Remote Code Execution in Forgejo? (dustri.org)

submitted 3 weeks ago* (last edited 3 weeks ago) by tofu@lemmy.nocturnal.garden to c/selfhosted@lemmy.world

26 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[-] slazer2au@lemmy.world 0 points 3 weeks ago* (last edited 3 weeks ago)

Yea. But did you read the security.md?
https://codeberg.org/forgejo/governance/src/branch/main/SECURITY-POLICY.md

Use an encrypted email to security@forgejo.org. If you can't, tell them and they will set one up.

Seems very assholeish to not at least do that.

[-] thesmokingman@programming.dev -1 points 3 weeks ago

I don’t think you read the article.

[-] slazer2au@lemmy.world -1 points 3 weeks ago

Did you miss this part

with a lot of MUST/MUST NOT about what I must or mustn't do should I decide to go this way.

Sounds like him being lazy.

[-] thesmokingman@programming.dev 1 points 3 weeks ago

Your comment said Forgejo has a disclosure process. The article says the author went with a carrot disclosure after reading the disclosure process and making a value judgement. Because your comment only mentioned Forgejo having a disclosure process, not an evaluation of the author’s evaluation of the disclosure process, it made you appear as if you had not read the article.

In your response to me calling that out, you offer an analysis. The author is lazy for using carrot disclosure over the defined disclosure process. That’s a valid take. I’m not going to disagree with that.

[-] irotsoma@piefed.blahaj.zone -1 points 3 weeks ago* (last edited 3 weeks ago)

Edit: I hate to remove comments and it may get me banned but due to the hate speech I'm receiving regarding things unrelated to software while trying to sympathize with a frustrated security researcher who got caught up in unnecessary bureaucracy when taken en masse, I'm going to remove these comments for now. This is why we volunteer FOSS engineers have to stay clear of popular projects I guess.

[-] notabot@piefed.social 1 points 3 weeks ago

Alternatively, they could have sent the security team an email with the 'carrot' and saying "There seems to be fundamental, systemic, security issues in Forgejo; here's some proof. There's too much for me to raise individual reports, what are we going to do about it?"

this post was submitted on 29 Apr 2026

7 points (81.8% liked)

Selfhosted

59464 readers

47 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz