
Meeting notes between Forgejo and the Dutch government via Git commits

bwblabs

Very positive to have a governmental hosted git/code platform, although I would still advise Gitea (it's not documented that pick is explored).

I'm a self hosting GoGogs / Gitea user for almost 10 years, I did follow the Gitea fork. However regarding the Forgejo fork: the main contributors stayed with Gitea. The ideologically forked Forgejo made some license changes and hard fork decisions that increased the maintenance burden even more, resulting in missing upstream features and decreased security. Forgejo is more busy managing ideals, than creating software.

0cf8612b2e1e

The Forgejo people say that it is Gitea who is compromising security [0]. Not involved either way, but I have seen enough rug pulls that I will prefer the product which does not have a commercial offering and financial incentives to sabotage it.

[0] https://forgejo.org/compare-to-gitea/

bwblabs

I know the claims, but look at Gitea version v1.24.7 (with some security fixes), released on October 25th, which includes 'fix LFS auth bypass, fix symlink bypass' that was merged on October 20th (#35708). This was fixed in Forgejo on the 25th https://codeberg.org/forgejo/forgejo/commit/fa1a2ba669301238... and released on the 26th, although "Originally scheduled for 7 November, the release date of these patches was advanced because a vulnerability had been leaked publicly." (https://codeberg.org/forgejo/forgejo/src/branch/forgejo/rele...)

Security wise, Gitea was safer in this case.

Also note the SECURITY.md was deleted: https://codeberg.org/forgejo/forgejo/commit/277dd02e706b6e51..., there is a security https://forgejo.org/docs/next/contributor/discussions/#secur... but it's a bit harder to find.

The problem is, Forgejo changed the license (https://codeberg.org/forgejo/governance/pulls/24#issuecommen...) and ended up doing a hard fork (https://forgejo.org/2024-02-forking-forward/#consequences-of...) which creates quite some maintenance burden. There used to be a (weekly) gitea cherry-pick (e.g. https://codeberg.org/forgejo/forgejo/pulls?state=closed&labe...) but the TODO section was getting ever larger, and it seems it stopped in July (week 26).

So they start missing stuff, e.g. features like https://codeberg.org/forgejo/forgejo/issues/9552

ekjhgkejhgk

> The ideologically forked Forgejo made some license changes

Let's be clear. These "some license changes" that you reference were that Forgejo forked Gitea and replaced the MIT license with GPLv3. Forgejo doesn't want to be contributing to receiving effort from contributors into a project that then gets re-used, re-branded, and exploited by a big corp. By making the project copyleft they ensured that the contributions stay Free. This was an ethical move.

Gitea on the other hand doesn't mind sucking up free-of-charge contributions and handing them to a company to build their walled garden around.

bwblabs

Correct, also see the initial discussion about changing the license: https://codeberg.org/forgejo/governance/pulls/24#issuecommen...

The issue with deviating from the upstream license is that only the code author can upstream a patch, since GPLv3 cannot be changed by a non-author of the code to MIT. Resulting in less being patched upstream, and so more merge conflicts, the maintenance burden I was talking about.

ekjhgkejhgk

> Forgejo is more busy managing ideals, than creating software.

But managing ideals is far more important than creating software. Software is just a tool. It's a means to an end, it's not the end in itself.

If software improves humanity we should create it. If not, we shouldn't. We shouldn't create software just because. We can, but that's not ethical.

And regarding your comments that "the original contributors stayed with Gitea", as if that's a point in favor of Gitea: Well of course! If the original contributors wanted copyleft that's how they would've licensed it. To me that just reinforces that I don't want to contribute to their project.

alexrp

> Forgejo is more busy managing ideals, than creating software.

Can't say I agree with this point. Zig has been trying out Forgejo/Codeberg as an alternative to GitHub, and about two months into the experiment, almost all of our technical concerns with Forgejo (and Forgejo Actions) have been addressed, with the only straggler being a UI bug related to the Cancel button in the Actions infrastructure (which has a WIP PR open, and which also has a straightforward workaround).

I can't speak to the platforms themselves, but in regards to their CI systems, it looks to me like the Forgejo Actions runner sees more development than the Gitea act_runner. For example, Forgejo gained support for concurrency groups recently, which to my knowledge are still not supported in Gitea.

krick

Thanks. I was wondering what is the status of it, given that Forgejo is being pushed more in the media lately. TBH, I haven't understood the controversy even after reading a couple of recaps. I remember it being about having "suddenly revealed" a couple of years ago that the guy on top is the owner of the trademark. Doesn't sound like a big deal to me, given that he actually was the main contributor and de-facto the leader of the project the whole time.

But then a couple of years have passed, and I started to hear about Forgejo more often only very recently, so I was wondering, if maybe the original project actually had some downfall and questionable technical decisions since. I still haven't switched, and was wondering if I should do so. As far as I've heard it's still basically a matter of running the different docker container with the same volume, and it should work seamlessly. So what's about this "hard fork" you are mentioning? Did it actually break compatibility?

bwblabs

See https://news.ycombinator.com/item?id=45929247#45930310

Forgejo used to be a set of patches applied on Gitea, but they moved to a fork with cherry picking Gitea commits, this is more work. In my view they don't have the development to keep up with Gitea.

mfld

Based on those meeting notes, the conflict of interest that arises when attempting to add features that compete with paid ones is real. So it's that ideology that is actually needed for a Government user/contributor.

homebrewer

To this day anything of worth that's been added to Gitea is released under MIT. Their business model is: you pay us to develop the features we need, we release them for everybody, which is how their collaboration with Blender has been working thus far. If it's good enough for Blender, who decided to stay with Gitea, it's good enough for me.

bwblabs

Not sure: the government could just buy Gitea Enterprise license right? And thereby not really run true 'open source' software, but it would support the main development behind Gitea.

