Forgejo monthly update - October 2023

A security issue identified earlier this year was fixed for Forgejo v1.21 and backported to Forgejo v1.20. It was non-trivial and involved a 90-day embargo as well as a database upgrade. Four release candidates for Forgejo v1.21 were published in the experimental organization. The improvements it contains for Forgejo Actions were documented and are now associated with end-to-end testing to guard against future regressions.

A service request originating from German schools in need of additional Forgejo features was published. There are currently no known freelancers or companies providing Forgejo expertise, and discussions took place about what to do with such requests. Solutions were also identified for bootstrapping a fully Free Software hosting provider that includes Forgejo.

Development

Refactor of Long-term Authentication

When a user logs into Forgejo, they can tick the Remember This Device checkbox and their browser will store a Long-term authentication token provided by the server in a cookie, which allows them to stay logged in for a number of days as defined by the LOGIN_REMEMBER_DAYS setting.

Given a copy of the Forgejo database, a Long-term authentication token could be constructed for any user and used to impersonate them. Such a token did not expire LOGIN_REMEMBER_DAYS days after it was created and remained valid for as long as users did not change their password.

This security issue does not require brute force and was the most significant discovered this year. A fix was published by the Forgejo security team on 6 October 2023 after a 90-day embargo and was backported to Forgejo v1.20.5-0 the same day.
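The two properties the issue above turns on, a token that really stops working after LOGIN_REMEMBER_DAYS and a token that cannot be rebuilt from a database dump, are easiest to see in a small working model. The following Go program is an added example written for this update; it is not Forgejo's code and does not claim to reproduce either the vulnerable or the fixed implementation. It assumes a hypothetical design in which the server signs the token with a key kept outside the user database (for example in the configuration file), embeds the expiry date in the token so the server can enforce it, and mixes in a per-user generation counter that is bumped whenever the password changes, so earlier tokens are rejected. The token layout, the function names and the sample values are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed token layout: "<userID>:<generation>:<expiryUnix>:<mac>".
// The MAC is keyed with a server-side key that is never stored in the user
// database, so a copy of the database alone is not enough to build a token.

var (
	ErrInvalidToken = errors.New("long-term token: bad format or signature")
	ErrExpiredToken = errors.New("long-term token: expired")
	ErrRevokedToken = errors.New("long-term token: generation no longer current")
)

// macFor computes an HMAC-SHA256 over the token payload with the server key.
func macFor(key []byte, payload string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// IssueToken creates a token for userID that stops verifying rememberDays
// after `issued` (this models the LOGIN_REMEMBER_DAYS setting). generation is
// the user's current credential generation, bumped on password change.
func IssueToken(key []byte, userID int64, generation uint64, issued time.Time, rememberDays int) string {
	expiry := issued.Add(time.Duration(rememberDays) * 24 * time.Hour).Unix()
	payload := fmt.Sprintf("%d:%d:%d", userID, generation, expiry)
	return payload + ":" + macFor(key, payload)
}

// VerifyToken checks the signature first, then the embedded expiry, then that
// the generation in the token still matches what currentGeneration reports
// for that user (a hypothetical lookup against the user record).
func VerifyToken(key []byte, token string, now time.Time, currentGeneration func(int64) (uint64, bool)) (int64, error) {
	parts := strings.Split(token, ":")
	if len(parts) != 4 {
		return 0, ErrInvalidToken
	}
	payload := strings.Join(parts[:3], ":")
	// Constant-time comparison of the MAC before trusting any field.
	if !hmac.Equal([]byte(parts[3]), []byte(macFor(key, payload))) {
		return 0, ErrInvalidToken
	}
	userID, err1 := strconv.ParseInt(parts[0], 10, 64)
	generation, err2 := strconv.ParseUint(parts[1], 10, 64)
	expiry, err3 := strconv.ParseInt(parts[2], 10, 64)
	if err1 != nil || err2 != nil || err3 != nil {
		return 0, ErrInvalidToken
	}
	if now.Unix() > expiry {
		return 0, ErrExpiredToken
	}
	current, ok := currentGeneration(userID)
	if !ok || current != generation {
		return 0, ErrRevokedToken
	}
	return userID, nil
}

func main() {
	// Server-side key: in a real deployment this would be loaded from a
	// configuration file, not generated at start-up and not kept in the database.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed user table: user 42 is at credential generation 1.
	generations := map[int64]uint64{42: 1}
	lookup := func(id int64) (uint64, bool) { g, ok := generations[id]; return g, ok }

	issued := time.Date(2023, 10, 1, 0, 0, 0, 0, time.UTC)
	token := IssueToken(key, 42, generations[42], issued, 30)

	_, err := VerifyToken(key, token, issued.Add(24*time.Hour), lookup)
	fmt.Println("one day later:", err)
	_, err = VerifyToken(key, token, issued.Add(31*24*time.Hour), lookup)
	fmt.Println("31 days later:", err)
	generations[42] = 2 // the user changed their password
	_, err = VerifyToken(key, token, issued.Add(24*time.Hour), lookup)
	fmt.Println("after password change:", err)
}
```

The order of checks matters: the MAC is verified before any field is parsed, so the only way to get a token past the signature check is to hold the server key, and the expiry and generation checks then bound how long a legitimately issued token stays usable.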

v1.21 release candidates

The Forgejo v1.21 release candidate cycle is coming to an end, with four releases published in the experimental organization. They are now used daily on the https://code.forgejo.org and https://next.forgejo.org instances, and all the release blockers discovered so far have been fixed.

Tests were conducted on a simulation of a Codeberg upgrade to verify the database migration was fast enough, despite some operations that were potentially expensive on large tables.

End-to-end testing for Forgejo v1.20 is part of the setup-forgejo action testsuite. It was extended to include the Forgejo v1.21 release candidates and new tests for the Forgejo Actions features that did not exist in Forgejo v1.20.

Federation

ForgeFlux is working towards providing compliance testing for the forge federation ecosystem using a tool called “ftest”. The tool ran successfully against Forgejo and produced this compliance report proving the correctness of Forgejo’s work-in-progress implementation.

The F3 Forgejo driver is on pause while the gof3 package is undergoing a complete refactor. The API will be roughly the same and will allow copying data from one forge to another.

Forgejo service providers

Forgejo exists under the umbrella of Codeberg, which is a non-profit organization. But it can be used by freelancers or for-profit companies to generate an income, just like there are many service providers using Git, which exists under the umbrella of the Software Freedom Conservancy.

Professional services

When someone needs a Forgejo instance of their own but does not have the resources to maintain and improve it, they should be able to find help, for a fee. For instance, the German state of Baden-Württemberg needs additional features to deploy Forgejo in German schools next year. The new development could then be contributed back to Forgejo and become available for all.

Hosting provider

If someone is looking for a hosting provider where they can rent their own Forgejo instance and Forgejo runner without being bothered by upgrades, they currently have nowhere to go.

The easiest solution would be for Forgejo to be part of the application portfolio of an existing hosting provider. But none of them are powered by Free Software, and the Forgejo instance would be trapped: migrating to another hosting provider would require a significant effort.

There are two fully Free Software stacks providing a turnkey solution to set up a hosting service provider. One of them is unmaintained and the other needs a Forgejo driver.

Documentation

The bulk of the documentation updates relate to the new Forgejo v1.21 features of Forgejo Actions in the user and admin sections. They are associated with examples and tests that help understand how they actually work.

A round of updates was also done by harvesting documentation improvements from Codeberg and from Gitea.

Forgejo Actions

Runner 3.0.1

A number of actions (e.g. checkout@v4) now depend on node 20, which was only recently supported by ACT, the tool on top of which the Forgejo runner is built. The Forgejo runner 3.0.1 contains that upgrade.

The cascading-pr action

Forgejo is not a mono-repository project. It is made up of several software projects that have their own release cycle in multiple repositories. Synchronizing them is sometimes challenging, as demonstrated by the rather involved test instructions of the Forgejo runner.

To simplify the development workflow, a new action was developed. cascading-pr can be used in the workflow of a repository to verify that a proposed change won't break anything when a dependent piece of software upgrades. For instance, when a pull request is opened in the Forgejo runner, a workflow will also open a pull request in setup-forgejo.

If the CI passes on setup-forgejo, it is an additional confirmation that the proposed change in Forgejo runner does not contain a regression that would break setup-forgejo once released.

Governance and communication

Code contributions to Gitea now require a copyright assignment. It does not impact the most trivial bug fixes because they are not subject to copyright. But it means that it is not enough for a contribution to be released under the MIT license: all copyright headers must also be removed.

This new requirement was discovered when the Forgejo security team contributed the fix for the Long-term Authentication security issue explained above. It contained files with a Copyright Forgejo header in addition to the Copyright Gitea header and was blocked for that reason. The author of the patch agreed under protest to remove their copyright headers for the sake of Gitea admin security.

FOSDEM 2024

Plans are made to organize a Forgejo and Codeberg presence at FOSDEM 2024. If you would like to participate, feel free to reach out in the development chatroom.

Moderation

The moderation team currently has just one person, which is problematic when that person is involved in a moderation action. A new member has offered to participate to remedy this.

We Forge

Forgejo is a community of people who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please ask for an update.

A minority of Forgejo contributors earn a living by implementing the roadmap co-created by the Forgejo community, see the sustainability repository for the details.