been liberated</a> and now <a href="https://translate.codeberg.org/">rely on a Free Software service</a>. A localization team was bootstraped and their work can already be seen in the <a href="https://next.forgejo.org">experimental Forgejo instance</a>. Translations for a few new languages began and will show when they are added to the Forgejo codebase. If you are fluent in another language and would like to help, please <a href="https://forgejo.org/docs/v1.21/developer/localization/#joining-the-localization-team">apply</a> or join the <a href="https://matrix.to/#/#forgejo-localization:matrix.org">localization chatroom</a> to figure out what it entails.</p> <p>References:</p> <ul> <li><a href="https://forgejo.org/docs/next/developer/localization/">https://forgejo.org/docs/next/developer/localization/</a></li> </ul> <h2>Helm chart</h2> <p>The Forgejo helm chart had <a href="https://codeberg.org/forgejo-contrib/forgejo-helm/releases">three major updates</a>. Two because of major bumps of the postgresql dependencies and one because of merging upstream changes from Gitea chart.</p> <p>References:</p> <ul> <li><a href="https://codeberg.org/forgejo-contrib/forgejo-helm/releases">https://codeberg.org/forgejo-contrib/forgejo-helm/releases</a></li> </ul> <h2>Alpine Package Registry</h2> <p>The <a href="https://forgejo.org/docs/v1.21/user/packages/alpine/">Alpine Package Registry</a> now properly supports <code>noarch</code> package files, maintaining compatibility with the official Alpine Linux package repositories.</p> <p>The logic for uploading a package to the Alpine Registry stored architecture independent packages (<code>noarch</code>) in their own architecture repository, instead of being available to all architectures available in the repository. Because of this, the Alpine Package Keeper wasn't able to locate the packages in the repository.</p> <p>The architecture independent packages are now copied to all available architectures in the repository, and a fallback to <code>x86_64</code> is used if the repository is brand new and doesn't contain any packages.</p> <h2>Releases</h2> <p>There has been <a href="https://forgejo.org/releases/">one security release</a> in February 2024. Forgejo admins are encouraged to <a href="https://codeberg.org/forgejo/security-announcements">subscribe to security announcement</a> so they can better plan their upgrades.</p> <p>Test release were once published manually on a weekly basis and used to upgrade <a href="https://next.forgejo.org">https://next.forgejo.org</a> upgraded. This <a href="https://codeberg.org/forgejo/discussions/issues/116">process was automated</a> and <a href="https://forgejo.org/docs/v7.0/developer/release/#experimental-releases">documented</a> to happen daily. It runs the <a href="https://code.forgejo.org/forgejo/end-to-end">end to end</a> test suite before being upgraded which helps detect regressions early.</p> <p>References</p> <ul> <li><a href="https://code.forgejo.org/forgejo/forgejo">https://code.forgejo.org/forgejo/forgejo</a></li> <li><a href="https://code.forgejo.org/forgejo/end-to-end">https://code.forgejo.org/forgejo/end-to-end</a></li> <li><a href="https://forgejo.org/releases/">https://forgejo.org/releases/</a></li> <li><a href="https://codeberg.org/forgejo/security-announcements">https://codeberg.org/forgejo/security-announcements</a></li> </ul> <h2>Governance</h2> <h3>Sustainability</h3> <p><a href="https://prototypefund.de">https://prototypefund.de</a> is open to proposal in 2024 and there <a href="https://codeberg.org/forgejo/sustainability/issues/38">were discussions</a> about applications around Forgejo and federation.</p> <h3>Moderation</h3> <p>A <a href="https://codeberg.org/forgejo/governance/src/branch/main/MODERATION-PROCESS.md">moderation action</a> was carried out to put an end to an <a href="https://codeberg.org/forgejo/governance/issues/91">ad-hominem attack</a>. A few days later it turned out the person responsible was someone banned from Forgejo space in 2023. The ban was enforced and extended to help prevent future misbehavior.</p> <p>References:</p> <ul> <li><a href="https://codeberg.org/forgejo/governance">https://codeberg.org/forgejo/governance</a></li> </ul> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/0ko">https://codeberg.org/0ko</a></li> <li><a href="https://codeberg.org/6543">https://codeberg.org/6543</a></li> <li><a href="https://codeberg.org/AdamGreenberg">https://codeberg.org/AdamGreenberg</a></li> <li><a href="https://codeberg.org/adrinux">https://codeberg.org/adrinux</a></li> <li><a href="https://codeberg.org/algernon">https://codeberg.org/algernon</a></li> <li><a href="https://codeberg.org/andar1an">https://codeberg.org/andar1an</a></li> <li><a href="https://codeberg.org/Andre601">https://codeberg.org/Andre601</a></li> <li><a href="https://codeberg.org/argrat">https://codeberg.org/argrat</a></li> <li><a href="https://codeberg.org/axd99">https://codeberg.org/axd99</a></li> <li><a href="https://codeberg.org/bramh">https://codeberg.org/bramh</a></li> <li><a href="https://codeberg.org/CactiChameleon9">https://codeberg.org/CactiChameleon9</a></li> <li><a href="https://codeberg.org/caesar">https://codeberg.org/caesar</a></li> <li><a href="https://codeberg.org/CodeDoctor">https://codeberg.org/CodeDoctor</a></li> <li><a href="https://codeberg.org/crystal">https://codeberg.org/crystal</a></li> <li><a href="https://codeberg.org/Cyborus">https://codeberg.org/Cyborus</a></li> <li><a href="https://codeberg.org/dachary">https://codeberg.org/dachary</a></li> <li><a href="https://codeberg.org/denyskon">https://codeberg.org/denyskon</a></li> <li><a href="https://codeberg.org/domske">https://codeberg.org/domske</a></li> <li><a href="https://codeberg.org/douglasparker">https://codeberg.org/douglasparker</a></li> <li><a href="https://codeberg.org/DraconicNEO">https://codeberg.org/DraconicNEO</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/eNBeWe">https://codeberg.org/eNBeWe</a></li> <li><a href="https://codeberg.org/fkooman">https://codeberg.org/fkooman</a></li> <li><a href="https://codeberg.org/flvffywvffy">https://codeberg.org/flvffywvffy</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/fractalf">https://codeberg.org/fractalf</a></li> <li><a href="https://codeberg.org/goddess">https://codeberg.org/goddess</a></li> <li><a href="https://codeberg.org/GottemHams">https://codeberg.org/GottemHams</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/gwymor">https://codeberg.org/gwymor</a></li> <li><a href="https://codeberg.org/halibut">https://codeberg.org/halibut</a></li> <li><a href="https://codeberg.org/hazy">https://codeberg.org/hazy</a></li> <li><a href="https://codeberg.org/hexaheximal">https://codeberg.org/hexaheximal</a></li> <li><a href="https://codeberg.org/i9e1">https://codeberg.org/i9e1</a></li> <li><a href="https://codeberg.org/inference">https://codeberg.org/inference</a></li> <li><a href="https://codeberg.org/ivanhercaz">https://codeberg.org/ivanhercaz</a></li> <li><a href="https://codeberg.org/JakobDev">https://codeberg.org/JakobDev</a></li> <li><a href="https://codeberg.org/jerger">https://codeberg.org/jerger</a></li> <li><a href="https://codeberg.org/jilen">https://codeberg.org/jilen</a></li> <li><a href="https://codeberg.org/jthvai">https://codeberg.org/jthvai</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/Kladky">https://codeberg.org/Kladky</a></li> <li><a href="https://codeberg.org/KN4CK3R">https://codeberg.org/KN4CK3R</a></li> <li><a href="https://codeberg.org/KOLANICH">https://codeberg.org/KOLANICH</a></li> <li><a href="https://codeberg.org/krumelmonster">https://codeberg.org/krumelmonster</a></li> <li><a href="https://codeberg.org/lanodan">https://codeberg.org/lanodan</a></li> <li><a href="https://codeberg.org/ledyba">https://codeberg.org/ledyba</a></li> <li><a href="https://codeberg.org/lhinderberger">https://codeberg.org/lhinderberger</a></li> <li><a href="https://codeberg.org/lime360">https://codeberg.org/lime360</a></li> <li><a href="https://codeberg.org/maltejur">https://codeberg.org/maltejur</a></li> <li><a href="https://codeberg.org/mathilde">https://codeberg.org/mathilde</a></li> <li><a href="https://codeberg.org/mbateman">https://codeberg.org/mbateman</a></li> <li><a href="https://codeberg.org/mjtimblin">https://codeberg.org/mjtimblin</a></li> <li><a href="https://codeberg.org/mokazemi">https://codeberg.org/mokazemi</a></li> <li><a href="https://codeberg.org/moralpanic">https://codeberg.org/moralpanic</a></li> <li><a href="https://codeberg.org/msrd0">https://codeberg.org/msrd0</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/neuhalje">https://codeberg.org/neuhalje</a></li> <li><a href="https://codeberg.org/nykula">https://codeberg.org/nykula</a></li> <li><a href="https://codeberg.org/oatbiscuits">https://codeberg.org/oatbiscuits</a></li> <li><a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a></li> <li><a href="https://codeberg.org/PatchMixolydic">https://codeberg.org/PatchMixolydic</a></li> <li><a href="https://codeberg.org/PierreLannoy">https://codeberg.org/PierreLannoy</a></li> <li><a href="https://codeberg.org/puzzle-it-nu">https://codeberg.org/puzzle-it-nu</a></li> <li><a href="https://codeberg.org/qwerty287">https://codeberg.org/qwerty287</a></li> <li><a href="https://codeberg.org/realaravinth">https://codeberg.org/realaravinth</a></li> <li><a href="https://codeberg.org/rpoovey">https://codeberg.org/rpoovey</a></li> <li><a href="https://codeberg.org/salif">https://codeberg.org/salif</a></li> <li><a href="https://codeberg.org/Salt">https://codeberg.org/Salt</a></li> <li><a href="https://codeberg.org/santalet">https://codeberg.org/santalet</a></li> <li><a href="https://codeberg.org/seodisparate">https://codeberg.org/seodisparate</a></li> <li><a href="https://codeberg.org/silverwind">https://codeberg.org/silverwind</a></li> <li><a href="https://codeberg.org/sininenkissa">https://codeberg.org/sininenkissa</a></li> <li><a href="https://codeberg.org/skobkin">https://codeberg.org/skobkin</a></li> <li><a href="https://codeberg.org/slatian">https://codeberg.org/slatian</a></li> <li><a href="https://codeberg.org/snematoda">https://codeberg.org/snematoda</a></li> <li><a href="https://codeberg.org/thatonecoder">https://codeberg.org/thatonecoder</a></li> <li><a href="https://codeberg.org/thefinn93">https://codeberg.org/thefinn93</a></li> <li><a href="https://codeberg.org/tuxcoder">https://codeberg.org/tuxcoder</a></li> <li><a href="https://codeberg.org/VadZ">https://codeberg.org/VadZ</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/voltagex">https://codeberg.org/voltagex</a></li> <li><a href="https://codeberg.org/wangito33">https://codeberg.org/wangito33</a></li> <li><a href="https://codeberg.org/Werenter">https://codeberg.org/Werenter</a></li> <li><a href="https://codeberg.org/wondercollective">https://codeberg.org/wondercollective</a></li> <li><a href="https://codeberg.org/Wuzzy">https://codeberg.org/Wuzzy</a></li> <li><a href="https://codeberg.org/Xinayder">https://codeberg.org/Xinayder</a></li> <li><a href="https://codeberg.org/zareck">https://codeberg.org/zareck</a></li> <li><a href="https://codeberg.org/Zip">https://codeberg.org/Zip</a></li> <li><a href="https://translate.codeberg.org/user/Application-Maker">https://translate.codeberg.org/user/Application-Maker</a></li> <li><a href="https://translate.codeberg.org/user/b1nar10">https://translate.codeberg.org/user/b1nar10</a></li> <li><a href="https://translate.codeberg.org/user/bart">https://translate.codeberg.org/user/bart</a></li> <li><a href="https://translate.codeberg.org/user/bizdelnick">https://translate.codeberg.org/user/bizdelnick</a></li> <li><a href="https://translate.codeberg.org/user/Dirk">https://translate.codeberg.org/user/Dirk</a></li> <li><a href="https://translate.codeberg.org/user/dobrvlskyi">https://translate.codeberg.org/user/dobrvlskyi</a></li> <li><a href="https://translate.codeberg.org/user/esensar">https://translate.codeberg.org/user/esensar</a></li> <li><a href="https://translate.codeberg.org/user/ika">https://translate.codeberg.org/user/ika</a></li> <li><a href="https://translate.codeberg.org/user/jadedctrl">https://translate.codeberg.org/user/jadedctrl</a></li> <li><a href="https://translate.codeberg.org/user/kikocorreoso">https://translate.codeberg.org/user/kikocorreoso</a></li> <li><a href="https://translate.codeberg.org/user/meskobalazs">https://translate.codeberg.org/user/meskobalazs</a></li> <li><a href="https://translate.codeberg.org/user/micash">https://translate.codeberg.org/user/micash</a></li> <li><a href="https://translate.codeberg.org/user/mondstern">https://translate.codeberg.org/user/mondstern</a></li> <li><a href="https://translate.codeberg.org/user/Mormegil">https://translate.codeberg.org/user/Mormegil</a></li> <li><a href="https://translate.codeberg.org/user/nebras">https://translate.codeberg.org/user/nebras</a></li> <li><a href="https://translate.codeberg.org/user/nightm4re">https://translate.codeberg.org/user/nightm4re</a></li> <li><a href="https://translate.codeberg.org/user/noureddin">https://translate.codeberg.org/user/noureddin</a></li> <li><a href="https://translate.codeberg.org/user/rmorettibr">https://translate.codeberg.org/user/rmorettibr</a></li> <li><a href="https://translate.codeberg.org/user/rohandebsarkar">https://translate.codeberg.org/user/rohandebsarkar</a></li> <li><a href="https://translate.codeberg.org/user/sinsky">https://translate.codeberg.org/user/sinsky</a></li> <li><a href="https://translate.codeberg.org/user/Squel">https://translate.codeberg.org/user/Squel</a></li> <li><a href="https://translate.codeberg.org/user/tranzystorekk">https://translate.codeberg.org/user/tranzystorekk</a></li> <li><a href="https://translate.codeberg.org/user/xtex">https://translate.codeberg.org/user/xtex</a></li> <li><a href="https://translate.codeberg.org/user/yeziruo">https://translate.codeberg.org/user/yeziruo</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Forgejo Security Release 1.21.6-0</title><link>https://forgejo.org/2024-02-release-v1-21-6-0/</link><guid isPermaLink="true">https://forgejo.org/2024-02-release-v1-21-6-0/</guid><description>The Forgejo v1.21.6-0 release contains a security fix for Cross-site scripting (XSS) vulnerabilities. It enabled attackers to inject client-side scripts into web pages displayed to Forgejo visitors.</description><pubDate>Thu, 22 Feb 2024 00:00:00 GMT</pubDate><content:encoded><p><a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.21.6-0">Forgejo v1.21.6-0</a> was released 22 February 2024.</p> <p>This release contains <em>a security fix</em> related to <a href="https://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting (XSS)</a> vulnerabilities that can be exploited by registered Forgejo users.</p> <h3>Recommended Action</h3> <p>We <em>strongly recommend</em> that all Forgejo installations are upgraded to the latest version as soon as possible.</p> <h3>Cross-site scripting (XSS) vulnerability</h3> <p>The <a href="https://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting (XSS)</a> vulnerabilities can be exploited by a registered Forgejo user.</p> <p>In some situations where a repository or user name contains HTML scripts, those values are not always properly escaped, thus leading to an XSS attack. For instance when:</p> <ul> <li><a href="https://docs.codeberg.org/advanced/migrating-repos/">Migrating a repository</a></li> <li><a href="https://forgejo.org/docs/v1.21/user/wiki/">Publishing content in the wiki</a></li> <li><a href="https://forgejo.org/docs/v1.21/user/push-to-create/">Creating a repository on first push</a></li> </ul> <p>It allows the attacker to inject a <a href="https://en.wikipedia.org/wiki/Client-side_script">client-side script</a> targetting visitors browsing a repository being migrated, the repository settings or the wiki. Note that the repository settings are only visible to repository admins.</p> <h3>Responsible disclosure to Gitea</h3> <p>On 22 January 2024, the Forgejo security team identified multiple Cross-site scripting (XSS) vulnerabilities could be exploited by registered Forgejo users, and the Gitea security team was notified. A 30-day embargo was requested, after which a patch to the v1.21 point release could be published.</p> <p>On 14 February 2024, Gitea <a href="https://github.com/go-gitea/gitea/pull/29165">published a pull request</a> that fixes the vulnerability, before the end of the requested embargo. It is embedded in a large refactor and not labeled to be security related but to a trained eye, this does catch attention.</p> <p>On 17 February 2024, the Gitea security team privately sent a patch that fixes an additional XSS vulnerability.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo, we'd love to hear from you! Open an issue on <a href="https://codeberg.org/forgejo/forgejo/issues">our issue tracker</a> for feature requests or bug reports. You can also find us <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop by <a href="https://matrix.to/#/#forgejo:matrix.org">our Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) to say hi!</p> </content:encoded></item><item><title>Forgejo forks its own path forward</title><link>https://forgejo.org/2024-02-forking-forward/</link><guid isPermaLink="true">https://forgejo.org/2024-02-forking-forward/</guid><description>Forgejo started as a soft fork of Gitea, in reaction to governance changes within the project. Over time, it developed its own identity, adopted both development and governance practices - to ensure the stability, quality, and openness of the project - that made it more challenging to remain a soft fork. In early 2024, a decision was made to become a hard fork, and for Forgejo to forge its own path going forward. This post explains the consequences this decision will have.</description><pubDate>Thu, 15 Feb 2024 00:00:00 GMT</pubDate><content:encoded><p>Since its <a href="../2022-12-15-hello-forgejo/">inception</a>, Forgejo (a self-hosted git forge, like GitHub) has been a soft fork of Gitea. Upgrading to it was - and for the time being, remains to be - as simple as <a href="../download/">changing the URL from which the release is downloaded</a>. Over time, the way Forgejo is governed and developed evolved. To be able to provide stable, secure, reliable releases, Forgejo requires a <a href="https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md">reasonable effort made at writing tests</a> for each change that goes into the code. This has worked out remarkably well, as it caught both regressions in imported code, and mistakes in proposed changes. Furthermore, Forgejo has accepted features and other changes that are not available in Gitea, and has <a href="#the-hard-forking-process">diverged</a> in other ways already.</p> <p>Today, Forgejo has a healthy number of people contributing to its main mission:</p> <blockquote> <ol> <li>The community is in control, and ensures we develop to address community needs.</li> <li>We will help liberate software development from the shackles of proprietary tools.</li> </ol> </blockquote> <p>To continue living by that statement, a <a href="https://codeberg.org/forgejo/governance/issues/58">decision was made</a> in early 2024 to become a hard fork. By doing so, Forgejo is no longer bound to Gitea, and can forge its own path going forward, allowing maintainers and contributors to reduce tech debt at a much higher pace, and implement changes - whether they're new features or bug fixes - that would otherwise have a high risk of conflicting with changes made in Gitea. Simply put, the governance and development models of Gitea and Forgejo diverged over time, and so did their goals. Becoming a hard fork is the culmination of that divergence.</p> <h2>The hard forking process</h2> <p>Forgejo has been, since its inception late 2022, a soft fork of Gitea which means it contains all of Gitea, both good and bad, with Forgejo having little control over what it is built on. However, some parts of Gitea were already "hard-forked" before:</p> <ul> <li>Forgejo used <a href="https://woodpecker-ci.org/">Woodpecker</a> first, then <a href="../docs/v1.21/user/actions/">Forgejo Actions</a> as its continuous integration system.<ul> <li>In addition, the <a href="https://code.forgejo.org/forgejo/runner">forgejo-runner</a> is also a hard fork.</li> </ul> </li> <li>Documentation has been <a href="https://codeberg.org/forgejo/docs">maintained independently</a> for a good while now.</li> <li>Stable releases are a <a href="../docs/latest/developer/workflow/#stable-branches">hard fork</a> since <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-20-1-0">v1.20</a>.</li> <li>More recently, <a href="../docs/v1.21/developer/localization/">localization</a> has been moved from Crowdin to Weblate.</li> </ul> <p>Most of these steps were taken to liberate parts of the code base from proprietary solutions, to manage them with free software instead, and in the same process, make it simpler to manage Forgejo-specific changes. All while keeping the impact on the software itself minimal.</p> <h2>Consequences of becoming a hard fork</h2> <p>As of Forgejo v1.21, Forgejo contains all of Gitea, and that has the benefit of allowing Forgejo to be a drop-in replacement. With the decision to become a hard fork, this will no longer be guaranteed. It will remain possible to upgrade from the latest <a href="https://github.com/go-gitea/gitea/releases/tag/v1.21.5">Gitea version released</a> at the time of the hard fork, but versions past that will not have such a guarantee.</p> <p>As such, if you were considering upgrading to Forgejo, we encourage you to do that sooner rather than later, because as the projects naturally diverge further, doing so will become ever harder. It will not happen overnight, it may not even happen soon, but eventually, Forgejo will stop being a drop-in replacement.</p> <p>The Forgejo API will strive to remain compatible with the Gitea API going forward, after the hard fork. Existing APIs at the time of the fork are public, and changing them is a breaking change, which has to be evaluated very carefully, and not done lightly. Future APIs should similarly be evaluated, and Forgejo will try to remain compatible with Gitea. However, Forgejo contributors shall also use their own judgement whether to implement an API or not, and how - with the previous goals in mind.</p> </content:encoded></item><item><title>Forgejo monthly update - January 2024</title><link>https://forgejo.org/2024-01-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2024-01-monthly-update/</guid><description>Forgejo may become a hard fork of Gitea; user research is on the way to figure out the scope of moderation in Forgejo instances; a new requirement for tests was added to the development workflow; the "You pushed on branch" user experience was improved; the migration of translations to Weblate began.</description><pubDate>Sun, 28 Jan 2024 00:00:00 GMT</pubDate><content:encoded><ul> <li>An <a href="https://codeberg.org/forgejo/governance/issues/58">agreement is discussed</a> to make Forgejo a hard fork of Gitea.</li> <li>User research is on the way regarding the <a href="https://codeberg.org/forgejo/discussions/issues/107">(Scope of) moderation of Forgejo instances</a>.</li> <li>A new <a href="https://codeberg.org/forgejo/governance/pulls/51">requirement to the development workflow</a> was added to contain the technical debt.</li> <li>The <a href="https://codeberg.org/forgejo/discussions/issues/104">migration of Forgejo translations</a> to <a href="https://translate.codeberg.org">the Codeberg instance of Weblate</a> is on the way.</li> </ul> <p>The monthly report is meant to provide a high level view of what happened in Forgejo in the past month. If you would like to help, please get in touch in <a href="https://matrix.to/#/!JpOtsqTARyyfkoizCU:matrix.org">the chatroom</a> or participate in the <a href="https://codeberg.org/forgejo/discussions">ongoing discussions</a>.</p> <h2>Forgejo</h2> <p><a href="https://codeberg.org/forgejo/forgejo">https://codeberg.org/forgejo/forgejo</a></p> <p>Notable improvements and bug fixes:</p> <ul> <li>Repository administrators can <a href="https://forgejo.org/docs/v7.0/user/wiki/#activation-and-permissions">allow anyone to edit the wiki</a> in the repository Settings. (<a href="https://codeberg.org/forgejo/forgejo/pulls/2001">#2001</a>)</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/2222">nuget api support serving package manifest</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/2216">Fix false positive in database migration</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/2140">Log SQL queries when the database return error</a></li> <li>Instance administrators can enable <a href="https://forgejo.org/docs/v7.0/user/readme-badges/">repository badges</a> in the <a href="https://forgejo.org/docs/v7.0/admin/config-cheat-sheet/#badges-badges">configuration file</a>. This feature depends on a shield generator service such as shields.io, and is disabled by default. (<a href="https://codeberg.org/forgejo/forgejo/pulls/2070">#2070</a>)</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1900">Allow viewing the latest Action on the web</a>: a tiny little convenience route that allows linking to the latest action of a repository. Useful for READMEs and CI badges.</li> <li>Forgejo now recognizes more <a href="https://forgejo.org/docs/v7.0/user/language-detection/">linguist attributes</a>, making it possible to include documentation in the repository language statistics, for example. (<a href="https://codeberg.org/forgejo/forgejo/pulls/2088">#2088</a>)</li> <li>Users who signed up, but have not activated their accounts yet, are now able to <a href="https://codeberg.org/forgejo/forgejo/pulls/1891">change their email before activation</a>. (<a href="https://codeberg.org/forgejo/forgejo/pulls/1891">#1891</a>)</li> <li>The "You pushed on branch ...." banner user experience was improved (<a href="https://codeberg.org/forgejo/forgejo/pulls/2141">#2141</a>, <a href="https://codeberg.org/forgejo/forgejo/pulls/2195">#2195</a>, <a href="https://codeberg.org/forgejo/forgejo/pulls/2196">#2196</a>)</li> </ul> <p><a href="https://codeberg.org/forgejo/forgejo/pulls?q=&amp;type=all&amp;sort=&amp;state=closed&amp;labels=&amp;milestone=0&amp;project=0&amp;assignee=0&amp;poster=0">Read more</a> in the pull requests.</p> <h3>In flight pull requests</h3> <p>Most <a href="https://codeberg.org/forgejo/forgejo/pulls?state=closed">pull requests</a> are opened and closed within a week. But some of them take a longer time, either because they are more complex or because they are taken care of by volunteers who can only occasionally work on them in their free time. This is a list of those that were updated since the last monthly report. If they are of interest to you, reviewing the changes or providing solutions would be appreciated.</p> <ul> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/2223">Add initial layout support for right-to-left languages</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/2231">Refactor webhook logic in preparation for custom webhook</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1680">Federated repository stars</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1746">Add colorblind theme variants</a></li> </ul> <h3>Documentation</h3> <ul> <li>New section on <a href="https://codeberg.org/forgejo/docs/pulls/371">how repo language detection works</a></li> <li>New section on <a href="https://codeberg.org/forgejo/docs/pulls/358">globally editable wikis</a></li> <li>New setting <a href="https://codeberg.org/forgejo/docs/pulls/357/files">[repository].DOWNLOAD_OR_CLONE_METHODS</a></li> <li>new section on <a href="https://codeberg.org/forgejo/docs/pulls/356">README badges feature</a></li> <li>The <a href="https://forgejo.org/docs/v1.21/user/actions">Forgejo Actions</a> reference guide was significantly improved. The <a href="https://code.forgejo.org/forgejo/end-to-end/src/branch/main/actions">Forgejo Actions tests</a> were refactored to capture the event payloads. For instance when a workflow is triggered from pushing a commit, the event will contain information about the repository, the SHA etc. The captured events are <strong>automatically used to <a href="https://code.forgejo.org/forgejo/end-to-end/src/branch/main/.forgejo/workflows/actions.yml#L65-L82">update the documentation</a></strong>. The <code>event</code> <a href="https://forgejo.org/docs/v1.21/user/actions/#githubevent">section of the Forgejo Actions documentation</a> links to these examples and help figure out which fields are available depending on the type of event.</li> </ul> <h2>(Scope of) Moderation of Forgejo instances</h2> <p>A discussion <a href="https://codeberg.org/forgejo/discussions/issues/107">started about how to develop effective moderation mechanisms</a> within Forgejo while maintaining means of dynamically reacting to changing problems. It aims at collecting feedback. How much is in the scope for Forgejo? What kinds of moderation actions do Forgejo admins need to perform? This kind of user research is instrumental to understand existing best practices in order to figure out what problems needs to be resolved first.</p> <h2>Reducing the technical debt</h2> <p>A discussion on <a href="https://codeberg.org/forgejo/discussions/issues/93">defining expectations regarding tests in the development workflow</a> was <a href="https://codeberg.org/forgejo/governance/pulls/51">concluded</a> with a new requirement <a href="https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md">in the development workflow</a> by which:</p> <blockquote> <ol> <li>A reasonable effort has been made to test the change.</li> </ol> </blockquote> <p>When developers do not perform tests (either automated or manual) end users experience bugs and regressions that <a href="https://codeberg.org/forgejo/discussions/issues/103">are much more time consuming</a> to diagnose and resolve.</p> <p>Ideally Forgejo would have a hard commitment to only merge changes that are covered by automated tests. But there are many areas where the test infrastructure itself is still lacking (the web UI for instance) and <a href="https://codeberg.org/forgejo/discussions/issues/100">manual tests are to be documented</a> instead.</p> <p>A <a href="https://codeberg.org/Cyborus/forgejo-api">draft implementation of a Rust based Forgejo SDK</a> started using the <a href="https://code.forgejo.org/swagger.v1.json">Swagger file</a> to generate code instead of manually implementing each API endpoint. Because the Forgejo Swagger file is currently manually maintained and only has a handful of recently added <a href="https://codeberg.org/forgejo-contrib/forgejo-manual-testing/issues">manual tests</a> verifying it actually reflects the implementation, the author discovered inconsistencies that were fixed (see <a href="https://codeberg.org/forgejo/forgejo/pulls/2182">this PR for instance</a>). When complete this SDK could be integrated in the Forgejo testsuite to verify the Swagger specification consistency and guard against regressions.</p> <h2>Federation</h2> <p>The pull request to implement <a href="https://codeberg.org/forgejo/forgejo/pulls/1680">federated stars</a> made progress, replay attacks were analyzed and mitigated in k8s. Read <a href="https://codeberg.org/meissa/forgejo/src/branch/forgejo-federated-star/docs/unsure-where-to-put/blog.md#2024-01-federated-staring-with-like-activity">more in the activity summary</a>.</p> <p>The F3 reference implementation <a href="https://lab.forgefriends.org/friendlyforgeformat/gof3">was refactored</a> and the old codebase <a href="https://lab.forgefriends.org/friendlyforgeformat/gof3/-/tree/2023-main">archived</a>. Read more in the <a href="https://forum.forgefriends.org/t/f3-monthly-update-january-2024/1007">January 2024</a> report. The F3 Forgejo driver <a href="https://codeberg.org/forgejo/discussions/issues/105">refactor started</a>.</p> <p>The <a href="https://codeberg.org/forgejo/forgejo/issues/59">federation implementation task list</a> was updated.</p> <h2>Localization</h2> <p>The Forgejo translations are depending on Gitea translations which are trapped in a proprietary service. A strategy was put in place to workaround the problem in 2022 and it worked fine until now, the overhead and problems were close to non-existent. Back then nobody knew Forgejo and establishing a brand new translation team would have been difficult but things are different now. There are significantly more people aware of what Forgejo is and willing to help.</p> <p>Plans <a href="https://codeberg.org/forgejo/discussions/issues/104">were made</a> to bootstrap a translation team on <a href="https://translate.codeberg.org/">Codeberg's Weblate instance</a> and the implementation is well under way, with an initial localization team covering Arabic, Dutch, French, Russian, Hungarian, Greek and German. If you are fluent in another language and would like to help, please <a href="https://forgejo.org/docs/v1.21/developer/localization/#joining-the-localization-team">apply</a> or join the <a href="https://matrix.to/#/#forgejo-localization:matrix.org">localization chatroom</a> to figure out what it entails.</p> <h2>Releases</h2> <p>There has been <a href="https://forgejo.org/releases/">one minor security release</a> in January 2024. Forgejo admins are encouraged to <a href="https://codeberg.org/forgejo/security-announcements">subscribe to security announcement</a> so they can better plan their upgrades.</p> <p>Codeberg <a href="https://blog.codeberg.org/letter-from-codeberg-looking-into-the-new-year.html">suffered a DDoS attack</a> that brought it down during more than 24h. Forgejo's own infrastructure was not impacted because it is hosted elsewhere and could have been used as an alternative to download releases. Only it did not have a mirror of the Forgejo releases. A <a href="https://codeberg.org/forgejo/discussions/issues/98">daily scheduled action</a> was created and the releases are now also available at <a href="https://code.forgejo.org/forgejo/forgejo/">https://code.forgejo.org/forgejo/forgejo/</a>.</p> <p>References</p> <ul> <li><a href="https://code.forgejo.org/forgejo/forgejo">https://code.forgejo.org/forgejo/forgejo</a></li> <li><a href="https://forgejo.org/releases/">https://forgejo.org/releases/</a></li> <li><a href="https://codeberg.org/forgejo/security-announcements">https://codeberg.org/forgejo/security-announcements</a></li> </ul> <h2>End-to-end tests</h2> <p>Forgejo <a href="https://code.forgejo.org/forgejo/end-to-end">end-to-end tests</a> require running an actual Forgejo instance.</p> <p>They were extended to include <strong><a href="https://code.forgejo.org/forgejo/end-to-end/pulls/71">Alpine packages</a></strong>, verifying a package built out of an Alpine container image can actually be installed.</p> <p>References:</p> <ul> <li><a href="https://forgejo.org/docs/v1.21/user/packages/alpine">https://forgejo.org/docs/v1.21/user/packages/alpine</a></li> <li><a href="https://code.forgejo.org/forgejo/end-to-end">https://code.forgejo.org/forgejo/end-to-end</a></li> </ul> <h2>Governance</h2> <h3>Hard fork</h3> <p>A discussion started on the <a href="https://codeberg.org/forgejo/discussions/issues/96">opportunity for Forgejo to become a hard fork of Gitea</a>.</p> <p>Over the past year a number of components have been developed in Forgejo independently of Gitea, they are already hard forks. The documentation, the release process, end-to-end tests, the Forgejo Runner etc. It even happened within the Forgejo codebase. For instance, the <a href="https://forgejo.org/docs/v1.21/user/blocking-user/">user blocking feature</a> is independent from Gitea. It has its own database tables and migrations while being part of the same binary. However Forgejo still cherry-picks commits on top of the <a href="https://codeberg.org/forgejo/forgejo/milestones?state=closed&amp;q=furnace">Gitea codebase on a weekly basis</a>.</p> <p>The discussion led to an <a href="https://codeberg.org/forgejo/governance/issues/58">agreement proposal</a> where Forgejo community members expressed concerns that are addressed in accordance of the <a href="https://codeberg.org/forgejo/governance/src/branch/main/DECISION-MAKING.md">Forgejo decision making process</a>. If an agreement is reached, the previous logic will be reversed and <strong>commits from Gitea will be cherry-picked on top of the Forgejo codebase</strong>.</p> <p>The discussions related to this agreement are:</p> <ul> <li><a href="https://codeberg.org/forgejo/discussions/issues/103">Testing strategies and containing regressions</a> to support the main benefit of a hard fork which is to shield Forgejo from endemic regressions introduced in Gitea due to insufficient testing.</li> <li><a href="https://codeberg.org/forgejo/discussions/issues/108">Integration of the Gitea changes inside Forgejo</a> should the agreement pass.</li> <li><a href="https://codeberg.org/forgejo/discussions/issues/99">Explicitly encourage contributions to Forgejo</a>.</li> <li><a href="https://codeberg.org/forgejo/discussions/issues/103">Gitea is Open Core</a> explains why, with links for fact checking.</li> <li><a href="https://codeberg.org/forgejo/discussions/issues/92">cloud.gitea.com shared account</a> shows some of the proprietary features of Gitea Cloud and the non-Free Software version of Gitea that it runs.</li> </ul> <p>Unless new concerns emerge, the agreement may be finalized in February.</p> <h3>Moderation</h3> <p>A <a href="https://codeberg.org/forgejo/governance/src/branch/main/MODERATION-PROCESS.md">moderation action</a> was carried out to put an end to <a href="https://codeberg.org/forgejo/governance/issues/53">ad-hominem attacks and harassment</a>: the person responsible for this behavior was banned for a period of two years. They have since created half a dozen accounts in an attempt to circumvent the ban but all content was removed or redacted within 24h.</p> <p>References:</p> <ul> <li><a href="https://codeberg.org/forgejo/governance">https://codeberg.org/forgejo/governance</a></li> </ul> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/0ko">https://codeberg.org/0ko</a></li> <li><a href="https://codeberg.org/6543">https://codeberg.org/6543</a></li> <li><a href="https://codeberg.org/adz">https://codeberg.org/adz</a></li> <li><a href="https://codeberg.org/algernon">https://codeberg.org/algernon</a></li> <li><a href="https://codeberg.org/asandikci">https://codeberg.org/asandikci</a></li> <li><a href="https://codeberg.org/banaanihillo">https://codeberg.org/banaanihillo</a></li> <li><a href="https://codeberg.org/basebuilder">https://codeberg.org/basebuilder</a></li> <li><a href="https://codeberg.org/CanisHelix">https://codeberg.org/CanisHelix</a></li> <li><a href="https://codeberg.org/Crown0815">https://codeberg.org/Crown0815</a></li> <li><a href="https://codeberg.org/crystal">https://codeberg.org/crystal</a></li> <li><a href="https://codeberg.org/Cwpute">https://codeberg.org/Cwpute</a></li> <li><a href="https://codeberg.org/Cyborus">https://codeberg.org/Cyborus</a></li> <li><a href="https://codeberg.org/dachary">https://codeberg.org/dachary</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/Fl1tzi">https://codeberg.org/Fl1tzi</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/foxy">https://codeberg.org/foxy</a></li> <li><a href="https://codeberg.org/GamePlayer-8">https://codeberg.org/GamePlayer-8</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/gwymor">https://codeberg.org/gwymor</a></li> <li><a href="https://codeberg.org/halibut">https://codeberg.org/halibut</a></li> <li><a href="https://codeberg.org/houkime">https://codeberg.org/houkime</a></li> <li><a href="https://codeberg.org/hwpplayer1">https://codeberg.org/hwpplayer1</a></li> <li><a href="https://codeberg.org/jfinkhaeuser">https://codeberg.org/jfinkhaeuser</a></li> <li><a href="https://codeberg.org/jornfranke">https://codeberg.org/jornfranke</a></li> <li><a href="https://codeberg.org/kaffeeknecht">https://codeberg.org/kaffeeknecht</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/KOLANICH">https://codeberg.org/KOLANICH</a></li> <li><a href="https://codeberg.org/lukawaay">https://codeberg.org/lukawaay</a></li> <li><a href="https://codeberg.org/macfanpl">https://codeberg.org/macfanpl</a></li> <li><a href="https://codeberg.org/mmarif">https://codeberg.org/mmarif</a></li> <li><a href="https://codeberg.org/mokazemi">https://codeberg.org/mokazemi</a></li> <li><a href="https://codeberg.org/moralpanic">https://codeberg.org/moralpanic</a></li> <li><a href="https://codeberg.org/msrd0">https://codeberg.org/msrd0</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/neuhalje">https://codeberg.org/neuhalje</a></li> <li><a href="https://codeberg.org/nevarr0">https://codeberg.org/nevarr0</a></li> <li><a href="https://codeberg.org/oatbiscuits">https://codeberg.org/oatbiscuits</a></li> <li><a href="https://codeberg.org/OdinVex">https://codeberg.org/OdinVex</a></li> <li><a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a></li> <li><a href="https://codeberg.org/panos">https://codeberg.org/panos</a></li> <li><a href="https://codeberg.org/rdwz">https://codeberg.org/rdwz</a></li> <li><a href="https://codeberg.org/Salt">https://codeberg.org/Salt</a></li> <li><a href="https://codeberg.org/santalet">https://codeberg.org/santalet</a></li> <li><a href="https://codeberg.org/spla">https://codeberg.org/spla</a></li> <li><a href="https://codeberg.org/swaggboi">https://codeberg.org/swaggboi</a></li> <li><a href="https://codeberg.org/thepaperpilot">https://codeberg.org/thepaperpilot</a></li> <li><a href="https://codeberg.org/tuxcoder">https://codeberg.org/tuxcoder</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/Visne">https://codeberg.org/Visne</a></li> <li><a href="https://codeberg.org/voltagex">https://codeberg.org/voltagex</a></li> <li><a href="https://codeberg.org/wackbyte">https://codeberg.org/wackbyte</a></li> <li><a href="https://codeberg.org/Werenter">https://codeberg.org/Werenter</a></li> <li><a href="https://codeberg.org/wetneb">https://codeberg.org/wetneb</a></li> <li><a href="https://codeberg.org/wolftune">https://codeberg.org/wolftune</a></li> <li><a href="https://codeberg.org/Xinayder">https://codeberg.org/Xinayder</a></li> <li><a href="https://codeberg.org/zareck">https://codeberg.org/zareck</a></li> <li><a href="https://translate.codeberg.org/user/walpo">https://translate.codeberg.org/user/walpo</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Forgejo monthly update - December 2023</title><link>https://forgejo.org/2023-12-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2023-12-monthly-update/</guid><description>Codeberg migrated to Forgejo v1.21, a long awaited forge comparison page was published, the Forgejo Helm Chart reached GA, end-to-end tests proved useful to fix Forgejo Actions bugs and two new machines were added to the infrastructure.