0_gravitas

There's a batch of dialog that indicates an interest in 'digital sovereignty', so it sounds like they are less interested in being an explicit customer of a given company.

zamalek

> Forgejo is more busy managing ideals, than creating software.

How many Elastic Searches will it take for people to realize that this is mandatory. Linux would not be where it is today were it not for some ideals wrangling.

bwblabs

It really depends, e.g. take a look at PostgreSQL, which is licensed under the PostgreSQL License, which is similar to MIT.

IMHO an MIT license is better than AGPL with a Contributor License Agreement (CLA) like with Elastic.

Gitea is MIT, so free and open-source, permissive.

Also see https://news.ycombinator.com/item?id=45929247#45930949

szszrk

Why would they rather talk to gitea?

Isn't it sensible for a European government to talk to a player that is being backed by European companies and has a cleaner approach to open source?

I'm not arguing, I'm asking what's the rationale here.

krick

It appears to me that the rationale was clearly stated in GP:

> resulting in missing upstream features and decreased security

I.e. it's a matter of technical superiority, which, to me, is how the decisions should be made. Not by having friends in the community and all of us being Europeans and so on. (But, of course, I would be glad to hear more particular details/examples of Forgejo lagging behind.)

homebrewer

You should simply compare release notes over the same time period for both projects, what's been done and how much. There's lots of nonsense repeated on this site and others, just do the research yourself, it won't take long. They both have very predictable release schedules.

We've stuck with Gitea, after not being impressed by the extremely FUDish behavior of the main driver of the fork, and this has proven to be the right choice so far. In spite of what some people claim, all of the major contributors to Gitea have continued developing it, none of the "heavy hitters" have left. It shows.

The database can be downgraded anyway. I've been doing backwards migrations for each new version all the way back to 1.22 (which is the last Gitea version that is "side-gradable" to Forgejo).

p2detar

I used to self-host Gogs on an RPi half a decade ago. At least for the needs of 1-2 people, it was one of the best pieces of software I ever used. If someone needs to host their repos privately, Gogs is more than enough.

rhdunn

I used Gitea for a while. I eventually switched to gitolite and CGit primarily because Gitea (and Forgejo) force you into a flat organization/project structure. This makes organizing personal projects harder because:

1. you need to create an organization for each group (lang, tools, template, etc.)

2. you can't create more complex organization structure (e.g. template/python/python-flask-template)

3. you can't group projects with different top-level names (e.g. apps, tools, lang; such as lang/java and tools/gradle) or across a top-level name (e.g. by programming language such as lang/typescript and lang/python)

mindcrash

Not sure if it's mentioned because I didn't read the whole thing but maybe it's good to know for those of you not familiar with Dutch government that most open source code (and possibly even private code) from all Dutch government orgs is currently hosted on private/public GitHub repositories.

If they move to self hosted Forgejo (which I assume this meeting is all about) Microsoft is going to lose a pretty big customer.

And yes, (good) CI is still a big blocker to move to Forgejo for any org (or self hosting). Hope they can speed things up a bit there now they know a gov org is seriously interested.

j-krieger

After having worked extensively with both I still feel that Gitlab CI is miles better than GH actions. I'm a bit stunned that forgejo aims to reimplement GH actions..

mindcrash

They're aiming at making it near effortless to migrate off GitHub, and 99% of all GitHub users are using Actions... so there's that.

But yes, they also should work on making it super easy to integrate best of breed OSS CI/CD with their SCM and turn Actions off. If they manage that they are on their way making a product which blows GitHub and Gitlab right out of the water. Because while Gitlab allows to integrate third party CI/CD it really feels clunky. (at least at the time I've used it professionally)

isodev

Forgejo’s agent is brilliant to be honest. It’s a very well contained service, written in Go and builds in practically anything. Even before it was supported, I was able to set up a couple of my old Macs to become agents for building iOS apps… my very own “Xcode Cloud” from the back of the office.

bwblabs

A lot of the government are using public free accounts that I'm aware of.

I'm a 5+ year government employee, I touched quite some governmental repositories but all are non-paid.

I'm also a fan of the government hosting the code in an EU jurisdiction, preferably our own Dutch jurisdiction, and even better, self host.

mac-attack

If, like me, you are part of the 99% unfamiliar w/ OSPO et al: https://interoperable-europe.ec.europa.eu/collection/open-so...

Good to see forgejo making inroads as someone who also self-hosts it.

kouunji

This is brilliant, especially if this kind of approach was adopted in policy development. Chunks of vetted “code” that is transparently shared and can be used by other governments facing similar challenges…imagine…

Terr_

I really really want the US legal process to abandon a certain style of incredibly cryptic bill, which contains hundreds of "the word foo shall be inserted in between the words"-style changes.

It often seems like a trick to make it so that nobody really knows what they're voting on, as opposed to a wholesale "replace that entire section with the readable information below". I suppose, to be charitable, it may have originated as a conflict-avoidance strategy.

Ideally, bills would be changesets that can easily be turned into before-vs-after comparisons for legislators to review and approve.

isodev

Indeed. Very refreshing to see this approach. Also, Forgejo is a brilliant choice, I hope the talks continue.

moelf

the note is written in Typst!

jf___

this using the flow [1] package

[1] https://typst.app/universe/package/flow/

ekjhgkejhgk

It's a shame that oliverpool uses the language of "open source software", especially given that forgejo has a Free license.

Words matter, and this would've been a great opportunity to raise awareness to the problem of oppressive software. I think these days most people have an intuition that this is happening.