Login
You're viewing the mstdn.social public feed.

Replies

  • Apr 29, 2026, 2:43 PM
    @jvoisin
    Reposting my reply to your post on .social.

    Forgejo is not ran by a corporation, it's an independent project, they don't make money off this.
    You can publish an advisory saying that you don't recommend people use software, because you found multiple vulnerabilities and believe there might be more, ideally you should also report the issues, but blackmailing the maintainers this way is a dick move.
    💬 1🔄 3⭐ 0
  • Apr 29, 2026, 2:44 PM
    @jvoisin your advisory is offputting. I have security experience and hearing that there is these issues makes me want to contribute to forgejo, but I'm also discouraged from doing that, because of how much of an asshole you're being here. I don't want to give you what you want.
    I probably will contribute anyways, but I beg you, think of the maintainers on the other end. Forgejo is not some big corporation like microsoft, it's a group of unpaid volunteers doing their best. Remember the human.
    💬 0🔄 0⭐ 0
  • 💬 0🔄 0⭐ 7
  • 💬 0🔄 0⭐ 10
  • Apr 29, 2026, 5:18 PM

    @jvoisin carrot disclosure is intended to be the nuclear option. while Forgejo and Gitea before it do have eyebrow-raising code from a security pov, it is also a true community-based FOSS project and going nuclear on them like this is a horrid look.

    💬 3🔄 20⭐ 73
  • 💬 0🔄 0⭐ 4
  • Apr 29, 2026, 5:26 PM

    @ariadne @jvoisin <snark>but I mean the alternative would've been to spend time reporting and maybe the developers wouldn't take you as seriously as you think you should be taken and that might hurt your feelings or require emotional labor to convince someone to look more broadly</snark>

    💬 0🔄 0⭐ 13
  • 💬 1🔄 1⭐ 1
  • 💬 1🔄 0⭐ 0
  • Apr 29, 2026, 11:12 PM

    @sam @ariadne @jvoisin as much as I want forgejo to be the good folks, the optics ain't great: codeberg.org/forgejo/forgejo/p

    You may ASK unpaid security research volunteers to participate in some coordinated disclosure, but you can't demand they surrender their free time beyond the report. The maintainers are NLnet funded, the security researcher is operating on goodwill. The bugs are still sitting unaddressed in the open, although there's a recent commit fixing token expiry.

    💬 3🔄 0⭐ 0
  • Apr 29, 2026, 11:24 PM

    @sam @jvoisin @kpcyrd I will concede their security policy is pretty silly, e.g.

    > If you discover a security vulnerability in Forgejo, you MUST send an encrypted email to security@forgejo.org, combined with all available details. The same applies when a security issue was not properly addressed in Forgejo.

    I must send an *encrypted* email? okay I choose to encrypt with null cipher :)

    in this case I would just continue opening PRs and ignore that person 🙃

    💬 0🔄 0⭐ 1
  • Apr 30, 2026, 6:58 AM

    @kpcyrd @ariadne Although I do not wish to comment on the disclosure, your claim that the maintainers (or rather contributors) are NLnet-funded i) in general and as a whole, ii) continuously (implied) and proportionally to (even a tenth of) the time invested and iii) in the cases where this is true, therefore responsible ("part of their job description") for or worthy (implied)... it's a rationalization built on wrongness.

    Even if you limit it to some that try their best, the whole team is sad.

    💬 0🔄 0⭐ 1
  • Apr 30, 2026, 7:30 AM

    @kpcyrd It's worth keeping in mind that NLnet funds agreed upon project features/milestones upon completion of these features. Security work (unless explicitly funded) and maintenance in general is as much goodwill on the defender side as on the attacker side. (Haven't contributed to forgejo, but have been recipient of an NLnet grant before)

    💬 0🔄 0⭐ 1
  • Apr 29, 2026, 5:39 PM
    @jvoisin Forgejo is our best bet on getting something like GitHub but federated.
    And even without the federation it's really useful for everyone who wants to get away from Microslop.
    It's developed by volunteers and I think a German non-profit.

    And instead of helping to get away from big corporation controlled infrastructure you are sabotaging them...

    At least tell them what you found and see if they fix it before choosing the asshole action.
    💬 0🔄 0⭐ 0
  • Apr 29, 2026, 5:44 PM

    @jvoisin This seems like a pretty dick move without even attempting to engage with Forgejo first. A combination of assumptions based on no evidence and "I don't feel like it" is not a good look. They aren't a large company with money to burn, they depend on people being willing to pitch in or at least provide details before going nuclear.

    💬 0🔄 0⭐ 12
  • Apr 29, 2026, 6:22 PM

    @jvoisin that's bad. We are trying to build stuff together, as a community. What you're doing is basically kicking down the stuff other people have built. I'll be discussing that behaviour when we are considering our next donation to @nos_oignons.

    💬 0🔄 2⭐ 8
  • Apr 29, 2026, 7:00 PM

    @jvoisin what you've done here was below any reasonable standard of professional conduct, and also very strange to me. I'm an accessibility nerd and have recently begun digging into Forgejo's accessibility bugs. They do have a few, which to me was like "oh cool, it will probably be fun to work with them on these". Makes no sense to me as a specialist in solving a particular type of problem to build a brand as someone this publicly hostile to those you deem as having too much of that problem.

    💬 0🔄 0⭐ 6
  • Apr 29, 2026, 7:07 PM

    @jvoisin With Gitea being its half-sibling… does the exploit work there, too?

    💬 0🔄 0⭐ 0
  • Apr 29, 2026, 8:42 PM
    @jvoisin That's an incredibly condescending way to talk about someone else's work, and a horrible attempt to force volunteers to follow your priorities.

    If it's so horrible, to to GitHub.
    💬 0🔄 0⭐ 0
  • 💬 0🔄 0⭐ 0
  • May 1, 2026, 3:57 AM

    @Mae @henry
    Being a FOSS project does not entitle the maintainers to build the narrative up around being a "more secure community gitea" and shrug responsibility off when it comes to vulnerabilities. FOSS maintainers don't owe anyting to their users, but they should take pride and responsibility of their work. If an open-source project willingly enters and COMPETES on the market without funding, the market will still have the same expectations of it as from any other competitor. If this _responsibility_ is now overlooked, then forgejo should take down their forgejo.org/compare-to-gitea/# page comparing themselves against gitea in security.

    💬 0🔄 0⭐ 0