</description><pubDate>Sat, 30 Dec 2023 00:00:00 GMT</pubDate><content:encoded><ul> <li>Codeberg migrated to Forgejo v1.21 and suffered a downtime related to performance issues. Although it was quickly recovered, it shows work is still needed to improve scaling and stability.</li> <li>A new <a href="https://forgejo.org/compare/">forge comparison</a> page is available. Gitea turned Open Core this month and it articulates why Forgejo is a safe heaven for admins who want to escape this trap.</li> <li>The <a href="https://codeberg.org/forgejo-contrib/forgejo-helm">Forgejo Helm Chart</a> reached general availability with version 1.0.0.</li> <li><a href="https://code.forgejo.org/forgejo/end-to-end">Forgejo end-to-end testing</a> can now be triggered from Forgejo pull requests by setting a label. For instance, they were <a href="https://code.forgejo.org/forgejo/end-to-end/src/commit/d3bd171b6edeab58ea5cbb547a2b1af9c63196dd/actions/example-cron/run.sh#L3-L16">used to verify</a> a bug fix in how <a href="https://forgejo.org/docs/v1.21/user/actions/#onschedule">scheduled actions</a> work by automatically running an actual Forgejo instance and a runner.</li> <li>Two new machines were <a href="https://forgejo.org/docs/next/developer/infrastructure/#hetzner0203">added to the Forgejo infrastructure</a> to service <a href="https://code.forgejo.org">https://code.forgejo.org</a>, an instance dedicated to Forgejo development.</li> </ul> <p>As Forgejo grows, the format of this monthly report changed to distribute the workload among all Forgejo contributors. The summary is replaced with a bullet list of the highlights and the sections are written by the Forgejo contributors who have been active on a given subject. If you would like to help, please get in touch in <a href="https://matrix.to/#/!JpOtsqTARyyfkoizCU:matrix.org">the chatroom</a> or participate in the <a href="https://codeberg.org/forgejo/discussions">ongoing discussions</a>.</p> <h2>Forgejo</h2> <p><a href="https://codeberg.org/forgejo/forgejo">https://codeberg.org/forgejo/forgejo</a></p> <p>Notable improvements or bug fixes:</p> <ul> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1891">Allow changing the email address before activation</a>: In case someone accidentally registered with the wrong email address (made a typo, for example), with this PR, they will be able to change the email address, and request a new activation mail to be sent. This requires logging in, which <em>is</em> possible, even while the account isn't activated yet. Previously, this required help from an instance administrator, now it can be self-serviced.</li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1900">Allow viewing the latest Action on the web</a>: a tiny little convenience route that allows linking to the latest action of a repository. Useful for READMEs and CI badges.</li> </ul> <h3>In flight pull requests</h3> <p>Most <a href="https://codeberg.org/forgejo/forgejo/pulls?state=closed">pull requests</a> are opened and closed within a week. But some of them take a longer time, either because they are more complex or because they are taken care of by volunteers who can only occasionally work on them in their free time. This is a list of those that were updated since the last monthly report. If they are of interest to you, reviewing the changes or providing solutions would be appreciated.</p> <ul> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1866">Actions: Link to Workflow in View</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1992">pulls: "Edit File" button in "Files Changed" tab</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1680">Federated repository stars</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1746">Add colorblind theme variants</a></li> </ul> <h3>Federation</h3> <p>The pull request to implement <a href="https://codeberg.org/forgejo/forgejo/pulls/1680">federated stars</a> can now be tested manually and <a href="https://codeberg.org/meissa/forgejo/src/branch/forgejo-federated-star/docs/unsure-where-to-put/blog.md#2023-12-federated-staring-open-for-test">an activity summary was published</a>.</p> <p>The <a href="https://lab.forgefriends.org/friendlyforgeformat/gof3/-/merge_requests/90/commits">F3 refactor</a> is making daily progress.</p> <p>The <a href="https://codeberg.org/forgejo/forgejo/issues/59">federation implementation task list</a> was updated.</p> <h3>Releases</h3> <p>Forgejo <a href="https://forgejo.org/docs/latest/admin/upgrade/#release-life-cycle">maintains <strong>two</strong> stable releases</a> at any given time:</p> <ul> <li>Stable (latest major version): receives full support, bugfixes and security fixes.</li> <li>Old Stable (previous major version): receives only critical security support.</li> </ul> <p>There has been <a href="https://forgejo.org/releases/">one release a week</a> in the past month, an unusually high frequency explained by a series of security vulnerabilities. They are labeled with a different color <strong>Stable</strong> and <strong>Oldstable</strong> to make it easier for the Forgejo admin to figure out which one applies to their instance.</p> <p>The <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49946">CVE-2023-49946</a> was created a week after the publication of the <a href="https://forgejo.org/2023-11-release-v1-20-5-1/">Forgejo v1.20.5-1 release that fixes this critical vulnerability</a>. As a reminder the Forgejo v1.21 stable release already includes the associated security fixes and was never vulnerable.</p> <p>Forgejo admins are encouraged to <a href="https://codeberg.org/forgejo/security-announcements">subscribe to security announcement</a> so they can better plan their upgrades.</p> <p>References</p> <ul> <li><a href="https://forgejo.org/releases/">https://forgejo.org/releases/</a></li> <li><a href="https://codeberg.org/forgejo/security-announcements">https://codeberg.org/forgejo/security-announcements</a></li> </ul> <h2>End-to-end testing</h2> <p>Forgejo end-to-end tests require running an actual instance and were moved to <a href="https://code.forgejo.org/forgejo/end-to-end">a dedicated repository</a> which requires a significant number of manual steps to run them on a given Forgejo pull request. It was made simpler by triggering them with the <a href="https://codeberg.org/forgejo/forgejo/pulls?labels=159443"><code>run-end-to-end-tests</code></a> label. For instance, in <a href="https://codeberg.org/forgejo/forgejo/pulls/2015">this Forgejo pull request</a> setting the label triggered <a href="https://code.forgejo.org/forgejo/end-to-end/actions/runs/391/jobs/1">this workflow in the end-to-end</a> repository, using a binary <a href="https://codeberg.org/forgejo/forgejo/src/commit/c98322ed9c877a9bf717f22c4035d3fc45a5ea54/.forgejo/workflows/cascade-setup-end-to-end.yml">created with the pull request</a>.</p> <p>References:</p> <ul> <li><a href="https://code.forgejo.org/actions/cascading-pr/">https://code.forgejo.org/actions/cascading-pr/</a></li> <li><a href="https://code.forgejo.org/forgejo/end-to-end">https://code.forgejo.org/forgejo/end-to-end</a></li> </ul> <h2>Forgejo helm</h2> <p>Forgejo Helm Chart reached GA version 1.0.0 and is basically HA ready thanks to upstream Gitea Chart.</p> <p>The only remaining issue is that all cron jobs are run on all instances because there's no leader elections yet.</p> <p>References:</p> <ul> <li><a href="https://codeberg.org/forgejo-contrib/forgejo-helm">https://codeberg.org/forgejo-contrib/forgejo-helm</a></li> <li><a href="https://code.forgejo.org/forgejo-contrib/forgejo-renovate/">https://code.forgejo.org/forgejo-contrib/forgejo-renovate/</a></li> </ul> <h2>Codeberg</h2> <p>Codeberg migrated to Forgejo v1.21 and despite preliminary testing and a <a href="https://codeberg.org/forgejo/forgejo/issues/1783">curated list of potential regressions</a>, a performance issue prevented it from running. It was quickly diagnosed and fixed but the root problem remains: there is a lack of performance tests in Forgejo. That could be mitigated if there were other Forgejo (or Gitea) instances running at the same scale (~100,000 users and projects, publicly available) as they would also run into the same problems. But in the past years the vast majority of performance issues were discovered in the context of Codeberg, which strongly suggests it is the largest instance in existence.</p> <p>A <a href="https://codeberg.org/Codeberg/Community/issues/1356">priority list</a> has been established so Forgejo contributors can quickly figure out which problems deserve their attention.</p> <p>References:</p> <ul> <li><a href="https://codeberg.org/Codeberg/Community">https://codeberg.org/Codeberg/Community</a></li> <li><a href="https://codeberg.org/Codeberg/Community/issues/1356">https://codeberg.org/Codeberg/Community/issues/1356</a></li> </ul> <h2>Forgejo runner</h2> <p><a href="https://code.forgejo.org/forgejo/runner/src/branch/main/RELEASE-NOTES.md#3-3-0">Forgejo runner 3.3.0</a> was published and is now IPv6 capable. Unfortunately there is <a href="https://code.forgejo.org/forgejo/lxc-helpers/issues/19">a bug in Debian LXC support</a> that limits the scope of tests it can support.</p> <p>References:</p> <ul> <li><a href="https://code.forgejo.org/forgejo/lxc-helpers">https://code.forgejo.org/forgejo/lxc-helpers</a></li> <li><a href="https://code.forgejo.org/forgejo/runner">https://code.forgejo.org/forgejo/runner</a></li> </ul> <h2>Governance</h2> <h3>Mergers team</h3> <p>The <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#contributors">Contributors</a> team has no permissions on "Code" which prevents members from merging pull requests although they have write permissions on "PullRequests" for the Forgejo repository. There is not much scrutiny to enter the contributors team because it bears almost no risk to the integrity of the Forgejo project. Being given permission to write the repository is a different matter. The new "Mergers" team is created <a href="https://codeberg.org/forgejo/governance/issues/46">and requires a formal application process</a>. However light, it will make a difference that matters in terms of trust and commitment.</p> <h3>Moderation</h3> <p>Two <a href="https://codeberg.org/forgejo/governance/src/branch/main/MODERATION-PROCESS.md">moderation actions</a> were carried out: one regarding an <a href="https://codeberg.org/forgejo/governance/issues/45">ad-hominem attack</a> and another regarding the publication of <a href="https://codeberg.org/forgejo/governance/issues/49">private information</a>.</p> <p>References:</p> <ul> <li><a href="https://codeberg.org/forgejo/governance">https://codeberg.org/forgejo/governance</a></li> </ul> <h2>Professional services</h2> <p>Forgejo, just like any other Free Software can be the base of commercial activity from service providers independent from the project itself. Forgejo exists under the umbrella of the Codeberg e.V. non profit which does not provide professional services so there is no competition and will never be.</p> <p>Even if to address a handful of requests per year, it is convenient to have a place where people in need of professional services can meet service providers with the will and the skills to meet their needs. Here are some similar places in other Free Software projects:</p> <ul> <li>Drupal <a href="https://www.drupal.org/drupal-services">https://www.drupal.org/drupal-services</a></li> <li>OpenStack <a href="https://www.openstack.org/marketplace/consulting/">https://www.openstack.org/marketplace/consulting/</a></li> <li>OSD <a href="https://discourse.opensourcedesign.net/t/posting-jobs-read-this-first/3416">https://discourse.opensourcedesign.net/t/posting-jobs-read-this-first/3416</a></li> </ul> <p>It was <a href="https://codeberg.org/forgejo/governance/issues/47">decided</a> to create a kind of job board which was bootstrapped as a <a href="https://codeberg.org/forgejo/professional-services">dedicated issue tracker</a>.</p> <p>References:</p> <ul> <li><a href="https://codeberg.org/forgejo/professional-services">https://codeberg.org/forgejo/professional-services</a></li> </ul> <h2>Hardware infrastructure</h2> <p>Two new machines were <a href="https://forgejo.org/docs/next/developer/infrastructure/#hetzner0203">added to the Forgejo infrastructure</a> and are now hosting <code>code.forgejo.org</code> that was previously in an OpenStack virtual machine. It is faster (10 times more bandwidth) and also is IPv6 capable. The LXC containers are setup and maintained using <a href="https://code.forgejo.org/forgejo/lxc-helpers/">lxc-helpers</a>.</p> <p>A LXC container with extended capabilities required to run a nested k8s cluster was setup on an dedicated hardware for better isolation. Forgejo runners are installed for both <a href="https://code.forgejo.org/forgejo/lxc-helpers">lxc-helpers</a> and <a href="https://code.forgejo.org/forgejo-contrib/forgejo-helm">forgejo-helm</a> so they can <a href="https://code.forgejo.org/forgejo/lxc-helpers/src/branch/main/.forgejo/workflows/test.yml#L13">run workflows that depend on k8s</a>. For instance, it helped detect regressions with the Forgejo Helm chart prior to version 1.0.0.</p> <p>The <code>next.forgejo.org</code> instance that is running the development branch of Forgejo (updated weekly) is now also hosted on this hardware. It was reset entirely on that occasion and displays a prominent reminder that there is no guarantee that any data will persist. It is only for experimental purposes.</p> <p>References:</p> <ul> <li><a href="https://code.forgejo.org/forgejo/lxc-helpers">https://code.forgejo.org/forgejo/lxc-helpers</a></li> <li><a href="https://forgejo.org/docs/next/developer/next-forgejo-org/">https://forgejo.org/docs/next/developer/next-forgejo-org/</a></li> <li><a href="https://forgejo.org/docs/next/developer/infrastructure/#hetzner0203">https://forgejo.org/docs/next/developer/infrastructure/#hetzner0203</a></li> </ul> <h2>OCI mirrors</h2> <p>Container images hosted at <a href="https://hub.docker.com/">https://hub.docker.com/</a> are subject to rate limiting which can be disrupting, for instance when the CI is used intensively by multiple contributors.</p> <p>Some of the most commonly used container images used by Forgejo were manually mirrored in a <a href="https://code.forgejo.org/oci/-/packages">dedicated organization</a> to partially resolve that problem. Updating these images should be done automatically but there still is no script to do so.</p> <p>References:</p> <ul> <li><a href="https://code.forgejo.org/oci/-/packages">https://code.forgejo.org/oci/-/packages</a></li> </ul> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/6543">https://codeberg.org/6543</a></li> <li><a href="https://codeberg.org/adrinux">https://codeberg.org/adrinux</a></li> <li><a href="https://codeberg.org/adz">https://codeberg.org/adz</a></li> <li><a href="https://codeberg.org/algernon">https://codeberg.org/algernon</a></li> <li><a href="https://codeberg.org/APoniatowski">https://codeberg.org/APoniatowski</a></li> <li><a href="https://codeberg.org/Aqa-Ib">https://codeberg.org/Aqa-Ib</a></li> <li><a href="https://codeberg.org/asandikci">https://codeberg.org/asandikci</a></li> <li><a href="https://codeberg.org/ashimokawa">https://codeberg.org/ashimokawa</a></li> <li><a href="https://codeberg.org/Cs137">https://codeberg.org/Cs137</a></li> <li><a href="https://codeberg.org/dachary">https://codeberg.org/dachary</a></li> <li><a href="https://codeberg.org/dejan">https://codeberg.org/dejan</a></li> <li><a href="https://codeberg.org/delgh1">https://codeberg.org/delgh1</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/foxy">https://codeberg.org/foxy</a></li> <li><a href="https://codeberg.org/Freso">https://codeberg.org/Freso</a></li> <li><a href="https://codeberg.org/GamePlayer-8">https://codeberg.org/GamePlayer-8</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/halibut">https://codeberg.org/halibut</a></li> <li><a href="https://codeberg.org/hazy">https://codeberg.org/hazy</a></li> <li><a href="https://codeberg.org/HexagonCDN">https://codeberg.org/HexagonCDN</a></li> <li><a href="https://codeberg.org/JakobDev">https://codeberg.org/JakobDev</a></li> <li><a href="https://codeberg.org/jerger">https://codeberg.org/jerger</a></li> <li><a href="https://codeberg.org/jfinkhaeuser">https://codeberg.org/jfinkhaeuser</a></li> <li><a href="https://codeberg.org/joeroe">https://codeberg.org/joeroe</a></li> <li><a href="https://codeberg.org/jornfranke">https://codeberg.org/jornfranke</a></li> <li><a href="https://codeberg.org/jthvai">https://codeberg.org/jthvai</a></li> <li><a href="https://codeberg.org/KN4CK3R">https://codeberg.org/KN4CK3R</a></li> <li><a href="https://codeberg.org/lmaotrigine">https://codeberg.org/lmaotrigine</a></li> <li><a href="https://codeberg.org/luca-pellegrini">https://codeberg.org/luca-pellegrini</a></li> <li><a href="https://codeberg.org/macfanpl">https://codeberg.org/macfanpl</a></li> <li><a href="https://codeberg.org/Miraha">https://codeberg.org/Miraha</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/oelmekki">https://codeberg.org/oelmekki</a></li> <li><a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a></li> <li><a href="https://codeberg.org/realaravinth">https://codeberg.org/realaravinth</a></li> <li><a href="https://codeberg.org/Ryuno-Ki">https://codeberg.org/Ryuno-Ki</a></li> <li><a href="https://codeberg.org/sachaz">https://codeberg.org/sachaz</a></li> <li><a href="https://codeberg.org/schwarze">https://codeberg.org/schwarze</a></li> <li><a href="https://codeberg.org/sdolan99">https://codeberg.org/sdolan99</a></li> <li><a href="https://codeberg.org/Septem9er">https://codeberg.org/Septem9er</a></li> <li><a href="https://codeberg.org/SteffoSpieler">https://codeberg.org/SteffoSpieler</a></li> <li><a href="https://codeberg.org/teutat3s">https://codeberg.org/teutat3s</a></li> <li><a href="https://codeberg.org/twann">https://codeberg.org/twann</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/Weebull">https://codeberg.org/Weebull</a></li> <li><a href="https://codeberg.org/wetneb">https://codeberg.org/wetneb</a></li> <li><a href="https://codeberg.org/Wild-Turtles">https://codeberg.org/Wild-Turtles</a></li> <li><a href="https://codeberg.org/wolcen">https://codeberg.org/wolcen</a></li> <li><a href="https://codeberg.org/woofman420">https://codeberg.org/woofman420</a></li> <li><a href="https://codeberg.org/Xinayder">https://codeberg.org/Xinayder</a></li> <li><a href="https://codeberg.org/xyhhx">https://codeberg.org/xyhhx</a></li> <li><a href="https://codeberg.org/zareck">https://codeberg.org/zareck</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Forgejo Security Release 1.21.2-1</title><link>https://forgejo.org/2023-12-release-v1-21-2-1/</link><guid isPermaLink="true">https://forgejo.org/2023-12-release-v1-21-2-1/</guid><description>The Forgejo v1.21.2-1 release contains an additional security fix related to permissions enforcement of API endpoints.</description><pubDate>Tue, 12 Dec 2023 00:00:00 GMT</pubDate><content:encoded><p><a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.21.2-1">Forgejo v1.21.2-1</a> was released 12 December 2023.</p> <p>This release contains <em>a security fix</em> related to permissions enforcement of web endpoints.</p> <h3>Recommended Action</h3> <p>We <em>strongly recommend</em> that all Forgejo installations are upgraded to the latest version as soon as possible.</p> <h3>The project page of private users is publicly visible</h3> <p>The <a href="https://forgejo.org/docs/v1.21/user/project/">project page</a> of a private user was missing a permission check and was visible publicly. The other pages (packages, repositories, etc.) of this user or even its existence are not visible publicly.</p> <h3>Reminder of responsible disclosure</h3> <p>On 11 December 2023 the project page vulnerability was <a href="https://github.com/go-gitea/gitea/pull/28423">revealed publicly</a> in contradiction with the <a href="https://github.com/go-gitea/gitea/blob/763938e889c233e82a1a046010b9d332abaa833f/SECURITY.md#reporting-a-vulnerability">Gitea</a> and <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/CONTRIBUTING.md">Forgejo</a> security policies as well as the <a href="https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure">general principles of responsible disclosure</a>.</p> <p>This unfortunate incident forced the immediate preparation of this Forgejo patch release. With no advance warning it only allowed for limited testing and there is a non negligible risk of a regression.</p> <p>In such a situation the Forgejo admins and users are suffering the consequences, either because they are left unecessarily exposed to publicly known vulnerabilities or because their instance may run into regressions due to insufficient preparation time and testing.</p> <p>If you discover a new vulnerability, you are <strong>urged to not reveal it publicly</strong> but to <a href="https://forgejo.org/.well-known/security.txt">send an encrypted email</a> to <a href="mailto:security@forgejo.org">security@forgejo.org</a> so this situation does not happen again.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo, we'd love to hear from you! Open an issue on <a href="https://codeberg.org/forgejo/forgejo/issues">our issue tracker</a> for feature requests or bug reports. You can also find us <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop by <a href="https://matrix.to/#/#forgejo:matrix.org">our Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) to say hi!</p> </content:encoded></item><item><title>Forgejo monthly update - November 2023</title><link>https://forgejo.org/2023-11-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2023-11-monthly-update/</guid><description>Forgejo is one year old and just published v1.21 its fourth major release. Developed in the interest of the general public it grew to become more secure, include more features while staying true to its commitment to only develop Free Software. Your help will make a difference and you are kindly invited to join the Forgejo contributors who work daily to implement federation.</description><pubDate>Thu, 30 Nov 2023 00:00:00 GMT</pubDate><content:encoded><p>Forgejo was <a href="https://forgejo.org/2022-12-15-hello-forgejo/">created in October 2022</a> after a for profit company took over the Gitea project. In the beginning they were almost identical, except for the name and the color. But in the past year, this difference in governance led to choices that made Forgejo significantly and durably different from Gitea.</p> <ul> <li><strong>Better security</strong>. Forgejo focuses on identifying and fixing security vulnerabilities as soon as they are discovered. Gitea is always notified in advance via encrypted channels (e.g. <a href="https://forgejo.org/2023-11-release-v1-20-5-1/">Forgejo v1.20.5-1</a> or <a href="https://forgejo.org/2023-10-release-v1-20-5-0/">Forgejo v1.20.5-0</a>).</li> <li><strong>More features</strong>. Forgejo includes all of Gitea features and integrates new one as soon as they are available. It is a 100% compatible drop-in replacement with additional features, <a href="https://forgejo.org/docs/v1.21/user/blocking-user/">self moderation</a> being the first one.</li> <li><strong>Better stability</strong>. Forgejo relies on <a href="https://code.forgejo.org/forgejo/end-to-end/">end-to-end</a> and upgrade tests. The upgrade tests were introduced to address an <a href="https://forgejo.org/2023-08-release-v1-20-3-0/">instability caused by a regression in the storage settings</a>.</li> </ul> <p>Since its inception Forgejo has been strongly committed to provide forge federation. This long term work <a href="https://codeberg.org/forgejo/forgejo/issues/59">keeps contributors busy daily</a> and it will still be a while before it is complete. Your help will make a difference and you are kindly invited to <a href="https://matrix.to/#/#forgejo-development:matrix.org">join the team</a>. Your work will not help build a startup chasing unicorns, it will benefit the general public and yourself. You will only use Free Software as Forgejo is developed with Forgejo on <a href="https://codeberg.org">Codeberg</a> with a CI and releases powered by Forgejo Actions.</p> <h2>Development</h2> <h3>v1.21 release</h3> <p>After eight release candidates over eight weeks, the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-21-1-0">Forgejo v1.21 release</a> was published and the <a href="https://forgejo.org/2023-11-release-v1211-0/">companion blog post</a> provides a summary of the work it includes.</p> <h3>In flight pull requests</h3> <p>Most <a href="https://codeberg.org/forgejo/forgejo/pulls?state=closed">pull requests</a> are opened and closed within a week. But some of them take a longer time, either because they are more complex or because they are taken care of by volunteers who can only occasionally work on them in their free time. This is a list of those that were updated since the last monthly report. If they are of interest to you, reviewing the changes or providing solutions would be appreciated.</p> <ul> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1790">Avoid conflicts of issue and PR numbers in GitLab migration</a> and <a href="https://codeberg.org/forgejo/forgejo/pulls/1841">Mock HTTP calls in GitLab migration unit test </a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1746">Add colorblind theme variants</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/pulls/1680">Federated repository stars</a></li> </ul> <h3>End to end tests</h3> <p>Forgejo contributors developed end to end tests which require running actual instances and realistic use cases. The proved particularly useful to fix and debug the <a href="https://forgejo.org/2023-08-release-v1-20-3-0/#fixing-the-risk-of-data-loss-related-to-storage-sections">regressions related to storage settings</a> and verifying the workflows sent to the <a href="https://code.forgejo.org/forgejo/runner">Forgejo runner</a> succeed.</p> <p>There were all moved into a <a href="https://code.forgejo.org/forgejo/end-to-end/">dedicated repository</a> where they can conveniently be run and developed rather than being scattered in the Forgejo repository itself or the <a href="https://code.forgejo.org/actions/setup-forgejo">setup-forgejo</a> action.</p> <h3>Experimental releases</h3> <p>Starting 25 November 2023, test releases including the latest developments <a href="https://forgejo.org/docs/v1.21/developer/release/#experimental-release-process">will be published</a> on a regular basis, usually every week. They will be used to run <a href="https://next.forgejo.org">https://next.forgejo.org</a>. It is not recommended to use them in production.</p> <h3>Testing requirements</h3> <p>As a rule changes introduced in Forgejo are associated with tests that verify they work. Without such tests they are prone to regressions over time and more difficult to review. However, it is sometime challenging to create a new test when the underlying codebase lacks the basic infrastructure to do so. It is the case, for instance, for the JavaScript parts of the frontend or more generally user interface changes in Forgejo. As an exception, some pull requests will be merged without tests and <a href="https://codeberg.org/forgejo/forgejo/pulls?labels=167348">tagged as such</a> when they can be contributed back to the main author of the codebase and not burden Forgejo with the associated technical debt.</p> <h3>Federation</h3> <p>A new pull request was open to implement <a href="https://codeberg.org/forgejo/forgejo/pulls/1680">federated stars</a> and <a href="https://codeberg.org/meissa/forgejo/src/commit/d6c49675438fe5d5f84364e081ab1cb60ca42d75/docs/unsure-where-to-put/blog.md">an activity summary was published</a>.</p> <p>The <a href="https://lab.forgefriends.org/friendlyforgeformat/gof3/-/merge_requests/90/commits">F3 refactor</a> is making daily progress.</p> <p>The <a href="https://codeberg.org/forgejo/forgejo/issues/59">task list</a> created a year ago to track federation work is now updated monthly.</p> <h2>Forgejo Actions</h2> <p>With the <a href="https://code.forgejo.org/forgejo/runner/src/branch/main/RELEASE-NOTES.md#320">3.2.0</a> release of the Forgejo runner, the <a href="https://forgejo.org/docs/v1.21/admin/actions/#lxc">LXC backend</a> was improved and can now be configured with capabilities to run k8s. It <a href="https://code.forgejo.org/forgejo/runner/issues/55#issuecomment-3332">unblocked the work</a> started a few months ago to verify a helm chart using Forgejo can run in a workflow.</p> <p>Groundwork for <a href="https://code.forgejo.org/forgejo/runner/issues/119">IPv6 support</a> is done and needs testing before it can be released.</p> <h2>Security releases</h2> <p>Late October, the <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#security">Forgejo security team</a> discovered critical vulnerabilities and worked on fixes that were published as part of Forgejo v1.21 and <a href="https://forgejo.org/2023-11-release-v1-20-5-1/">backported to Forgejo v1.20.5-1</a> after a 30-day embargo. To better prepare for such upgrades, Forgejo admins can now watch <a href="https://codeberg.org/forgejo/security-announcements/issues">a repository</a> dedicated to security announcements or subscribe to the <a href="https://codeberg.org/forgejo/security-announcements.rss">associated RSS feed</a>.</p> <p>The severity of the vulnerabilities motivated security team members to <a href="https://codeberg.org/forgejo/discussions/issues/86">write a post-mortem</a> and ask for input and ideas in an open discussion.</p> <h2>User research</h2> <p>Although it is largely agreed that <a href="https://jdittrich.github.io/userNeedResearchBook/">user research</a> is one of the areas where Forgejo needs more work, it has not seen significant progress in the past year. The effort has resumed, starting with <a href="https://codeberg.org/forgejo/user-research/issues/20">sorting issues into categories</a>. The goal is to better understand Forgejo users.</p> <h2>Hardware infrastructure</h2> <p>As <a href="https://code.forgejo.org">https://code.forgejo.org</a> keeps growing, <a href="https://codeberg.org/forgejo/docs/pulls/262">new hardware is being provisioned</a> so it can move from the cloud and have more disk space, mostly.</p> <h2>Governance and communication</h2> <p>The moderation team is now composed of <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#moderation">two members</a>. A Forgejo contributor also <a href="https://codeberg.org/forgejo/governance/issues/41">applied</a> to the security team.</p> <p>A few <a href="https://codeberg.org/forgejo/governance/pulls/44">new members</a> were added to the contributors team and it <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#contributors">does not require a formal application process</a>.</p> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/abyxcos">https://codeberg.org/abyxcos</a></li> <li><a href="https://codeberg.org/arkdae">https://codeberg.org/arkdae</a></li> <li><a href="https://codeberg.org/asandikci">https://codeberg.org/asandikci</a></li> <li><a href="https://codeberg.org/bodsch">https://codeberg.org/bodsch</a></li> <li><a href="https://codeberg.org/caesar">https://codeberg.org/caesar</a></li> <li><a href="https://codeberg.org/cbn8krgm">https://codeberg.org/cbn8krgm</a></li> <li><a href="https://codeberg.org/crystal">https://codeberg.org/crystal</a></li> <li><a href="https://codeberg.org/dachary">https://codeberg.org/dachary</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/hazy">https://codeberg.org/hazy</a></li> <li><a href="https://codeberg.org/jerger">https://codeberg.org/jerger</a></li> <li><a href="https://codeberg.org/jfinkhaeuser">https://codeberg.org/jfinkhaeuser</a></li> <li><a href="https://codeberg.org/jwildeboer">https://codeberg.org/jwildeboer</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/Korbs">https://codeberg.org/Korbs</a></li> <li><a href="https://codeberg.org/maltejur">https://codeberg.org/maltejur</a></li> <li><a href="https://codeberg.org/meaz">https://codeberg.org/meaz</a></li> <li><a href="https://codeberg.org/moralpanic">https://codeberg.org/moralpanic</a></li> <li><a href="https://codeberg.org/msrd0">https://codeberg.org/msrd0</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a></li> <li><a href="https://codeberg.org/realaravinth">https://codeberg.org/realaravinth</a></li> <li><a href="https://codeberg.org/rome-user">https://codeberg.org/rome-user</a></li> <li><a href="https://codeberg.org/s3lph">https://codeberg.org/s3lph</a></li> <li><a href="https://codeberg.org/snematoda">https://codeberg.org/snematoda</a></li> <li><a href="https://codeberg.org/SteffoSpieler">https://codeberg.org/SteffoSpieler</a></li> <li><a href="https://codeberg.org/stevenroose">https://codeberg.org/stevenroose</a></li> <li><a href="https://codeberg.org/thepaperpilot">https://codeberg.org/thepaperpilot</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/w8emv">https://codeberg.org/w8emv</a></li> <li><a href="https://codeberg.org/wetneb">https://codeberg.org/wetneb</a></li> <li><a href="https://codeberg.org/xtex">https://codeberg.org/xtex</a></li> <li><a href="https://codeberg.org/xy">https://codeberg.org/xy</a></li> <li><a href="https://codeberg.org/xyhhx">https://codeberg.org/xyhhx</a></li> <li><a href="https://codeberg.org/yoctozepto">https://codeberg.org/yoctozepto</a></li> <li><a href="https://codeberg.org/zareck">https://codeberg.org/zareck</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Forgejo Security Release 1.20.6-0</title><link>https://forgejo.org/2023-11-release-v1-20-6-0/</link><guid isPermaLink="true">https://forgejo.org/2023-11-release-v1-20-6-0/</guid><description>The Forgejo v1.20.6-0 release contains an additional security fix related to permissions enforcement of API endpoints.</description><pubDate>Tue, 28 Nov 2023 00:00:00 GMT</pubDate><content:encoded><p><a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.20.6-0">Forgejo v1.20.6-0</a> was released 28 November 2023.</p> <p>This release contains <em>a security fix</em> related to permissions enforcement of API endpoints.</p> <h3>Recommended Action</h3> <p>We <em>strongly recommend</em> that all Forgejo installations are upgraded to the latest version as soon as possible.</p> <h3>API and web endpoint vulnerable to manually crafted identifiers</h3> <p>See the <a href="https://forgejo.org/2023-11-release-v1-20-5-1/#api-and-web-endpoint-vulnerable-to-manually-crafted-identifiers">Forgejo v1.20.5-1 blog post</a> for a detailed explanation on this kind of vulnerability.</p> <ul> <li>get the public key of a user</li> <li>get a release or a release attachment</li> <li>get OAuth2 applications (except for the secret)</li> </ul> <p>Fixes were written for the vulnerable endpoints but not thoroughly tested.</p> <h3>Reminder of responsible disclosure</h3> <p><a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.20.5-1">Forgejo v1.20.5-1</a> was released 25 November 2023 after <a href="https://forgejo.org/2023-11-release-v1-20-5-1/#responsible-disclosure-to-gitea">a 30-day embargo</a> that gave enough time to Gogs, Gitea and Forgejo to prepare and publish a patch release on 25 November 2025.</p> <p>The complete list of identified vulnerabilities was communicated by the Forgejo security team to Gitea on 5 November 2023 and the final version of the patch fixing all of them was sent on 24 November 2023, via encrypted email. In addition, two PRs (for <a href="https://github.com/go-gitea/gitea/pull/28211">v1.20</a> and <a href="https://github.com/go-gitea/gitea/pull/28212">v1.21</a>) were sent to Gitea on 25 November 2023 prior to the announcement of the Forgejo release to help fast track a stable point release.</p> <p>On 25 November 2023, shortly after the release, additional vulnerabilities were <a href="https://github.com/go-gitea/gitea/pull/28213">revealed publicly</a> in contradiction with the <a href="https://github.com/go-gitea/gitea/blob/763938e889c233e82a1a046010b9d332abaa833f/SECURITY.md#reporting-a-vulnerability">Gitea</a> and <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/CONTRIBUTING.md">Forgejo</a> security policies as well as the <a href="https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure">general principles of responsible disclosure</a>.</p> <p>This unfortunate incident forced the immediate preparation of this Forgejo patch release. With no advance warning it only allowed for limited testing and there is a non negligible risk of a regression.</p> <p>In such a situation the Forgejo admins and users are suffering the consequences, either because they are left unecessarily exposed to publicly known vulnerabilities or because their instance may run into regressions due to insufficient preparation time and testing.</p> <p>If you discover a new vulnerability, you are <strong>urged to not reveal it publicly</strong> but to <a href="https://forgejo.org/.well-known/security.txt">send an encrypted email</a> to <a href="mailto:security@forgejo.org">security@forgejo.org</a> so this situation does not happen again.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo, we'd love to hear from you! Open an issue on <a href="https://codeberg.org/forgejo/forgejo/issues">our issue tracker</a> for feature requests or bug reports. You can also find us <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop by <a href="https://matrix.to/#/#forgejo:matrix.org">our Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) to say hi!</p> </content:encoded></item><item><title>Forgejo v1.21 is available</title><link>https://forgejo.org/2023-11-release-v1211-0/</link><guid isPermaLink="true">https://forgejo.org/2023-11-release-v1211-0/</guid><description>Forgejo v1.21 is available and comes with significant improvements to Forgejo Actions and the Forgejo runner. It also brings better user blocking, many documentation improvements, a shortcut button to open new PRs, mail notifications when new users are created and more. As always, make sure to carefully read the breaking changes from the release notes and make a full backup before upgrading.</description><pubDate>Sun, 26 Nov 2023 00:00:00 GMT</pubDate><content:encoded><p><a href="/download/">Forgejo v1.21.1-0</a> is here and you will find the most interesting changes it introduces below. Before upgrading it is <em>strongly recommended</em> to make a full backup as explained in the <a href="/docs/v1.21/admin/upgrade/">upgrade guide</a> and carefully read <em>all breaking changes</em> from the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-21-1-0">release notes</a>. If in doubt, do not hesitate to ask for help <a href="https://floss.social/@forgejo">on the Fediverse</a>, or in the <a href="https://matrix.to/#/#forgejo-chat:matrix.org">chat room</a>.</p> <ul> <li><p><strong><a href="/docs/v1.21/user/actions">Actions</a></strong>: server side, secrets can be managed via the API and the <code>pull_request_target</code> makes it possible to securely run workflows on pull requests, even when they need to access secrets. A major version of the Forgejo runner was <a href="https://code.forgejo.org/forgejo/runner/src/branch/main/RELEASE-NOTES.md#320">also published</a> and it is now capable of <a href="/docs/v1.21/admin/actions/#labels-and-runs-on">running actions on Docker, LXC or in a shell</a>.</p> <p></p> </li> <li><p><strong><a href="/docs/v1.21/user/blocking-user">Blocking a user</a></strong>: repository transfers originating from the blocked user are canceled and the blocked user is removed from the list of collaborators on repositories owned by the user doing the blocking. This self-moderation feature introduced in v1.20 is most useful on large Forgejo instances and was since deployed on Codeberg. It has been used a few times by the Forgejo moderation team in cases that did not require admin privileges.</p> <p></p> </li> <li><p><strong><a href="/docs/v1.21">Documentation</a></strong>: new sections were added to the <a href="/docs/v1.21/developer/">developer guide</a> such as the <a href="/docs/v1.21/developer/customization/">user interface customization</a>, which is considered an internal detail and requires intimate knowledge of the codebase to be maintained. Every new feature listed in the release notes was matched with an update in the documentation because it is intended to become an exhaustive reference. The <a href="https://codeberg.org/forgejo/docs/">documentation repository</a> was split out of the website repository and restructured to facilitate the <a href="https://codeberg.org/forgejo/docs/src/branch/next/README.md#contributing">maintenance and contribution workflow</a>.</p> </li> <li><p><strong><a href="/docs/v1.21/user/pull-requests-and-git-flow/#create-a-pull-request">Shortcut to create a PR</a>:</strong> a button is automatically shown if you recently pushed to branch and will open a PR with the default branch as a base.</p> <p></p> </li> <li><p><strong>New user mail notification</strong>: When a Forgejo instance has open registration, it is occasionally subject to spam accounts. With the <code>SEND_NOTIFICATION_EMAIL_ON_NEW_USER = true</code> setting, the Forgejo admin will receive a mail when a new account is created and can immediately act on it, instead of discovering a dozen of spam bots a much later.</p> </li> <li><p><strong>Additional syntax highlighting</strong>: for <a href="https://github.com/alecthomas/chroma/pull/765">Smali</a>, <a href="https://github.com/alecthomas/chroma/pull/772">DHCP</a>, <a href="https://github.com/alecthomas/chroma/pull/776">WebGPU Shading Language</a>, <a href="https://github.com/alecthomas/chroma/commit/4779f9035a3aaea3ec650f0923657c12e12dd35a">AutoHotkey</a>, <a href="https://github.com/alecthomas/chroma/commit/029798b351baa9c3d0dd5ec16e87ab98486d843c">AutoIt</a>, <a href="https://github.com/alecthomas/chroma/commit/e422a6286fdc61393deb09afd270293eb590d023">tal (uxntal)</a>, <a href="https://github.com/alecthomas/chroma/pull/794">ArangoDB Query Language (AQL)</a>, <a href="https://github.com/alecthomas/chroma/pull/796">BIND DNS Zone</a>, <a href="https://github.com/alecthomas/chroma/pull/802">Odin</a>, <a href="https://github.com/alecthomas/chroma/pull/804">Sourcepawn</a>, <a href="https://github.com/alecthomas/chroma/pull/813">CPP</a>, <a href="https://github.com/alecthomas/chroma/pull/815">C</a>.