Forgejo monthly update - August 2024

The monthly report is meant to provide a good overview of what has changed in Forgejo in the past month. If you would like to help, please get in touch in the chatroom or participate in the ongoing discussions.

It was decided more than a year ago and finally happened: Forgejo changed its license from MIT to GNU GPL v3+ and accepts contributions with a simple Developer Certificate of Origin. It is an additional guarantee that it will not drift away from Free Software and become Open Core like GitLab or Gitea.

Last month, the v8.0 release date was postponed multiple times because bugs were discovered at the last minute. This rather time consuming effort was rewarded by a smooth upgrade of Codeberg and other instances. The absence of problems allowed Forgejo contributors to focus on features and structural improvements: ActivityPub federation, storage quotas, security policy, and more.

Forgejo is now copyleft

The impact of the license change has been carefully considered with regard to the variety of usages of Forgejo. Someone might have chosen to avoid copyleft software, for example because it is discouraged in a company. However, Forgejo depends on Git, one of the most successful copyleft software. Both Forgejo and Git must be used together, either as individual binaries or bundled into the official container images. The license of Git is GNU GPL v2, another version of the same copyleft license.

The majority of Forgejo’s codebase is still MIT-licensed, but it is expected that an increasing number of files will switch to GNU GPL v3+ over time. With the notable exception of the API swagger file that is and will stay MIT to clarify that the intent of the Forgejo authors is that it is used for interoperability with no restriction. It is not an original work and enforcing copyright on that file would probably be difficult anyway.

The discussions on how to improve Forgejo’s licensing are still very lively and will eventually lead to decisions that will improve its legal protection, in the interest of the general public.

Federation

Federation is getting useful. There is now more than preliminary background work, and the first exciting things could be tried out by users. The work is not near the goal yet.

Building upon the foundations released with Forgejo v8.0, a pull request for federated user activity following saw significant progress. The core idea is that any activity (where activity is defined as anything that ends up in the Forgejo user activity) is wrapped in an ap.Note, and sent to followers in the ActivityPub sense. Similarly, the inbox of local users now accepts such Notes. Additionally, there’s now a “Feeds” tab on the user profile page, which displays the received notes.

go-git support is removed from the codebase

Forgejo used to have 2 Git backends: the normal git and go-git which is a Git implementation in pure Go. This had 2 benefits:

You don’t need git installed.
It is a little bit faster than Git on Windows.

Supporting go-git would mean holding Forgejo back. Every Git Feature that Forgejo wants to use also needs to be implemented in go-git. For example: setting git notes in the Web UI is currently not possible in go-git. In addition go-git may lead to data loss and repository corruption (one example). It is not widely used and does not have extensive testing (see the latest example of such corruption).

For these reasons, go-git was removed from the codebase. It only affects users who built Forgejo manually using TAGS=gogit, which no longer has any effect. This removal only happened in the development branch and not in the existing stable Forgejo branches, up to v8.0/forgejo included.

Noteworthy pull requests

Space usage quotas for users and organizations.
A release asset can be a URL instead of a file.
Add a cron task to cleanup dangling container images with version sha256:*.
Remove support for Couchbase as a session provider; it instead will now fallback to the file provider. The rationale for removing Couchbase support is that it’s not free software, https://www.couchbase.com/blog/couchbase-adopts-bsl-license/, and therefore cannot be tested in Forgejo and neither should be supported.
Allow push mirrors to use a SSH key as the authentication method for the mirroring action instead of using user:password authentication. The SSH keypair is created by Forgejo and the destination repository must be configured with the public key to allow for push over SSH.
Forgejo Actions logs are compressed by default. It can be disabled by setting [actions].LOG_COMPRESSION=none.

OCI mirror

Forgejo maintains a mirror of container images that are commonly used in the CI and the release process. The primary motivation is to not be subject to rate limiting when using the Docker hub as well as saving bandwidth.

