Forgejo monthly update - April 2025

The monthly report is meant to provide a good overview of what has changed in Forgejo in the past month. If you would like to help, please get in touch in the chatroom or participate in the ongoing discussions.

Releases

Forgejo v11.0

It has been a few weeks since Forgejo v11.0 was released, and Codeberg upgraded a little later. Preliminary testing by developers who upgraded their own instances before the release date revealed a few regressions that were fixed quickly, resulting in an on-time release on 16 April 2025. Some users encountered minor issues unrelated to the release itself, and the release notes have been updated to document the fixes (e.g. a case of an internal Alpine container change that is not backward compatible).

Work on Forgejo Actions changed an undocumented default, which broke workflows that relied on it. This may have been fixed for backward compatibility, but Forgejo Actions is still in an experimental stage, so supporting undocumented behaviors wouldn’t be sustainable. Nevertheless, every effort is being made to ensure that all changes to Forgejo Actions are backward compatible, and the end-to-end testing is constantly being improved to increase coverage.

There is additional pressure on this release because it is the second LTS release. Along with upgrades from Forgejo v10.0, there will be upgrades from v7.0, which may cause their own issues. So far, all reported upgrades have been successful, except one. An instance was migrated to v7.0 and from PostgreSQL to SQLite. Migrating from one database to another is not advertised as supported, but it is a common misconception that an SQL dump and the associated table schema can be used with any SQL database. In this case, the Forgejo instance worked, but due to the unexpected format of the SQL table schema, migrations gradually corrupted its definition. It was possible to restore and upgrade the instance with some manual work, but this is not something you want to try yourself.

Security releases v11.0.1 and v7.0.15

There will be a security update for the two current LTS versions, v11 and v7, on 2 May 2025. We strongly recommend that all Forgejo installations are upgraded to the latest version as soon as possible.

Helm chart v12

After the release of Forgejo v11.0, the helm chart was updated to version 12 a day later to ensure compatibility with the latest major Forgejo release. The release is no longer published to https://code.forgejo.org/forgejo-contrib/forgejo, and several dependencies have been updated. There have also been minor releases adding support for Anubis, making it easier to deploy in front of Forgejo. Work has also started on replacing Redis with Valkey.

Call for help

Accessibility and usability

Contributions to Forgejo are growing steadily, but the human effort to maintain it doesn’t seem to be growing proportionally. Achieving high quality in Forgejo is a goal, but this also requires reviewing pull requests for accessibility and regressions in usability.

Currently, the accessibility and user research teams are understaffed. So if you have some spare time and are interested in these topics, we would appreciate your help to make Forgejo even better and more inclusive. Please have a look at the call for help if you are interested.

Federation

For a high-level overview, check out the federation roadmap.

Earlier this month a PR about enabling HTTP signatures on all ActivityPub endpoints was merged. HTTP signatures in the context of ActivityPub are often required to interact with a server for authentication and moderation purposes. This merged PR provides an important foundation for further federation work.

In addition, work resumed on the pull request from last year that implements following user activities. This will provide support for following a Forgejo user from an ActivityPub server and receiving their activity in the feed.

Sustainability

A new grant application has been submitted for the April 2025 NLnet funding round. Several contributors have applied for a total of €50,000 to complete various tasks. We intend to work on improved moderation tooling, better Git LFS support, making our themes more accessible, and overhauling the contributor workflow. We expect to hear a decision on this application in a few months.

Funded work on the moderation tooling has continued, and we hope to complete all remaining tasks from previous grants soon.

User interface

New improvements to the user interface were merged, making it more modern, consistent and accessible. Some highlights include a reworked switch between comment editor modes and a change to the pagination buttons to ensure that screen readers announce them correctly.

Infrastructure

SSH connection failures

Not long after https://code.forgejo.org/ was upgraded to run the Forgejo v11.0 release candidate, intermittent SSH connection failures were noticed. It took a few days to realize that the problem was not client-side, but server-side: trying to git fetch a repository every 30 seconds would fail at least once an hour for a few minutes. This was frequent enough to start looking for the root cause.

A number of theories were considered, ranging from a v11.0 regression to a client-side bug mistaken for server-side behavior. Finally, it was suggested that the cause might be OpenSSH’s built-in mechanism to terminate a connection early if it comes from an IP with a history of abuse, such as an excessive number of failed login attempts.

SSH connections to https://code.forgejo.org/ are reverse proxied, and all connections to the OpenSSH server originate from the same internal (IPv4 or IPv6) IP. It follows that if a bot tries to brute force the SSH port, it will count against these internal IPs, and if the server decides that’s too much, it will effectively block everyone for a few minutes by blocking a single IP. The problem is not new, and such intermittent outages have been occurring since https://code.forgejo.org/ migrated to the k8s cluster. It was only recently that they became more frequent and people started to notice.

The chosen solution was to disable OpenSSH’s built-in rate limiting feature altogether (PerSourcePenalties no) and rely instead on the reverse proxy that sits in front of OpenSSH. This is not without its challenges, but it is where such a feature belongs instead of being implemented in every service (OpenSSH, Forgejo, etc.) in a different and sometimes unexpected way.
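To illustrate the failure mode described above, here is an added example that is not code from the Forgejo project or from OpenSSH. It replays constructed sshd log lines through a deliberately simplified model of per-source penalties: the parameter values, the log lines and the proxy address 10.0.0.1 are assumptions for the example, and the arithmetic is a model of the idea, not OpenSSH's own implementation. The same password-guessing bot only locks out the legitimate git client when every connection is attributed to the reverse proxy's address.

```python
"""Simplified model of per-source SSH penalties behind a reverse proxy.

Added example with constructed log lines. The penalty arithmetic is a
simplified model in the spirit of OpenSSH's PerSourcePenalties (values
assumed); it is not OpenSSH's implementation.
"""
import re
from datetime import datetime

# Assumed parameters, shaped like the authfail / min / max knobs of
# PerSourcePenalties; the numbers are not taken from the page.
AUTHFAIL_PENALTY = 5    # seconds added to a source per failed authentication
MIN_PENALTY = 15        # refuse new connections once this much penalty is outstanding
MAX_PENALTY = 600       # cap on the outstanding penalty of one source

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed password|Accepted publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sshd log lines (not real code.forgejo.org logs): a password-guessing
# bot, then a legitimate "git" client fetching with a key.
SAMPLE_LOG = """\
2025-04-26T10:00:00 sshd[101]: Failed password for root from 203.0.113.7 port 40001 ssh2
2025-04-26T10:00:00 sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
2025-04-26T10:00:00 sshd[103]: Failed password for root from 203.0.113.7 port 40003 ssh2
2025-04-26T10:00:01 sshd[104]: Failed password for invalid user admin from 203.0.113.7 port 40004 ssh2
2025-04-26T10:00:01 sshd[105]: Failed password for root from 203.0.113.7 port 40005 ssh2
2025-04-26T10:00:01 sshd[106]: Failed password for invalid user admin from 203.0.113.7 port 40006 ssh2
2025-04-26T10:00:03 sshd[107]: Accepted publickey for git from 198.51.100.20 port 51000 ssh2
2025-04-26T10:00:30 sshd[108]: Accepted publickey for git from 198.51.100.20 port 51001 ssh2
"""


def parse(log, proxy_ip=None):
    """Yield (time, user, source ip, failed) per recognised line.

    With proxy_ip set, every connection is attributed to that address, which is
    what sshd sees when a reverse proxy terminates TCP in front of it."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield (
            datetime.fromisoformat(m["ts"]),
            m["user"],
            proxy_ip or m["ip"],
            m["outcome"] == "Failed password",
        )


def simulate(log, proxy_ip=None):
    """Replay the log through the penalty model; return the (timestamp, user)
    pairs whose connection would have been refused at connection time."""
    expires = {}   # source ip -> relative second until which its penalty lasts
    refused = []
    t0 = None
    for when, user, ip, failed in parse(log, proxy_ip):
        t0 = t0 or when
        t = (when - t0).total_seconds()
        outstanding = max(0.0, expires.get(ip, 0.0) - t)
        if outstanding >= MIN_PENALTY:
            refused.append((when.isoformat(), user))   # refused before authentication
            continue
        if failed:
            expires[ip] = min(max(expires.get(ip, 0.0), t) + AUTHFAIL_PENALTY,
                              t + MAX_PENALTY)
    return refused


def sources_seen(log, proxy_ip=None):
    """Distinct source addresses sshd attributes connections to."""
    return {ip for _, _, ip, _ in parse(log, proxy_ip)}


if __name__ == "__main__":
    print("direct :", simulate(SAMPLE_LOG))
    print("proxied:", simulate(SAMPLE_LOG, proxy_ip="10.0.0.1"))
```

The quick check an operator wants is sources_seen: when it returns a single internal address, sshd no longer sees real client addresses and any per-source accounting in sshd punishes everyone at once. That is why the report moves rate limiting to the reverse proxy (PerSourcePenalties no) rather than leaving it inside OpenSSH.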

Crawlers hitting Forgejo instances

The discussion about the global trend of excessive crawling hitting Forgejo instances continued as https://code.forgejo.org/ continues to be hit by waves of up to 600,000 unique IPs per day. Thanks to improvements to the k8s infrastructure since the February event, it held up and there was no downtime.

Analysis of this month’s event (and various experiments) over ten days revealed the following:

  • This is a case of excessive crawling rather than a DDoS, as it continued at the same pace without impacting service availability.
  • Most of the millions of unique IPs involved are from residential proxy providers.
  • This is not cheap: 10TB of data was sent over 10 days, exceeding all advertised proxy provider plans. This is a competitive market where users, voluntarily or through malicious applications, contribute their private IPs and bandwidth in exchange for an estimated $0.1 per GB, which is then sold to the customer for profit.

These findings do not provide clarity on why such excessive crawling occurs, how it is funded, or by whom. However, they are useful in eliminating some speculation, for example the theory that an individual or organization is maliciously trying to increase the load of a Forgejo instance out of anger. This would be plausible if it cost a hundred USD or less. It is very unlikely if it costs at least thousands of USD and requires a non-standard contract with a private proxy provider.

During one experiment on 26 April, an attempt to block hundreds of IP ranges also blocked some Forgejo users: hundreds of IPs in the same ranges as theirs were being used for crawling, and they got caught in the middle. This is a concrete example of how effective residential proxy providers are.
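The measurements in the findings above (unique addresses per day, bytes sent) and the range-blocking collateral just described can be reproduced on ordinary access logs. The following is an added example, not code from the Forgejo project: the log lines are constructed in the combined log format, and the legitimate address set and the "three distinct addresses per /24" blocking threshold are assumptions chosen for the illustration.

```python
"""Crawler traffic analysis over access log lines (added example, constructed data).

Counts unique client addresses per day and bytes sent, groups addresses by
network prefix, and estimates which legitimate users a prefix-level block
would catch along with the crawlers.
"""
import ipaddress
import re
from collections import defaultdict

# Combined log format: ip ident user [day:time zone] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]*\] "[^"]*" \d{3} (?P<bytes>\d+|-)'
)

# Constructed lines (not real code.forgejo.org logs). Crawlers come from many
# addresses in 203.0.113.0/24 and 198.51.100.0/24; 203.0.113.200 and
# 192.0.2.10 are legitimate users, one of them inside a crawler-heavy /24.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Apr/2025:10:00:01 +0000] "GET /forgejo/forgejo/commits/branch/forgejo HTTP/1.1" 200 50000 "-" "Mozilla/5.0"
203.0.113.17 - - [26/Apr/2025:10:00:02 +0000] "GET /forgejo/forgejo/commit/abc123 HTTP/1.1" 200 48000 "-" "Mozilla/5.0"
203.0.113.42 - - [26/Apr/2025:10:00:03 +0000] "GET /forgejo/forgejo/blame/branch/forgejo/README.md HTTP/1.1" 200 51000 "-" "Mozilla/5.0"
198.51.100.8 - - [26/Apr/2025:10:00:04 +0000] "GET /forgejo/forgejo/compare/a...b HTTP/1.1" 200 47000 "-" "Mozilla/5.0"
203.0.113.200 - - [26/Apr/2025:10:05:00 +0000] "GET /user/login HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.10 - - [26/Apr/2025:10:06:00 +0000] "GET /notifications HTTP/1.1" 200 2500 "-" "Mozilla/5.0"
203.0.113.99 - - [27/Apr/2025:03:00:01 +0000] "GET /forgejo/forgejo/commits/branch/forgejo HTTP/1.1" 200 49000 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Apr/2025:03:00:02 +0000] "GET /forgejo/forgejo/commit/def456 HTTP/1.1" 200 50000 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Apr/2025:03:00:03 +0000] "GET /forgejo/forgejo/blame/branch/forgejo/go.mod HTTP/1.1" 200 46000 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Apr/2025:03:00:04 +0000] "GET /forgejo/forgejo/compare/c...d HTTP/1.1" 200 52000 "-" "Mozilla/5.0"
203.0.113.200 - - [27/Apr/2025:09:00:00 +0000] "GET /user/settings HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""


def parse(log):
    """Yield (ip, day, bytes) per recognised line; '-' counts as zero bytes."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            size = 0 if m["bytes"] == "-" else int(m["bytes"])
            yield m["ip"], m["day"], size


def unique_ips_per_day(log):
    per_day = defaultdict(set)
    for ip, day, _ in parse(log):
        per_day[day].add(ip)
    return {day: len(ips) for day, ips in per_day.items()}


def bytes_sent(log):
    return sum(size for _, _, size in parse(log))


def _prefix(ip, prefix_len):
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def ips_per_prefix(log, prefix_len=24):
    """Distinct client addresses seen inside each /prefix_len network."""
    nets = defaultdict(set)
    for ip, _, _ in parse(log):
        nets[_prefix(ip, prefix_len)].add(ip)
    return {net: len(ips) for net, ips in nets.items()}


def collateral_of_prefix_block(log, legit_ips, prefix_len=24, min_distinct=3):
    """Block every prefix with at least min_distinct client addresses and report
    which known-legitimate addresses (assumed known here) get caught with them."""
    blocked = {net for net, n in ips_per_prefix(log, prefix_len).items()
               if n >= min_distinct}
    caught = {ip for ip in legit_ips if _prefix(ip, prefix_len) in blocked}
    return sorted(blocked), sorted(caught)


if __name__ == "__main__":
    print(unique_ips_per_day(SAMPLE_LOG))
    print(bytes_sent(SAMPLE_LOG), "bytes sent")
    print(collateral_of_prefix_block(SAMPLE_LOG, {"203.0.113.200", "192.0.2.10"}))
```

On the constructed data the /24 block that removes both crawler ranges also cuts off the legitimate user at 203.0.113.200, which is the residential-proxy problem in miniature: the crawler addresses are indistinguishable by prefix from the people you want to serve.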

Anubis has been deployed on https://try.next.forgejo.org/ and https://dev.next.forgejo.org/. The instances are victims of excessive crawling and this will reduce the pressure on the Forgejo infrastructure. This was made easy by leveraging new features of the latest Forgejo helm 12.3.0 release. The goal is to eventually do the same on https://code.forgejo.org/ after gaining devops experience running Anubis, if only to deny the data to the organization behind the excessive crawling.

If you want to know more or have insights to share, check out the discussion “Crawlers hitting Forgejo instances - global abuse trend”.

Other

Forgejo Contribution Workshop

On 27 April 2025, n0toose held a Forgejo Contribution Workshop at the Chaos Computer Club Aachen e.V. (CCCAC). The workshop was held in person and four people attended. It was a success and led to the discovery of some problems with the onboarding documentation. In addition, it resulted in two completed PRs and some others that are currently in progress. We welcome every new contributor to Forgejo!

There are plans to repeat such a workshop in the future at other locations.

Talk about Federation

Jerger will give a talk in German about the state of federation at the FSCK in Backnang, Germany. It will be a short talk giving insights into the engine room, security considerations, challenges and the way forward.

A recording should be available at https://media.ccc.de/ afterwards.

Recognition by the Git project

The official Git website, https://git-scm.com/, has undergone a recent update. The updated homepage now features a section highlighting various Forges. This change prominently showcases the logos of Forgejo and Codeberg, highlighting the contribution to the broader Git ecosystem.

We Forge

Forgejo is a community of people who contribute in an inclusive environment. We forge on an equal footing, by reporting a bug, voicing an idea in the chatroom or implementing a new feature. The following list of contributors is intended to reflect this diversity and to acknowledge all the contributions made over the past month. If you are missing, please ask for an update.