</p> </li> <li><p><strong>Additional language detection</strong>: <a href="https://github.com/atom-haskell/language-haskell">Bluespec BH</a>, <a href="https://github.com/terrastruct/d2-vscode">D2</a>, <a href="https://github.com/golang/vscode-go">Go Workspace</a>, <a href="https://github.com/nishtahir/language-kotlin">Gradle Kotlin DSL</a>, <a href="https://github.com/Alhadis/language-etc">Hosts File</a>, <a href="https://github.com/KrazIvan/LOLCODE-grammar-vscode">LOLCODE</a>, <a href="https://github.com/wooorm/markdown-tm-language">MDX</a>, <a href="https://github.com/BobDotCom/Nasal.tmbundle">Nasal</a>, <a href="https://github.com/hustcer/nu-grammar">Nushell</a>, <a href="https://github.com/kadena-io/pact-atom">Pact</a>, <a href="https://github.com/soutaro/vscode-rbs-syntax">RBS</a>, <a href="https://github.com/textmate/rez.tmbundle">Rez</a>, <a href="https://github.com/textmate/sweave.tmbundle">Sweave</a>, <a href="https://github.com/adamint/tlv-vscode">TL-Verilog</a>, <a href="https://github.com/michidk/typst-grammar">Typst</a>, <a href="https://github.com/broadinstitute/wdl-sublime-syntax-highlighter">WDL</a>, <a href="https://github.com/wgsl-analyzer/wgsl-analyzer">WGSL</a>, <a href="https://github.com/bytecodealliance/vscode-wit">WebAssembly Interface Type</a></p> <p></p> </li> </ul> <p>Read more <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-21-1-0">in the Forgejo v1.21.1-0 release notes</a>.</p> <h3>Forgejo Actions</h3> <p>Forgejo is only as stable and robust as the test infrastructure that verifies it works. Forgejo Actions is not just a feature, it is an integral part of what makes Forgejo whole. With v1.21 this self-sustainable ecosystem grew with more components such as <a href="https://code.forgejo.org/forgejo/end-to-end">end to end testing</a> and upgrade tests running older versions of Forgejo. Each repository is independent but it is not isolated from the others. Developers do not need to manually keep them in sync, they are <a href="https://code.forgejo.org/actions/cascading-pr/#forgejo-dependencies">bound together with tests</a>. As more components are added, these tests will be the cement keeping them together, allowing developers to focus on what matters.</p> <p></p> <p>Server side the most notable improvements are:</p> <ul> <li>The <a href="/docs/v1.21/user/actions/#onpull_request_target"><code>pull_request_target</code> event</a> is implemented and can securely access secrets because it runs using the workflows from the base branch instead of the pull request.</li> <li>The API can now be used to manage secrets for <a href="https://code.forgejo.org/api/swagger/#/user/updateUserSecret">users</a>, <a href="https://code.forgejo.org/api/swagger/#/organization/orgListActionsSecrets">organizations</a> and <a href="https://code.forgejo.org/api/swagger/#/repository/updateRepoSecret">repositories</a>.</li> <li>Registration tokens can <a href="/docs/v1.21/admin/actions/#registration">register multiple runners</a> instead of a single one.</li> <li><a href="/docs/v1.21/user/actions/#variables">Variables can be used in addition to secrets</a> to configure workflows when there is no need for secrecy.</li> <li><a href="/docs/v1.21/user/actions/#onschedule">Recurring actions similar to cron jobs</a> can be defined in the main branch.</li> <li><a href="/docs/v1.21/user/actions/#artifacts">Uploaded artifacts can be automatically cleaned up</a>.</li> <li>When a new commit is pushed to a branch, the workflows triggered by previous commits are <a href="/docs/v1.21/user/actions/#auto-cancelation-of-workflows">automatically canceled</a>.</li> <li>It is now possible to <a href="/docs/v1.21/user/actions/#artifacts">upload multiple artifacts</a> instead of a single one.</li> <li>The labels can be communicated to Forgejo from the runner when they connect <a href="/docs/v1.21/admin/actions/#registration">instead of just during registration</a>.</li> </ul> <p><a href="/docs/v1.21/user/actions">Forgejo Actions</a> is however <strong>not yet production ready</strong>, for the reasons explained in the <a href="/2023-07-release-v1201-0/#forgejo-actions">Forgejo v1.20</a> blog post.</p> <p>Client side, the newer version of the <a href="https://code.forgejo.org/forgejo/runner/src/branch/main/RELEASE-NOTES.md#320">Forgejo runner</a> that is responsible for running the workflows now comes in two flavors:</p> <ul> <li><a href="https://code.forgejo.org/forgejo/runner/releases/tag/v3.2.0">binary release</a></li> <li><a href="https://code.forgejo.org/forgejo/-/packages/container/runner/3.2.0">container image</a></li> </ul> <p>It is <a href="https://code.forgejo.org/forgejo/end-to-end">tested</a> with itself to verify a new version does not introduce a trivial regression that would break Forgejo, using an <a href="https://code.forgejo.org/actions/cascading-pr/">action to cascade pull requests between repositories</a>.</p> <p>Read more about Forgejo actions <a href="/docs/v1.21/user/actions/">in the user guide</a> and <a href="/docs/v1.21/admin/actions/">in the administrator guide</a>.</p> <h3>What is unique to Forgejo?</h3> <p>Until recently all Forgejo commits could have been merged into Gitea overnight. But as of October 2023 Gitea <a href="https://codeberg.org/forgejo/discussions/issues/67">requires a copyright assignment</a> in addition to the MIT license. It means that the most significant contributions such as <a href="/docs/v1.21/user/blocking-user">blocking a user</a> will not be merged into Gitea and are unique to Forgejo v1.21 and later.</p> <p>Forgejo continues to include all of Gitea and guarantees a 100% drop-in replacement for Gitea admins. No action is required, it is enough to replace the Gitea binary or the container image with the equivalent Forgejo release and restart.</p> <p>Such an upgrade may be motivated to benefit from security fixes that only exist in Forgejo, such as the <a href="/2023-10-release-v1-20-5-0/#long-term-authentication-token">Long-term authentication</a> vulnerability which is fixed since Forgejo v1.20.5-0 and will also be in Gitea v1.22 early 2024.</p> <h3>Federation</h3> <p>Does <code>Forgejo</code> support federation? Not yet. Was there progress? Yes.</p> <p>The monthly reports <a href="/tag/report/">have details</a> on these progress and the <a href="https://forgefriends.org/blog/2023/06/21/2023-06-state-forge-federation/">State of the Forge Federation: 2023 edition</a> published in June 2023 explains how Forgejo fits in the big picture.</p> <p>Forges have existed for over twenty years and none of them has achieved data portability let alone federation. Forgejo is yet to celebrate the publication of its first release and it will take it a little time to get there.</p> <h3>Get Forgejo v1.21</h3> <p>See the <a href="/download">download page</a> for instructions on how to install Forgejo, and read the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-21-1-0">release notes</a> for more information.</p> <h3>Upgrading</h3> <p>Carefully read <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-21-1-0">the breaking changes</a> section of the release notes.</p> <p>The actual upgrade process is as simple as replacing the binary or container image with the corresponding <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.21.1-0">Forgejo binary</a> or <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.21.1-0">container image</a>. If you're using the container images, you can use the <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.21"><code>1.21</code> tag</a> to stay up to date with the latest <code>1.21.x</code> point release automatically.</p> <p>Make sure to check the <a href="/docs/v1.21/admin/upgrade">Forgejo upgrade documentation</a> for recommendations on how to properly backup your instance before the upgrade. It also covers upgrading from Gitea, as far back as version 1.2.0. Forgejo includes all of Gitea v1.21.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo do not hold back, it is also your project. Open an issue in <a href="https://codeberg.org/forgejo/forgejo/issues">the issue tracker</a> for feature requests or bug reports, reach out <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop into <a href="https://matrix.to/#/#forgejo:matrix.org">the Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) and say hi!</p> </content:encoded></item><item><title>Forgejo Security Release 1.20.5-1</title><link>https://forgejo.org/2023-11-release-v1-20-5-1/</link><guid isPermaLink="true">https://forgejo.org/2023-11-release-v1-20-5-1/</guid><description>The Forgejo v1.20.5-1 release contains critical security fixes related to permissions enforcement of API endpoints.</description><pubDate>Sat, 25 Nov 2023 00:00:00 GMT</pubDate><content:encoded><p><a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.20.5-1">Forgejo v1.20.5-1</a> was released 25 November 2023.</p> <p>This release contains <em>critical security fixes</em> related to permissions enforcement of API endpoints.</p> <p>This release also contains bug fixes, as detailed <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-20-5-1">in the release notes</a>.</p> <h3>Recommended Action</h3> <p>We <em>strongly recommend</em> that all Forgejo installations are upgraded to the latest version as soon as possible.</p> <h3>API and web endpoint vulnerable to manually crafted identifiers</h3> <p>Some API endpoints, such as <a href="https://code.forgejo.org/api/swagger#/issue/issuePostCommentReaction">adding a reaction to a comment</a>, rely on an identifier unique to an object (a comment in this example). There are similar cases for web endpoints which are used by the Forgejo web interface.</p> <p>The permissions required for the user performing the action on the repository are properly enforced. But a check was missing to ensure that the object (a comment in the example) also belongs to the repository the permissions are checked against. Without this check it is possible both to perform destructive actions and to access information in repositories unrelated to the request, including private ones.</p> <p>API and web endpoints have been analysed, and those that were missing such a verification can be exploited by a malicious actor to:</p> <ul> <li>delete releases and tags</li> <li>delete and modify issues or pull requests comments</li> <li>reveal the content of issues or pull requests comments from private repositories</li> <li>perform other non-destructive actions such as creating issues, moving pinned issues, or obtaining deploy public keys</li> </ul> <p>The vulnerable endpoints were fixed and tests written to verify the fix is effective.</p> <h3>docker login and 2FA</h3> <p>When using <code>docker login</code> to authenticate against a Forgejo instance using basic authentication, there needs to be an additional verification if 2FA is activated for the user. That verification was missing for the API endpoint used by <code>docker login</code>, thus bypassing 2FA.</p> <h3>Responsible disclosure to Gitea</h3> <p>On 25 October 2023 the Forgejo security team identified that multiple API and web endpoints were not protected against manually crafted identifiers, and the Gitea security team was notified. A 30-day embargo was requested, after which a patch to the v1.20 point release could be published. Further research from both Gitea and Forgejo teams in the following days revealed more vulnerabilities. Initial fixes and tests verifying they are effective were exchanged, but after their last email on 31 October 2023 the Gitea security team stopped responding. Given the severity of the vulnerability, the Forgejo security team asked again for feedback on 16 November 2023, but did not get any reply. Having exhausted all options for cooperation, the Forgejo security team completed the security fix on its own. The resulting fix which is published in this release was sent to the Gitea security team encrypted in its final version on 24 November 2023. At the time of publication, there was still no response from the Gitea security team.</p> <h3>Responsible disclosure to Gogs</h3> <p>The Gogs developer was notified of the vulnerability on 25 October 2023. There is no encrypted channel and only a terse but unambiguous message was sent. There has been no response.</p> <h3>Forgejo will give advance warning of security releases</h3> <p>Similar to what is done when a Go release contains a security fix, Forgejo will now publish advance warning of security releases. They will not reveal the details of the vulnerability but will allow Forgejo admins to plan ahead and better secure their instance. Anyone can watch to the <a href="https://codeberg.org/forgejo/security-announcements/">dedicated tracker</a> or <a href="https://codeberg.org/forgejo/security-announcements.rss">subscribe to the RSS feed</a>.</p> <h3>Gogs and Gitea upgrades to Forgejo</h3> <p>Gitea admins are reminded that Forgejo is a 100% compatible drop-in replacement for Gitea. It is enough to replace the Gitea binary or the container image with Forgejo and restart. No configuration modification is necessary. They are encouraged to choose that option to get this security fix as soon as possible.</p> <p>In the absence of a security fix for Gogs, it is also possible to try and upgrade Gogs to Forgejo. Note however that such an upgrade will require manual intervention and configuration changes because the upgrade path has not been tested.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo, we'd love to hear from you! Open an issue on <a href="https://codeberg.org/forgejo/forgejo/issues">our issue tracker</a> for feature requests or bug reports. You can also find us <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop by <a href="https://matrix.to/#/#forgejo:matrix.org">our Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) to say hi!</p> </content:encoded></item><item><title>Forgejo monthly update - October 2023</title><link>https://forgejo.org/2023-10-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2023-10-monthly-update/</guid><description>A security issue related to Long-term Authentication was fixed for Forgejo v1.21 and backported to Forgejo v1.20.5-0. Four release candidates were published for Forgejo v1.21 and the documentation updated to cover the new functionalities. A service request was published to develop new functionalities for the benefit of German schools. Solutions were also identified for bootstrapping a fully Free Software hosting provider including Forgejo.</description><pubDate>Mon, 23 Oct 2023 00:00:00 GMT</pubDate><content:encoded><p>A security issue identified earlier this year was fixed for Forgejo v1.21 and backported to Forgejo v1.20. It was non trivial and involved a 90-day embargo as well as a database upgrade. Four release candidates for Forgejo v1.21 were published in the <a href="https://codeberg.org/forgejo-experimental/forgejo/releases">experimental organization</a>. The improvements it contains for Forgejo Actions were documented and are now associated with end to end testing to guard against future regressions.</p> <p>A <a href="https://codeberg.org/forgejo/sustainability/issues/28">service request</a> originating from German schools in need of additional Forgejo features was published. There are currently no known freelance or company providing Forgejo expertise and discussions happened about what to do with such requests. Solutions were also identified for bootstraping a fully Free Software hosting provider including Forgejo.</p> <h2>Development</h2> <h3>Refactor of Long-term Authentication</h3> <p>When a user logs into Forgejo, they can click the <strong>Remember This Device</strong> checkbox and their browser will store a <strong>Long-term authentication</strong> token provided by the server, in a cookie that will allow them to stay logged in for a number of days as defined by the <a href="https://forgejo.org/docs/v1.20/admin/config-cheat-sheet/#security-security"><code>LOGIN_REMEMBER_DAYS</code></a> setting.</p> <p>Given a copy of the Forgejo database, a <strong>Long-term authentication</strong> token could be constructed for any user and used to impersonate them. Such a token did not expire <code>LOGIN_REMEMBER_DAYS</code> days after it was created and remained valid for as long as users did not change their password.</p> <p>This security issue does not require brute force and was the most significant discovered this year. A fix was published by the <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#security">Forgejo security team</a> on <a href="https://forgejo.org/2023-10-release-v1-20-5-0/">6 October 2023</a> after a <a href="https://forgejo.org/2023-10-release-v1-20-5-0/#responsible-disclosure-to-gitea">90-day embargo</a> and was backported to <a href="https://forgejo.org/2023-10-release-v1-20-5-0/">Forgejo v1.20.5-0</a> the same day.</p> <h3>v1.21 release candidates</h3> <p>The Forgejo v1.21 release candidate cycle is coming to an end, with <a href="https://codeberg.org/forgejo-experimental/forgejo/releases">four releases</a>, published in the <a href="https://codeberg.org/forgejo-experimental/forgejo/releases">experimental organization</a>. They are now used daily on the <a href="https://code.forgejo.org">https://code.forgejo.org</a> and <a href="https://next.forgejo.org">https://next.forgejo.org</a> instances and all the release blockers discovered so far were fixed.</p> <p>Tests were conducted on a simulation of a Codeberg upgrade to verify the database migration was fast enough, despite some operations that were potentially expensive on large tables.</p> <p>End-to-end testing for Forgejo v1.20 is part of the <a href="https://code.forgejo.org/actions/setup-forgejo">setup-forgejo</a> action testsuite. It was extended to <a href="https://code.forgejo.org/actions/setup-forgejo/src/branch/main/.forgejo/workflows/integration.yml#L14-L17">include the Forgejo v1.21 release candidates</a> and new tests for the Forgejo Actions features that did not exist in Forgejo v1.20.</p> <h3>Federation</h3> <p><a href="https://forgeflux.org/">ForgeFlux</a> is working towards providing compliance testing for the forge federation ecosystem using a tool called <a href="https://docs.forgeflux.org/ftest/introduction">"ftest"</a>. The tool ran successfully against Forgejo and produced <a href="https://docs.forgeflux.org/example/ftest/results/targets/forgejo/results">this compliance report</a> proving the correctness of Forgejo's work-in-progress implementation.</p> <p>The <a href="https://f3.forgefriends.org/">F3</a> Forgejo driver is on pause while the <a href="https://lab.forgefriends.org/friendlyforgeformat/gof3">gof3</a> package is undergoing a <a href="https://lab.forgefriends.org/friendlyforgeformat/gof3/-/merge_requests/90/commits">complete refactor</a>. The API will be roughly the same and allow to copy data from one forge to another.</p> <h2>Forgejo service providers</h2> <p>Forgejo exists under the umbrella of Codeberg which is a non-profit organization. But it can be used by freelancers or for-profit companies to generate an income. Just like there are many service providers using Git which exists under the umbrella of <a href="https://sfconservancy.org/projects/current/">Software Freedom Conservancy</a>.</p> <h3>Professional services</h3> <p>When someone needs a Forgejo instance of their own but does not have the resources to maintain and improve upon it, they should be able to find help, for a fee. For instance the German state of <a href="https://en.wikipedia.org/wiki/Baden-W%C3%BCrttemberg">Baden-Württemberg</a> needs <a href="https://codeberg.org/forgejo/sustainability/issues/28">additional features</a> to deploy Forgejo in German schools next year. The new development could then be contributed back to Forgejo and be available for all.</p> <h3>Hosting provider</h3> <p>If someone is looking for a hosting provider where they can rent their own Forgejo instance and Forgejo runner without being bothered by upgrades, they currently have nowhere to go.</p> <p>The easiest solution would be that Forgejo is part of the application portfolio of an existing hosting providers. But none of them is powered by Free Software and the Forgejo instance would be trapped: migrating to another hosting provider would require a significant effort.</p> <p>There are two fully Free Software stacks providing <a href="https://codeberg.org/forgejo/discussions/issues/72">a turnkey solution to setup a hosting service provider</a>. One of them is unmaintained and <a href="https://fossbilling.org/">the other</a> needs a Forgejo driver.</p> <h2>Documentation</h2> <p>The bulk of the documentation updates relate to the new Forgejo v1.21 features of Forgejo Action in the <a href="https://forgejo.org/docs/v1.21/user/actions/">user</a> and <a href="https://forgejo.org/docs/v1.21/user/actions/">admin</a> sections. They are associated with <a href="https://code.forgejo.org/actions/setup-forgejo/src/branch/main/testdata">examples and tests</a> that help understand how they actually work.</p> <p>A round of updates was also done by harvesting documentation improvements <a href="89c24509f03ea3fe1cbea866180dee8019e7e48f">from Codeberg</a> and <a href="https://codeberg.org/forgejo/docs/commit/0b81e66c45cc6a7a24306a948707e8ee01361876">from Gitea</a>.</p> <h2>Forgejo Actions</h2> <h3>Runner 3.0.1</h3> <p>A number of actions (e.g. <a href="https://code.forgejo.org/actions/checkout/src/tag/v4">checkout@v4</a>) now depend on node 20 which was only recently supported by <a href="https://code.forgejo.org/forgejo/act">ACT</a> on top of which the <a href="https://code.forgejo.org/forgejo/runner">Forgejo runner</a> is based. The <a href="https://code.forgejo.org/forgejo/runner/src/branch/main/RELEASE-NOTES.md#301">Forgejo runner 3.0.1</a> contains that upgrade.</p> <h3>The cascading-pr action</h3> <p>Forgejo is not a mono-repository project. It is made up of several software projects that have their own release cycle in multiple repositories. Synchronizing them is sometimes challenging, as demonstrated by the <a href="https://code.forgejo.org/forgejo/runner/src/tag/v3.0.0/README.md#hacking">rather involved</a> test instructions of the Forgejo runner.</p> <p>To simplify the development workflow a new action was developed. <a href="https://code.forgejo.org/actions/cascading-pr/">cascading-pr</a> can be used in the workflow of a repository to verify that a proposed change won't break anything when a dependent software upgrades. For instance, when a pull request is opened in the Forgejo runner, a <a href="https://code.forgejo.org/forgejo/runner/src/branch/main/.forgejo/workflows/cascade-setup-forgejo.yml">workflow</a> will also <a href="https://code.forgejo.org/actions/setup-forgejo/pulls/68/files">open a pull request</a> in setup-forgejo.</p> <p>If the CI passes on setup-forgejo, it is an additional confirmation that the proposed change in Forgejo runner does not contain a regression that would break setup-forgejo once released.</p> <h2>Governance and communication</h2> <h3>Gitea copyright assignment</h3> <p>Code contributions to Gitea now <a href="https://codeberg.org/forgejo/discussions/issues/67">require a copyright assignment</a>. It does not impact the most trivial bug fixes because they are not subject to copyright. But it means that it is not enough for a contribution to be released under the MIT license, all copyright headers must also be removed.</p> <p>This new requirement was discovered when the Forgejo security team contributed the fix for the Long-term Authentication security issue explained above. It contained files with a <code>Copyright Forgejo</code> header in addition to the <code>Copyright Gitea</code> header and was blocked for that reason. The author of the patch agreed under protest to remove their copyright headers for the sake of Gitea admin security.</p> <h3>FOSDEM 2024</h3> <p>Plans are made to organize a <a href="https://codeberg.org/forgejo/discussions/issues/65">Forgejo and Codeberg presence</a> at <a href="https://fosdem.org/2024/">FOSDEM 2024</a>. If you would like to participate, feel free to reach out in the <a href="https://matrix.to/#/#forgejo-development:matrix.org">development chatroom</a>.</p> <h3>Moderation</h3> <p>The moderation team currently has just one person, which is problematic when they are involved in a moderation action. A new member <a href="https://codeberg.org/forgejo/governance/issues/35">proposed their participation</a> to remedy this.</p> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/BradBot1">https://codeberg.org/BradBot1</a></li> <li><a href="https://codeberg.org/buhtz">https://codeberg.org/buhtz</a></li> <li><a href="https://codeberg.org/caesar">https://codeberg.org/caesar</a></li> <li><a href="https://codeberg.org/crystal">https://codeberg.org/crystal</a></li> <li><a href="https://codeberg.org/dachary">https://codeberg.org/dachary</a></li> <li><a href="https://codeberg.org/DanielGibson">https://codeberg.org/DanielGibson</a></li> <li><a href="https://codeberg.org/dikey0ficial">https://codeberg.org/dikey0ficial</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/ell1e">https://codeberg.org/ell1e</a></li> <li><a href="https://codeberg.org/fasterthanlime">https://codeberg.org/fasterthanlime</a></li> <li><a href="https://codeberg.org/fluzz">https://codeberg.org/fluzz</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/gmem">https://codeberg.org/gmem</a></li> <li><a href="https://codeberg.org/grisha">https://codeberg.org/grisha</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/hazy">https://codeberg.org/hazy</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/KOLANICH">https://codeberg.org/KOLANICH</a></li> <li><a href="https://codeberg.org/leana8959">https://codeberg.org/leana8959</a></li> <li><a href="https://codeberg.org/lm41">https://codeberg.org/lm41</a></li> <li><a href="https://codeberg.org/magicfelix">https://codeberg.org/magicfelix</a></li> <li><a href="https://codeberg.org/maltejur">https://codeberg.org/maltejur</a></li> <li><a href="https://codeberg.org/Mikaela">https://codeberg.org/Mikaela</a></li> <li><a href="https://codeberg.org/mlncn">https://codeberg.org/mlncn</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/nezbednik">https://codeberg.org/nezbednik</a></li> <li><a href="https://codeberg.org/nyncral">https://codeberg.org/nyncral</a></li> <li><a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a></li> <li><a href="https://codeberg.org/realaravinth">https://codeberg.org/realaravinth</a></li> <li><a href="https://codeberg.org/rome-user">https://codeberg.org/rome-user</a></li> <li><a href="https://codeberg.org/ryan-distrust.co">https://codeberg.org/ryan-distrust.co</a></li> <li><a href="https://codeberg.org/Sertonix">https://codeberg.org/Sertonix</a></li> <li><a href="https://codeberg.org/smxi">https://codeberg.org/smxi</a></li> <li><a href="https://codeberg.org/snematoda">https://codeberg.org/snematoda</a></li> <li><a href="https://codeberg.org/strypey">https://codeberg.org/strypey</a></li> <li><a href="https://codeberg.org/tgy">https://codeberg.org/tgy</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/xfix">https://codeberg.org/xfix</a></li> <li><a href="https://codeberg.org/xy">https://codeberg.org/xy</a></li> <li><a href="https://codeberg.org/zareck">https://codeberg.org/zareck</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Forgejo Security Release 1.20.5-0</title><link>https://forgejo.org/2023-10-release-v1-20-5-0/</link><guid isPermaLink="true">https://forgejo.org/2023-10-release-v1-20-5-0/</guid><description>The Forgejo v1.20.5-0 release adds protection to prevent a malicious actor from impersonating Forgejo users by using a copy of the database.</description><pubDate>Fri, 06 Oct 2023 00:00:00 GMT</pubDate><content:encoded><p>Today <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.20.5-0">Forgejo v1.20.5-0</a> was released.</p> <p>This release contains an <em>important security fix</em> that adds protection to prevent a malicious actor from impersonating Forgejo users by using a copy of the database, as described below.</p> <p>This release also contains bug fixes, as detailed <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-20-5-0">in the release notes</a>.</p> <h3>Recommended Action</h3> <p>We <em>strongly recommend</em> that all Forgejo installations are upgraded to the latest version as soon as possible.</p> <h3>Long term authentication token</h3> <p>When a user logs into Forgejo, they can click the <strong>Remember This Device</strong> checkbox and their browser will store a <strong>Long-term authentication</strong> token provided by the server, in a cookie that will allow them to stay logged in for a number of days as defined by the <a href="https://forgejo.org/docs/v1.20/admin/config-cheat-sheet/#security-security"><code>LOGIN_REMEMBER_DAYS</code></a> setting.</p> <h4>Impersonation</h4> <p>Given a copy of the Forgejo database, a <strong>Long-term authentication</strong> token can be constructed for any user and used to impersonate them. Such a token does not expire <code>LOGIN_REMEMBER_DAYS</code> days after it was created and remains valid for as long as users do not change their password.</p> <p>The construction of such a token does not involve any kind of brute-force or cracking, it only requires the values as stored literally in the database.</p> <h4>Protection</h4> <p>The former implementation was inherently insecure, because it allowed the <strong>Long-term authentication</strong> token to be constructed from the database alone. It is <a href="https://codeberg.org/forgejo/forgejo/commit/51988ef52bc93b63184d28395d10bf3b76914ad0">reworked</a> to require additional information from the user cookie. The idea <a href="https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies">is derived from a 2015 blog post</a> where it is explained in more detail.</p> <h3>Responsible disclosure to Gitea</h3> <p>On 6 July 2023 the <a href="https://forgejo.org/.well-known/security.txt">Forgejo security team</a> notified the Gitea security team that the mechanism responsible for long-term authentication (the 'remember me' cookie) uses a weak construction technique. A possible solution was suggested together with a more detailed explanation. We requested a 90 days embargo, after which a patch to the v1.20 point release could be published.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo, we'd love to hear from you! Open an issue on <a href="https://codeberg.org/forgejo/forgejo/issues">our issue tracker</a> for feature requests or bug reports. You can also find us <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop by <a href="https://matrix.to/#/#forgejo:matrix.org">our Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) to say hi!</p> </content:encoded></item><item><title>Forgejo v1.21 release candidates</title><link>https://forgejo.org/2023-09-release-v1210-0-rc0/</link><guid isPermaLink="true">https://forgejo.org/2023-09-release-v1210-0-rc0/</guid><description>The first Forgejo v1.21 release candidate is ready for testing. In addition to many improvements to `Forgejo Actions` it also includes an improved issue search, a hint to speed up the creation of newly pushed branches, the ability to archive labels and more.</description><pubDate>Fri, 22 Sep 2023 00:00:00 GMT</pubDate><content:encoded><p>Today the first release candidate for the upcoming Forgejo v1.21 release <a href="https://codeberg.org/forgejo-experimental/forgejo/releases/tag/v1.21.0-0-rc0">was published</a>. It is meant for testing only: <strong>do not upgrade a production instance with it</strong>.</p> <p>Beside a number of improvements to <code>Forgejo Actions</code> (<a href="https://codeberg.org/forgejo/forgejo/commit/35a653d7edbe0d693649604b8309bfc578dd988b">variables</a>, <a href="https://codeberg.org/forgejo/forgejo/commit/0d55f64e6cd3de2e1e5c0ee795605823efb14231">cron</a>, <a href="https://codeberg.org/forgejo/forgejo/commit/19872063a3c14256a1d89b2a104d63e7538a3a28">disabling workflows</a>, <a href="https://codeberg.org/forgejo/forgejo/commit/460a2b0edffe71d9e64633beaa1071fcf4a33369">artifacts cleanup</a>, <a href="https://codeberg.org/forgejo/forgejo/commit/44781f9f5c4ede618660d8cfe42437f0e8dc22a0">auto-cancellation of concurrent jobs</a>, <a href="https://codeberg.org/forgejo/forgejo/commit/f3d293d2bbe0b2eab047bdd403046069cffbc0c4">multiple artifacts</a> and more), the most prominent new features are:</p> <ul> <li><a href="https://codeberg.org/forgejo/forgejo/commit/6375419468edc95fdfac94aac3b0e10b23743557">Newly pushed branches show in the web UI with a link to create a PR</a>.</li> <li>Improved <a href="https://codeberg.org/forgejo/forgejo/commit/1e76a824bcd71acd59cdfb2c4547806bc34b3d86">issue search</a>.</li> <li>Admins can be notified via <a href="https://codeberg.org/forgejo/forgejo/commit/7d2d9970115c94954dacb45684f9e3c16117ebfe">email when a new user registers</a> to help fight spam bots.</li> <li>Labels that are no longer useful <a href="https://codeberg.org/forgejo/forgejo/commit/cafce3b4b5afb3f254a48e87f1516d7b5dc209b6">can be archived</a>. They can no longer be selected but they remain on existing issues.</li> <li>When a PR contains multiple commits, it is now <a href="https://codeberg.org/forgejo/forgejo/commit/55532061c83d38d33ef48bdc5eeac0f652844e8a">possible review to each commit independently</a>.</li> <li>In addition to the cron jobs defined to cleanup packages, it is now <a href="https://codeberg.org/forgejo/forgejo/commit/0c6ae61229bce9d9ad3d359cee927464968a2dd1">also possible to trigger the cleanup manually</a>.</li> <li>The <code>CODEOWNERS</code> file is interpreted to <a href="https://codeberg.org/forgejo/forgejo/commit/3bdd48016f659c440d6e8bb57386fab7ad7b357b">automatically set reviewers on PRs</a>.</li> <li>To improve performances, branch information is <a href="https://codeberg.org/forgejo/forgejo/commit/6e19484f4d3bf372212f2da462110a1a8c10cbf2">now cached in a database table</a>.</li> </ul> <p>The <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#draft-1-21-0-0">draft release notes</a> will be completed in the following weeks. Make sure to <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md">check the breaking changes</a> and get your production instance ready for when the v1.21 release is available.</p> <p>There also was progress regarding federation with the <a href="https://codeberg.org/forgejo/forgejo/commits/branch/forgejo-f3">F3 driver and its CLI</a> (an essential building block to synchronize forges with each other) but nothing is ready for experimenting yet.</p> <h3>Try it out</h3> <p>The release candidate is published in <a href="https://codeberg.org/forgejo-experimental">the dedicated "experimental" Forgejo organization</a> and can be downloaded from:</p> <ul> <li>Containers at <a href="https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/1.21">https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/1.21</a></li> <li>Binaries at <a href="https://codeberg.org/forgejo-experimental/forgejo/releases/tag/v1.21.0-0-rc0">https://codeberg.org/forgejo-experimental/forgejo/releases/tag/v1.21.0-0-rc0</a></li> </ul> <p>Check out the v1.21 documentation section for detailed <a href="/docs/v1.21/admin/installation">installation instructions</a>.</p> <p>It will be updated based on your feedback until it becomes robust enough to be released.</p> <h3>Help write good release notes</h3> <p>The best release notes are meant to articulate the needs and benefits of new features and the actions recommended for breaking changes so Forgejo admins quickly know if it is of interest to them.</p> <p>The <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#draft-1-21-0-0">current draft release notes</a> are still incomplete. They will be finished by the time the release is published and you can help make them better.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo, we'd love to hear from you! Open an issue on <a href="https://codeberg.org/forgejo/forgejo/issues">the issue tracker</a> for feature requests or bug reports. You can also find us <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop by <a href="https://matrix.to/#/#forgejo:matrix.org">the Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) to say hi!</p> </content:encoded></item><item><title>Forgejo monthly update - September 2023</title><link>https://forgejo.org/2023-09-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2023-09-monthly-update/</guid><description>The lifecycle of Forgejo v1.20 is coming to an end and v1.21 is entering the release candidate phase this week. There is every reason to believe this new release will go smoothly, but that should not hide the fact that there is a pressing need for more contributors. The storage settings regressions from v1.20.2-0 required more work but the issue is now resolved.</description><pubDate>Thu, 21 Sep 2023 00:00:00 GMT</pubDate><content:encoded><p>The lifecycle of Forgejo v1.20 is coming to an end and v1.21 is entering the release candidate phase this week. In addition to work on the codebase a lot also happened on the <a href="https://codeberg.org/Forgejo/website">website</a>, the <a href="https://codeberg.org/Forgejo/documentation">documentation</a> and the <a href="https://code.forgejo.org/forgejo/runner">Forgejo runner</a>.</p> <p>Judging from the activity of Forgejo contributors, there is every reason to believe this new release will go smoothly. No-one is overworked or stressed, dependencies are up to date, features are added, the technical debt is kept in check and it looks like it could go on forever. But that should not hide the fact that there are <a href="https://codeberg.org/forgejo/discussions/issues/53">many areas where progress could happen</a> if only there were more contributors.</p> <p>The past month was again dominated by the aftermath of the <a href="https://forgejo.org/2023-08-release-v1-20-3-0">storage settings regressions</a> but this unfortunate episode is, at last, concluded. It was a lesson for everyone involved on how to manage bugs that require action from the Forgejo admins because they cannot be fixed with a new release and an unattended upgrade. The recipe is simple enough but also quite time consuming: understand the problem, write tests to verify the conclusions, clearly explain what happened and provide detailed recovery recommendations.</p> <h2>Development</h2> <h3>Fixing S3 configuration bugs and regressions</h3> <p>The <a href="https://forgejo.org/docs/v1.20/admin/storage/">storage configuration</a> regressions fixed with the <a href="https://forgejo.org/2023-08-release-v1-20-3-0/#fixing-the-risk-of-data-loss-related-to-storage-sections">Forgejo v1.20.3-0</a> release were verified with newly introduced <a href="https://codeberg.org/forgejo/forgejo/src/tag/v1.20.3-0/.forgejo/upgrades/test-upgrade.sh#L268-L271">upgrade tests</a>. They were focused on local storage and assumed S3 configuration was not subject to the same issues.</p> <p>This assumption was not verified with any test and turned out to be wrong. A Forgejo instance setup to use <a href="https://garagehq.deuxfleurs.fr/">garage</a> instead of MinIO faced two simultaneous issues blocking the upgrade: the storage unexpectedly went from being in the filesystem to S3, and the S3 backend failed to initialize. The failure to initialize was a rather simple error in the settings, hidden behind a <a href="https://codeberg.org/forgejo/forgejo/pulls/1365">non human readable</a> error message. With a configuration change, the Forgejo instance was upgraded successfully.</p> <p>To help other Forgejo admins running into these bugs the storage documentation was <a href="https://codeberg.org/forgejo/docs/pulls/100">updated</a> with examples and references. The recommendations in the <a href="https://forgejo.org/2023-08-release-v1-20-3-0/#fixing-the-risk-of-data-loss-related-to-storage-sections">Forgejo v1.20.3-0 blog post</a> were also extensively updated to address both S3 and local storage. They were verified with <a href="https://codeberg.org/forgejo/forgejo/src/commit/a4369782e1cfbbc6f588c0cda5776ee823b0e493/.forgejo/upgrades/test-upgrade.sh#L577-L588">more upgrade tests</a> that do the following for a variety of storage configurations:</p> <ul> <li>start an S3 server</li> <li>start a Forgejo instance at a given version</li> <li>upload objects into all subsystems (avatars, packages, attachments, etc.)</li> <li>verify they are found where they are supposed to be</li> </ul> <p>The upgrade tests are run before each pull request is merged. They can also be extended to identify breaking changes between major Forgejo versions and verify the recommended actions to deal with them are accurate.</p> <h3>Changing the update time of issues via the API</h3> <p>The pull request to allow for setting the update times of issues and comments via the API <a href="https://codeberg.org/forgejo/forgejo/pulls/764">was merged</a>. It is one of the most fragile commits in Forgejo and was made significantly more robust with an extensive set of tests.</p> <p>When upgrading Forgejo dependencies, Forgejo can be impacted in two ways:</p> <ul> <li>the API or the codebase changed and Forgejo won't compile</li> <li>there is no conflict but the <strong>behavior</strong> changed in an incompatible way, and Forgejo tests will fail</li> </ul> <p>The Forgejo codebase is organized in a set of about 100 commits (as of today) and heavily relies on tests during upgrades. It allows maintainers to focus on meaningful problems instead of spending their valuable time manually verifying, over and over, the same features keep working.</p> <h3>User blocking</h3> <p>When a user tries to transfer a repository to a user or organization that has blocked them, <a href="https://codeberg.org/forgejo/forgejo/pulls/1436">that transfer is denied</a>. Pre-existing transfer requests are also denied when the user is blocked. <a href="https://forgejo.org/docs/v1.21/user/blocking-user/">Read more in the moderation section of the documentation</a>.</p> <p>See <a href="https://codeberg.org/forgejo/forgejo/pulls?state=closed&amp;labels=120787">all moderation pull requests</a>.</p> <h3>Publishing development versions</h3> <p>A few months ago it was <a href="https://codeberg.org/forgejo/discussions/issues/51">proposed to publish Forgejo development versions</a> on a weekly basis. This has happened in the past month and is what <a href="https://next.forgejo.org">https://next.forgejo.org</a> is running. The version number is something like <code>vX.Y.Z-test</code>, to clearly state it is not to be used for real.