There still were two problems that led to a rate limiting incident disrupting the CI during a few hours:

A number of references to container images were not using the mirror - they were replaced
The mirror itself was rate limited because it used skopeo copy - it was replaced with skopeo sync

Release notes automation

In addition to the preview shown in each pull request, the Forgejo milestones for all upcoming releases are updated daily with the draft release notes compiled from all the pull requests.

Design and User Interface

Semantic HTML often was a discussion topic, and a pull request was merged to demonstrate how forms could look like with less classes and less weird divs all over the place. They bring consistency out of the box (you only need to change some CSS properties, no need to keep your templates in sync). It was followed by a refactor of some forms to improve semantic HTML, usability, accessibility, and reduce the JavaScript footprint.

A discussion started to improve the testing infrastructure. The “reasonable effort” for the tests is eaten up by just figuring out how to get test data populated. Contributors asked to write tests, should not follow a paper chase. It led to pull requests to move CreateDeclarativeRepo to more accessible location and improve diffs generated by Forgejo to make testing more convenient.

Helm chart

The Forgejo helm chart had many minor and patch updates, in both v7 and v8. Helm chart v7.0.5 and v8.1.1 were released which contain Forgejo security fixes.

Each version is tested against a kubernetes cluster to verify it works. It was using kind but it turned out to be difficult to debug when the number of transient errors increased. K3S is used instead and proved to be more stable.

Forgejo v8.0 install party

The Forgejo v8.0 install party was a nice community meetup and we got to know some Forgejo users. Some users performed their updates live and had only minor issues that were mostly caused by an issue on their end. Due to the lack of actual problems, some might have perceived it as boring. Finally, it was decided to also upgrade Codeberg to Forgejo v8, which was also a smooth experience.

https://floss.social/@forgejo was setup about two years ago and it works flawlessly. However, a problem emerged over the past six months that requires finding a new home: the moderation team at floss.social cannot be contacted, despite numerous attempts over a period of months and via multiple channels.

Nothing indicates it is anything more than a case of being overwhelmed by requests on a rather large instance. But it is best addressed by looking for a new home now instead of waiting that an event requiring moderation happens and is left unattended.

Security policy

A discussion began in 2023, before Forgejo became a hard-fork of Gitea, to improve the security collaboration with upstream projects. It led to a security policy that was agreed on according to the Forgejo decision making process.

Dependency management

A dedicated renovate repository runs every 30 minutes in the https://code.forgejo.org instance to service Forgejo related projects, saving them the burden of running it individually.

The configuration of renovate within Forgejo spaces is the same with regard to Go dependencies. Instead of repeating them in each repository (forgejo/renovate.json, runner/renovate.json), they import a shared configuration found in a repository created for that purpose.

Localization

5 batches of translation updates were merged with 2090 new strings and 1020 string improvements - more than the previous two months combined.

The localization team keeps making sure that the merged translation updates are backported to the current stable versions of Forgejo, so that the releases are always shipped with the most complete and highest quality translations available.

Forgejo is used by a wide variety of people and organizations around the world. For some of them the availability and quality of translations are important factors. Everyone is welcome to contribute to the localization by translating and checking strings. Details on how to participate can be found here.

Forgejo runner

A new version of the Forgejo runner was published which fixes a security issue. It was made easier by using the same tooling as Forgejo itself to upgrade the dependencies.

Security is the most important aspect that the Forgejo runner needs to address before it can be considered for beta testing and will be helped by a security audit which is in the early stages with Radically Open Security.

It will also need more contributors to help with its long term maintenance and anyone interested is encouraged to join.

Sustainability

Donations to the Forgejo Liberapay team reached around 40€ per week and are distributed to three beneficiaries.

Drawing upon previous sustainability discussions, a grant application was submitted for the Sovereign Tech Fund.

The creation of a sustainability team, tasked to map out and implement a strategy on how to make Forgejo a durable endeavour over the next years was proposed.

We Forge

Forgejo is a community of people who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is meant to reflect this diversity and acknowledge all contributions since the last monthly report was published. If you are missing, please ask for an update.

A minority of Forgejo contributors earn a living by implementing the roadmap co-created by the Forgejo community, see the sustainability repository for the details.