A binary release (amd64 & arm64) and container image (root & rootless) of Gitea 1.18 is self-published. Exactly the same as the Gitea releases, only with the 100% Free Software promise.
See the task list of the codename repository for more details.
A binary release (amd64 & arm64) and container image (root & rootless) of Gitea 1.18 is self-published. Exactly the same as the Gitea releases, only with the 100% Free Software promise.
See the task list of the codename repository for more details.
nitpick: consider replacing "docker" with "container image".
And if a software must quoted, podman is probably to be prefered (as far as I know, moby is the open-core of the proprietary docker software).
@Gusted Do you think that's enough for the launch?
nitpick: consider replacing "docker" with "container image".
And if a software must quoted, podman is probably to be prefered (as far as I know, moby is the open-core of the proprietary docker software).
Good point, I replaced as suggested.
@Gusted Do you think that's enough for the launch?
I've also linked some other things codename/meta#9 (comment), but technical-wise, we would need to take a hard look at the code to ensure that promise, while I'm sure it's already the case, even I still find new code bits in Gitea. But otherwise it's fine.
Auditing the existing codebase is a formidable task indeed. Keeping an eye on merged pull requests when they look like they could lead to be linked to proprietary software is easier.
Alright, also good. I'm already passively looking at new pull requests and issues, so this should be fine.
I'm also doing it daily, as part of my Gna! duties https://gitea.gna.org/Gna/organization/issues/22 between the two of us that will have to do.
Perhaps worth a new ticket, but auditing should also look out for vulnerabilities.
I've heard, one such audit was done in the past.
Perhaps worth a new ticket, but auditing should also look out for vulnerabilities.
I'm by no mean a security researcher (even though I did found a couple in Gitea), but yeah that would be a bit harder to also think trough every logical step etc. especially with the commits that add new features. Ideally I would also look for that, but it's pure luck that I spot something in my 👀.
I've heard, one such audit was done in the past.
Luckily I know this was mentioned in the Gitea general chatroom:
techknowlogick: Yes, but it was commissioned by a third party and the condition that they provided us the report under was that we are unable to disclose who performed the audit. They are a well known company though, and they didn’t find any serious issues (nothing to warrant a CVE)
And a required security audit would be done as part of a NLNet grant, due to the conditions of the last grant, that never really happend (I and another contributor did got in contact with the security audit company as part of the previous NLNet grant, but nothing ever happend).
I and another contributor did got in contact with the security audit company as part of the previous NLNet grant, but nothing ever happend
Are there more information about that available publicly?
It was discussed in the private maintainers chatroom and I will need to keep that information confidence.
For the launch I propose to build releases for:
and leave the more exotic architectures (arm5, etc.) and windows for later. Unless someone with knowledge of those is willing to step up before the launch. So that sorting out problems specific to them can be done.
I'm able to test amd64 + arm64 binaries. I'm not knowledgeable enough for containers. I don't have access to arm5 + Winodws, so that's a no for me as well.
All is ready for creating the binary & container releases (see the corresponding CI:).
No due date set.
No dependencies set.
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?