</p> <h3>Federation</h3> <p>The <a href="https://f3.forgefriends.org/">F3</a> Forgejo driver entered a new <a href="https://codeberg.org/forgejo/forgejo/pulls?state=closed&amp;labels=114735">development phase</a>. It goes like this:</p> <ul> <li><code>forgejo-cli f3 mirror</code> is run for upload or download on an existing repository</li> <li>a bug shows and is fixed either in:<ul> <li>the <a href="https://lab.forgefriends.org/friendlyforgeformat/gof3">gof3 package</a></li> <li>the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo-f3/services/f3/driver">Forgejo driver</a></li> </ul> </li> <li>repeat</li> </ul> <p>It is still experimental.</p> <p>See <a href="https://codeberg.org/forgejo/forgejo/pulls?state=closed&amp;labels=114735">all F3 pull requests</a>.</p> <h3>CURL based Forgejo client</h3> <p><a href="https://code.forgejo.org/forgejo/forgejo-curl">forgejo-curl.sh</a> is a new thin curl wrapper that helps with Forgejo authentication. Beyond that it does not provide anything. It is low maintenance because it only relies on the authentication logic and does not need updating when the REST API (or the web UI endpoints) change.</p> <h2>Website and documentation</h2> <p><a href="https://astro.build/">Astro</a> was <a href="https://codeberg.org/forgejo/website/pulls/362">upgraded to version 3</a>, and further improvements were made to the file layout to further separate content from code.</p> <p>A number of small improvements were made, including a <a href="https://codeberg.org/forgejo/website/pulls/366">switch to system fonts</a> to improve performance and fix a layout issue which sometimes caused scroll anchors to misbehave.</p> <p>The documentation content <a href="https://codeberg.org/forgejo/website/pulls/331">was moved</a> to <a href="https://codeberg.org/forgejo/docs">its own dedicated repository</a> to ease contribution and separate the content from the website code.</p> <p><a href="https://codeberg.org/forgejo/docs#contributing">Detailed instructions</a> are now provided for working locally on the documentation. Tooling is available to preview the results before sending a PR, and to fix linting errors. A Git hook helps to ensure badly-formatted content is not committed, and the Forgejo Actions CI helps to apply checks to the content before PRs are merged, as well as helping to backport changes to older versions of the docs where necessary.</p> <p>Creating previews for documentation PRs without exposing secrets is not a trivial problem. Some CI have a setting to take the risk. But Forgejo Actions does not work that way and that <a href="https://codeberg.org/forgejo/docs/issues/89">requires a different</a> strategy, similar to what is used when publishing Forgejo releases in order to protect the release signing key. It depends on a feature that will only be available in v1.21 and it needs more manual work in the meantime.</p> <h2>Forgejo Actions</h2> <p>The actions supporting the Forgejo runner release process are grouped into a new repository, <a href="https://code.forgejo.org/forgejo/forgejo-build-publish/">forgejo-build-publish</a>. The <a href="https://code.forgejo.org/forgejo/forgejo-build-publish/src/branch/main/build">build phase</a> and the <a href="https://code.forgejo.org/forgejo/forgejo-build-publish/src/branch/main/publish">publishing phase</a>. They are not new actions, they were copy/pasted from the <a href="https://codeberg.org/forgejo/forgejo/src/branch/v1.20/forgejo/.forgejo/actions">Forgejo main repository</a>, generalized to also be usable for the runner and verified with <a href="https://code.forgejo.org/forgejo/forgejo-build-publish/src/branch/main/.forgejo/workflows/build-publish-integration.yml">integration tests</a>.</p> <p>The <a href="https://code.forgejo.org/forgejo/runner/releases/tag/v3.0.0">new version of the Forgejo runner</a> that came out of this new release process has binaries named differently than before and unified with the Forgejo binary naming scheme.</p> <p>The <a href="https://code.forgejo.org/forgejo/-/packages/container/runner/3.0.0">container image</a> already existed but was not supported or thought through. It is now <a href="https://code.forgejo.org/forgejo/runner/src/branch/main/.forgejo/workflows/example-docker-compose.yml">tested</a> and documented with a standalone <a href="https://code.forgejo.org/forgejo/runner/src/branch/main/examples/docker-compose">docker-compose example</a> that is verified to work.</p> <p>The container image only contains the runner binary and does not run as root. The <a href="https://code.forgejo.org/forgejo/runner/src/branch/main/examples/docker-compose">docker-compose example</a> shows there is no need for anything else, even when using <code>docker:dind</code>.</p> <h2>Infrastructure</h2> <p>The infrastructure as well as the runner backends rely on <a href="https://linuxcontainers.org/lxc/">LXC system containers</a> and use <a href="https://code.forgejo.org/forgejo/lxc-helpers/">lxc-helpers.sh</a> to implement patterns common to Forgejo. Among other things, it sets the permissions of the container to run docker, nested LXC or libvirt but lacked flexibility to:</p> <ul> <li>Add more permissions to run a kubernetes cluster</li> <li>Restrict permissions for better isolation</li> </ul> <p>The new <a href="https://code.forgejo.org/forgejo/lxc-helpers/#usage"><code>--config</code> option</a> provides a range of pre-defined permissions to remedy that problem. It includes <code>k8s</code> which is <a href="https://code.forgejo.org/forgejo/lxc-helpers/src/branch/main/.forgejo/workflows/test.yml">tested</a> to work when <a href="https://code.forgejo.org/forgejo/lxc-helpers/src/commit/e59af3f4257d6baff880b4cdbcaf9d1de1f28b60/lxc-helpers-lib-test.sh#L153-L171">installing</a> <a href="https://www.rancher.com/products/k3s">k3s</a>.</p> <h2>Governance and communication</h2> <h3>Contributors team</h3> <p>The Forgejo "contributors" team was created informally and liberally to grant permissions to label issue, manage CIs and pull requests etc. To make it official it was formally proposed <a href="https://codeberg.org/forgejo/governance/pulls/32">in the governance repository</a> to be decided according to the <a href="https://codeberg.org/forgejo/governance/src/branch/main/DECISION-MAKING.md">decision making process</a>.</p> <h3>Debconf23</h3> <p>There were discussions about Forgejo at <a href="https://debconf23.debconf.org/">Debconf23</a> and a contributor to FreedomBox was interested in packaging Forgejo for Debian so that it can be distributed with FreedomBox. They could join the <a href="https://codeberg.org/forgejo-contrib/forgejo-deb">forgejo-deb</a> which already provides functional Debian GNU/Linux packages.</p> <h3>Sustainability</h3> <p>A new <a href="https://codeberg.org/forgejo/discussions/issues/53">discussion started</a> on how to absorb the workload from the Forgejo issue tracker. There is no conclusion or action planned and the problem unfortunately remains. However, Codeberg independently <a href="https://codeberg.org/Codeberg/Contributing/issues/37">sent a call for help</a> to get help with handling their scaling issues and it will hopefully attract more contributors to Forgejo.</p> <p>The <a href="https://codeberg.org/forgejo/sustainability/pulls/24">second payment</a> of the <a href="https://codeberg.org/forgejo/sustainability#2023">NLnet grant</a> was received. In total 40% of <a href="https://codeberg.org/forgejo/sustainability/src/branch/main/2022-12-01-nlnet/2023-06-workplan.md">the workplan</a> approved for the grant in June 2023 was implemented.</p> <h3>Moderation</h3> <p>Earlier this year ad-hominem attacks were published in the Forgejo spaces. This goes against the Forgejo Code of Conduct and some of these messages were redacted. The author repeatedly refused to acknowledge this was not an acceptable behavior in Forgejo spaces and recently sent threats to publish more ad-hominem attacks. <a href="https://codeberg.org/forgejo/governance/issues/31">Read more in the moderation report</a>.</p> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/Adrodoc">https://codeberg.org/Adrodoc</a></li> <li><a href="https://codeberg.org/alex19srv">https://codeberg.org/alex19srv</a></li> <li><a href="https://codeberg.org/alrs">https://codeberg.org/alrs</a></li> <li><a href="https://codeberg.org/Andre601">https://codeberg.org/Andre601</a></li> <li><a href="https://codeberg.org/belette">https://codeberg.org/belette</a></li> <li><a href="https://codeberg.org/brainchild">https://codeberg.org/brainchild</a></li> <li><a href="https://codeberg.org/caesar">https://codeberg.org/caesar</a></li> <li><a href="https://codeberg.org/crystal">https://codeberg.org/crystal</a></li> <li><a href="https://codeberg.org/CSDUMMI">https://codeberg.org/CSDUMMI</a></li> <li><a href="https://codeberg.org/cyborus">https://codeberg.org/cyborus</a></li> <li><a href="https://codeberg.org/dachary">https://codeberg.org/dachary</a></li> <li><a href="https://codeberg.org/daenney">https://codeberg.org/daenney</a></li> <li><a href="https://codeberg.org/DanielGibson">https://codeberg.org/DanielGibson</a></li> <li><a href="https://codeberg.org/DansLeRuSH">https://codeberg.org/DansLeRuSH</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/firefly-cpp">https://codeberg.org/firefly-cpp</a></li> <li><a href="https://codeberg.org/Fl1tzi">https://codeberg.org/Fl1tzi</a></li> <li><a href="https://codeberg.org/flightkick">https://codeberg.org/flightkick</a></li> <li><a href="https://codeberg.org/fluzz">https://codeberg.org/fluzz</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/GamePlayer-8">https://codeberg.org/GamePlayer-8</a></li> <li><a href="https://codeberg.org/glts">https://codeberg.org/glts</a></li> <li><a href="https://codeberg.org/gmem">https://codeberg.org/gmem</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/jetsung">https://codeberg.org/jetsung</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/mainboarder">https://codeberg.org/mainboarder</a></li> <li><a href="https://codeberg.org/mctaylors">https://codeberg.org/mctaylors</a></li> <li><a href="https://codeberg.org/meyay">https://codeberg.org/meyay</a></li> <li><a href="https://codeberg.org/Mikaela">https://codeberg.org/Mikaela</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/noisytoot">https://codeberg.org/noisytoot</a></li> <li><a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a></li> <li><a href="https://codeberg.org/RaptaG">https://codeberg.org/RaptaG</a></li> <li><a href="https://codeberg.org/realaravinth">https://codeberg.org/realaravinth</a></li> <li><a href="https://codeberg.org/rome-user">https://codeberg.org/rome-user</a></li> <li><a href="https://codeberg.org/rrahl0">https://codeberg.org/rrahl0</a></li> <li><a href="https://codeberg.org/Schoumi">https://codeberg.org/Schoumi</a></li> <li><a href="https://codeberg.org/thepaperpilot">https://codeberg.org/thepaperpilot</a></li> <li><a href="https://codeberg.org/therealpim">https://codeberg.org/therealpim</a></li> <li><a href="https://codeberg.org/valvin">https://codeberg.org/valvin</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/wh0ami">https://codeberg.org/wh0ami</a></li> <li><a href="https://codeberg.org/Wild-Turtles">https://codeberg.org/Wild-Turtles</a></li> <li><a href="https://codeberg.org/xy">https://codeberg.org/xy</a></li> <li><a href="https://codeberg.org/yeziruo">https://codeberg.org/yeziruo</a></li> <li><a href="https://codeberg.org/yoctozepto">https://codeberg.org/yoctozepto</a></li> <li><a href="https://codeberg.org/zareck">https://codeberg.org/zareck</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Forgejo Security Release 1.20.3-0</title><link>https://forgejo.org/2023-08-release-v1-20-3-0/</link><guid isPermaLink="true">https://forgejo.org/2023-08-release-v1-20-3-0/</guid><description>Forgejo v1.20.3-0 stable release update prevents leaking emails via the API and includes a safeguard to avoid data loss in case `[storage*]` sections in the `app.ini` file do not pass sanity checks.</description><pubDate>Mon, 21 Aug 2023 00:00:00 GMT</pubDate><content:encoded><p>Today <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.20.3-0">Forgejo v1.20.3-0</a> was released.</p> <p>This release includes safeguards in case <code>[storage].PATH</code> is set or conflicting storage sections are found in the <code>app.ini</code> file. For instance if both <code>[storage.packages]</code> and <code>[packages]</code> exist, the directory in which the packages are stored may change after the upgrade. Forgejo will refuse to upgrade from <code>v1.20.2-0</code> (or an earlier version) if the sanity checks fail and require manual intervention to avoid data loss, as described below.</p> <p>It also contains a <a href="https://codeberg.org/forgejo/forgejo/commit/4fd8ac0653b95fc204eade4471734b23039bca13">security fix that prevents leaking emails via the API</a>.</p> <p>Technical details of these bug fixes are available <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-20-3-0">in the release notes</a>.</p> <blockquote> <p><strong>UPDATE:</strong> this blog post was updated early September 2023 for Forgejo instances using S3 for storage. If you have read the previous version, please <a href="https://codeberg.org/forgejo/website/pulls/364/files">take a look at the diff</a>.</p> </blockquote> <h3>Recommended Action</h3> <p>We recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.</p> <h3>Fixing the risk of data loss related to <code>[storage*]</code> sections</h3> <p>A manual action is required to avoid the risk of losing data if:</p> <ul> <li>the <code>app.ini</code> file contains one or more <code>[storage*]</code> sections that are as follows:<ul> <li><code>[storage].PATH</code> is set</li> <li><code>[attachment]</code> and <code>[storage.attachments]</code> exist</li> <li><code>[lfs]</code> and <code>[storage.lfs]</code> exist</li> <li><code>[avatar]</code> and <code>[storage.avatars]</code> exist</li> <li><code>[repo-avatar]</code> and <code>[storage.repo-avatars]</code> exist</li> <li><code>[repo-archive]</code> and <code>[storage.repo-archive]</code> exist</li> <li><code>[packages]</code> and <code>[storage.packages]</code> exist</li> </ul> </li> <li>the <code>app.ini</code> file contains <code>STORAGE_TYPE = minio</code></li> <li>you are currently currently running:<ul> <li>A Forgejo version lower than <code>v1.20.3-0</code></li> <li>A Gitea version lower than <code>v1.21</code></li> </ul> </li> </ul> <p>If this is not the case this chapter does not concern you and can be skipped.</p> <h4>Bug description</h4> <p>The <a href="https://forgejo.org/docs/v1.20/admin/storage/">storage configuration</a> in the <code>app.ini</code> file was <a href="https://codeberg.org/forgejo/forgejo/commit/d6dd6d641b593c54fe1a1041c153111ce81dbc20">refactored in v1.20</a> and bugs were introduced. There were also bugs in the previous implementation and all versions up to <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-20-2-0">Forgejo v1.20.2-0</a> are impacted.</p> <p>These bugs are best explained through an example. By default the files for each subsystems - Attachments, LFS, Avatars, Repository avatars, Repository archives, Packages - are stored in a dedicated directory. For instance if <code>APP_DATA_PATH</code> is set to <code>/data</code>, the directory layout looks like this:</p> <pre><code>/data/attachments /data/lfs /data/avatars /data/repo-avatars /data/repo-archive /data/packages </code></pre> <p>But if the <code>app.ini</code> file contains the following section and no <a href="https://forgejo.org/docs/v1.20/admin/storage/">other storage related sections</a>:</p> <pre><code>[storage] PATH = /my/storage </code></pre> <p>all subsystems will share <code>/my/storage</code> instead of having their own directory. The attachments will be stored in the <code>/my/storage</code> directory, together with the avatars, the repository archives, etc.</p> <h4>Bug impact</h4> <h5>Subsystems sharing a directory</h5> <p>If <code>[storage].PATH</code> exists in the <code>app.ini</code> file it may cause some subsystems - Attachments, LFS, Avatars, Repository avatars, Repository archives, Packages - to share the same directory.</p> <p>It may not create a problem immediately and can go unnoticed for an extended period of time. But since each subsystem was designed to have a dedicated directory it will eventually:</p> <ul> <li>Create a name clash when one subsystem tries to use the same files as another subsystem</li> <li>Permanently destroy data when one subsystems delete files from another subsystem</li> </ul> <p>One example of permanent data loss is when clicking on <strong>Delete all repositories' archives (ZIP, TAR.GZ, etc..)</strong> in the system administration web page: it will not only delete the archives but also attachments, LFS files etc.</p> <h5>Misplaced data</h5> <p>When two sections related to a subsystem are found in the <code>app.ini</code> file (for instance <code>[packages]</code> and <code>[storage.packages]</code>), the location in which the data is stored may change in an unpredictable way after the upgrade to <code>v1.20.3-0</code>.</p> <p>Prior to Forgejo v1.20, using <code>STORAGE_TYPE = minio</code> in some contexts was ignored and the files were actually found in local storage (for instance the [<a href="https://codeberg.org/forgejo/forgejo/src/commit/267967e81da01279808f527b1aad509a9dbd0c1a/.forgejo/upgrades/misplace-s3-app.ini">repo-archive</a>] section <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo-development/.forgejo/upgrades/test-upgrade.sh#L451-L469">as demonstrated by this test</a>).</p> <p>The Forgejo instance will no longer find the files stored in the previous location and it will <a href="https://github.com/go-gitea/gitea/issues/26864">start populating the new location</a>. As time passes there will be no way to reconcile the content of the two locations that diverged in this way.</p> <h5>Relative paths inconsistencies</h5> <p>When the path to a <code>local</code> storage location does not start with a <code>/</code>, it is interpreted to be relative to another path. Unfortunately the logic changed across versions, as demonstrated by <a href="https://codeberg.org/forgejo/forgejo/src/commit/52ec2f30a4f7ead2acd0fdaa040662c65181fe35/.forgejo/upgrades/test-upgrade.sh#L211-L291">an extensive set of tests</a> going back to <code>Forgejo v1.18.5-0</code>.</p> <p>For instance if <code>app.ini</code> contains <code>[storage.lfs].PATH = somedir</code> it will end up in:</p> <ul> <li><code>APP_DATA_PATH/lfs</code> for <code>Forgejo v1.19.4-0</code></li> <li><code>WORK_PATH/somedir</code> for <code>Forgejo v1.20.2-0</code></li> <li><code>APP_DATA_PATH/somedir</code> for <code>Forgejo v1.20.3-0</code></li> </ul> <h4>Recommended action</h4> <p>Forgejo supports two storage backends: the file system (the default or when <code>STORAGE_TYPE = local</code> is set) and S3 compatible storage (when <code>STORAGE_TYPE = minio</code> is set). To figure out where each subsystem stores its files before the upgrade, <code>grep</code> the Forgejo logs as shown in the following example:</p> <pre><code>$ grep -e 'New.*Storage()' -e 'Initialising.*storage' &lt; forgejo.log :initAttachments() [I] Initialising Attachment storage with type: NewLocalStorage() [I] Creating new Local Storage at /data/gitea/attachments :initAvatars() [I] Initialising Avatar storage with type: NewLocalStorage() [I] Creating new Local Storage at /data/gitea/avatars :initRepoAvatars() [I] Initialising Repository Avatar storage with type: NewLocalStorage() [I] Creating new Local Storage at /data/gitea/repo-avatars :initLFS() [I] Initialising LFS storage with type: minio NewMinioStorage() [I] Creating Minio storage at 127.0.0.1:9000:forgejo with base path lfs/ :initRepoArchives() [I] Initialising Repository Archive storage with type: NewLocalStorage() [I] Creating new Local Storage at /data/gitea/repo-archive :initPackages() [I] Initialising Packages storage with type: NewLocalStorage() [I] Creating new Local Storage at /data/gitea/packages :initActions() [I] Initialising Actions storage with type: minio NewMinioStorage() [I] Creating Minio storage at 127.0.0.1:9000:forgejo with base path actions_log/ :initActions() [I] Initialising ActionsArtifacts storage with type: minio NewMinioStorage() [I] Creating Minio storage at 127.0.0.1:9000:forgejo with base path actions_artifacts/ </code></pre> <blockquote> <p><strong>NOTE:</strong> when a <a href="https://forgejo.org/docs/next/admin/installation/#installation-with-docker">Forgejo container</a> is configured using variables such as <code>-e FORGEJO__storage__PATH=/my/storage</code>, it will create an <code>app.ini</code> file that contains <code>[storage].PATH</code>. Removing this variable will not remove the section from the <code>app.ini</code> file, it has to be done manually.</p> </blockquote> <p>Follow the instructions below to update your <code>app.ini</code> so that the storage locations stay the same. Keep in mind that some manifestations of these bugs are not covered by the sanity checks preventing an upgrade that may have an impact on the storage location. For instance when relative paths are used in the <code>app.ini</code> file or other corner cases that have not been discovered yet.</p> <p>If you have any doubt about the following steps or if you suspect the storage directories are merged together as described above, <a href="https://codeberg.org/forgejo/forgejo/issues">file an issue</a> or reach out to <a href="https://matrix.to/#/#forgejo-chat:matrix.org">the chatroom</a> to get help.</p> <ul> <li><p>Before upgrading to Forgejo v1.20.3-0</p> </li> <li><p>Save the output of <code>grep -e 'New.*Storage()' -e 'Initialising.*storage'</code></p> </li> <li><p>For each <code>local</code> storage, add a section to <code>app.ini</code>, replacing the <code>PATH</code> value with the absolute path of the directory for each subsystem. Check the <a href="https://forgejo.org/docs/v1.20/admin/storage/">table in the documentation</a> to find the correspondance between the name of the subsystem displayed in the logs and the section in the <code>app.ini</code> file. For instance, the subsystem <code>Attachment</code> is associated with the <code>[attachment]</code> section:</p> <pre><code>[attachment] PATH = /my/storage/attachments </code></pre> </li> <li><p>For each <code>minio</code> storage, add the following to <code>app.ini</code>, replacing the <code>MINIO_BASE_PATH</code> value with the base path found in the logs (see the grep example above). Check the <a href="https://forgejo.org/docs/v1.20/admin/storage/">table in the documentation</a> for a correspondance between the name of the subsystem displayed in the logs and the section in the <code>app.ini</code> file. For instance, <code>LFS</code> needs:</p> <pre><code>[lfs] STORAGE_TYPE = minio MINIO_BASE_PATH = mylfs/ MINIO_ENDPOINT = 127.0.0.1:9000 MINIO_ACCESS_KEY_ID = [redacted] MINIO_SECRET_ACCESS_KEY = [redacted] MINIO_BUCKET = forgejo MINIO_LOCATION = us-east-1 </code></pre> </li> <li><p>Remove the <code>[storage]</code> section from <code>app.ini</code></p> </li> <li><p>Remove the <code>[server].LFS_CONTENT_PATH</code> entry from <code>app.ini</code> (it is the default for <code>[lfs].PATH</code>)</p> </li> <li><p>Remove the <code>[picture].AVATAR_UPLOAD_PATH</code> entry from <code>app.ini</code> (it is the default for <code>[avatar].PATH</code>)</p> </li> <li><p>Remove the <code>[picture].REPOSITORY_AVATAR_UPLOAD_PATH</code> entry from <code>app.ini</code> (it is the default for <code>[repo-avatar].PATH</code>)</p> </li> <li><p>Merge the settings found in related sections together as follow:</p> <ul> <li>move the settings found in the <code>[storage.attachments]</code> section into the <code>[attachment]</code> section and remove it (one plural, the other singular)</li> <li>move the settings found in the <code>[storage.lfs]</code> section into the <code>[lfs]</code> section and remove it</li> <li>move the settings found in the <code>[storage.avatars]</code> section into the <code>[avatar]</code> section and remove it (one plural, the other singular)</li> <li>move the settings found in the <code>[storage.repo-avatars]</code> section into the <code>[repo-avatar]</code> section and remove it (one plural, the other singular)</li> <li>move the settings found in the <code>[storage.repo-archive]</code> section into the <code>[repo-archive]</code> section and remove it (both singular)</li> <li>move the settings found in the <code>[storage.packages]</code> section into the <code>[packages]</code> section and remove it (both plural)</li> </ul> </li> <li><p>Upgrade to <code>v1.20.3-0</code> or a later version</p> </li> <li><p>Verify each subsystem uses the expected storage with <code>grep -e 'New.*Storage()' -e 'Initialising.*storage</code></p> </li> </ul> <h4>Bug fix and data recovery</h4> <p>After <a href="https://codeberg.org/forgejo/forgejo/commit/88f6f7579cdaa557333bc86b3e45bf6458d889b6">upgrading to v1.20.3-0</a> the storage settings can be used as <a href="https://forgejo.org/docs/v1.20/admin/storage/">explained in the documentation</a>. But there is unfortunately <strong>no way to automatically repair an existing instance impacted by these bugs during the upgrade</strong>.</p> <p>To address this problem:</p> <ul> <li><code>v1.20.3-0</code> and later will <strong>refuse to upgrade</strong> from <code>v1.20.2-0</code> (or an earlier version) if the sanity checks fail. Upgrading without manual verification would be taking the risk of silently changing the location in which a subsystem expects to find its files. The data would not be lost because it would still exist in the former location, but Forgejo will not find it any more. The new location will start being populated in a way that may be impossible to reconcile with the content of the former location.</li> <li><code>v1.20</code> point releases from <code>v1.20.3-0</code> and later will <strong>refuse to downgrade</strong> to <code>v1.20.1-0</code> or <code>v1.20.2-0</code>. Although it is usually possible to downgrade from a point release to a lower point release, it is forbidden in this case to protect the Forgejo instance from any risk of data loss.</li> </ul> <blockquote> <p><strong>NOTE:</strong> A recovery strategy to separate directories that were previously merged together can be to duplicate the merged data into the target directories. There can still be name clashes and it only works for <code>local</code> storage if the amount of data is not too large.</p> </blockquote> <h3>Get Forgejo v1.20</h3> <p>See the <a href="/download">download page</a> for instructions on how to install Forgejo, and read the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-20-3-0">release notes</a> for more information.</p> <h3>Upgrading</h3> <p>Carefully read <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-20-3-0">the breaking changes</a> section of the release notes.</p> <p>The actual upgrade process is as simple as replacing the binary or container image with the corresponding <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.20.3-0">Forgejo binary</a> or <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.20.3-0">container image</a>. If you're using the container images, you can use the <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.20"><code>1.20</code> tag</a> to stay up to date with the latest <code>1.20.x</code> point release automatically.</p> <p>Make sure to check the <a href="/docs/v1.20/admin/upgrade">Forgejo upgrade documentation</a> for recommendations on how to properly backup your instance before the upgrade. It also covers upgrading from Gitea, as far back as version 1.2.0. Forgejo includes all of Gitea v1.20.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo do not hold back, it is also your project. Open an issue in <a href="https://codeberg.org/forgejo/forgejo/issues">the issue tracker</a> for feature requests or bug reports, reach out <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop into <a href="https://matrix.to/#/#forgejo:matrix.org">the Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) and say hi!</p> </content:encoded></item><item><title>Forgejo summer update - July & August 2023</title><link>https://forgejo.org/2023-08-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2023-08-monthly-update/</guid><description>A new major release, Forgejo v1.20, was published. It has some interesting new features and was 100% built with Forgejo Actions. Codeberg was upgraded a few days ago and discovered an unexpected issue. It was fortunately resolved within hours and a fix will be integrated in the next point release. Meanwhile development continued on the code, the website, the documentaion etc. All signs of a healthy project that needs your help to keep going in the long run.</description><pubDate>Thu, 17 Aug 2023 00:00:00 GMT</pubDate><content:encoded><p><a href="https://forgejo.org/2023-07-release-v1201-0/">Publishing Forgejo v1.20</a> was the highlight of these past few weeks and also required more time than the previous major releases. The new features are the most attractive part of the announcement but most of the work went into listing and explaining the breaking changes in <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-20-1-0">the release notes</a>. They have to be as clear as possible for Forgejo admins asking themselves: does it matter to me? What should I do then? Unfortunately a few issues were missed and one of them caused a downtime when upgrading Codeberg. A robust and durable solution was developed as a followup.</p> <p>Meanwhile the development quietly went on, a project to produce Debian packages entered the Forgejo contrib organization, the website was reorganized internally, new documentation chapters were created, the hardware infrastructure did not cause any trouble and the Codeberg moderation dealt with spam bots efficiently. Are these signs that Forgejo is a healthy project? Definitely. Does this mean someone willing to help would be turned down because there is nothing else to do? Absolutely not! If you are serious about creating a world where Free Software can be developed with Free Software, step in, your help is needed.</p> <h3>Forgejo v1.20</h3> <p><a href="https://forgejo.org/2023-07-release-v1201-0/">Forgejo v1.20</a> was published 24 July 2023 and there are reasons to be happy about the new features described in the blog post. And also by the fact that the entire release process is now based on Forgejo Actions. It is a challenging release for Forgejo admins because there are <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-20-1-0">many breaking changes</a>. A lot of attention went into ensuring a seamless experience when upgrading from any Gitea version, v1.20 included, and there has been no report of failed upgrades so far.</p> <p>Codeberg was successfully upgraded to Forgejo v1.20.2-0 on 10 August 2023 after a few tests of database upgrades. In the days prior to the upgrade, Forgejo contributors and Codeberg volunteers worked together to figure out the potential issues and prepare the ground. A <a href="https://blog.codeberg.org/the-permissions-for-your-scoped-access-tokens-might-change-on-thursday.html">mail was sent</a> to all users a few days before, warning them to re-create their personal access tokens in order to ensure their scope were not unexpectedly modified. This was the most prominent breaking change since it required all users to be aware of its impact.</p> <p>Shortly after the upgrade all <a href="https://forgejo.org/docs/v1.20/user/packages/">packages</a> became unexpectedly unavailable and the feature was disabled while investigating. It turned out to be a regression caused by conflicting storage settings in the <code>app.ini</code> file and the problem was fixed a few hours later. The lesson was learned and the Forgejo v1.20.3-0 release will include a safeguard against that particular issue. Other bugs (with less impact) were discovered and some of them were fixed right away (<a href="https://codeberg.org/forgejo/forgejo/pulls/1240">profile rendering</a>, <a href="https://codeberg.org/forgejo/forgejo/pulls/1241">auth icons ratio</a>, <a href="https://codeberg.org/forgejo/forgejo/pulls/1242">dropzone filename hidden</a>, ...).</p> <h3>Development</h3> <p>In addition to the development areas discussed below, it is worth mentioning there has been an unprecedented amount of pull requests proposed and merged to <a href="https://codeberg.org/forgejo/forgejo/pulls?q=&amp;type=all&amp;state=closed&amp;labels=78137&amp;milestone=0&amp;assignee=0&amp;poster=26734">fix bugs</a> or implement features such as <a href="https://codeberg.org/forgejo/forgejo/pulls/1076">OpenStreetMap links in profiles</a>, <a href="https://codeberg.org/forgejo/forgejo/pulls/676">banning dots in usernames</a> or <a href="https://codeberg.org/forgejo/forgejo/pulls/1126">unifying project views</a>. A number of these changes were <a href="https://github.com/go-gitea/gitea/pulls?q=is%3Apr+author%3Aearl-warren+is%3Aclosed">contributed back</a> to Forgejo dependencies to keep the Forgejo codebase size to a minimum.</p> <h4>Federation</h4> <p>A pull request <a href="https://codeberg.org/forgejo/forgejo/pulls/764">started a few months ago</a> to allow for setting the update times of issues and comments via the API is now two tests away from being merged. It matters to federation because mirroring an issue from one forge to another so it can be displayed requires the dates are preserved which is not currently possible.</p> <p>The <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/services/f3/driver">F3</a> driver for Forgejo <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/cmd/forgejo/f3.go">now relies</a> on the <a href="https://lab.forgefriends.org/friendlyforgeformat/gof3">gof3 CLI</a> instead of implementing its own. It was made possible by a <a href="https://lab.forgefriends.org/friendlyforgeformat/gof3/-/merge_requests/63/diffs">refactor of gof3</a> that uses <a href="https://pkg.go.dev/github.com/urfave/cli/v2">urfave/v2</a> to be compatible with Forgejo. This kind of factorization reduces the redundant work required to maintain independent projects and keeps their combined codebases <a href="https://en.wikipedia.org/wiki/Don%27t_repeat_yourself">DRY</a>.</p> <p>The new <code>forgejo-cli f3 mirror</code> subcommand will do what it suggests: mirrors projects, issues, pull requests, etc. from one forge to the other. The implementation is not complete but <a href="https://codeberg.org/forgejo/forgejo/pulls/1191/files">made progress together with tests</a>.</p> <h4>Storage settings regressions</h4> <p>Around 6 August work started to deal with a difficult problem regarding storage settings (see <a href="https://codeberg.org/forgejo/website/src/commit/fb78c664e841dd97b1cb0de9c13c44c8af1d63c8/src/content/blog/2023-08-release-v1-20-3-0.md">the final draft blog post</a> if you are reading this before it is published). There are multiple cascading issues:</p> <ul> <li>The bug is found in all Forgejo releases</li> <li>Upgrading to a release fixing the bug requires manual intervention</li> <li>Implementing a safeguard has to be done before the database upgrade and after loading the settings but there is no logic to do that</li> <li>The safeguard has to prevent downgrading from a point release but the information about the previously running Forgejo instance is not available</li> <li>Testing the safeguard can only be done reliably with automated upgrade tests which do not exist</li> </ul> <p>A solution for those issues was <a href="https://codeberg.org/forgejo/forgejo/pulls/1225/commits">implemented</a> and <a href="https://codeberg.org/forgejo/forgejo/pulls/1220">backported to v1.20</a>. It was almost done when the Codeberg upgrade to v1.20 happened on 10 August and discovered one manifestation of the bug that was overlooked (conflicting <code>[packages]</code> and <code>[storage.packages]</code> sections). It was an unfortunate oversight but had the benefit of improving the fix to be released in v1.20.3-0.</p> <p>Codeberg hit the issue shortly after <a href="https://codeberg.org/forgejo/forgejo/pulls/1225#issuecomment-1037223">extensive manual upgrade testing</a> was conducted. All of which had to be repeated after fixing the newly found issue. It was a great example of why manual testing is generally a bad idea and eventually more time consuming than writing automated tests. Instead of running the upgrade tests manually again, <a href="https://codeberg.org/forgejo/forgejo/commit/884ca63738cc2e2c7cde31c649e9fa77cd590044">automated upgrade tests were implemented</a>. Although they launch multiple versions of Forgejo a dozen times, they run under five minutes.</p> <h4>Semantic Version</h4> <p>The Forgejo semantic version was used when <a href="https://codeberg.org/forgejo/forgejo/src/commit/197177510980db4d237d4f7979497622a97e1562/services/forgejo/sanity_v1TOv5_0_1Included.go">implementing the storage setting sanity checks</a>. It is not yet used for releases or public facing Forgejo version numbering. But it can be used internally.</p> <h4>Moderation</h4> <p>When a user is blocked and is also a collaborator on a repository that the blocker owns, <a href="https://codeberg.org/forgejo/forgejo/pulls/1151">that collaboration is removed</a>.</p> <h4>Publishing development versions</h4> <p>It was <a href="https://codeberg.org/forgejo/discussions/issues/51">proposed to publish Forgejo development versions</a> on a weekly basis. Although this was done as a byproduct of the weekly Forgejo rebase <a href="https://codeberg.org/forgejo/forgejo/milestones?sort=furthestduedate&amp;state=closed&amp;q=rebase">in August</a>, the discussion is still ongoing. They are only for experimentation and could be used to run <a href="https://next.forgejo.org">https://next.forgejo.org</a> which is meant to help figure out if a bug is happening in the most recent development branch.</p> <h3>Forgejo contrib</h3> <p>The <a href="https://codeberg.org/forgejo-contrib/">forgejo-contrib</a> organization is where projects related to Forgejo can find a home while they are being developed or when the long term maintenance is uncertain.</p> <h4>Debian packages for Forgejo</h4> <p>The <a href="https://codeberg.org/forgejo-contrib/forgejo-deb">Debian packages for Forgejo</a> project moved to <code>forgejo-contrib</code>. The packages <a href="https://code.forgejo.org/forgejo-contrib/-/packages">it provides</a> use the <a href="https://forgejo.org/docs/v1.20/user/packages/debian/">Debian package</a> registry that was introduced in Forgejo v1.20.</p> <h4>Helm chart for forgejo</h4> <p>A <a href="https://codeberg.org/forgejo-contrib/forgejo-helm/pulls/165">pull request was proposed</a> to the <a href="https://codeberg.org/forgejo-contrib/forgejo-helm">Helm chart for forgejo</a> to deploy the <a href="https://code.forgejo.org/forgejo/runner">Forgejo runner</a> alongside Forgejo. The <a href="https://forgejo.org/docs/v1.20/admin/actions/#offline-registration">offline registration</a> implemented in Forgejo and the runner were designed to help that particular use case.</p> <h3>Website and Documentation</h3> <p>The website <a href="https://codeberg.org/forgejo/website/pulls/323">was restructured</a> to use <a href="https://docs.astro.build/en/guides/content-collections/">Astro content collections</a> to better separate content from the source and improve maintainability over the ad-hoc system previously in use. There also were smaller changes such as <a href="https://codeberg.org/forgejo/website/pulls/329">custom 404 pages</a>.</p> <p>Now that v1.20 was published, the <a href="https://codeberg.org/forgejo/docs/src/branch/next">v1.21 documentation</a> was created to receive updates that are not relevant to v1.20 such as the <a href="https://codeberg.org/forgejo/website/pulls/335/files">new moderation features</a>.</p> <p>A <a href="https://codeberg.org/forgejo/website/pulls/292">table of content</a> was added to help navigate large pages and preparations were made to <a href="https://codeberg.org/forgejo/website/pulls/331">move the documentation into a separate repository</a>.</p> <h3>New workflow for stable releases</h3> <p>The Forgejo development branch is <a href="https://forgejo.org/docs/v1.21/developer/workflow/">rebased weekly</a> and that worked out nicely for almost a year. The same was done until last month for stable branches. It also worked well but had one confusing side effect: the tags of the stable versions could not be found in the stable version branch. For instance the <a href="https://codeberg.org/forgejo/forgejo/src/tag/v1.19.0-3">v1.93.3-0 tag</a> is not on a commit found in the <a href="https://codeberg.org/forgejo/forgejo/src/branch/v1.19/forgejo">forgejo/v1.19</a> branch. Although it did not seem to create any actual problems, it is unusual and cause for confusion.</p> <p>Early July a <a href="https://codeberg.org/forgejo/website/pulls/296">proposal was made</a> for a different workflow to address this issue. It has been adopted when the first v1.20 release was published and the <a href="https://codeberg.org/forgejo/forgejo/src/tag/v1.20.1-0">v1.20.1-0</a> and <a href="https://codeberg.org/forgejo/forgejo/src/tag/v1.20.2-0">v1.20.2-0</a> are now both found in the <a href="https://codeberg.org/forgejo/forgejo/src/branch/v1.20/forgejo">forgejo/v1.20</a> branch.</p> <h2>Infrastructure</h2> <p>There <strong>has been no issue</strong> with any of the <a href="https://forgejo.org/docs/v1.20/developer/infrastructure/">hardware in the Forgejo infrastructure</a>. It is worth mentioning resources used daily for the CI and the releases did not cause trouble.</p> <p>This kind of stability is taken for granted when relying on cloud providers but it does not happen magically. Their staff is hard at work to maintain a stable environment over time. Forgejo chose to rely on Free Software only and runs its own hardware. Part of the infrastructure is using an <a href="https://www.openstack.org/">OpenStack</a> provider, similar to AWS but based on a Free Software stack and API. The rest is running on dedicated <a href="https://linuxcontainers.org/lxc/">LXC</a> hypervisors.</p> <p>Being independent from cloud providers running proprietary software means more work for Forgejo community members. But since Free Software is <a href="https://codeberg.org/forgejo/governance/src/branch/main/MISSION.md#values">one of the core values</a> of Forgejo, it is also a requirement. The promise is to deliver a Free Software codebase but also to ensure it can be developed and released in a Free Software environment. The big question is: can the Forgejo devops team durably maintain a reliable and secure infrastructure? It is too early to tell but over four weeks of uninterrupted and stable service is a very positive sign.</p> <h2>Governance and communication</h2> <h3>Wikidata</h3> <p><a href="https://www.wikidata.org/">Wikidata</a> acts as central storage for the structured data of its Wikimedia sister projects including Wikipedia, Wikivoyage, Wiktionary, Wikisource, and others. Forgejo <a href="https://www.wikidata.org/wiki/Q115962387">has an entry</a> which was thoroughly updated. The Forgejo releases are also listed and <a href="https://www.wikidata.org/w/index.php?title=Q115962387&amp;action=history">updated by Wikidata editors</a> when they are published.</p> <h3>Sustainability</h3> <p>The <a href="https://codeberg.org/forgejo/sustainability#2023">NLnet grant</a> is progressing and some tasks related to the release process were completed. A "Requests for Payment" was <a href="https://codeberg.org/forgejo/sustainability/pulls/22">approved</a> and another <a href="https://codeberg.org/forgejo/sustainability/pulls/24">is pending</a>. The relationship between NLnet and Forgejo is not a contract in the traditional sense and a "Request for Payment" is the equivalent of an invoice, only it is payed to the beneficiary as a charitable donation. In this case the payment will go to Codeberg e.V.</p> <p>Time is as valuable as funding and Forgejo durability heavily depends on how much time volunteers are willing to devote to moderation, sorting bugs, fixing them etc. It is, in fact, arguably the most precious resource any Free Software project has. The time spent by <a href="https://codeberg.org/forgejo/sustainability#2023">one volunteer</a> was added to the sustainability repository to account for that. It is not a requirement and each volunteer decides whether or not they want their time to be accounted for in this way.</p> <h3>Moderation</h3> <p>With the upgrade to Forgejo v1.20, the <a href="https://forgejo.org/docs/v1.20/user/blocking-user/">self-moderation features</a> are available on Codeberg and were used to <a href="https://codeberg.org/forgejo/governance/issues/16">enforce the ban</a> decided on 17 March 2023 for a period of one year.</p> <p>Two spam bots posted a dozen messages that have been sent via email to people watching the Forgejo repositories. The bots were removed by the Codeberg moderation team before the incident was even noticed by the Forgejo moderation team.</p> <p>A <a href="https://codeberg.org/forgejo/governance/issues/29">moderation report was published</a> and reminds Forgejo community members that "nobody can, under any circumstances, unilaterally decide to reveal private information in Forgejo spaces. It does not only go against one of the core values of Forgejo, it also goes against the most basic expectation for privacy of every person entering Forgejo spaces".</p> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/alex19srv">https://codeberg.org/alex19srv</a></li> <li><a href="https://codeberg.org/Andre601">https://codeberg.org/Andre601</a></li> <li><a href="https://codeberg.org/aral">https://codeberg.org/aral</a></li> <li><a href="https://codeberg.org/Beowulf">https://codeberg.org/Beowulf</a></li> <li><a href="https://codeberg.org/brainchild">https://codeberg.org/brainchild</a></li> <li><a href="https://codeberg.org/caesar">https://codeberg.org/caesar</a></li> <li><a href="https://codeberg.org/chrysn">https://codeberg.org/chrysn</a></li> <li><a href="https://codeberg.org/commonism">https://codeberg.org/commonism</a></li> <li><a href="https://codeberg.org/crystal">https://codeberg.org/crystal</a></li> <li><a href="https://codeberg.org/Cyborus">https://codeberg.org/Cyborus</a></li> <li><a href="https://codeberg.org/dachary">https://codeberg.org/dachary</a></li> <li><a href="https://codeberg.org/DanielGibson">https://codeberg.org/DanielGibson</a></li> <li><a href="https://codeberg.org/diem">https://codeberg.org/diem</a></li> <li><a href="https://codeberg.org/Dirk">https://codeberg.org/Dirk</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/Eragon">https://codeberg.org/Eragon</a></li> <li><a href="https://codeberg.org/f00">https://codeberg.org/f00</a></li> <li><a href="https://codeberg.org/f0sh">https://codeberg.org/f0sh</a></li> <li><a href="https://codeberg.org/fasterthanlime">https://codeberg.org/fasterthanlime</a></li> <li><a href="https://codeberg.org/Fl1tzi">https://codeberg.org/Fl1tzi</a></li> <li><a href="https://codeberg.org/flamenco687">https://codeberg.org/flamenco687</a></li> <li><a href="https://codeberg.org/fluzz">https://codeberg.org/fluzz</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/fr33domlover">https://codeberg.org/fr33domlover</a></li> <li><a href="https://codeberg.org/g2px1">https://codeberg.org/g2px1</a></li> <li><a href="https://codeberg.org/galambborong">https://codeberg.org/galambborong</a></li> <li><a href="https://codeberg.org/gmem">https://codeberg.org/gmem</a></li> <li><a href="https://codeberg.org/GreenImp">https://codeberg.org/GreenImp</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/jb_wisemo">https://codeberg.org/jb_wisemo</a></li> <li><a href="https://codeberg.org/jklippel">https://codeberg.org/jklippel</a></li> <li><a href="https://codeberg.org/jmshrtn">https://codeberg.org/jmshrtn</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/link2xt">https://codeberg.org/link2xt</a></li> <li><a href="https://codeberg.org/louis9902">https://codeberg.org/louis9902</a></li> <li><a href="https://codeberg.org/lucajunge">https://codeberg.org/lucajunge</a></li> <li><a href="https://codeberg.org/MagicLike">https://codeberg.org/MagicLike</a></li> <li><a href="https://codeberg.org/mainboarder">https://codeberg.org/mainboarder</a></li> <li><a href="https://codeberg.org/melroy89">https://codeberg.org/melroy89</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/neveraskedtoexist">https://codeberg.org/neveraskedtoexist</a></li> <li><a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a></li> <li><a href="https://codeberg.org/oscarcp">https://codeberg.org/oscarcp</a></li> <li><a href="https://codeberg.org/PatchMixolydic">https://codeberg.org/PatchMixolydic</a></li> <li><a href="https://codeberg.org/pierreprinetti">https://codeberg.org/pierreprinetti</a></li> <li><a href="https://codeberg.org/RaptaG">https://codeberg.org/RaptaG</a></li> <li><a href="https://codeberg.org/rome-user">https://codeberg.org/rome-user</a></li> <li><a href="https://codeberg.org/snematoda">https://codeberg.org/snematoda</a></li> <li><a href="https://codeberg.org/SteffoSpieler">https://codeberg.org/SteffoSpieler</a></li> <li><a href="https://codeberg.org/thatonecalculator">https://codeberg.org/thatonecalculator</a></li> <li><a href="https://codeberg.org/update.freak">https://codeberg.org/update.freak</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/vintprox">https://codeberg.org/vintprox</a></li> <li><a href="https://codeberg.org/vladh">https://codeberg.org/vladh</a></li> <li><a href="https://codeberg.org/wetneb">https://codeberg.org/wetneb</a></li> <li><a href="https://codeberg.org/xy">https://codeberg.org/xy</a></li> <li><a href="https://codeberg.org/yverry">https://codeberg.org/yverry</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Forgejo v1.20 is available</title><link>https://forgejo.org/2023-07-release-v1201-0/</link><guid isPermaLink="true">https://forgejo.org/2023-07-release-v1201-0/</guid><description>Forgejo v1.20 is available and comes with an integrated CI, still in alpha stage but robust enough to build this release and verify all Forgejo pull requests. This release also brings customizable user profiles, a simpler Markdown editor, user blocking for self moderation, pinned issues, six more registries and many new API endpoints. As always, make sure to carefully read the breaking changes from the release notes and make a full backup before upgrading.</description><pubDate>Mon, 24 Jul 2023 00:00:00 GMT</pubDate><content:encoded><p><a href="https://forgejo.org/download/">Forgejo v1.20.1-0</a> is here and you will find the most interesting changes it introduces below. Before upgrading it is <strong>strongly recommended</strong> to make a full backup as explained in the <a href="https://forgejo.org/docs/v1.20/admin/upgrade/">upgrade guide</a> and carefully read <strong>all breaking changes</strong> from the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-20-1-0">release notes</a>. If in doubt, do not hesitate to ask for help <a href="https://floss.social/@forgejo">on the Fediverse</a>, or in the <a href="https://matrix.to/#/#forgejo-chat:matrix.org">chat room</a>.</p> <ul> <li><strong><a href="/docs/v1.20/user/actions">Actions</a></strong>: the internal CI graduated from <strong>experimental</strong> to <strong><a href="https://en.wikipedia.org/wiki/Software_release_life_cycle#Alpha">alpha</a></strong> and is now used by Forgejo to verify pull requests and to create releases, including this one. It comes with a <a href="/docs/v1.20/user/actions">user</a> documentation that includes examples and an extensive <a href="/docs/v1.20/admin/actions">administrator</a> guide to set it up. </li> <li><strong>User profile</strong>: the Forgejo home page for a user <a href="https://codeberg.org/forgejo/forgejo/commit/c090f87a8db5b51e0aa9c7278b38ddc862c048ac">can now be a Markdown file</a> instead of the list of repositories they own. </li> <li><strong>New markdown editor</strong>: the editor used when creating issues, adding comments, etc. is now <a href="https://github.com/github/markdown-toolbar-element">GitHub markdown</a>. </li> <li><strong><a href="/docs/v1.20/user/blocking-user/">Blocking users</a>:</strong> is a new self-moderation tool a user or an organization can use to prevent users from interacting with the repositories they own. </li> <li><strong><a href="https://codeberg.org/forgejo/forgejo/commit/aaa109466350c531b9238a61115b2877daca57d3">Pinned issues</a></strong>: it is now possible to select issues and pull requests to show on top of the list. </li> <li><strong>Registries:</strong> additional registries are now available for <a href="https://forgejo.org/docs/v1.20/user/packages/swift">SWIFT</a>, <a href="https://forgejo.org/docs/v1.20/user/packages/debian">debian</a>, <a href="https://forgejo.org/docs/v1.20/user/packages/rpm">RPM</a>, <a href="https://forgejo.org/docs/v1.20/user/packages/alpine">alpine</a>, <a href="https://forgejo.org/docs/v1.20/user/packages/go">Go</a> and <a href="https://forgejo.org/docs/v1.20/user/packages/cran">CRAN</a>.</li> <li><strong>API endpoints:</strong> new API endpoints are now available for <a href="https://codeberg.org/forgejo/forgejo/commit/d56bb7420184c0c2f451f4bcaa96c9b3b00c393d">email</a>, <a href="https://codeberg.org/forgejo/forgejo/commit/03591f0f95823a0b1dcca969d2a3ed505c7e6d73">renaming a user</a>, <a href="https://codeberg.org/forgejo/forgejo/commit/3cab9c6b0c050bfcb9f2f067e7dc1b0242875254">issue dependencies management</a>, <a href="https://codeberg.org/forgejo/forgejo/commit/6b0df6d8da76d77a9b5c42dcfa78dbfe197fd56d">activity feeds</a>, <a href="https://codeberg.org/forgejo/forgejo/commit/fb37eefa282543fd8ce63c361cd4cf0dfac9943c">license templates</a>, <a href="https://codeberg.org/forgejo/forgejo/commit/36a5d4c2f3b5670e5e921034cd5d25817534a6d4">gitignore templates</a>, <a href="https://codeberg.org/forgejo/forgejo/commit/cf465b472166ccf6d3e001e3043e4bf43e16e6b3">uploading files to an empty repository</a>, <a href="https://codeberg.org/forgejo/forgejo/commit/cd9a13ebb47d32f46b38439a524e3b2e0c619490">creating a branch directly from commit</a>, <a href="https://codeberg.org/forgejo/forgejo/commit/25dc1556cd70b567a4920beb002a0addfbfd6ef2">label templates</a>, <a href="https://codeberg.org/forgejo/forgejo/commit/275d4b7e3f4595206e5c4b1657d4f6d6969d9ce2">changing/creating/deleting multiple files</a>.</li> </ul> <p>Read more <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-20-1-0">in the Forgejo v1.20.1-0 release notes</a>.</p> <h3>Forgejo Actions</h3> <p>Although <a href="/docs/v1.20/user/actions">Forgejo Actions</a> is <strong>not yet production ready</strong>, it became good enough for Forgejo itself to use in production. It <a href="https://codeberg.org/forgejo/forgejo/actions">verifies pull requests</a> (see also the <a href="https://codeberg.org/forgejo/forgejo/src/commit/60b10cd66051ffd4cbdbae9a4aa63aa0f55b2e8d/.forgejo/workflows/testing.yml">testing workflow</a>), <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/.forgejo/workflows/build-release.yml">builds</a> and <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/.forgejo/workflows/publish-release.yml">publishes</a> releases (this one and the release candidates before it).</p> <p></p> <p>It is still considered <strong><a href="https://en.wikipedia.org/wiki/Software_release_life_cycle#Alpha">alpha</a></strong> stage because:</p> <ul> <li>the <a href="https://code.forgejo.org/forgejo/runner">Forgejo runner</a> is <strong>not secure enough</strong></li> <li>a single <code>Forgejo runner</code> will poll <code>Forgejo</code> every two seconds by default which is not scalable</li> <li>some errors only show in the <code>Forgejo runner</code> logs and not in the <code>Forgejo</code> user interface which is not a good user experience</li> </ul> <p></p> <p>The potential security bugs are a concern and <code>Forgejo</code> took the following precautions to reduce the risks in its own infrastructure.</p> <ul> <li><strong>Do not trust any web application with secrets.</strong> The <code>Forgejo</code> release process needs a GPG private key to sign the binaries before they are <a href="https://codeberg.org/forgejo/forgejo/releases">uploaded</a>. A web application with a large attack surface such as <code>Forgejo</code> or <code>GitLab</code> must not be trusted to keep such a secret safe. Instead a <code>Forgejo</code> instance dedicated to signing the releases was installed behind a VPN.</li> <li><strong>LXC containers confinement.</strong> All <code>Forgejo runners</code> are deployed in <a href="/docs/v1.20/developer/infrastructure/#installing-forgejo-runners">dedicated LXC containers</a> and re-installed from scratch from time to time.</li> </ul> <p>In addition, the <a href="/docs/v1.20/user/actions/#pull-request-actions-are-moderated">required pull request approval</a> prevents unknown users from triggering a task that would include a malicious workflow.</p> <h3>User profile</h3> <p>By default the profile page of a user is the list of repositories they own. It is possible to customize it with a short description that shows to the left, under their avatar. It can now be fully personalized with a markdown file that is displayed instead of the list of repositories.</p> <p></p> <p><a href="/docs/v1.20/user/profile/">Read more user profile customization</a>.</p> <h3>New markdown editor</h3> <p>The web editor used when creating issues, adding comments, etc. <a href="https://codeberg.org/forgejo/forgejo/commit/5cc0801de90d16b4d528e62de11c9b525be5d122">changed</a> from <a href="https://github.com/Ionaru/easy-markdown-editor">EasyMDE</a> to <a href="https://github.com/github/markdown-toolbar-element">GitHub markdown</a>. To help with the transition it is still possible to switch back to using EasyMDE with the double arrow button in the menubar.</p> <p></p> <p>This new markdown editor does not provide any WYSIWIG features. As <a href="https://github.github.com/markdown-toolbar-element/examples/">shown in the demo</a> it is merely a helper for users who are not familiar with <a href="https://en.wikipedia.org/wiki/Markdown">markdown</a>.</p> <p></p> <p>Want to add a list? Click on the list menu item and see that a star is inserted for you. Select a word and click the bold button so it is surrounded by two stars. Nothing fancier. By comparison the <a href="https://github.com/Ionaru/easy-markdown-editor">EasyMDE</a> editor has more features such as showing in bold the word that is surrounded by two stars.</p> <p></p> <p>Unfortunately it is no longer actively maintained and enough has long standing bugs to justify a replacement.</p> <h3>Blocking users</h3> <p>On large Forgejo instances with ten of thousands of users it may be challenging for the moderation team to properly address all requests. The most common one being a malicious user spamming issues with advertisements or unwanted noise. It will be immediately noticed by the repository owner and it may take a while for the moderation team to act.</p> <p>The owner of a repository or an organization can now block a user as soon as they notice an undesirable interaction. When they go to the profile page of the user, a new <strong>Block</strong> button shows on the left.</p> <p></p> <p>After confirmation the user will be added to the list of blocked users.</p> <p></p> <p>From the <strong>Blocked Users</strong> tab in their profile, the user can unblock them when the relationship gets better.</p> <p></p> <p>The user being blocked is not notified and does not see any difference until they try to participate in a repository from which they are blocked. Their action will fail with a message informing them they have been blocked.</p> <p></p> <p><a href="/docs/v1.20/user/blocking-user/">Read more about blocking users</a>.</p> <h3>Pin issues</h3> <p><a href="https://codeberg.org/forgejo/forgejo/commit/aaa109466350c531b9238a61115b2877daca57d3">Issues and pull requests can be pinned</a> and will show on top of the list of issues (or pull requests). They can be re-arranged by dragging them.</p> <p></p> <h3>Theming and custom templates</h3> <p>The themes and templates changed a lot in this release and there is no documentation explaining how and why. The hope is that the users will discover the changes and not be overly confused.</p> <p>This is also a reminder that Forgejo considers themes and templates to be a part of the internals and require an understanding of the source codebase to be modified and adapted after each release. In other words, if a Forgejo admin extracted templates and modified them on a v1.19 instance they will need to read the source code to figure out how they need to be modified to keep working with v1.20.</p> <h3>Federation</h3> <p>Does <code>Forgejo</code> support federation? Not yet. Was there progress? Yes.</p> <p>The monthly report <a href="https://forgejo.org/tag/report/">has details</a> on these progress and the <a href="https://forgefriends.org/blog/2023/06/21/2023-06-state-forge-federation/">State of the Forge Federation: 2023 edition</a> published last month explains how Forgejo fits in the big picture.</p> <p>Forges have existed for twenty years and none of them has achieved data portability let alone federation. Forgejo is yet to celebrate its first birthday and it will take it a little time to get there. One thing is for sure: at this point no other forge is doing concrete work in this direction.</p> <h3>Get Forgejo v1.20</h3> <p>See the <a href="/download">download page</a> for instructions on how to install Forgejo, and read the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-20-1-0">release notes</a> for more information.</p> <h3>Upgrading</h3> <p>Carefully read <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-20-1-0">the breaking changes</a> section of the release notes.</p> <p>The actual upgrade process is as simple as replacing the binary or container image with the corresponding <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.20.1-0">Forgejo binary</a> or <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.20.1-0">container image</a>. If you're using the container images, you can use the <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.20"><code>1.20</code> tag</a> to stay up to date with the latest <code>1.20.x</code> point release automatically.</p> <p>Make sure to check the <a href="/docs/v1.20/admin/upgrade">Forgejo upgrade documentation</a> for recommendations on how to properly backup your instance before the upgrade. It also covers upgrading from Gitea, as far back as version 1.2.0. Forgejo includes all of Gitea v1.20.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo do not hold back, it is also your project. Open an issue in <a href="https://codeberg.org/forgejo/forgejo/issues">the issue tracker</a> for feature requests or bug reports, reach out <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop into <a href="https://matrix.to/#/#forgejo:matrix.org">the Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) and say hi!</p> </content:encoded></item><item><title>Forgejo monthly update - June 2023</title><link>https://forgejo.org/2023-06-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2023-06-monthly-update/</guid><description>Forgejo v1.20 is around the corner. Release candidates were published and most of the activity went into testing it, updating the documentation and rebuilding the release process. Forgejo Actions is now used for all Forgejo development and releases in a spirit of dogfooding. A hardware failure and a Denial of Service (DoS) attack disrupted the work during a week but did not break anything.</description><pubDate>Fri, 07 Jul 2023 00:00:00 GMT</pubDate><content:encoded><p>Forgejo v1.20 is around the corner: <a href="../2023-06-10-release-v1/">release candidates</a> were published and most of the activity went into testing them, updating the documentation and rebuilding the release process. Although <code>Forgejo Actions</code> is not yet considered production ready, it proved stable enough to be used for all Forgejo development and releases. It did not always go smoothly and there were challenging times when a hardware failure and a Denial of Service (DoS) attack disrupted the work during a week.</p> <p>Forgejo does not do much of anything in terms of communication but <a href="https://de.wikipedia.org/wiki/Forgejo">got its first Wikipedia page</a> and was mentioned in the <a href="https://forgefriends.org/blog/2023/06/21/2023-06-state-forge-federation/">State of the Forge Federation: 2023 edition</a>. There is a great need for contributors who have strong skills that do not involve writing code, even beyond spreading the word about Forgejo, such as writing documentation, organizing video-conferences, etc. <a href="https://codeberg.org/forgejo/sustainability/issues/9#issuecomment-956394">Codeberg allocated funds</a> to Forgejo that could be used to compensate contributors willing to help but who cannot afford to be volunteers.</p> <h3>Development</h3> <h4>Forgejo v1.20</h4> <p>The first <a href="../2023-06-10-release-v1/">release candidates</a> for Forgejo v1.20 were published. The highlights are:</p> <ul> <li>The <a href="/docs/v1.20/user/actions">internal CI/CD</a> known as <code>Forgejo Actions</code> is now used by <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/.forgejo/workflows">Forgejo itself</a> and the <a href="https://code.forgejo.org/forgejo/runner/src/branch/main/.forgejo/workflows">Forgejo Runner</a> for testing pull requests and publishing releases. It is still in beta stage and disabled by default but it is stable and secure enough to be activated on <a href="https://code.forgejo.org">Forgejo's own instance</a>. An extensive <a href="/docs/v1.20/admin/actions">admin</a> and <a href="/docs/v1.20/user/actions">user</a> documentation is available.</li> <li>The User Interface (UI) and User eXperience (UX) changed significantly and will require some adjustment from users who will have to adapt to a different layout. And admins who created their own templates and styles will need to figure out, by reading the sources, how it evolved.</li> <li>New API endpoints were added (activity feeds, renaming users, uploading file, retrieving commits, etc.).</li> </ul> <p>The <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#draft-1-20-0-0">draft release notes</a> are mostly complete but they still work and contributions would be most welcome.</p> <p>Publishing one of the release candidates was made specially difficult because Codeberg suffered from a hardware failure that was followed by a DoS attack. It took about a week instead of a few hours. A similar situation happened in the early days of Forgejo, when the first release was only half published because the process unexpectedly broke at the wrong time. The release process was refactored on that occasion to be resilient to network and hardware failures. This effort paid off this time around, when the release process had to be restarted no less than a dozen times over three days until it finally succeeded.</p> <h3>Moderation</h3> <p>An <a href="https://codeberg.org/forgejo/forgejo/pulls/827">API was implemented</a> to manage blocked users in organizations and user accounts.</p> <h3>Federation</h3> <p>When artifacts (repositories, issues, etc.) are imported in Forgejo, they are now associated with a user <a href="https://codeberg.org/forgejo/forgejo/pulls/943">that acts as a placeholder if it does not already exists</a>. If that same user authenticate themselves on Forgejo via OAuth at a later time, <a href="https://codeberg.org/forgejo/forgejo/pulls/934">this placeholder will be promoted to a real user</a>.</p> <p>In other words, if a repository that belongs to Jane Doe is federated from GitLab to a Forgejo instance, she will be able to reclaim it as soon as she registers via OAuth2 on the Forgejo instance. The OAuth2 authorization from GitLab is proof enough that she is the legitimate owner of this repository.</p> <h3>Documentation</h3> <p>The Forgejo documentation is a patchwork from various sources (Codeberg, Gitea, etc.) as well as content authored by Forgejo contributors. To improve the documentation for the Forgejo v1.20 release a full pass was done to get relevant updates from these sources. In addition a new section was created with <a href="https://forgejo.org/docs/v1.20/admin/recommendations/">Recommended Settings and Tips</a>.</p> <p>The <code>Forgejo Actions</code> <a href="https://forgejo.org/docs/v1.20/admin/actions/">admin</a> guide is complete and the <a href="https://forgejo.org/docs/v1.20/user/actions/">user</a> guide got better but still requires a significant work to be finished. An effort is made to include <a href="https://code.forgejo.org/actions/setup-forgejo/src/branch/main/testdata">examples</a> that are part of the CI of actively maintained repositories so they can be verified to work.</p> <h3>Forgejo Actions</h3> <p>A <a href="https://code.forgejo.org/forgejo/runner/releases/tag/v2.1.0">new version of the Forgejo runner</a> was published to fix bugs and security issues. Although it is stable and runs for weeks uninterrupted, it is best confined on an isolated machine that is reset on a regular basis for security reasons.</p> <p>There has been no report of security issues when enabling actions in Forgejo v1.19 and <a href="https://codeberg.org/forgejo/discussions/issues/36#issuecomment-935435">Codeberg decided to enable it</a>. That allowed for a simpler release process based on Forgejo Actions for both Forgejo and the <code>Forgejo runner</code> to be <a href="https://codeberg.org/forgejo/website/pulls/230">implemented</a>. It was used to publish all release candidates in the <a href="https://codeberg.org/forgejo-experimental/">experimental</a> organization and helped fine tune it.</p> <p>The <a href="https://codeberg.org/forgejo/forgejo/src/branch/v1.19/forgejo/releases">Woodpecker CI release process</a> was still used to publish the <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.19.4-0">latest v1.19.4-0</a> release. It was retired and <a href="https://codeberg.org/forgejo-contrib/forgejo-ci-woodpecker">moved to its own repository</a> as of Forgejo v1.20.</p> <h2>Governance and communication</h2> <h3>Wikipedia</h3> <p>Earlier than expected, <a href="https://de.wikipedia.org/wiki/Forgejo">Forgejo got its first Wikipedia page</a>. It still needs secondary sources to be inserted to durably establish its notoriety but it has not yet been challenged and those can easily be added.</p> <h3>State of the Forge Federation: 2023 edition</h3> <p>In the <a href="https://forgefriends.org/blog/2023/06/21/2023-06-state-forge-federation/">State of the Forge Federation: 2023 edition</a> published 21 June Forgejo plays a central role.</p> <blockquote> <p>Late 2022 Forgejo, a new forge with a focus on federation was created. Dozens of people contributed to its making and it is now used in production by ten of thousands of users at Codeberg, Disroot, etc. This large and unforeseen undertaking diverted the energy of most contributors set to work on federation features [...]. [...] the foundations on which forge federation is being built have shifted and there is reason to hope it was for the best.</p> </blockquote> <h3>Matrix archive bot</h3> <p>The privacy expectations of people visiting the <a href="https://matrix.to/#/#forgejo:matrix.org">Forgejo chatrooms</a> is not high: they are fully aware they are publicly available and that anyone can visit them.</p> <p>But even in this context the sudden appearance of an archive bot from Matrix.org surprised a number of active participants. The bot was banned while <a href="https://codeberg.org/forgejo/discussions/issues/37">the situation was discussed</a>. A few weeks later <a href="https://codeberg.org/forgejo/discussions/issues/37#issuecomment-953680">Matrix.org shut down this service</a>. Forgejo community members were likely not the only ones to protest.</p> <h3>Governance</h3> <p>There has been some discussions about how teams are useful and why but no significant progress was made on governance otherwise.</p> <h2>Hardware</h2> <p>In addition to the hosting provided by Codeberg, Forgejo needs a very secure hardware to host the cryptographic keys used to sign releases as well as the most sensitive work of the security team. It also occasionally needs to run resource consuming Continuous Integration jobs, for instance when performing end to end testing to verify a release can actually be used in a production environment. Or when hardware emulation is required to verify multi-architecture binaries run as expected.</p> <p>A <a href="https://www.hetzner.com/dedicated-rootserver/ex101">new hardware</a> was acquired and is being configured. It suffered intermittent failures that took significant time to figure out during the first week and was eventually replaced. These investigations were an opportunity to confirm that the stack on which Forgejo hardware is deployed is solid (Debian GNU/Linux and LXC). There was little doubt about it since Codeberg uses the same. But when a machine reboots randomly multiple times per day for not apparent reason and all hardware tests confirm it should not, it is a motivation to doubt about everything.</p> <p>The <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#security">security team</a> now uses resources hosted behind a VPN at <code>octopuce.forgejo.org</code> to work together in a secure environment.</p> <h2>Roadmap</h2> <p>Forgejo is still in the process of <a href="https://codeberg.org/forgejo/discussions/issues/17">defining its roadmap</a>, a concrete strategy to move forward with federation, scaling and robustness.</p> <p>The <a href="https://codeberg.org/forgejo/sustainability/issues/1">NLnet grant</a> that was awarded last month demanded a <a href="https://codeberg.org/forgejo/sustainability/src/branch/main/2022-12-01-nlnet/2023-06-workplan.md">workplan</a>. This provides some clarity about what the beneficiaries are set to accomplish in the following areas:</p> <ul> <li>UI and accessibility improvements</li> <li>DNS-Update-Checker RFC</li> <li>Cleaner Webhook system</li> <li>A new continuous integration agent</li> <li>Tools to produce a source distribution and multi-architecture Forgejo binaries</li> <li>An integrated release pipeline based on Forgejo</li> </ul> <p>It is not a roadmap just yet, but it can help create one.</p> <h2>Funding</h2> <p>During its General Assembly, Codeberg decided to <a href="https://codeberg.org/forgejo/sustainability/issues/9#issuecomment-956394">allocate funds to Forgejo</a> and ideas are welcome to decide how they should be spent.</p> <p>A <a href="https://codeberg.org/forgejo/sustainability/issues/13">funding opportunity was discovered</a> to raise as much as 600K€ with an amount of administrative work well suited for small companies. No application was sent by the deadline (6 July). However there is <a href="https://codeberg.org/forgejo/sustainability/issues/14">another opportunity</a>, with a 31 July deadline.</p> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/alex19srv">https://codeberg.org/alex19srv</a></li> <li><a href="https://codeberg.org/Beowulf">https://codeberg.org/Beowulf</a></li> <li><a href="https://codeberg.org/caesar">https://codeberg.org/caesar</a></li> <li><a href="https://codeberg.org/circlebuilder">https://codeberg.org/circlebuilder</a></li> <li><a href="https://codeberg.org/cmonty14">https://codeberg.org/cmonty14</a></li> <li><a href="https://codeberg.org/crystal">https://codeberg.org/crystal</a></li> <li><a href="https://codeberg.org/dachary">https://codeberg.org/dachary</a></li> <li><a href="https://codeberg.org/DanielGibson">https://codeberg.org/DanielGibson</a></li> <li><a href="https://codeberg.org/DansLeRuSH">https://codeberg.org/DansLeRuSH</a></li> <li><a href="https://codeberg.org/Dirk">https://codeberg.org/Dirk</a></li> <li><a href="https://codeberg.org/dumblob">https://codeberg.org/dumblob</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/Fl1tzi">https://codeberg.org/Fl1tzi</a></li> <li><a href="https://codeberg.org/fluzz">https://codeberg.org/fluzz</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/fr33domlover">https://codeberg.org/fr33domlover</a></li> <li><a href="https://codeberg.org/GamePlayer-8">https://codeberg.org/GamePlayer-8</a></li> <li><a href="https://codeberg.org/grosmanal">https://codeberg.org/grosmanal</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/helge">https://codeberg.org/helge</a></li> <li><a href="https://codeberg.org/hrnz">https://codeberg.org/hrnz</a></li> <li><a href="https://codeberg.org/JohnWalkerx">https://codeberg.org/JohnWalkerx</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/linos">https://codeberg.org/linos</a></li> <li><a href="https://codeberg.org/macfanpl">https://codeberg.org/macfanpl</a></li> <li><a href="https://codeberg.org/maralorn">https://codeberg.org/maralorn</a></li> <li><a href="https://codeberg.org/meaz">https://codeberg.org/meaz</a></li> <li><a href="https://codeberg.org/Mikaela">https://codeberg.org/Mikaela</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/Nulo">https://codeberg.org/Nulo</a></li> <li><a href="https://codeberg.org/oewbgoieqwb">https://codeberg.org/oewbgoieqwb</a></li> <li><a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a></li> <li><a href="https://codeberg.org/RaptaG">https://codeberg.org/RaptaG</a></li> <li><a href="https://codeberg.org/samrland">https://codeberg.org/samrland</a></li> <li><a href="https://codeberg.org/update.freak">https://codeberg.org/update.freak</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/xy">https://codeberg.org/xy</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Forgejo v1.20 release candidates</title><link>https://forgejo.org/2023-06-10-release-v1200-0-rc0/</link><guid isPermaLink="true">https://forgejo.org/2023-06-10-release-v1200-0-rc0/</guid><description>The first Forgejo v1.20 release candidate is ready for testing. Discover a more stable and secure internal CI/CD with its documentation, new API features, numerous UI/UX changes and user blocking for self-moderation.</description><pubDate>Sat, 10 Jun 2023 00:00:00 GMT</pubDate><content:encoded><p>Today the first release candidate for the upcoming Forgejo v1.20 release <a href="https://codeberg.org/forgejo-experimental/forgejo/releases/tag/v1.20.0-0-rc0">was published</a> and the <a href="/docs/v1.20">documentation</a> updated. It is meant for testing only: <strong>do not upgrade a production instance with it</strong>.</p> <p>The highlights are:</p> <ul> <li>The <a href="/docs/v1.20/user/actions">internal CI/CD</a> known as <code>Forgejo Actions</code> is now used by Forgejo for <a href="https://code.forgejo.org/forgejo/runner/src/branch/main/.forgejo/workflows">testing and releasing</a> the <a href="https://code.forgejo.org/forgejo/runner/">Forgejo Runner</a>. It is still in its infancy and disabled by default but it is stable and secure enough to be activated on <a href="https://code.forgejo.org">Forgejo's own instance</a>. The documentation was updated to explain how to <a href="/docs/v1.20/admin/actions">install</a> and <a href="/docs/v1.20/user/actions">use</a> it.</li> <li>The User Interface (UI) and User eXperience (UX) changed significantly and will require some adjustment from users and admins who created their own customized templates.</li> <li>New API features and endpoints were added (activity feeds, renaming users, uploading file, retrieving commits, etc.).</li> <li>Essential sub-systems were refactored (the queue system that handles background tasks such as checking pull requests, the logger used to display Forgejo's logs, ...). In theory these changes are transparent to the Forgejo user and admin but the risk of subtle regressions is real: do not hesitate to <a href="https://codeberg.org/forgejo/forgejo/issues">reach out</a> if you suspect anything.</li> </ul> <p>The <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#draft-1-20-0-0">draft release notes</a> have a categorized list of the most significant changes:</p> <ul> <li><code>[A11Y]</code> accessibility of the web interface.</li> <li><code>[API]</code> REST API.</li> <li><code>[AUTH]</code> authentication.</li> <li><code>[CI]</code> Forgejo's own Continuous Integration.</li> <li><code>[MODERATION]</code> moderation tools.</li> <li><code>[PACKAGES]</code> package registries.</li> <li><code>[REFACTOR]</code> internal refactors.</li> <li><code>[RSS]</code> display and creation of RSS feeds.</li> <li><code>[TEMPLATES]</code> templating system used to create web pages, issues, mails, etc.</li> <li><code>[TIME]</code> time localization and readability.</li> <li><code>[UI / UX]</code> User Interface and User eXperience.</li> <li><code>[WEBHOOK]</code> webhooks and notifications triggered when something happens in Forgejo.</li> <li><code>[WIKI]</code> wiki features.</li> </ul> <p>Make sure to <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#draft-1-20-0-0">check the breaking changes</a> (look for the string <code>BREAKING</code>) and get your production instance ready for when the v1.20 release is available.</p> <p>There was progress regarding federation with the integration of the <a href="https://codeberg.org/forgejo/forgejo/commits/branch/forgejo-f3">F3 driver</a> in the codebase (an essential building block to synchronize forges with each other) but nothing is ready for experimenting yet.</p> <h3>Try it out</h3> <p>The release candidate is published in <a href="https://codeberg.org/forgejo-experimental">the dedicated "experimental" Forgejo organization</a> and can be downloaded from:</p> <ul> <li>Containers at <a href="https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/1.20">https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/1.20</a></li> <li>Binaries at <a href="https://codeberg.org/forgejo-experimental/forgejo/releases/tag/v1.20.0-0-rc0">https://codeberg.org/forgejo-experimental/forgejo/releases/tag/v1.20.0-0-rc0</a></li> </ul> <p>Checkout the v1.20 documentation section for detailed <a href="/docs/v1.20/admin/installation">installation instructions</a>.</p> <p>It will be updated based on your feedback until it becomes robust enough to be released.</p> <h3>Help write good release notes</h3> <p>The best release notes are meant to articulate the needs and benefits of new features and the actions recommended for breaking changes so Forgejo admins quickly know if it is of interest to them.</p> <p>The <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#draft-1-20-0-0">current draft release notes</a> are still incomplete. They will be finished by the time the release is published and you can help make them better.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo, we'd love to hear from you! Open an issue on <a href="https://codeberg.org/forgejo/forgejo/issues">the issue tracker</a> for feature requests or bug reports. You can also find us <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop by <a href="https://matrix.to/#/#forgejo:matrix.org">the Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) to say hi!</p> </content:encoded></item><item><title>Forgejo monthly update - May 2023</title><link>https://forgejo.org/2023-05-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2023-05-monthly-update/</guid><description>NLnet awarded a grant to Forgejo to develop its release process and additional features, starting June 2023. User blocking was implemented to protect repositories you own from unwanted interactions, an essential self-service moderation tool. An extended installation section was added to the documentation as well as a user and admin documentation for Forgejo Actions.</description><pubDate>Wed, 07 Jun 2023 00:00:00 GMT</pubDate><content:encoded><p>Forgejo was <a href="https://nlnet.nl/project/Forgejo/">awarded grant</a> from <a href="https://nlnet.nl/">https://nlnet.nl/</a> which will allow Codeberg e.V. and community members to get funding for improving the Forgejo release process and develop additional features, starting June 2023. It complements the on-going grant dedicated to federation: the features it will provide can only be deployed if releases are published and tested to work in a secure environment.</p> <p>The Codeberg moderation team is facing daily challenges that are a heavy burden. A new feature was implemented to allow <a href="/docs/v1.20/user/blocking-user">users to block someone</a> in the repositories they own, allowing them to mitigate some of the most common problems. This not only helps relieve the pressure on the moderation team of any public Forgejo instance, it also is an essential building block for federation because it creates more opportunities for unwanted attention.</p> <h2>Development</h2> <p>Forgejo depends on Gitea and over a hundred other Go packages. But Gitea is not provided or designed as a package and that creates unique challenges when upgrading, which is done on a weekly basis. Forgejo developed <a href="/docs/v1.20/developer/WORKFLOW">workflows</a> since its inception to reduce the workload.</p> <p>Every automated test reduces the scrutiny required from Forgejo contributors when upgrading Gitea. This is specially challenging when dealing with the authentication system because it has almost no test coverage. A mechanism to allow for <a href="https://codeberg.org/forgejo/forgejo/pulls/8030">dependency injection</a> in integration tests was added as well as a simple OAuth2 test to demonstrate how to use it.</p> <p>When upgrading Forgejo, database migrations are applied using a set of files and a sequential numbering to ensure their consistency. Forgejo specific database modifications <a href="https://codeberg.org/forgejo/discussions/issues/32">cannot conveniently be inserted in that sequence</a>. Instead, <a href="https://codeberg.org/forgejo/forgejo/pulls/795">a separate migration directory</a> was created and manages a set of tables prefixed with <code>forgejo_</code>. It was used in the implementation of the user blocking feature.</p> <h3>User moderation feature</h3> <p>Moderation features now <a href="/docs/v1.20/developer/WORKFLOW#moderation">have their dedicated feature branch</a>. It will contain tools that fall in two categories: self-service to help users in the simpler cases and helpers for a dedicated moderation team with admin privileges who take care of the entire Forgejo instance.</p> <p>The first to <a href="https://codeberg.org/forgejo/forgejo/pulls/540">land</a> was <a href="/docs/v1.20/user/blocking-user">user blocking</a> and <a href="https://codeberg.org/forgejo/forgejo/pulls/802">organization level blocking</a> is in progress. Blocking another user is desirable if they are acting maliciously or are spamming your repository.</p> <h3>Documentation</h3> <p>A new section was added to the documentation with a very detailed explanation of how to <a href="/docs/v1.20/admin/installation#installation-from-binary">install and setup Forgejo using a binary</a>. And also minimal install instructions for <a href="/docs/v1.20/admin/installation#installation-with-docker">container images</a>.</p> <p>Two other sections were also added for the <a href="/docs/v1.20/admin/actions">admin</a> and <a href="/docs/v1.20/user/actions">user</a> documentation of Forgejo Actions. It is still work in progress but provides the basics to <a href="/docs/v1.20/user/actions#quick-start">get started</a> and replaces the <a href="/2023-02-27-forgejo-actions">older blog post</a>.</p> <h3>Forgejo Actions</h3> <p>A CI configuration for Forgejo was <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/.forgejo/workflows">created based on Forgejo Actions</a>. Although it has been tested to work, the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/.woodpecker">Woodpecker CI</a> is still used to validate pull requests. It will be run in parallel as soon as <a href="https://codeberg.org/forgejo/discussions/issues/36">Codeberg enables Forgejo Actions</a>.</p> <p>Forgejo extensively uses <a href="https://linuxcontainers.org/lxc/">LXC</a> in the Forgejo runner. A set of shell scripts <a href="https://code.forgejo.org/forgejo/lxc-helpers/">named lxc-helpers</a> were developed, <a href="https://code.forgejo.org/forgejo/lxc-helpers/actions?workflow=&amp;state=closed">tested</a> (with Forgejo Actions) and documented in a separate repository. They are now used in various other contexts (the <a href="https://code.forgejo.org/actions/setup-forgejo">setup-forgejo</a> action or the <a href="https://lab.enough.community/main/infrastructure/-/tree/master/playbooks/forgejo">Ansible playbooks</a> used to deploy Forgejo hardware).</p> <p>The <a href="https://code.forgejo.org/forgejo/runner">Forgejo runner</a> saw <a href="https://code.forgejo.org/forgejo/runner/releases">more releases</a> and is turning more secure (releases are now GPG signed), stable and configurable.</p> <h3>Simpler and more secure release process</h3> <p>The release process was <a href="https://codeberg.org/forgejo/website/pulls/230">revisited</a>, taking the opportunity of the <a href="https://code.forgejo.org/forgejo/runner">brand new Forgejo runner</a> to do so. In a nutshell it is a set of <a href="/docs/v1.20/user/actions">Forgejo Actions</a> workflows that behave differently depending on the variables/secrets that are available. The repository is automatically mirrored in different organizations (experimental, integration, release) that have different variables/secrets to perform their expected role.</p> <p>Here is how it goes for the Forgejo runner:</p> <ul> <li>when in the <code>forgejo-integration</code> organization, <a href="https://code.forgejo.org/forgejo/runner/src/branch/main/.forgejo/workflows/build-release.yml">build the release</a></li> <li>when in the <code>forgejo-release</code> organization, safely hosted behind a VPN, use the GPG release key &amp; secrets to sign and copy the release that was created in the <code>forgejo-integration</code> organization to <a href="https://code.forgejo.org/forgejo/runner/src/branch/main/.forgejo/workflows/publish-binary.yml">publish the binary release</a> and <a href="https://code.forgejo.org/forgejo/runner/src/branch/main/.forgejo/workflows/publish-container-image.yml">the container image</a></li> </ul> <h2>Hardware</h2> <p>The <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#devops">devops team</a> completed the deployment of the new hardware at <code>octopuce.forgejo.org</code>. It is now in production and part of the <a href="https://codeberg.org/forgejo/website/pulls/230">new release process</a> that was used to produce the latest releases of the <a href="https://code.forgejo.org/forgejo/runner/releases">Forgejo runner</a>. It provides a VPN for the release team to secure the last step which involves a workflow to sign the binaries.</p> <h2>Funding</h2> <p>The NLnet grant application focused on producing quality Forgejo releases that are essential for federation to happen was <a href="https://codeberg.org/forgejo/sustainability/issues/1#issuecomment-921831">granted</a>. It will provide funding to Codeberg e.V., <a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a>, <a href="https://codeberg.org/crystal">https://codeberg.org/crystal</a> and <a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a> for their work starting in June 2023. It complements the on-going grant that provides funding for developing moderation features.</p> <p>The general assembly of Codeberg e.V. renewed its support to Forgejo and decided to allocate funding in 2023 to further Forgejo.</p> <h2>Reconciliation and Moderation</h2> <p>The <code>archive@matrix.org</code> bot entered the Forgejo chatrooms and started operating. Some Forgejo community members did not approve and asked the <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#moderation">moderation team</a> to ban it. A <a href="https://codeberg.org/forgejo/discussions/issues/37">discussion began</a> and will be concluded by a decision to accept or reject this bot.</p> <p>A few months ago a chatroom was created and is dedicated to the reconciliation of Forgejo community members. Making peace after a dispute is not easy but it happened and sets an example that will hopefully inspire more reconciliations. Until that happens the moderation team offers to act as a buffer between community members so they can contribute to Forgejo, working side by side without being forced into stressful interactions.</p> <h2>Licensing</h2> <p>Following the decision that <a href="https://codeberg.org/forgejo/governance/pulls/20">Forgejo will accept copylefted contributions</a>, a blog post was <a href="/2023-06-copyleft">published to explain</a> the reasoning. The next step is an agreement to <a href="https://codeberg.org/forgejo/governance/pulls/24">accept contributions compatible with GPLv3-or-later</a>.</p> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/buhtz">https://codeberg.org/buhtz</a></li> <li><a href="https://codeberg.org/caesar">https://codeberg.org/caesar</a></li> <li><a href="https://codeberg.org/circlebuilder">https://codeberg.org/circlebuilder</a></li> <li><a href="https://codeberg.org/CleoMenezesJr">https://codeberg.org/CleoMenezesJr</a></li> <li><a href="https://codeberg.org/crystal">https://codeberg.org/crystal</a></li> <li><a href="https://codeberg.org/dachary">https://codeberg.org/dachary</a></li> <li><a href="https://codeberg.org/DanielGibson">https://codeberg.org/DanielGibson</a></li> <li><a href="https://codeberg.org/eagle_idea">https://codeberg.org/eagle_idea</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/editfund-founder">https://codeberg.org/editfund-founder</a></li> <li><a href="https://codeberg.org/ekaitz-zarraga">https://codeberg.org/ekaitz-zarraga</a></li> <li><a href="https://codeberg.org/fluzz">https://codeberg.org/fluzz</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/fr33domlover">https://codeberg.org/fr33domlover</a></li> <li><a href="https://codeberg.org/GamePlayer-8">https://codeberg.org/GamePlayer-8</a></li> <li><a href="https://codeberg.org/greenpete">https://codeberg.org/greenpete</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/gwymor">https://codeberg.org/gwymor</a></li> <li><a href="https://codeberg.org/JakobDev">https://codeberg.org/JakobDev</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/kryptonian">https://codeberg.org/kryptonian</a></li> <li><a href="https://codeberg.org/macfanpl">https://codeberg.org/macfanpl</a></li> <li><a href="https://codeberg.org/matiaslavik">https://codeberg.org/matiaslavik</a></li> <li><a href="https://codeberg.org/Mikaela">https://codeberg.org/Mikaela</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a></li> <li><a href="https://codeberg.org/paintgoblin">https://codeberg.org/paintgoblin</a></li> <li><a href="https://codeberg.org/prcek">https://codeberg.org/prcek</a></li> <li><a href="https://codeberg.org/Sevichecc">https://codeberg.org/Sevichecc</a></li> <li><a href="https://codeberg.org/testserver22">https://codeberg.org/testserver22</a></li> <li><a href="https://codeberg.org/tgy">https://codeberg.org/tgy</a></li> <li><a href="https://codeberg.org/thatonecalculator">https://codeberg.org/thatonecalculator</a></li> <li><a href="https://codeberg.org/timmwille">https://codeberg.org/timmwille</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/wxiaoguang">https://codeberg.org/wxiaoguang</a></li> <li><a href="https://codeberg.org/xy">https://codeberg.org/xy</a></li> <li><a href="https://codeberg.org/zander">https://codeberg.org/zander</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Forgejo welcomes copyleft contributions</title><link>https://forgejo.org/2023-06-copyleft/</link><guid isPermaLink="true">https://forgejo.org/2023-06-copyleft/</guid><description>The world of Free Software includes copylefted software and Git is one of the most widely known example. Distributing Forgejo under a permissive license means that all copyleft authors and software are excluded from participating in its development. The community made a decision to change that status quo and welcome copyleft contributions, just like Git.</description><pubDate>Tue, 06 Jun 2023 00:00:00 GMT</pubDate><content:encoded><p>Developers who choose to publish their work under a copyleft license are excluded from participating in software that is published under a permissive license. That is at the opposite of the <a href="https://codeberg.org/forgejo/governance/src/branch/main/MISSION.md#values">core values</a> of the Forgejo project and <a href="https://codeberg.org/forgejo/governance/pulls/20">it was decided to also accept copylefted</a> contributions. Will this change anything for Forgejo users? Not a thing since they already use and install one of the most successful copyleft software alongside Forgejo: Git. Will this change anything for Forgejo developers? Not a thing since they can keep contributing under the license of their choice. <strong>Just like Git, Forgejo will be copyleft.</strong></p> <h2>Forgejo users already welcome copyleft</h2> <p>Forgejo is a <a href="https://en.wikipedia.org/wiki/Forge_(software)">software forge</a>, an online development environment, based on <a href="https://en.wikipedia.org/wiki/Git">Git</a>. <strong>Both Forgejo and Git must be installed together</strong>, either as individual binaries or bundled into the <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.19-rootless">official container images</a>. The license of Git is <a href="https://git-scm.com/about/free-and-open-source">GNU GPLv2</a> which is a <a href="https://www.gnu.org/licenses/copyleft.html">copyleft license</a>. Although the Forgejo codebase includes basic support for <a href="https://github.com/go-git/go-git">go-git</a>, a Go package distributed under a permissive license that can be used in place of Git, it is not supported or packaged because it is <a href="https://github.com/go-git/go-git/blob/master/COMPATIBILITY.md">not fully compatible</a> and could corrupt Git repositories.</p> <p>There are legal obligations attached to copyleft software which are, in a nutshell, to offer the source code with the binary under the same license. For instance, if an employee was to distribute a Git binary to someone else, the organization they work for can be required to also provide the <a href="https://sfconservancy.org/copyleft-compliance/glossary.html">complete and corresponding source</a>. And if they fail to do so, they may loose all their rights under the license, at least until the copyright holders agree to grant them back. For this reason some organizations exclude copyelfted software entirely. However, <strong>when they use Git, it means the legal counsel has no objection to copylefted software.</strong></p> <h2>What will change in Forgejo?</h2> <p>The license of Forgejo will change to be copyleft when a copylefted work is merged. The most likely candidate is, for instance, when a Go package is discovered that provides an interesting functionality.</p> <p>Before it happens a decision will be made by the community to choose a copyleft license, in accordance to the <a href="https://codeberg.org/forgejo/governance/src/branch/main/DECISION-MAKING.md">Forgejo decision making process</a>. The chosen license will apply to Forgejo as a whole (binary and sources) but each file within the codebase will retain its own license. This is nothing new as Forgejo <a href="https://code.forgejo.org/assets/js/licenses.txt">already includes various licenses</a> and contributors are expected to agree to the <a href="/docs/v1.20/developer/DCO">Developer Certificate of Origin</a>.</p> <p>Developers who feel strongly about exclusively publishing their work under a permissive license can keep doing so when working on Forgejo. By the terms of this permissive license, they accept that their work can be sublicensed and redistributed under a proprietary license. And they also accept that it can be sublicensed and redistributed as part of Forgejo, under a copyleft license.</p> </content:encoded></item><item><title>Forgejo monthly update - April 2023</title><link>https://forgejo.org/2023-04-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2023-04-monthly-update/</guid><description>Codeberg upgraded to Forgejo v1.19 and, as can be expected from the largest instance in existence, hit a performance issue which was dealt with quickly. The security of Forgejo actions and the release process was a focus with solutions being found that involve LXC and a VPN. Federation is taking a step forward with the F3 driver entering the Forgejo development branch.</description><pubDate>Sat, 20 May 2023 00:00:00 GMT</pubDate><content:encoded><p>Codeberg upgraded to Forgejo v1.19 and, as can be expected from the largest instance in existence, <a href="https://codeberg.org/forgejo/forgejo/issues/680">hit a performance issue</a> which was dealt with quickly.</p> <p>The security of Forgejo actions and the release process was a strong focus. It is critical for Forgejo actions to be used in production safely: a random Codeberg user must be able to rely on the CI by submitting a pull request without putting the underlying infrastructure at risk. A solution based on <a href="https://linuxcontainers.org/lxc/">LXC</a> is implemented. To improve the security of the release pipeline, the devops team is deploying a Forgejo instance and runner on a dedicated hardware behind a VPN to sign the binaries.</p> <p>There also are noteworthy activities in the <a href="https://codeberg.org/forgejo-contrib/delightful-forgejo">wider Forgejo community</a> not covered in this update.</p> <h3>Forgejo v1.19 point releases</h3> <p>Three point releases were published (<a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-19-1-0">1.19.1-0</a>, <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-19-2-0">1.19.2-0</a> and <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-19-3-0">1.19.3-0</a>).</p> <p>Codeberg.org waited until Forgejo v1.19 proved to be stable enough to upgrade. It did not go smoothly because of a <a href="https://codeberg.org/forgejo/forgejo/issues/680">performance issue</a>. However, a diagnostic and a workaround were found and applied within 24h. This problem impacts all Forgejo v1.19 instances but was only noticed in Codeberg.org because of its scale. It will be properly fixed in the next point release.</p> <p>To make them easier to digest for the Forgejo administrators and users, the release notes now have detailed explanations of the most prominent changes. This is specially useful for security fixes to better understand their impact and evaluate the urgency of the update on a case by case basis.</p> <p>The <a href="/docs/v1.19/user/semver">Forgejo semantic version</a> is included in the release notes as a reminder that it can be used for scripting to automatically identify a release that includes a breaking change and avoid unexpected downtime.</p> <h3>A step towards federation</h3> <p>For federation to happen, Forgejo instances must be able to mirror each other. It is different from being able to migrate a project from one instance to another. The <a href="https://forum.forgefriends.org/t/about-the-friendly-forge-format-f3/681">F3</a> reference <a href="https://lab.forgefriends.org/friendlyforgeformat/gof3">implementation</a>, which is still in development stage, will allow for mirroring a single issue as well as an entire project.</p> <p>A <a href="https://codeberg.org/forgejo/forgejo/commits/branch/forgejo-f3">F3 driver</a> was developed for Forgejo and merged into the development branch. It is not ready for experimenting but it passes some integration tests and will be part of the weekly round of rebase together with the other Forgejo feature branches.</p> <h3>Forgejo actions progress</h3> <p>As an experimental feature, <a href="/2023-02-27-forgejo-actions">Forgejo actions</a> keeps improving. The <a href="https://codeberg.org/forgejo/runner">Forgejo runner</a> saw a few more releases, <a href="https://codeberg.org/forgejo/runner/src/branch/main/.forgejo/workflows/release.yml">using itself</a> in a nicely recursive way.</p> <p>It is developed on <a href="https://code.forgejo.org/">code.forgejo.org</a> which runs Forgejo v1.19 and includes a CLI that allows it to obtain a registration token: <code>forgejo actions generate-runner-token</code>. It was not documented or advertised which led to confusion when it was changed to match the Gitea implementation that came later. It is fine when a feature is experimental. But it was a reminder that care must be taken when introducing new features in Forgejo so they do not conflict with Gitea and other dependencies.</p> <p><a href="https://linuxcontainers.org/lxc/">LXC</a> is confirmed to be a good option for job isolation. The runner is based on <a href="https://github.com/nektos/act/">ACT</a> which is designed to run jobs on a local machine and assumes its user is trusted. When running a job from a pull request authored by less trusted users, their ability to use docker as a mean to access files from the host becomes problematic. One option is to spawn a <a href="https://hub.docker.com/_/docker/tags?page=1&amp;name=dind">dind</a> on every job. Another is to run the job in LXC.</p> <h3>Hardware infrastructure</h3> <p>The <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#devops">devops team</a> was <a href="https://codeberg.org/forgejo/governance/pulls/21">appointed</a> in accordance to the <a href="https://codeberg.org/forgejo-contrib/governance/src/branch/main/DECISION-MAKING.md">decision making process</a>. It is responsible for the day to day operations of <a href="https://code.forgejo.org">https://code.forgejo.org</a>, <a href="https://next.forgejo.org">https://next.forgejo.org</a> and <a href="https://forgejo-ci.codeberg.org">https://forgejo-ci.codeberg.org</a>.</p> <p>A new hardware at <code>octopuce.forgejo.org</code> is being deployed and provides a VPN for the release team to secure the last step which involves a pipeline to sign the binaries. It reduces the <a href="https://en.wikipedia.org/wiki/Attack_surface">attack surface</a> compared to using a public facing Forgejo instance to do the same. It will first be used for releasing the Forgejo runner and, when stabilized, Forgejo itself.</p> <h2>Grant applications</h2> <p>The NLnet grant application focused on producing quality Forgejo releases that are essential for federation to happen was <a href="https://codeberg.org/forgejo/sustainability/issues/1#issuecomment-911709">accepted to the next step</a>. This is the last one and it will few weeks before the final decision is known.</p> <h2>Moderation team</h2> <p>The <a href="https://codeberg.org/forgejo/governance/src/branch/main/TEAMS.md#moderation">moderation team</a> now has <a href="https://codeberg.org/forgejo/governance/pulls/23">one member</a>. All moderation actions are <a href="https://codeberg.org/forgejo/governance/src/branch/main/MODERATION-PROCESS.md">bound to the moderation process</a> for transparency and audit by the Forgejo community.</p> <h2>Licensing</h2> <p>It was decided on principle that <a href="https://codeberg.org/forgejo/governance/pulls/20">Forgejo would accept copylefted contributions</a>. Before it happens a decision will need be made on the choice of a license. Until then the licensing terms of Forgejo are not modified.</p> <h2>We Forge</h2> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/bat">https://codeberg.org/bat</a></li> <li><a href="https://codeberg.org/borega">https://codeberg.org/borega</a></li> <li><a href="https://codeberg.org/braydofficial">https://codeberg.org/braydofficial</a></li> <li><a href="https://codeberg.org/caesar">https://codeberg.org/caesar</a></li> <li><a href="https://codeberg.org/carlokok">https://codeberg.org/carlokok</a></li> <li><a href="https://codeberg.org/circlebuilder">https://codeberg.org/circlebuilder</a></li> <li><a href="https://codeberg.org/crystal">https://codeberg.org/crystal</a></li> <li><a href="https://codeberg.org/dachary">https://codeberg.org/dachary</a></li> <li><a href="https://codeberg.org/DanielGibson">https://codeberg.org/DanielGibson</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/fluzz">https://codeberg.org/fluzz</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/fr33domlover">https://codeberg.org/fr33domlover</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/kuhnchris">https://codeberg.org/kuhnchris</a></li> <li><a href="https://codeberg.org/LordMZTE">https://codeberg.org/LordMZTE</a></li> <li><a href="https://codeberg.org/Lvceo">https://codeberg.org/Lvceo</a></li> <li><a href="https://codeberg.org/msrd0">https://codeberg.org/msrd0</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/NextFire">https://codeberg.org/NextFire</a></li> <li><a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a></li> <li><a href="https://codeberg.org/silverwind">https://codeberg.org/silverwind</a></li> <li><a href="https://codeberg.org/soas">https://codeberg.org/soas</a></li> <li><a href="https://codeberg.org/spooky-overwrite">https://codeberg.org/spooky-overwrite</a></li> <li><a href="https://codeberg.org/Valenoern">https://codeberg.org/Valenoern</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/WRMSR">https://codeberg.org/WRMSR</a></li> <li><a href="https://codeberg.org/wxiaoguang">https://codeberg.org/wxiaoguang</a></li> <li><a href="https://codeberg.org/xtex">https://codeberg.org/xtex</a></li> <li><a href="https://codeberg.org/xy">https://codeberg.org/xy</a></li> <li><a href="https://codeberg.org/zander">https://codeberg.org/zander</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Forgejo monthly update - March 2023</title><link>https://forgejo.org/2023-03-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2023-03-monthly-update/</guid><description>Forgejo v1.19, the first major upgrade, was published by the release team. Although still experimental, Forgejo Actions is now used daily to develop and maintain the runner. The `setup-forgejo` action was created to spawn a Forgejo instance for the duration of a test.</description><pubDate>Mon, 10 Apr 2023 00:00:00 GMT</pubDate><content:encoded><p><a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.19.0-2">Forgejo v1.19</a> was published. It is the first major upgrade and was a critical milestone to verify the development strategy of the soft fork actually works. The release team was <a href="https://codeberg.org/forgejo/governance/issues?q=application%20to%20release%20team&amp;type=all&amp;sort=&amp;state=closed&amp;labels=&amp;milestone=0&amp;assignee=0&amp;poster=0">legitimized by the community</a> in accordance to the <a href="https://codeberg.org/forgejo-contrib/governance/src/branch/main/DECISION-MAKING.md">decision making process</a>, as promised when Forgejo was created.</p> <p>Forgejo Actions, the experimental integrated CI, now runs on the new Forgejo infrastructure which includes two instance. One <a href="https://next.forgejo.org">for experimenting and debugging</a> and another dedicated to <a href="https://code.forgejo.org">Forgejo development</a>. In a spirit of dogfooding, the <a href="https://code.forgejo.org/forgejo/runner">Forgejo runner</a> that spawns CI jobs is now <a href="https://code.forgejo.org/forgejo/runner/src/branch/main/.forgejo/workflows/release.yml">released using Forgejo Actions</a>. A new action, <a href="https://code.forgejo.org/actions/setup-forgejo">setup-forgejo</a> was also created to conveniently spawn a Forgejo instance for the duration of a test.</p> <p>There also are noteworthy activities in the <a href="https://codeberg.org/forgejo-contrib/delightful-forgejo">wider Forgejo community</a> not covered in this update.</p> <h3>Forgejo v1.19 release</h3> <p>On 21 March 2023 <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.19.0-2">Forgejo v1.19</a> was <a href="/2023-03-release-v1">released</a>. It was challenging to figure out how <a href="/docs/v1.19">the new documentation</a> and additional binaries required for <a href="/2023-02-27-forgejo-actions">Forgejo Actions</a> fit in.</p> <ul> <li>The documentation is versioned and maintained in a directory that has the same name as the Forgejo release</li> <li>The <a href="https://code.forgejo.org/forgejo/runner">Forgejo runner</a> is released independently and tested to be compatibility with existing Forgejo releases</li> </ul> <p>Forgejo v1.19 includes all of Gitea v1.19 and the upgrade went smoothly. If Gitea was a Go package with a documented API it would be as easy as upgrading one of the <a href="https://codeberg.org/forgejo/forgejo/src/commit/4c132e77ea2cba9a1161f4cfc18b82b9e2e1b35f/go.mod">other Forgejo dependencies</a>. But it is not and that's where the difficulty of a soft fork resides.</p> <p>The Forgejo strategy, since its inception, is to rebase <a href="https://codeberg.org/forgejo/forgejo/milestones?state=closed&amp;q=rebase">on top of Gitea weekly</a>. The Forgejo commit series are kept to a minimum (for instance by <a href="https://codeberg.org/forgejo/forgejo/pulls/590">squashing related commits</a>) and conflicts, if any, are resolved (for instance <a href="https://codeberg.org/forgejo/forgejo/pulls/552">changing from less to css</a> required reworking the commit implementing the Forgejo themes). It turns out to be sustainable and the associated maintenance work stays the same over time. Considering that hundreds of commits have been merged in Forgejo over the past four months, there were many opportunities for a rebase to go wrong and get stuck because of conflicts. The absence of problems during the Forgejo v1.19 release is a sign that this strategy is working.</p> <p>When Forgejo started, people stepped up to create the releases. There was no decision making process at the time and no clear way for the community to agree that they could be trusted with this role. They were part of <a href="https://codeberg.org/forgejo/forgejo/src/commit/f46d4279c7b562648bbc17afedfe044b774185ac/CONTRIBUTING/GOVERNANCE.md#interim-forgejo-governance">an interim governance</a> and pledged to resign as soon as a governance was in place. They fulfilled this promise 2 March 2023 by <a href="https://codeberg.org/forgejo/governance/issues?q=application%20to%20release%20team&amp;type=all&amp;sort=&amp;state=closed&amp;labels=&amp;milestone=0&amp;assignee=0&amp;poster=0">applying</a> to become legitimate members of the Forgejo release team in accordance to the <a href="https://codeberg.org/forgejo-contrib/governance/src/branch/main/DECISION-MAKING.md">decision making process</a>. They got an agreement a few weeks later and there now is a Forgejo release team agreed upon by the Forgejo community.</p> <h3>A dedicated Forgejo infrastructure</h3> <h4>next.forgejo.org</h4> <p>A volatile Forgejo v1.19 instance dedicated to trying new features and demonstrate bugs is now running at <a href="https://next.forgejo.org">https://next.forgejo.org</a>. It is <a href="/">linked from the website</a> and in the <a href="https://codeberg.org/forgejo/forgejo/issues/new?template=.gitea%2fISSUE_TEMPLATE%2fbug-report.md">bug report template</a>.</p> <h4>code.forgejo.org</h4> <p>The experimental integrated CI that comes with Forgejo v1.19 is not just a new feature, it also depends on:</p> <ul> <li>a new binary, <a href="https://code.forgejo.org/forgejo/runner">Forgejo runner</a>, that is responsible for running the CI jobs</li> <li>a repository of <a href="https://code.forgejo.org/actions">reusable Free Software Actions</a></li> </ul> <p>They both need to be tested and it would be convenient if Forgejo Actions was enabled on Codeberg. There would be no need for Codeberg to provide a runner: it can be run and connected independently, using a token specific to a given repository. Forgejo would spawn a runner and it would work without requiring any resource from Codeberg. However, there are at least two reasons for waiting until Forgejo v1.20 or v1.21 before enabling this feature on Codeberg, even without providing runners to Codeberg users:</p> <ul> <li>it is still experimental and fragile</li> <li>it may have security issues</li> </ul> <p>To solve that problem an instance of Forgejo was installed at <a href="https://code.forgejo.org">https://code.forgejo.org</a>. It has a registration open to Codeberg users and is dedicated to Forgejo related development. It has Actions enabled and provides a runner to selected repositories.</p> <h4>The devops team</h4> <p>These machines need devops and <a href="https://codeberg.org/forgejo/governance/issues?type=all&amp;state=open&amp;labels=&amp;milestone=0&amp;assignee=0&amp;poster=0&amp;q=devops+team">applications to the devops team</a> are in progress. Their role is, in a nutshell, to keep all machines Forgejo depends on in a healthy state. That includes the <a href="https://codeberg.org/forgejo/sustainability#hardware">new machine</a> made available to the Forgejo project, which could be used to host code.forgejo.org.</p> <h3>Dogfooding Forgejo Actions</h3> <p>Forgejo provides some essential Actions in a <a href="https://code.forgejo.org/actions">dedicated organization</a>. As one can expect of any function in Go or Python, Actions are not immune to typos, regressions or subtle misbehavior, just like the software they are designed to test. Testing is even more important in a distributed environment where each Action is maintained by different groups of people and have their own lifecycle.</p> <p>The CI of the <a href="https://code.forgejo.org/forgejo/runner/">Forgejo Runner</a> itself relies on workflows that use actions for:</p> <ul> <li>Running <a href="https://code.forgejo.org/forgejo/runner/src/branch/main/.forgejo/workflows/test.yml">unit tests</a></li> <li><a href="https://code.forgejo.org/forgejo/runner/src/branch/main/.forgejo/workflows/release.yml">Publishing</a> its own <a href="https://code.forgejo.org/forgejo/runner/releases">releases</a></li> <li><a href="https://code.forgejo.org/forgejo/runner/src/branch/main/.forgejo/workflows/release.yml">Integration testing</a> to verify it performs as intended with a live Forgejo instance</li> </ul> <p>The Forgejo Runner integration tests <a href="https://codeberg.org/forgejo/runner/src/commit/bcd6096e5b0fb701eca85a391c0dafb0f606fc85/.forgejo/workflows/integration.yml#L16-L21">uses</a> a new <a href="https://code.forgejo.org/actions/setup-forgejo">setup-forgejo action</a>. It runs a Forgejo instance for the duration of the test, very much like a MySQL or PostgreSQL service. It can conveniently be used by software that depends on Forgejo, for instance to test interactions with the Forgejo API instead of relying on mocks.</p> <p>The <code>setup-forgejo</code> action uses itself, recursively, for <a href="https://code.forgejo.org/actions/setup-forgejo/src/branch/main/.forgejo/workflows/integration.yml">integration testing</a> with two levels of nesting:</p> <ul> <li>Forgejo 0: <a href="https://code.forgejo.org">https://code.forgejo.org</a> is a Forgejo instance that hosts <a href="https://code.forgejo.org/actions/setup-forgejo">setup-forgejo</a>.</li> <li>Forgejo 1: when a pull request is proposed <code>setup-forgejo</code>, the CI job creates a brand new Forgejo instance with a runner to experiment with the proposed change.</li> <li>Forgejo 2: The <a href="https://code.forgejo.org/actions/setup-forgejo/src/branch/main/testdata/sanity-checks/.forgejo/workflows/test.yml">experiment</a> consists of running <code>setup-forgejo</code> and verify the Forgejo instance it creates actually works as expected.</li> </ul> <p>This is <a href="https://code.forgejo.org/forgejo/act/commit/bc24ebba1bceacf5c2d890caef9ad824ad9d2f80">made possible</a> by enabling <a href="https://linuxcontainers.org/">LXC</a> system containers in the runner. With the additional benefit of allowing <code>systemd</code> to run, installing <code>docker</code> instead of <code>dind</code> etc.</p> <h3>The Forgejo Community is healing</h3> <p>In February 2023 someone new (who wasn't a contributor that the project is relying on) joined the chat and issue tracker, spoke repeatedly in ways that was hurtful/painful to Forgejo community members, and did not seem to have capacity to speak more sensitively, despite offers for support and repeated requests. It was eventually decided to <a href="https://codeberg.org/forgejo/governance/issues/8">remove this person from the project</a> during a year. But the tension they created did not dissipate instantly. In March 2023 it distracted community members from productive and important work on governance, strategy and development. Some community members went silent, others were on edge and <a href="https://codeberg.org/forgejo/governance/issues/16">more moderation actions were taken</a>.</p> <p>It is in the nature of inclusive communities to be subject to that sort of trouble in their infancy, when they are still fragile. Some can be destroyed for good, others may choose to be less inclusive to better protect the members of their inner circles. Something different is happening in Forgejo. Late March it went back to be the quiet and productive space it once was. Community members who were silent during the troubles came back. A <a href="https://codeberg.org/forgejo/governance/pulls/17/files">moderation process</a> was proposed and was field tested. It is a little early to be sure but it appears the community is healing and is now better protected from negative influence, without sacrificing on inclusiveness.</p> <h3>Grant applications</h3> <p>As a followup to questions sent by NLnet on <a href="https://codeberg.org/forgejo/sustainability/issues/1">a grant application</a> to create a Forgejo distribution, potential beneficiaries worked on a <a href="https://codeberg.org/forgejo/sustainability/issues/1#issuecomment-855819">detailed project plan</a>. It was sent late March and it will take a few weeks before a reply is received to determine if it is allowed to proceed to the next step.</p> <p>Another <a href="https://codeberg.org/forgejo/sustainability/issues/4#issuecomment-840994">grant application focused on improving Forgejo UI/UX</a> was declined.</p> <h3>We Forge</h3> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/aral">https://codeberg.org/aral</a></li> <li><a href="https://codeberg.org/caesar">https://codeberg.org/caesar</a></li> <li><a href="https://codeberg.org/circlebuilder">https://codeberg.org/circlebuilder</a></li> <li><a href="https://codeberg.org/crystal">https://codeberg.org/crystal</a></li> <li><a href="https://codeberg.org/cweiske">https://codeberg.org/cweiske</a></li> <li><a href="https://codeberg.org/dachary">https://codeberg.org/dachary</a></li> <li><a href="https://codeberg.org/delvh">https://codeberg.org/delvh</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/Eragon">https://codeberg.org/Eragon</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/fr33domlover">https://codeberg.org/fr33domlover</a></li> <li><a href="https://codeberg.org/fsologureng">https://codeberg.org/fsologureng</a></li> <li><a href="https://codeberg.org/GamePlayer-8">https://codeberg.org/GamePlayer-8</a></li> <li><a href="https://codeberg.org/Gusted">https://codeberg.org/Gusted</a></li> <li><a href="https://codeberg.org/jan_x7">https://codeberg.org/jan_x7</a></li> <li><a href="https://codeberg.org/jerger">https://codeberg.org/jerger</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/KOLANICH">https://codeberg.org/KOLANICH</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/NextFire">https://codeberg.org/NextFire</a></li> <li><a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a></li> <li><a href="https://codeberg.org/redwerkz">https://codeberg.org/redwerkz</a></li> <li><a href="https://codeberg.org/Ryuno-Ki">https://codeberg.org/Ryuno-Ki</a></li> <li><a href="https://codeberg.org/SHuRiKeN">https://codeberg.org/SHuRiKeN</a></li> <li><a href="https://codeberg.org/tallship">https://codeberg.org/tallship</a></li> <li><a href="https://codeberg.org/TheEvilSkeleton">https://codeberg.org/TheEvilSkeleton</a></li> <li><a href="https://codeberg.org/trymeout">https://codeberg.org/trymeout</a></li> <li><a href="https://codeberg.org/uda">https://codeberg.org/uda</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/wxiaoguang">https://codeberg.org/wxiaoguang</a></li> <li><a href="https://codeberg.org/xtex">https://codeberg.org/xtex</a></li> <li><a href="https://codeberg.org/xy">https://codeberg.org/xy</a></li> <li><a href="https://codeberg.org/zander">https://codeberg.org/zander</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Forgejo v1.19 is available</title><link>https://forgejo.org/2023-03-release-v1190-2/</link><guid isPermaLink="true">https://forgejo.org/2023-03-release-v1190-2/</guid><description>Forgejo v1.19 is available and comes with an extensive documentation, an experimental CI, incoming emails, scoped access tokens, registries for Cargo, Chef & Conda and more.</description><pubDate>Tue, 21 Mar 2023 00:00:00 GMT</pubDate><content:encoded><p><a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.19.0-2">Forgejo v1.19.0-2</a> was released. It comes with an extensive <a href="/docs/v1.19/user">user guide</a>, derived for the most part from the <a href="https://docs.codeberg.org/">Codeberg documentation</a>. The new <a href="/docs/v1.19/admin">admin guide</a> covers upgrades and configuration of Forgejo instances.</p> <p>The most prominent new features are:</p> <ul> <li><strong><a href="/2023-02-27-forgejo-actions">Actions</a></strong>: an experimental CI/CD, although not ready for real world usage, is present and <a href="/2023-02-27-forgejo-actions">can be used to run a demo</a>.</li> <li><strong><a href="/docs/v1.19/admin/incoming-email">Incoming emails</a></strong>: you can now set up Forgejo to receive incoming emails. When enabled, it is possible to reply to an email notification from Forgejo and (i) add a comment to an issue or a pull request, (ii) unsubscribe to notifications.</li> <li><strong><a href="/docs/v1.19/user/oauth2-provider#scoped-tokens">Scoped access tokens</a></strong>: Forgejo access token, used with the <a href="/docs/v1.19/user/api-usage">API</a>, can now have a "scope" that limits what it can access.</li> <li><strong><a href="/docs/v1.19/user/packages">Package registries</a></strong> now support <a href="/docs/v1.19/user/packages/cargo">Cargo</a>, <a href="/docs/v1.19/user/packages/conda">Conda</a> and <a href="/docs/v1.19/user/packages/chef">Chef</a>.</li> </ul> <p>Read more <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-19-0-2">in the Forgejo v1.19.0-2 release notes</a></p> <h3>Get Forgejo v1.19</h3> <p>See the <a href="/download">download page</a> for instructions on how to install Forgejo, and read the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-19-0-2">release notes</a> for more information.</p> <h3>Upgrading</h3> <p>Carefully read <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-19-0-2">the breaking changes</a> section of the release notes.</p> <p>The actual upgrade process is as simple as replacing the binary or container image with the corresponding <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.19.0-2">Forgejo binary</a> or <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.19.0-2">container image</a>. If you're using the container images, you can use the <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.19"><code>1.19</code> tag</a> to stay up to date with the latest <code>1.19.x</code> point release automatically.</p> <p>Make sure to check the <a href="/docs/v1.19/admin/upgrade">Forgejo upgrade documentation</a> for recommendations on how to properly backup your instance before the upgrade. It also covers upgrading from Gitea, as far back as version 1.2.0. Forgejo includes all of Gitea v1.19, with improvements.</p> <p>The Forgejo instances <a href="/2023-02-12-tags">built from an incorrect tag</a> can safely be upgraded.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo, we'd love to hear from you! Open an issue on <a href="https://codeberg.org/forgejo/forgejo/issues">our issue tracker</a> for feature requests or bug reports, find us <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop into <a href="https://matrix.to/#/#forgejo:matrix.org">our Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) and say hi!</p> </content:encoded></item><item><title>Forgejo gets an integrated CI named Actions</title><link>https://forgejo.org/2023-02-27-forgejo-actions/</link><guid isPermaLink="true">https://forgejo.org/2023-02-27-forgejo-actions/</guid><description>With the release of Forgejo v1.19 comes an experimental integrated CI similar to GitHub. It aims at being easier to configure than an external CI and is controled via the Forgejo web interface.</description><pubDate>Mon, 27 Feb 2023 00:00:00 GMT</pubDate><content:encoded><p>Prior to Forgejo v1.19 running CI jobs required a third party software such as Woodpecker CI. It has its own web interface, relies on webhooks to be notified something changed in a repository and relies on the Forgejo API to figure out user permissions or access to private repositories. When it is finished, the error or success is also sent back to Forgejo via the API, with a link the user needs to click to get more details. It works well enough and Forgejo has been using Woodpecker CI from day one, for <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/.woodpecker">testing pull requests</a> or <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/releases">publishing releases</a>.</p> <p>With v1.19 comes an experimental CI (not ready for production just yet) integrated in Forgejo. The CI jobs are configured with a syntax that is similar to GitHub Actions:</p> <pre><code># .forgejo/workflows/demo.yaml name: Demo run-name: ${{ github.actor }} is testing on: [push] jobs: Explore-CI: runs-on: ubuntu-latest steps: - run: echo "The job was automatically triggered by a ${{ github.event_name }} event." - run: echo "This job is now running on a ${{ runner.os }} server." - run: echo "The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}." - name: Check out repository code uses: actions/checkout@v3 - run: echo "The ${{ github.repository }} repository has been cloned to the runner." - run: echo "The workflow is now ready to test your code on the runner." - name: List files in the repository run: | ls ${{ github.workspace }} - run: echo "This job's status is ${{ job.status }}." </code></pre> <p>And the results are displayed in the Forgejo web interface:</p> <p></p> <h3>Try it out</h3> <p><em>WARNING: The following procedure was effective for setting up a test instance when early versions of the Forgejo runner were under development, but the details are now outdated. Precompiled <a href="https://code.forgejo.org/forgejo/runner/releases">runner binaries</a> are available and you should refer to the <a href="https://forgejo.org/docs/latest/admin/actions/">Forgejo Actions administrator documentation</a> for runner setup instructions.</em></p> <ul> <li>Create a Forgejo v1.19 instance with the user root password admin1234<pre><code>docker run --name forgejo -e FORGEJO__security__INSTALL_LOCK=true -e FORGEJO__actions__ENABLED=true -d codeberg.org/forgejo-experimental/forgejo:1.19 docker exec --user 1000 forgejo forgejo admin user create --admin --username root --password admin1234 --email root@example.com </code></pre> </li> <li>Get the IP of the Forgejo instance (172.17.0.2 in the following)<pre><code>docker exec --user 1000 forgejo ip a </code></pre> </li> <li>Login at <a href="http://172.17.0.2:3000/">http://172.17.0.2:3000/</a> with user root password admin1234</li> <li>Create a test project and activate actions in the settings </li> <li>Get the runner token from the runner tab in the <code>Site administration</code> (<code>mytoken</code> in the following) </li> <li>Register and start the runner<pre><code>git clone https://codeberg.org/forgejo/runner cd runner git checkout v1.1.0 make build ./forgejo-runner register --name myrunner --no-interactive --instance http://172.17.0.2:3000 --token mytoken ./forgejo-runner daemon </code></pre> </li> <li>Add the <code>.forgejo/workflows/demo.yaml</code> file above to the test repository, via the web interface</li> <li>Go to the <code>Actions</code> tab of the project and watch it run to completion </li> </ul> <h3>How does it work?</h3> <p>The <code>forgejo-runner</code> creates a docker container and runs the job inside it. It can be shell commands (e.g. <code>ls ${{ github.workspace }}</code>) or <code>actions</code> (e.g. <code>uses: actions/checkout@v3</code>). The actions are references to repositories that are cloned and executed. For instance <code>actions/checkout</code> will clone <a href="https://codeberg.org/actions/checkout">https://codeberg.org/actions/checkout</a>.</p> <p>The container image used to run the container is specified by <code>runs-on: ubuntu-latest</code> but it may not contain all the tools required to complete the job. Reason why some actions are allowed to create a new container based on other images. In the end a single job may involve running multiple containers and they are all terminated when the job completes.</p> <h3>Limitations</h3> <p>The implementation is very new and has many limitations which makes it unfit for production.</p> <ul> <li>There is no support to run services such as a Postgres database</li> <li>The container running the job is not systemd capable</li> <li>There is no guarantee of compatibility with GitHub Actions, although the syntax of the files and the terminology is similar</li> </ul> <h3>Under the hood</h3> <p>The <a href="https://codeberg.org/forgejo/runner">Forgejo runner</a> is a new addition to the Forgejo dependencies (git &amp; ssh) and is not yet packaged, it must be built from sources as explained above. It is a thin layer on top of <a href="https://github.com/nektos/act">ACT</a> which implements the core of the logic to interpret and run the jobs. A <a href="https://codeberg.org/forgejo/act">soft fork of ACT</a> is used and contains commits that are not yet submitted or accepted upstream.</p> </content:encoded></item><item><title>Forgejo v1.19 release candidates</title><link>https://forgejo.org/2023-02-27-release-v1190-0-rc0/</link><guid isPermaLink="true">https://forgejo.org/2023-02-27-release-v1190-0-rc0/</guid><description>The first Forgejo v1.19 release candidate is ready for testing. Checkout the release notes for a preview of the new features.</description><pubDate>Mon, 27 Feb 2023 00:00:00 GMT</pubDate><content:encoded><p>Today <a href="https://codeberg.org/forgejo-experimental/forgejo/releases/tag/v1.19.0-0-rc0">Forgejo v1.19.0-0-rc0</a> was released. It is meant for testing only: do not upgrade a production instance with it.</p> <p>The <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#draft-1-19-0-0">draft release notes</a> contain a summary of the new features. The highlights are:</p> <ul> <li><a href="https://codeberg.org/forgejo/forgejo/commit/fc037b4b825f0501a1489e10d7c822435d825cb7">Incoming emails</a></li> <li><a href="https://codeberg.org/forgejo/forgejo/commit/6221a6fd5">Scoped labels</a></li> <li>Package registries now support for <a href="https://codeberg.org/forgejo/forgejo/commit/df789d962">Cargo</a>, <a href="https://codeberg.org/forgejo/forgejo/commit/6ba9ff7b4">Conda</a> and <a href="https://codeberg.org/forgejo/forgejo/commit/d987ac6bf">Chef</a>. They also have new <a href="https://codeberg.org/forgejo/forgejo/commit/32db62515">cleanup rules</a> and <a href="https://codeberg.org/forgejo/forgejo/commit/20674dd05">quota limits</a>.</li> <li>Any webhook can now <a href="https://codeberg.org/forgejo/forgejo/commit/b6e81357bd6fb80f8ba94c513f89a210beb05313">specify an <code>Authorization</code> header</a> to be sent along every request.</li> </ul> <p>The <a href="/2023-02-27-forgejo-actions">Actions experimental CI/CD</a>, although not ready for real world usage, is also present and <a href="/2023-02-27-forgejo-actions">can be used to run a demo</a>.</p> <p>Make sure to <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#draft-1-19-0-0">check the breaking changes</a> and get your production instance ready for when the v1.19 release is available.</p> <h3>Try it out</h3> <p>The release candidate is published in <a href="https://codeberg.org/forgejo-experimental">the dedicated "experimental" Forgejo organization</a> and can be downloaded from:</p> <ul> <li>Containers at <a href="https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/1.19">https://codeberg.org/forgejo-experimental/-/packages/container/forgejo/1.19</a></li> <li>Binaries at <a href="https://codeberg.org/forgejo-experimental/forgejo/releases/tag/v1.19.0-0-rc0">https://codeberg.org/forgejo-experimental/forgejo/releases/tag/v1.19.0-0-rc0</a></li> </ul> <p>They will be updated based on your feedback until they become robust enough to be released.</p> <h3>Help write good release notes</h3> <p>The best release notes are meant to articulate the needs and benefits of new features and the actions recommended for breaking changes so Forgejo admins quickly know if it is of interest to them.</p> <p>The <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#draft-1-19-0-0">current draft release notes</a> contain a complete inventory but the descriptions are still incomplete. They will be finished by the time the release is published and you can help make them better.</p> <p>Please submit your own descriptions and comments in <a href="https://codeberg.org/forgejo/forgejo/issues/new/choose?milestone=3489">our issue tracker</a>.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo, we'd love to hear from you! Open an issue on <a href="https://codeberg.org/forgejo/forgejo/issues">our issue tracker</a> for feature requests or bug reports. You can also find us <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop by <a href="https://matrix.to/#/#forgejo:matrix.org">our Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) to say hi!</p> </content:encoded></item><item><title>Forgejo Security Release 1.18.5-0</title><link>https://forgejo.org/2023-02-23-release-v1185-0/</link><guid isPermaLink="true">https://forgejo.org/2023-02-23-release-v1185-0/</guid><description>The Forgejo v1.18.5-0 release sets the resistance to brute force protection to match industry standards.</description><pubDate>Thu, 23 Feb 2023 00:00:00 GMT</pubDate><content:encoded><p>Today <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.18.5-0">Forgejo v1.18.5-0</a> was released.</p> <p>This release contains an <strong>important security fix</strong> for Forgejo to raise the protection against brute force attack on hashed passwords stored in the database to match industry standards, as described below.</p> <p>This release also contains bug fixes, as detailed <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-18-5-0">in the release notes</a>.</p> <h3>Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all Forgejo installations are upgraded to the latest version as soon as possible.</p> <p>If <code>PASSWORD_HASH_ALGO</code> is explicitly set in app.in, comment it out so that the stronger algorithm is used instead.</p> <p>All password hashes stored with another algorithm will be updated to the new algorithm on the next usage of this password (e.g. a user provides the password to the Forgejo server when they login). It does not require manual intervention.</p> <h3>High CPU usage after the upgrade</h3> <p>The default password hashing in Forgejo now takes 32 times more CPU time. If the CPU usage is too high after the upgrade, the easiest workaround is to revert to the previous hash algorithm by adding the following in <code>app.ini</code>:</p> <pre><code>[security] PASSWORD_HASH_ALGO = pbkdf2_v1 </code></pre> <p>The real solution is to reduce the use of passwords in <code>git</code> commands or API calls and switch back to the default hash algorithm for better protection.</p> <h3>Reducing the performance impact</h3> <p>Codeberg hosts ~60,000 projects for ~50,000 users and provided real world data to evaluate the performance impact of using a hash algorithm that requires 32 times more CPU than before.</p> <p>Password hashing happens when users login, sign up or reset their passwords. Even on a busy instance such as Codeberg it does not happen frequently enough to cause performance problems.</p> <p>It is also possible that passwords are used in other contexts:</p> <ul> <li>git commands, e.g. <code>git clone https://user:password@forgejo.example.com/owner/repo/</code></li> <li>API calls, e.g. <code>curl https://user:password@forgejo.example.com/api/v1/version</code></li> </ul> <p>They can be replaced by alternative authentication methods:</p> <ul> <li>git commands can use SSH keys, e.g. <code>git clone git@forgejo.example.com:owner/repo</code></li> <li>API calls can use access tokens, e.g. <code>curl -H 'Authorization: token xyz' https://forgejo.example.com/api/v1/version</code></li> </ul> <p>It will be faster for the user because the hashing adds a delay. And it will significantly reduce the CPU usage on the Forgejo server.</p> <h3>Understanding password hashes</h3> <h4>Brute force attacks</h4> <p>The user provided passwords are hashed before they are stored so they are not readable in case a copy of the database is leaked. The hash value stored in the database cannot be translated into the original password. But there exists large databases of common passwords and a program can patiently try to hash them one after the other, hoping to find a match. If the hash algorithm is fast, this brute force attack may succeed quickly. If the hash algorithm is expensive to run, it may take so long and use so much resources that it is not worth a try.</p> <p>In other words, if a malicious person gets a copy of a Forgejo database, the complexity of the hash algorithm is the only thing preventing them from brute forcing it.</p> <h4>Industry standards</h4> <p>The industry adapt the <a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html">recommendations for the hash algorithms</a> as new hardware provide more processing power and make it easier to brute force. The default algorithm for Forgejo is <code>PBKDF2-HMAC-SHA256</code> and the <a href="https://web.archive.org/web/20221223105926/https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html">OWASP recommendations in December 2022</a> were:</p> <blockquote> <p>use PBKDF2 with a work factor of 310,000 or more and set with an internal hash function of HMAC-SHA-256.</p> </blockquote> <p>This security upgrade sets the iterations (work factor) to 320,000 and will be revised on a regular basis. Although the default for Forgejo is <code>PBKDF2</code> and the upgrade consists of modifying its parameters, other algorithms such as <code>argon2id</code> may be preferred in the future.</p> <h4>Access tokens</h4> <p>In order for a brute force attack on a password hash to succeed, there must be a match in a database of common passwords. Since the access tokens are randomly generated by the Forgejo server, they are highly unlikely to be in such databases. That makes them, by nature, very resistant to brute force attacks.</p> <h3>Responsible disclosure to Gitea</h3> <p>On 8 February 2023 the <a href="https://forgejo.org/.well-known/security.txt">Forgejo security team</a> notified the Gitea security team that the default hash algorithm was significantly weaker than the industry standard, explained the associated risks and provided a patch to upgrade the hash algorithm to 320,000 iterations. An embargo was then negotiated until 16 February 2023, after which the v1.18 point release could be prepared.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo, we'd love to hear from you! Open an issue on <a href="https://codeberg.org/forgejo/forgejo/issues">our issue tracker</a> for feature requests or bug reports. You can also find us <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop by <a href="https://matrix.to/#/#forgejo:matrix.org">our Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) to say hi!</p> </content:encoded></item><item><title>Forgejo Security Release 1.18.3-2</title><link>https://forgejo.org/2023-02-17-release-v1-18-3-2/</link><guid isPermaLink="true">https://forgejo.org/2023-02-17-release-v1-18-3-2/</guid><description>Forgejo v1.18.3-2 stable release update fixes CVE-2023-22490 and CVE-2023-23946 and bug fixes</description><pubDate>Fri, 17 Feb 2023 00:00:00 GMT</pubDate><content:encoded><p>Today <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.18.3-2">Forgejo v1.18.3-2</a> was released.</p> <p>This release contains a security fix for Forgejo container images, as described below. When Forgejo runs from a binary, recommendations to upgrade the <code>git</code> version installed alongside it are also provided.</p> <p>This release also contains bug fixes as detailed <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-18-3-2">in the release notes</a>.</p> <h3>Recommended Action</h3> <p>We recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.</p> <ul> <li>When using a Forgejo binary: upgrade the <code>git</code> package to a version greater or equal to v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 or v2.30.8</li> <li>When using a Forgejo container image: <code>docker pull codeberg.org/forgejo/forgejo:1.18.3-2</code></li> </ul> <h3>Security issues in Git</h3> <p>Git <a href="https://github.blog/2023-02-14-git-security-vulnerabilities-announced-3/">recently announced</a> new versions to address two CVEs (<a href="https://cve.circl.lu/cve/CVE-2023-22490">CVE-2023-22490</a>, <a href="https://cve.circl.lu/cve/CVE-2023-23946">CVE-2023-23946</a>). On 14 February 2023, Git published the maintenance release v2.39.2, together with releases for older maintenance tracks v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8.</p> <p>The <a href="/.well-known/security.txt">Forgejo security team</a> analyzed both CVE and concluded that they <strong>cannot be exploited via Forgejo</strong>. It is however recommended to upgrade <code>git</code> as a precaution.</p> <h3>Fixing Git when using a Forgejo binary</h3> <p>When installed as a binary <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.18.3-2">downloaded from the Forjego releases</a> repository, it is the responsibility of the Forgejo admin to install <code>git</code> independently. Upgrading to a patched <code>git</code> package (with a version greater or equal to v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7 or v2.30.8) is therefore enough to fix the problem, even if Forgejo is not upgraded.</p> <h3>Fixing Git when using a Forgejo container image</h3> <p>When installed as an image <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/versions">downloaded from the Forgejo registry</a>, the container includes both the Forgejo binary and the <code>git</code> binary, as obtained from <a href="https://pkgs.alpinelinux.org/packages?name=git&amp;branch=v3.16">Alpine 3.16</a>. <code>Forgejo 1.18.3-1</code> contains a vulnerable <code>git</code> binary:</p> <pre><code>$ docker run --rm codeberg.org/forgejo/forgejo:1.18.3-1 git --version git version 2.36.4 </code></pre> <p>The <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/versions">Forgejo 1.18.3-2 images</a> were built shortly after the patched <code>git</code> binary was upgraded in <code>Alpine 3.16</code> and is not vulnerable:</p> <pre><code>$ docker run --rm codeberg.org/forgejo/forgejo:1.18.3-2 git --version git version 2.36.5 </code></pre> <p>In this case it is necessary to upgrade Forgejo to <code>1.18.3-2</code> to get the fixed <code>git</code> binary. The <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.18-rootless">rootless</a> variant of Forgejo also includes the <code>git</code> binary and can be upgraded in the same way.</p> <h3>Forgejo installation instructions</h3> <p>See the <a href="/download">download page</a> for instructions for installation instructions. If you are upgrading from <code>Forgejo 1.18.3-1</code> (or <code>Gitea 1.18</code>) no manual action is required. If you're on <code>Gitea v1.17.x</code> or older please read the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-18-0-1">release notes</a> carefully, and in particular check out the <a href="https://blog.gitea.io/2022/12/gitea-1.18.0-is-released/#breaking-changes">breaking changes</a> section of Gitea's blog post.</p> <p>The actual upgrade process is as simple as replacing the Gitea binary or container image with the corresponding <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.18.3-2">Forgejo binary</a> or <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.18.3-2">container image</a>. If you're using the container images, you can use the <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.18"><code>1.18</code></a> tag to stay up to date with the latest <code>1.18.x</code> point release automatically.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo, we'd love to hear from you! Open an issue on <a href="https://codeberg.org/forgejo/forgejo/issues">our issue tracker</a> for feature requests or bug reports. You can also find us <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop by <a href="https://matrix.to/#/#forgejo:matrix.org">our Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) to say hi!</p> </content:encoded></item><item><title>Source tree tags v1.18.1-0, v1.18.2-0, v1.18.2-1, v1.18.3-0 and v1.18.3-1 were fixed</title><link>https://forgejo.org/2023-02-12-tags/</link><guid isPermaLink="true">https://forgejo.org/2023-02-12-tags/</guid><description>A Forgejo binary built from sources by checking out one of the tags before 11 February 2023 will be running the development branch v1.19 instead of the expected v1.18 branch. Some packages, such as the official Arch Linux package, are also built from the tags and therefore contain Forgejo v1.19 instead of Forgejo v1.18.</description><pubDate>Mon, 13 Feb 2023 00:00:00 GMT</pubDate><content:encoded><p>TL;DR: Skip this blog if you run a Forgejo instance using the binaries or container images downloaded from <a href="https://codeberg.org/forgejo">https://codeberg.org/forgejo</a></p> <h2>The symptoms</h2> <p>A Forgejo instance is:</p> <ul> <li>unexpectedly running v1.19 despite the version string indicating v1.18</li> <li>refusing to start after upgrading the package (Arch, etc.) to version &gt;= v1.18.3-1</li> </ul> <h2>The problem before 11 February 2023</h2> <ul> <li>The v1.18.1-0, v1.18.2-0, v1.18.2-1, v1.18.3-0 and v1.18.3-1 <strong>binaries and container images are v1.18 as advertised</strong></li> <li>The v1.18.1-0, v1.18.2-0, v1.18.2-1, v1.18.3-0 and v1.18.3-1 <strong>tags did not match and were actually set on the development branch</strong></li> </ul> <p>Because of a bug in the release process, the tag of each release was actually set to the tip of the Forgejo development branch at the time of the release. Because Forgejo is a soft-fork, it matched the latest Gitea development branch and had all the Forgejo improvements on top of it. But the Forgejo binaries and container images were created using the v1.18 stable branch.</p> <h2>The problem is fixed on 11 February 2023</h2> <p>The problem <a href="https://codeberg.org/forgejo/forgejo/issues/344">was fixed 11 February 2023 ~7am UTC</a> by force pushing the v1.18.1-0, v1.18.2-0, v1.18.2-1, v1.18.3-0 and v1.18.3-1 tags and nothing else. The binaries and container images were good and remain the same.</p> <h2>The consequences</h2> <p>A Forgejo binary built from sources by checking out one of the tags before 11 February 2023 will be running the development branch v1.19 instead of the expected v1.18 branch. Some packages, such as the official Arch Linux package, are also built from the tags and therefore contain Forgejo v1.19 instead of Forgejo v1.18.</p> <p>The version displayed at the bottom left of the home page will incorrectly be <code>v1.18*</code> instead of <code>v1.19*</code> because it is created at build time using the name of the tag. But there is one difference in the home page that allows you to distinguish them, on the large logo in the center:</p> <ul> <li>On <code>v1.19</code> there is an <code>alt="logo"</code> attribute</li> <li>On <code>v1.18</code> there is no such attribute</li> </ul> <p>A v1.19 Forgejo instance cannot be downgraded to v1.18. It will refuse to start because there is no safe downgrade path.</p> <h2>Recommended actions</h2> <h3>Forgejo admins: wait for v1.19</h3> <p>If your current instance unexpectedly runs v1.19, the recommendation is to not upgrade and wait.</p> <p>Forgejo v1.19 will be released in a few months and the easiest workaround for a Forgejo admin running an instance built from source or installed from a package built from source is to wait until then before upgrading.</p> <h4>Forgejo instances installed from Arch package &lt; v1.18.3.1-1</h4> <p>For those running Arch Linux (or a derivative such as Manjaro or Arch Linux ARM), our current recommendation is to add <code>forgejo</code> to the <code>IgnorePkg</code> list in <code>/etc/pacman.conf</code> until v1.19 is released.</p> <p>For those who have already upgraded, we recommended downgrading your package to <code>v1.18.3.0-1</code> as this is the latest version that exhibited this issue. You may be able to find the package for this version in your <a href="https://wiki.archlinux.org/title/downgrading_packages#Using_the_pacman_cache">pacman cache</a>. If the file is not in your pacman cache, it can be downloaded from the <a href="https://archive.archlinux.org/packages/f/forgejo/">Arch Linux archive</a>.</p> <p>Alternatively, the <a href="https://aur.archlinux.org/packages/downgrade"><code>downgrade</code> utility from the AUR</a> can help with installing an older version and adding Forgejo to <code>IgnorePkg</code>. This tool automates the process above with one command.</p> <p>When Forgejo v1.19.0-0 is released, you should remove <code>forgejo</code> from <code>IgnorePkg</code> in <code>/etc/pacman.conf</code> and take the upgrade.</p> <p>If you installed the package after <code>v1.18.3.1-1</code> was released, your installation is not affected by this issue.</p> <h3>Package authors: (re)build v1.18.3-1</h3> <p>If a package was built using one of the tags above, build (or rebuild if the build happened before 11 February 2023) based on the current tag v1.18.3-1 with hash <code>4e5be58493</code> so that future installations are not affected by the problem.</p> <p>It also means the existing installations will not be able to upgrade. Forgejo will refuse to start because they were really running v1.19 before upgrading. The package should be labeled as such with link to this blog post in the changelog to explain why it happens.</p> <h2>Get in touch, you will get help</h2> <p>If none of the recommended actions work for you, please get in touch at <a href="mailto:contact@forgejo.org">contact@forgejo.org</a> or in the <a href="https://matrix.to/#/#forgejo-development:matrix.org">development chatrooom</a> to get help. This was a bug and you deserve all the help you can get. Getting in touch will also help us improve this blog post if needed.</p> </content:encoded></item><item><title>Forgejo monthly update - January 2023</title><link>https://forgejo.org/2023-01-31-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2023-01-31-monthly-update/</guid><description>The first Forgejo releases were published and proved to be secure and reliable for day to day operations. The Forgejo community blossomed and is working on defining its own governance. A wide range of skills contributed to the improvement of Forgejo itself but mostly to the larger Free Software ecosystem it depends on.</description><pubDate>Tue, 31 Jan 2023 00:00:00 GMT</pubDate><content:encoded><p><a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-18-0-1">Forgejo 1.18.0-1</a>, the first release, was published 29 December 2022, followed by patch releases which included security fixes. There were no reports of failed installations or upgrades. The <a href="/2022-12-15-hello-forgejo">15 December 2022</a> announcement made a promise and a lot of work went into fulfilling it. A release is more than uploading a file and hoping for the best, users deserve reliable distribution channels and it requires dedicated people and proper tooling. <strong>Forgejo proved to be a product that users can rely on for their day to day operations</strong>, from large instances such as <a href="https://codeberg.org">Codeberg</a> to personal ones running on low-end hardware.</p> <p>What goes into each Forgejo release is a snapshot taken from an constantly evolving patchwork of Free Software components carefully assembled together. It is based on <code>Gitea</code>, which is itself built on <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/go.mod">one hundred packages</a>, and when digging deeper it amounts to <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/go.sum">almost a thousand</a>. But wait, there's more: container images include <code>git</code>, <code>ssh</code> and rely on <code>Docker</code>. The CI runs on Woodpecker with <code>LXC</code> and Debian GNU/Linux. This is why adding a feature or fixing a bug in Forgejo often means contributing to one of its many dependencies. This is the healthy way to grow the global Free Software ecosystem. For instance, an <code>LXC</code> backend was contributed to Woodpecker to improve the Forgejo release process. If a proprietary CI was used, such a contribution would not be possible and progress would be blocked. Another example is the accessibility improvements that were contributed to <code>Gitea</code>.</p> <p>The Forgejo community is made of people who are citizens of the larger Free Software ecosystem. They may identify themselves as members of the Forgejo community because they like that it furthers the interest of the general public. Or because they enjoy participating in a democratically led community. Or when they write a piece of code somewhere in the thousands of Forgejo dependencies. It is not an elite community, it is not an affinity group; it is an inclusive and fluid group of people who share values and visions. It is engaged in work to define its governance, make sensible decisions and preserve a safe space in accordance to its <a href="https://codeberg.org/forgejo/code-of-conduct">Code of Conduct</a>.</p> <h3>Forgejo 1.18</h3> <p>From a technical point of view, Forgejo is a <a href="/download">drop-in replacement for <code>Gitea</code></a>: it can be used without any modification by simply replacing the <code>Gitea</code> binary (or container image). On 29 December 2022 Forgejo v1.18.0-0 was released and had just a little glitch: the version number started with a <strong>w</strong> instead of a <strong>v</strong>. The same day <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.18.0-1">Forgejo v1.18.0-1</a> was published to fix that mistake.</p> <p>This typo was the tip of the iceberg: the release process had to be redesigned. Back then, it took more than one hour for the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/CONTRIBUTING/RELEASE.md">Forgejo release process</a> to complete. Furthermore it could be interrupted when a release was partially published, throwing the rest away. Unfortunately, that happened while releasing v1.18.0-0 and a clever workaround to resume with a version starting with a <strong>w</strong> created an artifact. That could have been problematic, or at the very least raise an eyebrow from Forgejo admins.</p> <p>In the following weeks, a two-phase process was created wherein the releases are first built in the <a href="https://codeberg.org/forgejo-integration">Forgejo integration organization</a> and published there as drafts, to be thrown away if anything goes wrong. This is the most time-consuming step and also the one that is most likely to fail because something was overlooked by the Forgejo developers or because of an unexpected environmental failure. The second phase is copying the release to its final destination; although it is not atomic, the window of opportunity for a half published release is significantly smaller.</p> <h3>Security releases</h3> <p>The <a href="/.well-known/security.txt">security team</a> was quickly put to the test and had to prepare two Forgejo releases (<a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.18.1-0">Forgejo v1.18.1-0, 18 January</a> and <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.18.2-1">Forgejo v1.18.2-1, 22 January</a>). The problems were explained in plain English for Forgejo admins to quickly understand their impact and assess the urgency of an upgrade. Handling security issues responsibly is a heavy burden and while the process in place proved to work effectively on those two occasions, it will require a continuous effort for as long as Forgejo exists.</p> <p>Although it did not put Forgejo users at risk, there were problems during the making of these security releases, as can be expected for any newly formed team. The expectations were not clearly laid out, the <code>security@forgejo.org</code> mail was a redirection that revealed the recipients under some circumstances, unencrypted messages were exchanged, security issues were not always reported responsibly and embargo requests were overlooked. Although it worked out fine in the end and all these issues were properly addressed, it speaks to the challenges of bootstrapping a security team.</p> <h3>Accessibility</h3> <p>Accessibility in Forgejo needs a lot of work and it was difficult to figure out where to start. The <a href="https://codeberg.org/forgejo/meta/src/branch/readme/TEAMS.md#accessibility">accessibility team</a> works in multiple issue trackers (<a href="https://codeberg.org/forgejo/meta/issues?labels=81029">meta</a>, <a href="https://codeberg.org/forgejo/forgejo/issues?q=&amp;type=all&amp;state=open&amp;labels=81214&amp;milestone=0&amp;assignee=0&amp;poster=0">forgejo</a>, <a href="https://codeberg.org/forgejo/user-research/pulls?q=&amp;type=all&amp;sort=&amp;state=closed&amp;labels=92050&amp;milestone=0&amp;assignee=0&amp;poster=0">user research</a>, etc). The discussions started in a dedicated Matrix room, which turned out to not be very accessible, so <a href="https://floss.social/tags/forgejoaccessibility">a Fediverse hashtag <code>#ForgejoAccessibility</code></a> was created as an alternative to experiment with.</p> <p>Despite the shortcomings of the current Forgejo UI framework, <a href="https://github.com/go-gitea/gitea/pulls/fsologureng">concrete</a> <a href="https://github.com/go-gitea/gitea/pulls/Menelion">changes</a> were made to the codebase to get things moving. The challenge is to guard them against regressions <a href="https://codeberg.org/forgejo/forgejo/issues/284">because there are no automated tests</a>. Since the community impacted is small, the chance that accessibility improvements are broken is high.</p> <h3>Federation</h3> <p><a href="/2023-01-10-answering-forgejo-federation-questions/">Federation development</a> has been progressing slowly. Most of the time was spent on refactoring <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo-federation">the current code</a>, working on the <a href="https://forgefed.org">ForgeFed</a> vocabulary and the <a href="https://forum.forgefriends.org/t/about-the-friendly-forge-format-f3/681">F3</a> schemas.</p> <h3>Forgejo CI</h3> <p>Since it started out on Woodpecker instances provided by individuals due to performance issues with the database integration tests on <a href="https://ci.codeberg.org">Codeberg-CI</a>, the work on centralizing / unifying the CI has been ongoing. Codeberg solved part of the problem by <a href="https://forgejo-ci.codeberg.org">dedicating hardware resources to Forgejo</a>: using a RAM disk to workaround the slow HDD performances, it runs fast without thrashing short-lived SSDs, reducing ecologically problematic ewaste. The Forgejo <a href="https://codeberg.org/forgejo/meta/src/branch/readme/TEAMS.md#devops">devOps team</a> weren't used to working with LXC containers (which is what Codeberg is built upon), so there was (and still is) a learning curve to work on.</p> <p>To allow for better safeguarding of the CI against malicious PRs and to better protect the secrets (signing keys, upload credentials) used to actually release Forgejo, <a href="https://forgejo-ci.codeberg.org">forgejo-ci.codeberg.org</a> has no secrets at all. This was also necessary due to some hardware limitations: there is not enough disk space to build a Forgejo release. Another Woodpecker CI instance is used instead and its access is restricted to better protect the release signing keys.</p> <h3>End-to-end testing</h3> <p>The key to a robust release process is the ability to run tests verifying that it works as expected. Not just unit tests that are routinely run by the Forgejo CI or integration tests included in the codebase. End-to-end tests deploy the release itself and are required to run scenarios that resemble what users would do. The alternative is to ask human beings to run these tests manually, but it is error prone and gets boring very quickly.</p> <p>The Forgejo release is published in the <a href="https://codeberg.org/forgejo-experimental">Forgejo experimental organization</a> and then used to <a href="https://codeberg.org/Codeberg-Infrastructure/scripted-configuration/src/branch/main/.woodpecker.yml">run tests</a> that do something along these lines:</p> <ul> <li>Deploy Woodpecker</li> <li>Deploy Forgejo</li> <li>Create a user and repository in Forgejo</li> <li>Submit a job to Woodpecker by pushing to the repository</li> <li>Verify the outcome of the job is as expected</li> </ul> <p>Because Forgejo is small, it takes around two minutes for this test to complete. It is now run against every release, and while verification by human beings is still needed, they can focus on what matters instead of trivial mistakes.</p> <h3>Contributions to Woodpecker</h3> <p>Running end-to-end tests is technically challenging, there's a reason it is still not common practice. Although it would be possible to use Docker, it's a stretch (see <a href="https://github.com/woodpecker-ci/woodpecker/pull/1543/files#diff-129523b702d10d3da7d9245312d535609bffee1458a3f3f82d82fb5d314c6df8">this example</a>). The ideal situation is when the test can begin on a freshly provisioned operating system that will be disposed of when the test completes, cleaning up all the left overs even in the event of a catastrophic failure.</p> <p>An <a href="https://github.com/woodpecker-ci/woodpecker/pull/1565">LXC backend</a> was developed for Woodpecker to provide such an environment. Woodpecker container images are <a href="https://codeberg.org/forgejo-contrib/-/packages/container/woodpecker-forgejo-server/versions">published</a> for internal use by Forgejo, but are not supported.</p> <p>It is common practice to use a patched version of some software while waiting for pull requests to be accepted. The risk is to forget to do the work to get the changes accepted upstream, accumulating the associated technical debt. The patched version of Woodpecker is published in a <a href="https://codeberg.org/forgejo-contrib/woodpecker-forgejo/commits/branch/main">dedicated repository</a> as a reminder and each commit is labelled with the corresponding upstream pull request.</p> <h3>Forgejo contrib</h3> <p>Over the past few months, people who rely on Forgejo came to expect a certain quality of work as well as long term maintenance. When someone has a great idea and lots of energy, they may not be willing to match those expectations right away. Sharing a clever hack, bootstrapping documentation, creating a list of resources related to Forgejo and temporarily distributing Woodpecker container images are but a few examples.</p> <p>The <a href="https://codeberg.org/forgejo-contrib">Forgejo contrib organization</a> was created as a space where projects related to Forgejo can exist without being subject to high expectations. It is fine to create a repository that will be abandoned a few weeks later. It is fine to engage in a project that is not agreed upon by other Forgejo community members. The only requirement (and it's a serious one) is to behave in a way that does not go against the <a href="https://codeberg.org/forgejo/code-of-conduct">Code of Conduct</a>.</p> <p><a href="https://codeberg.org/forgejo-contrib/delightful-forgejo">A curated list of delightful Forgejo-related projects and resources</a> was created there and quickly became a useful reference. If you're working on a Forgejo-related project, <a href="https://codeberg.org/forgejo-contrib/delightful-forgejo/pulls">feel free to submit it for inclusion on the list</a>.</p> <h3>Well-Being &amp; Code of Conduct</h3> <p>Forgejo created a <a href="https://codeberg.org/forgejo/meta/src/branch/readme/TEAMS.md#well-being">Well-Being team</a> and adopted a <a href="https://codeberg.org/forgejo/code-of-conduct">Code of Conduct</a> from day one because tensions are bound to happen in such an inclusive environment. And with over three hundred people in the chat room, it happened a few times in the past weeks. When someone uses coarse language and engages in a heated discussion, it has a chilling effect and silently drives people away. To help prevent that, the <a href="https://codeberg.org/forgejo/meta/src/branch/readme/TEAMS.md#well-being">Well-Being team</a> does its best to intervene in a gentle way before it escalates to a point where the Code of Conduct would have to be enforced. There were only two instances where a reminder of the Code of Conduct had to be mentioned: there is zero tolerance for calling another community member names or making derogatory comments towards an ethnic community.</p> <p>Obviously it would be better if no such comments had been made at all, but it is hoped that the actions taken will alleviate any fears that any intolerance would be permitted. Hopefully any affected individuals will be encouraged to continue to participate in discussions as endeavors are made to ensure this is a safe space for all community members.</p> <h3>Governance</h3> <h4>Decision process</h4> <p>As expected, the process to <a href="https://codeberg.org/forgejo/meta/issues/19">define the governance</a> is taking its time. The need for a decision-making progress emerged during the last two meetings on <a href="https://codeberg.org/forgejo/meta/src/branch/readme/2022-12-23-videoconference-governance.mp3">23 December</a> and 27 January (<a href="https://codeberg.org/forgejo/meta/src/branch/readme/2023-01-27-videoconference-governance-part1.mp3">part 1</a> and <a href="https://codeberg.org/forgejo/meta/src/branch/readme/2023-01-27-videoconference-governance-part2.mp3">part 2</a>) and was partially <a href="https://codeberg.org/forgejo/meta/src/branch/readme/DECISION-MAKING.md">formalized</a>. The general idea is that a decision leads to an agreement that is documented so that Forgejo community members can conveniently refer to it when needed. The <a href="https://codeberg.org/forgejo/meta/src/branch/readme/AGREEMENTS.md">list of agreements</a> has just one item at the moment related to branding (name, logo, etc).</p> <h4>The first decisions</h4> <p>Meanwhile, this ongoing governance work inspired community members to move forward, and a few discussions that may lead to decisions are ongoing. Topics include very concrete aspects of development such as the <a href="https://codeberg.org/forgejo/meta/issues/124">criteria in order to define how a PR should be approved</a> which was followed by a <a href="https://codeberg.org/forgejo/meta/pulls/129/files">pull request to document the agreement</a>. Additionally, there are very high level and much longer discussions such as <a href="https://codeberg.org/forgejo/meta/issues/86">licensing Forgejo under copyleft</a>. It's still blurry but something is emerging. It boils down to:</p> <ol> <li>Discussing</li> <li>Proposing an agreement</li> <li>Documenting the agreement</li> </ol> <h4>Agreements for team members</h4> <p>As time passes, the need to replace the <a href="https://codeberg.org/forgejo/meta/src/branch/readme/TEAMS.md">teams that have been in place</a> since Forgejo started becomes more pressing. For instance, given how critical their work is, members of the security team must be agreed upon by the community. It was suggested during the last governance meeting that the procedure goes as follows:</p> <ul> <li><strong>Discussion</strong>: people willing to participate in the security team send a formal and public application (see <a href="https://codeberg.org/forgejo/meta/issues/123">this application for the release team for an example</a>)</li> <li><strong>Proposing an agreement</strong>: if the discussion about the applicant seems to meet the approval of the Forgejo community, a pull request to modify the <a href="https://codeberg.org/forgejo/meta/src/branch/readme/TEAMS.md#security">security team</a> is proposed</li> <li><strong>Documenting the agreement</strong>: if the pull request is approved, it is merged and the agreement is published in the <a href="https://codeberg.org/forgejo/meta/">meta repository</a>.</li> </ul> <h3>We Forge</h3> <p>Forgejo is a <strong>community of people</strong> who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please <a href="https://codeberg.org/forgejo/website/issues/new">ask for an update</a>.</p> <ul> <li><a href="https://codeberg.org/Amolith">https://codeberg.org/Amolith</a></li> <li><a href="https://codeberg.org/Andre601">https://codeberg.org/Andre601</a></li> <li><a href="https://codeberg.org/AnselmF">https://codeberg.org/AnselmF</a></li> <li><a href="https://codeberg.org/aral">https://codeberg.org/aral</a></li> <li><a href="https://codeberg.org/azmeuk">https://codeberg.org/azmeuk</a></li> <li><a href="https://codeberg.org/bartavi">https://codeberg.org/bartavi</a></li> <li><a href="https://codeberg.org/bitbat">https://codeberg.org/bitbat</a></li> <li><a href="https://codeberg.org/braydofficial">https://codeberg.org/braydofficial</a></li> <li><a href="https://codeberg.org/caesar">https://codeberg.org/caesar</a></li> <li><a href="https://codeberg.org/chizutan5">https://codeberg.org/chizutan5</a></li> <li><a href="https://codeberg.org/circlebuilder">https://codeberg.org/circlebuilder</a></li> <li><a href="https://codeberg.org/copyrights">https://codeberg.org/copyrights</a></li> <li><a href="https://codeberg.org/crystal">https://codeberg.org/crystal</a></li> <li><a href="https://codeberg.org/dachary">https://codeberg.org/dachary</a></li> <li><a href="https://codeberg.org/Daeraxa">https://codeberg.org/Daeraxa</a></li> <li><a href="https://codeberg.org/das-g">https://codeberg.org/das-g</a></li> <li><a href="https://codeberg.org/dataCobra">https://codeberg.org/dataCobra</a></li> <li><a href="https://codeberg.org/DiamonC">https://codeberg.org/DiamonC</a></li> <li><a href="https://codeberg.org/duxsco">https://codeberg.org/duxsco</a></li> <li><a href="https://codeberg.org/earl-warren">https://codeberg.org/earl-warren</a></li> <li><a href="https://codeberg.org/earthjasonlin">https://codeberg.org/earthjasonlin</a></li> <li><a href="https://codeberg.org/erkinalp">https://codeberg.org/erkinalp</a></li> <li><a href="https://codeberg.org/f0x">https://codeberg.org/f0x</a></li> <li><a href="https://codeberg.org/faust">https://codeberg.org/faust</a></li> <li><a href="https://codeberg.org/fnetX">https://codeberg.org/fnetX</a></li> <li><a href="https://codeberg.org/fr33domlover">https://codeberg.org/fr33domlover</a></li> <li><a href="https://codeberg.org/fsologureng">https://codeberg.org/fsologureng</a></li> <li><a href="https://codeberg.org/gapodo">https://codeberg.org/gapodo</a></li> <li><a href="https://codeberg.org/h3xx">https://codeberg.org/h3xx</a></li> <li><a href="https://codeberg.org/Infinidoge">https://codeberg.org/Infinidoge</a></li> <li><a href="https://codeberg.org/jamie">https://codeberg.org/jamie</a></li> <li><a href="https://codeberg.org/johanneskastl">https://codeberg.org/johanneskastl</a></li> <li><a href="https://codeberg.org/KaKi87">https://codeberg.org/KaKi87</a></li> <li><a href="https://codeberg.org/kytta">https://codeberg.org/kytta</a></li> <li><a href="https://codeberg.org/MagicLike">https://codeberg.org/MagicLike</a></li> <li><a href="https://codeberg.org/MB175">https://codeberg.org/MB175</a></li> <li><a href="https://codeberg.org/Mikaela">https://codeberg.org/Mikaela</a></li> <li><a href="https://codeberg.org/Mylloon">https://codeberg.org/Mylloon</a></li> <li><a href="https://codeberg.org/n0toose">https://codeberg.org/n0toose</a></li> <li><a href="https://codeberg.org/ocdtrekkie">https://codeberg.org/ocdtrekkie</a></li> <li><a href="https://codeberg.org/oliverpool">https://codeberg.org/oliverpool</a></li> <li><a href="https://codeberg.org/om">https://codeberg.org/om</a></li> <li><a href="https://codeberg.org/polettix">https://codeberg.org/polettix</a></li> <li><a href="https://codeberg.org/redwerkz">https://codeberg.org/redwerkz</a></li> <li><a href="https://codeberg.org/rudolphfroger">https://codeberg.org/rudolphfroger</a></li> <li><a href="https://codeberg.org/Ryuno-Ki">https://codeberg.org/Ryuno-Ki</a></li> <li><a href="https://codeberg.org/SamWhited">https://codeberg.org/SamWhited</a></li> <li><a href="https://codeberg.org/steko">https://codeberg.org/steko</a></li> <li><a href="https://codeberg.org/tallship">https://codeberg.org/tallship</a></li> <li><a href="https://codeberg.org/thatonecalculator">https://codeberg.org/thatonecalculator</a></li> <li><a href="https://codeberg.org/TheEvilSkeleton">https://codeberg.org/TheEvilSkeleton</a></li> <li><a href="https://codeberg.org/till">https://codeberg.org/till</a></li> <li><a href="https://codeberg.org/tuxracer">https://codeberg.org/tuxracer</a></li> <li><a href="https://codeberg.org/tyman">https://codeberg.org/tyman</a></li> <li><a href="https://codeberg.org/viceice">https://codeberg.org/viceice</a></li> <li><a href="https://codeberg.org/vwbusguy">https://codeberg.org/vwbusguy</a></li> <li><a href="https://codeberg.org/xy">https://codeberg.org/xy</a></li> <li><a href="https://codeberg.org/zander">https://codeberg.org/zander</a></li> </ul> <p>A <strong>minority of Forgejo contributors earn a living</strong> by implementing the roadmap co-created by the Forgejo community, see <a href="https://codeberg.org/forgejo/sustainability">the sustainability repository</a> for the details.</p> </content:encoded></item><item><title>Forgejo Security Release 1.18.2-1</title><link>https://forgejo.org/2023-01-22-release-v1-18-2-1/</link><guid isPermaLink="true">https://forgejo.org/2023-01-22-release-v1-18-2-1/</guid><description>Forgejo v1.18.2-1 stable release update fixes a bug that made it possible to reveal hidden user email addresses.</description><pubDate>Mon, 23 Jan 2023 00:00:00 GMT</pubDate><content:encoded><p>Today <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.18.2-1">Forgejo v1.18.2-1</a> was released.</p> <p>This stable release <strong>includes a security fix</strong>. It was possible to reveal a user's email address, which is problematic because users can choose to hide their email address from everyone. This was possible because the notification email for a repository transfer request to an organization included every user's email address in the owner team. This has been fixed by sending individual emails instead and the code was refactored to prevent it from happening again.</p> <h3>Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations are upgraded to the latest version as soon as possible.</p> <h3>Forgejo installation instructions</h3> <p>See the <a href="/download">download page</a> for instructions for installation instructions. If you are upgrading from <code>Forgejo 1.18.X-N</code> (or <code>Gitea 1.18</code>) no manual action is required. If you're on <code>Gitea v1.17.X</code> or older please read the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-18-0-1">release notes</a> carefully, and in particular check out the <a href="https://blog.gitea.io/2022/12/gitea-1.18.0-is-released/#breaking-changes">breaking changes</a> section of Gitea's blog post.</p> <p>The actual upgrade process is as simple as replacing the Gitea binary or container image with the corresponding <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.18.2-1">Forgejo binary</a> or <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.18.2-1">container image</a>. If you're using the container images, you can use the <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.18"><code>1.18</code></a> tag to stay up to date with the latest <code>1.18.x</code> point release automatically.</p> <h3>Codeberg is not vulnerable</h3> <p>The <a href="/.well-known/security.txt">Forgejo security team</a> is a joint effort with <a href="https://codeberg.org">Codeberg</a> which already runs a Forgejo version that includes the security fix.</p> <h3>Responsible disclosure to Gitea</h3> <p>On 21 January 2023, as soon as the <a href="/.well-known/security.txt">Forgejo security team</a> confirmed the vulnerability, the detailed conclusions were communicated to the Gitea security team. The corresponding bug fix was published <a href="https://github.com/go-gitea/gitea/pull/22569">22 January 2023</a>.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo, we'd love to hear from you! Open an issue on <a href="https://codeberg.org/forgejo/forgejo/issues">our issue tracker</a> for feature requests or bug reports. You can also find us <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop by <a href="https://matrix.to/#/#forgejo:matrix.org">our Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) to say hi!</p> </content:encoded></item><item><title>Forgejo Critical Security Release 1.18.1-0</title><link>https://forgejo.org/2023-01-18-release-v1-18-1-0/</link><guid isPermaLink="true">https://forgejo.org/2023-01-18-release-v1-18-1-0/</guid><description>Forgejo v1.18.1-0 stable release update fixes CVE-2022-41903 and CVE-2022-23521, includes a robust release process and branding improvements.</description><pubDate>Wed, 18 Jan 2023 00:00:00 GMT</pubDate><content:encoded><p>Today <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.18.1-0">Forgejo v1.18.1-0</a> was released.</p> <p>This release contains an <strong>important security fix</strong> for Forgejo container images, as described below. When Forgejo runs from a binary, recommendations to upgrade the <code>git</code> version installed alongside it are also provided.</p> <p>This release also contains branding improvements (webhooks, headers, etc.) and includes a more robust release process, as detailed <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-18-1-0">in the release notes</a>.</p> <h3>Recommended Action</h3> <p>We <strong>strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.</p> <ul> <li>When using a Forgejo binary: upgrade the <code>git</code> package to a version greater or equal to v2.39.1, v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, or v2.30.7</li> <li>When using a Forgejo container image: <code>docker pull codeberg.org/forgejo/forgejo:1.18.1-0</code></li> </ul> <h3>Critical security issues in Git</h3> <p>Git <a href="https://github.blog/2023-01-17-git-security-vulnerabilities-announced-2/">recently announced</a> new versions to address two CVEs (<a href="https://cve.circl.lu/cve/CVE-2022-23521">CVE-2022-23521</a>, <a href="https://cve.circl.lu/cve/CVE-2022-41903">CVE-2022-41903</a>). On 17 January 2023, Git published the maintenance release v2.39.1, together with releases for older maintenance tracks v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, and v2.30.7. All major GNU/Linux distributions also provide updated packages via their security update channels.</p> <p>The <a href="/.well-known/security.txt">Forgejo security team</a> analyzed both CVE and confirmed that Forgejo can be used as an intermediary by an attacker to reach a vulnerable <code>git</code> version. The Forgejo codebase itself is not at fault and has no way to mitigate the problem: the only solution is to upgrade the <code>git</code> binary.</p> <h3>Fixing Git when using a Forgejo binary</h3> <p>When installed as a binary <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.18.1-0">downloaded from the Forjego releases</a> repository, it is the responsibility of the Forgejo admin to install <code>git</code> independently. Upgrading to a patched <code>git</code> package (with a version greater or equal to v2.39.1, v2.38.3, v2.37.5, v2.36.4, v2.35.6, v2.34.6, v2.33.6, v2.32.5, v2.31.6, and v2.30.7) is therefore enough to fix the problem, even if Forgejo is not upgraded. Note that some distributions (such as Ubuntu) may backport security fixes to older <code>git</code> versions instead of upgrading, and it is worth looking at the changelog for confirmation. If a package is older than 17 January 2023, it will NOT contain the security fix because it was only made public on that date.</p> <h3>Fixing Git when using a Forgejo container image</h3> <p>When installed as an image <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/versions">downloaded from the Forgejo registry</a>, the container includes both the Forgejo binary and the <code>git</code> binary, as obtained from <a href="https://pkgs.alpinelinux.org/packages?name=git&amp;branch=v3.16">Alpine 3.16</a>. <code>Forgejo 1.18.0-1</code> contains a vulnerable <code>git</code> binary:</p> <pre><code>$ docker run --rm codeberg.org/forgejo/forgejo:1.18.0-1 git --version git version 2.36.3 </code></pre> <p>The <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/versions">Forgejo 1.18.1-0 images</a> were built shortly after the patched <code>git</code> binary was upgraded in <code>Alpine 3.16</code> and is not vulnerable:</p> <pre><code>$ docker run --rm codeberg.org/forgejo/forgejo:1.18.1-0 git --version git version 2.36.4 </code></pre> <p>In this case it is necessary to upgrade Forgejo to <code>1.18.1-0</code> to get the fixed <code>git</code> binary. The <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.18-rootless">rootless</a> variant of Forgejo also includes the <code>git</code> binary and can be upgraded in the same way.</p> <h3>Forgejo installation instructions</h3> <p>See the <a href="/download">download page</a> for instructions for installation instructions. If you are upgrading from <code>Forgejo 1.18.0-1</code> (or <code>Gitea 1.18</code>) no manual action is required. If you're on <code>Gitea v1.17.x</code> or older please read the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-18-0-1">release notes</a> carefully, and in particular check out the <a href="https://blog.gitea.io/2022/12/gitea-1.18.0-is-released/#breaking-changes">breaking changes</a> section of Gitea's blog post.</p> <p>The actual upgrade process is as simple as replacing the Gitea binary or container image with the corresponding <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.18.1-0">Forgejo binary</a> or <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.18.1-0">container image</a>. If you're using the container images, you can use the <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.18"><code>1.18</code></a> tag to stay up to date with the latest <code>1.18.x</code> point release automatically.</p> <h3>Codeberg is not vulnerable</h3> <p>The <a href="/.well-known/security.txt">Forgejo security team</a> is a joint effort with <a href="https://codeberg.org">Codeberg</a> which already runs a <code>git</code> version that is not vulnerable.</p> <h3>Responsible disclosure to Gitea</h3> <p>As soon as the <a href="/.well-known/security.txt">Forgejo security team</a> confirmed the vulnerability, the conclusions were communicated to the Gitea security team. Forgejo recommended a rebuild of the Gitea container images for <code>1.18.1</code>, that were created shortly before the proper Alpine package version was available.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo, we'd love to hear from you! Open an issue on <a href="https://codeberg.org/forgejo/forgejo/issues">our issue tracker</a> for feature requests or bug reports. You can also find us <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop by <a href="https://matrix.to/#/#forgejo:matrix.org">our Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) to say hi!</p> </content:encoded></item><item><title>Answering Forgejo federation questions</title><link>https://forgejo.org/2023-01-10-answering-forgejo-federation-questions/</link><guid isPermaLink="true">https://forgejo.org/2023-01-10-answering-forgejo-federation-questions/</guid><description>This post answers some commonly asked questions about Forgejo federation.</description><pubDate>Tue, 10 Jan 2023 00:00:00 GMT</pubDate><content:encoded><h3>What is federation?</h3> <p>Federation is about creating open protocols so that different servers can communicate with each other. Once Forgejo gains federation support via the <a href="https://forgefed.org/">ForgeFed</a> protocol, you'll be able to do things like create issues for projects on other Forgejo instances without creating an account on that instance. But federation doesn't just solve the problem of having to create many Forgejo accounts. The power of federation comes from building an interoperable ecosystem, since any other code collaboration site or development tool can also add ForgeFed support. Just look at GitHub: it's the epicenter of a giant ecosystem of apps and integrations and tools that cements GitHub's position. It's a textbook example of a walled garden. We want to create something similar, but in an open ecosystem where everything speaks the ForgeFed protocol, so you're never locked-in by which forge or code collaboration software that you use.</p> <h3>Is Forgejo federation development being worked on right now?</h3> <p>Yes. You can find an up-to-date task list <a href="https://codeberg.org/forgejo/forgejo/issues/59">here</a>.</p> <h3>When will federation be released?</h3> <p>Forgejo federation will be merged into mainline Forgejo through two (or more) pull requests. The first pull request, which will be submitted later this month, includes backend support for some basic federation features like following remote users, opening issues on remote repositories, and blocking instances. A second pull request will include a UI for federation, more moderation features, and backend support for federating all of Forgejo's features, such as adding remote users as repository collaborators. Federation will most likely be included in Forgejo 1.19, which will be released in a few months.</p> <h3>Will Gitea also gain federation?</h3> <p>Most likely yes. We want as many forges as possible to be federated, so we will contribute the federation code upstream to Gitea.</p> <h3>What's F3 and how does it relate to federation?</h3> <p>A lot of difficult and seemingly unrelated problems like migrating projects, federated pull requests, and mirroring issues actually have the same solution. A project's code is stored using Git and can be easily migrated, but the issues, pull requests, and project metadata are stored in the database. If only we had a common format for representing all the various components of a project and code to serve and store project components using this format... then mirroring issues would be as easy as fetching remote issues in this format and storing them on our instance. I know, <a href="https://xkcd.com/927/">let's make our own format</a>!</p> <p>And that's why <a href="https://forum.forgefriends.org/t/about-the-friendly-forge-format-f3/681">F3</a> was created. It's a JSON format closely based on how projects are internally stored in Forgejo's database. Although it has a similar semantics, it is different from the <a href="https://forgefed.org/vocabulary.html">ForgeFed vocabulary</a>. Since the rest of Forgejo federation uses ForgeFed, we're working on unifying F3 and the ForgeFed vocabulary so they can use the same codebase.</p> <h3>Further reading</h3> <p>If you think this post was helpful, you should read <a href="https://a.exozy.me/posts/forge-federation-myths/">Forge Federation Myths</a>. Note that it predates Forgejo, so you might want to mentally substitute <code>s/Gitea/Forgejo/g</code> while reading it.</p> </content:encoded></item><item><title>Forgejo v1.18 stable is released</title><link>https://forgejo.org/2022-12-29-release-v1-18-0/</link><guid isPermaLink="true">https://forgejo.org/2022-12-29-release-v1-18-0/</guid><description>The first stable release of Forgejo was published, based on Gitea v1.18.0.</description><pubDate>Thu, 29 Dec 2022 00:00:00 GMT</pubDate><content:encoded><p>Today <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.18.0-1">Forgejo v1.18.0-1</a> was released. This is the first stable release of Forgejo, and is based on <a href="https://blog.gitea.io/2022/12/gitea-1.18.0-is-released/">Gitea v1.18.0</a> which was also released today.</p> <h3>Get Forgejo v1.18</h3> <p>See the <a href="/download">download page</a> for instructions on how to install Forgejo, and read the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-18-0-1">release notes</a> for more information on what's new.</p> <h4>Upgrading from Gitea</h4> <p>This is the moment you have been waiting for. This stable release offers an upgrade and a transition path from Gitea to Forgejo. If you're on <code>v1.17.x</code> or older please read the <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#1-18-0-1">release notes</a> carefully, and in particular check out the <a href="https://blog.gitea.io/2022/12/gitea-1.18.0-is-released/#breaking-changes">breaking changes</a> section of Gitea's blog post.</p> <p>The actual upgrade process is as simple as replacing the Gitea binary or container image with the corresponding <a href="https://codeberg.org/forgejo/forgejo/releases/tag/v1.18.0-1">Forgejo binary</a> or <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.18.0-1">container image</a>. If you're using the container images, you can use the <a href="https://codeberg.org/forgejo/-/packages/container/forgejo/1.18"><code>1.18</code> tag</a> to stay up to date with the latest <code>1.18.x</code> point release automatically.</p> <h3>Contribute to Forgejo</h3> <p>If you have any feedback or suggestions for Forgejo, we'd love to hear from you! Open an issue on <a href="https://codeberg.org/forgejo/forgejo/issues">our issue tracker</a> for feature requests or bug reports, find us <a href="https://floss.social/@forgejo">on the Fediverse</a>, or drop into <a href="https://matrix.to/#/#forgejo:matrix.org">our Matrix space</a> (<a href="https://matrix.to/#/#forgejo-chat:matrix.org">main chat room</a>) and say hi!</p> </content:encoded></item><item><title>First forgejo monthly update - December 2022</title><link>https://forgejo.org/2022-12-26-monthly-update/</link><guid isPermaLink="true">https://forgejo.org/2022-12-26-monthly-update/</guid><description>Forgejo was announced 15 December 2022, here is how it happened.</description><pubDate>Mon, 26 Dec 2022 00:00:00 GMT</pubDate><content:encoded><p>Forgejo was <a href="/2022-12-15-hello-forgejo">announced in December 2022</a> and this report explains how it happened. It is the creation of a collective of people from diverse backgrounds united towards a common goal: enabling Free Software contributors with Free Software tools. The software forge it provides can be downloaded and used right away and it has a unique non-technical feature: the community that drives its roadmap can be trusted to put the interest of the general public first. Forging Free Software is not just about writing code, it is a <a href="https://coding.social/">social construct</a> that involves everyone in a continuous loop.</p> <p>This first monthly report is meant to provide a high-level update of what happened in Forgejo, for people who want to follow its progress from a distance. Fact checking is made easy with links to the issue trackers or chat rooms where the action happened: everything in Forgejo since its inception has been 100% transparent. Video conferences are also <a href="https://codeberg.org/forgejo/meta/issues/36">organized monthly</a> for Forgejo community members to ask questions.</p> <h3>Bootstrap</h3> <p>After <a href="https://gitea-open-letter.coding.social/#gitea-ltd-confirms-its-takeover-of-the-gitea-project">Gitea Ltd confirmed the takeover of the Gitea project</a> on 30 October 2022, a group of people proposed that <a href="https://docs.codeberg.org/getting-started/what-is-codeberg/#what-is-codeberg-e.v.%3F">Codeberg e.V.</a> should become the custodian of a fork of Gitea. The proposal was <a href="https://codeberg.org/forgejo/meta/issues/3#issuecomment-688648">accepted 16 November 2022</a>:</p> <ul> <li>Codeberg e.V. is in control of the domains and the trademarks (if any)</li> <li>Forgejo contributors are a self-governed group of people (a "gremium" in the Codeberg e.V. parlance)</li> <li>The Codeberg e.V. general assembly reviews if Forgejo is aligned with its mission on a yearly basis, based on the monthly reports Forgejo publishes</li> </ul> <p>The essential conditions for a fork to succeed were met and Forgejo was able to be bootstrapped in a sustainable way:</p> <ul> <li>A well-known and trusted organization agreed to support and use Forgejo</li> <li>A group of people with the right skills and stamina committed to provide a long-term effort</li> <li>The strategy to create a soft fork was a good match for the Forgejo contributors workforce</li> </ul> <p>It took another month for the bootstrap to complete and Forgejo was <a href="/2022-12-15-hello-forgejo">announced 15 December 2022</a>.</p> <h3>Development and Distribution</h3> <p>From a technical point of view, Forgejo is a <a href="/download">drop-in replacement for Gitea</a>: it can be used without any modification by simply replacing the Gitea binary (or container image).</p> <p>The first technical work that was done was to replace the Drone (which is not Free Software) release pipeline used by Gitea with a pipeline based on <a href="https://woodpecker-ci.org/">Woodpecker CI</a>. It produced a release candidate <a href="/releases">for Forgejo 1.18.0-rc1-1</a> and is ready for the 1.18 release that will include:</p> <ul> <li>binaries for GNU/Linux amd64, arm64 and armv6 (which can also be used on armv7)</li> <li>container images for amd64 and arm64, either running as root or rootless</li> </ul> <p>It will include some <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/CONTRIBUTING/WORKFLOW.md#branding">Forgejo branding changes</a> and default settings to <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/CONTRIBUTING/WORKFLOW.md#privacy">enhance privacy</a>. And more importantly, it provides a non-technical feature: trust in a sustainable non-profit community to further the interest of the general public.</p> <p>The forge federation features is a focus of Forgejo. Although it is not ready to be released with version 1.18, active development started to <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/CONTRIBUTING/WORKFLOW.md#federation-https-codeberg-org-forgejo-forgejo-issues-labels-79349">support ActivityPub and F3</a>.</p> <h3>User Centric Roadmap</h3> <p>Already within a few days <a href="https://codeberg.org/forgejo/forgejo/issues?labels=78139">dozens of ideas for improving Forgejo</a> were submitted. They express the needs and preferences of Free Software contributors with regards to how they forge their software. This raw material is input to the roadmap and will lead Forgejo on a path that is unique and different than what corporate forges like Github and Gitlab have to offer. Forgejo will place the community firmly in control of project direction.</p> <p>How can Forgejo go from an unsorted pile of ideas to an exciting roadmap? What innovations will inspire contributors? And how do these ideas transform into concrete features that will be implemented, instead of lingering as open issues on the backlog? To address people's needs and be most beneficial for the commons and public interest, Forgejo will follow a structured method of <a href="https://jdittrich.github.io/userNeedResearchBook/">User Research</a>, align with <a href="https://coding.social/">Social Coding Movement</a>, and contribute back insights about Free Software development to evolve the movement's best-practices.</p> <p>A <a href="https://codeberg.org/forgejo/user-research">repository was created</a> to bootstrap that effort. It requires a kind of skill that is rare but Forgejo is in a lucky position and <a href="https://codeberg.org/forgejo/meta/issues/20">benefits from mentoring</a> and <a href="https://lab.forgefriends.org/fedeproxy/ux/-/wikis/2021-06-user-research-report">past examples related to forge federation</a>. Some Forgejo contributors also intend to participate in the <a href="https://discourse.opensourcedesign.net/t/fosdem-2023/3093">OSD devroom</a> early 2023 during <a href="https://fosdem.org/2023/">FOSDEM</a>.</p> <p>The <a href="https://codeberg.org/forgejo/meta/src/branch/readme/TEAMS.md#accessibility">Forgejo accessibility team was created</a> and just <a href="https://codeberg.org/forgejo/user-research/src/branch/master/accessibility">began User Research</a> to figure out what matters most to people who struggle with Forgejo because of its accessibility shortcomings.</p> <h3>Governance</h3> <p>The Forgejo <a href="https://codeberg.org/forgejo/meta/issues/41">domains</a> are owned by <a href="https://codeberg.org/Codeberg/org/src/branch/main/en/bylaws.md">Codeberg e.V.</a>. Forgejo is therefore ultimately under the control of Codeberg e.V. and its governance. However, although Codeberg e.V. is committed to use and host Forgejo, it is expected that Forgejo defines its own governance.</p> <p>The process to <a href="https://codeberg.org/forgejo/meta/issues/19">define the governance</a> is in progress and expected to take weeks if not months. The first two meetings happened (<a href="https://codeberg.org/forgejo/meta/issues/19#issuecomment-694460">24 November</a> and <a href="https://codeberg.org/forgejo/meta/issues/19#issuecomment-711201">10 December</a>). Discussions followed to <a href="https://codeberg.org/forgejo/meta/issues/19#issuecomment-722095">define how decisions are proposed and enacted</a>.</p> <p>While the governance is being defined, there was a need to establish an interim Forgejo governance for safeguarding credentials, enforcing the Code of Conduct and ensuring security vulnerabilities are handled responsibly for the Forgejo releases. All people with a role in the interim Forgejo governance pledge to resign as soon as the Forgejo governance is in place. The people and teams that are part of the interim governance are <a href="https://codeberg.org/forgejo/meta/src/branch/readme/TEAMS.md">listed publicly</a>.</p> <h3>Branding</h3> <p>The support for theming in Gitea is brittle and rebranding is a challenge.</p> <p>The easy part was the choice of the Forgejo name, which started <a href="https://codeberg.org/forgejo/meta/issues/1">6 November</a> and took ten days, with multiple rounds of discussion. The forgejo.org domain was <a href="https://codeberg.org/forgejo/meta/issues/35">then acquired</a> and <a href="https://codeberg.org/forgejo/meta/issues/41#issuecomment-726673">Codeberg e.V. has control over the registrar account</a>. A logo was then <a href="https://codeberg.org/forgejo/meta/issues/23#issuecomment-693408">created</a> as well as <a href="https://codeberg.org/forgejo/meta/issues/56">a mascot</a>.</p> <p>The more substantial work then started in <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/CONTRIBUTING/WORKFLOW.md#branding">a dedicated branch</a>. The rebranding touches many areas and needs to be done in such a way that it is transparent for people upgrading from Gitea. It involves filenames, environment variables, configuration settings, web templates, ... Not only is it tedious, it is also subject to conflicts when rebasing on top of Gitea.</p> <h3>Localization</h3> <p>The Gitea codebase is internationalized in a way that follows the expected standards. But the localization (i.e. the translations in various languages) relies on a proprietary service that has the translation community locked in. Since Forgejo is committed to exclusively use Free Software dependencies and services, it has to use an alternative.</p> <p>Fortunately, <a href="https://weblate.org/">Weblate</a> is a quality self-hostable translation platform and an instance <a href="https://translate.codeberg.org/">is provided by Codeberg</a>. Initial work started in a <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/CONTRIBUTING/WORKFLOW.md#internationalization-https-codeberg-org-forgejo-forgejo-issues-labels-82637">dedicated branch</a>, for the technical part.</p> <p>The most difficult part will be to bootstrap a community of translator working on Weblate instead of the proprietary platform that Gitea depends on. Ideas on how to achieve that in an incremental way are <a href="https://codeberg.org/forgejo/meta/issues/72">most welcome</a>.</p> <h3>Communication and Code of Conduct</h3> <p>As a new project Forgejo had to create new communication channels:</p> <ul> <li>a static website at <a href="https://forgejo.org">https://forgejo.org</a> built by a CI pipeline from <a href="https://codeberg.org/Forgejo/website">a repository</a> for collaborative editing.</li> <li>a social account at <a href="https://floss.social/@forgejo">https://floss.social/@forgejo</a> where content is either published after a consensus is reached from the Forgejo community or signed by the author trusted with access to the account.</li> <li>a <a href="https://matrix.to/#/#forgejo:matrix.org">Matrix space</a> where the main room welcomes Forgejo users to answer any question they may have and development rooms where technical discussions happen between people actively working.</li> <li>all other communications happen on the forge itself, in a spirit of dogfooding. For instance, although it may be more convenient to use a forum such as Discourse for informal discussions or a task manager to organize the work, the issue tracker is used instead.</li> </ul> <p>All communication happens in public, transparently, so a newcomer can immediately get up to speed by reading the backlog. A <a href="https://codeberg.org/forgejo/code-of-conduct">Code of Conduct</a> was adopted <a href="https://codeberg.org/forgejo/meta/issues/13">very early on</a> and applies to all spaces under the responsibility of the Forgejo community. It is essential to create an inclusive environment where everyone can feel safe and a <a href="https://codeberg.org/forgejo/forgejo/src/branch/forgejo/CONTRIBUTING/COC.md">Well Being</a> team is here to help if needed.</p> <p>A particular effort was made when drafting the <a href="/2022-12-15-hello-forgejo">Forgejo announcement</a> and the <a href="https://blog.codeberg.org/codeberg-launches-forgejo.html">Codeberg blog post</a> to explain that Forgejo is meant to reunite the community. It does not compete with Gitea, it builds upon it.</p> <h3>Sustainability</h3> <p>The ideal Free Software project is sustainable because it involves many independent individuals who have the means to work for the interest of the general public, in the long run. It is unhealthy when it relies heavily on overworked volunteers who eventually burn out. It is also unhealthy when it is exclusively under the control of a single for-profit organization that works for the benefit of its shareholders.</p> <p>Forgejo is set to create a healthy balance that involves:</p> <ul> <li>A majority of independent volunteers who are in control of Forgejo via a governance that empowers them. They are representatives of the general public and ultimately the only ones who legitimate to make decisions.</li> <li>A minority of people who earn a living by implementing a roadmap co-created by the Forgejo community.</li> </ul> <p>As of today there are just a handful of <a href="https://codeberg.org/forgejo/sustainability">people paid for their work</a> and an order of magnitude more who volunteer. A grant application was <a href="https://codeberg.org/forgejo/sustainability/issues/1">submitted December 1st</a> while <a href="https://forum.forgefriends.org/t/nlnet-grant-application-for-federation-in-gitea-deadline-august-1st-2022/823">another is ongoing</a> and already funds some of the work towards forge federation.</p> <p>It is unclear if Forgejo will manage to be sustainable while so many other Free Software projects struggle. But maybe it will because it does something unique: being transparent about its funding. Not translucent: transparent.</p> </content:encoded></item><item><title>Beyond coding. We forge.</title><link>https://forgejo.org/2022-12-15-hello-forgejo/</link><guid isPermaLink="true">https://forgejo.org/2022-12-15-hello-forgejo/</guid><description>After many days of hard work and preparation, we are proud to announce that the Forgejo project is now live.</description><pubDate>Thu, 15 Dec 2022 00:00:00 GMT</pubDate><content:encoded><p>After many days of hard work and preparation by a team of former Gitea maintainers and enthusiasts from the FOSS community, we are proud to announce that the Forgejo project is now live.</p> <p><strong>Forgejo</strong> (<a href="/static/forgejo.mp4">/forˈd͡ʒe.jo/</a> – inspired by <i>forĝejo</i>, the Esperanto word for forge) is a community-driven Free Software project that develops a code forge platform similar to GitHub, and that is a drop-in replacement for Gitea. We started Forgejo in reaction to control of Gitea being taken away from the community by the newly-formed for-profit company Gitea Ltd without prior community consultation, and after an <a href="https://gitea-open-letter.coding.social/">Open Letter</a> to the Gitea project owners remained unanswered. The Forgejo project has two major objectives that drive our development and road map:</p> <ol> <li>The community is in control, and ensures we develop to address community needs.</li> <li>We will help liberate software development from the shackles of proprietary tools.</li> </ol> <h3>We are people in control of our future</h3> <p>The first objective relates to how we are organized as a project. It is crucial for Forgejo to guarantee that our product will remain Free Software forever, under the guidance of an open and inclusive community. Forgejo will provide a healthy project governance, so that it can truly focus on the needs of all those people that use our software on a daily basis.</p> <p>To this end we are very proud that Codeberg e.V. has decided to become our project’s custodian. Codeberg e.V. is a non-profit organization with a stellar reputation, that is dedicated to the success of the Free Software movement. They provide software development services to FOSS projects at Codeberg.org. They are rapidly growing and hosting more than 50,000 code repositories for about 40,000 people. Not only will Codeberg take care of the Forgejo domain names and trademarks, but the organization will use Forgejo as the basis for their own services, instead of Gitea.</p> <p>Forgejo's code base is of course hosted on Codeberg, and by using Woodpecker CI instead of Drone and Matrix instead of Discord, we exclusively rely on Free Software tools.</p> <h3>We will help liberate software development</h3> <p>Our second objective relates to the product that we deliver. Free Software projects are in general heavily focused on coding. But development of quality software also involves work in many other areas. For the long-term sustainability of any Free Software, project many aspects must be taken into account. Successful software products involve collaboration between many people with different skill sets.</p> <p>Forgejo's vision is to make software development accessible to everyone – bringing true inclusion and diversity to a field traditionally dominated by technical-skilled people, and where many of the tools used are proprietary services with companies dictating who has access, and who does not.</p> <p>Our vision offers our community a very exciting path forward. For our development road map we will consider the entirety of the Free Software Development Lifecycle (FSDL) and gradually unlock it to the world. We intend to be part of a growing ecosystem of collaborating Free Software projects that dedicate to this same vision. We see <a href="https://forgefriends.org/blog/2022/06/30/2022-06-state-forge-federation/">forge federation</a> as a means to open up the development process, and it is here that we will innovate.</p> <h3>Join our adventure</h3> <p>Help make coding social. Join us in our quest, be part of our adventure. Forgejo is not just a code forge. We go beyond coding. <strong>Together we forge Free Software!</strong></p> <p><em>Stay tuned to our blog. The coming period we will provide you with many updates about our project organization.</em></p> </content:encoded></item></channel></rss>