Archived
15
23
Fork
You've already forked meta
6

Binary and container images releases #6

Closed
opened 2022年11月06日 11:33:00 +01:00 by Ghost · 14 comments

A binary release (amd64 & arm64) and container image (root & rootless) of Gitea 1.18 is self-published. Exactly the same as the Gitea releases, only with the 100% Free Software promise.

See the task list of the codename repository for more details.

A binary release (amd64 & arm64) and container image (root & rootless) of Gitea 1.18 is self-published. Exactly the same as the Gitea releases, only with the 100% Free Software promise. See the [task list of the codename repository](https://codeberg.org/codename/codename/milestone/2794) for more details.
Ghost added this to the Launch milestone 2022年11月06日 11:33:00 +01:00

nitpick: consider replacing "docker" with "container image".
And if a software must quoted, podman is probably to be prefered (as far as I know, moby is the open-core of the proprietary docker software).

nitpick: consider replacing "docker" with "container image". And if a software must quoted, podman is probably to be prefered (as far as I know, moby is the open-core of the proprietary docker software).

@Gusted Do you think that's enough for the launch?

@Gusted Do you think that's enough for the launch?

nitpick: consider replacing "docker" with "container image".
And if a software must quoted, podman is probably to be prefered (as far as I know, moby is the open-core of the proprietary docker software).

Good point, I replaced as suggested.

> nitpick: consider replacing "docker" with "container image". > And if a software must quoted, podman is probably to be prefered (as far as I know, moby is the open-core of the proprietary docker software). Good point, I replaced as suggested.

@Gusted Do you think that's enough for the launch?

I've also linked some other things codename/meta#9 (comment), but technical-wise, we would need to take a hard look at the code to ensure that promise, while I'm sure it's already the case, even I still find new code bits in Gitea. But otherwise it's fine.

> @Gusted Do you think that's enough for the launch? I've also linked some other things https://codeberg.org/codename/meta/issues/9#issuecomment-667892, but technical-wise, we would need to take a hard look at the code to ensure that promise, while I'm sure it's already the case, even I still find new code bits in Gitea. But otherwise it's fine.

Auditing the existing codebase is a formidable task indeed. Keeping an eye on merged pull requests when they look like they could lead to be linked to proprietary software is easier.

Auditing the existing codebase is a formidable task indeed. Keeping an eye on merged pull requests when they look like they could lead to be linked to proprietary software is easier.

Alright, also good. I'm already passively looking at new pull requests and issues, so this should be fine.

Alright, also good. I'm already passively looking at new pull requests and issues, so this should be fine.

I'm also doing it daily, as part of my Gna! duties https://gitea.gna.org/Gna/organization/issues/22 between the two of us that will have to do.

I'm also doing it daily, as part of my Gna! duties https://gitea.gna.org/Gna/organization/issues/22 between the two of us that will have to do.
Contributor
Copy link

Perhaps worth a new ticket, but auditing should also look out for vulnerabilities.
I've heard, one such audit was done in the past.

Perhaps worth a new ticket, but auditing should also look out for vulnerabilities. I've heard, one such audit was done in the past.

Perhaps worth a new ticket, but auditing should also look out for vulnerabilities.

I'm by no mean a security researcher (even though I did found a couple in Gitea), but yeah that would be a bit harder to also think trough every logical step etc. especially with the commits that add new features. Ideally I would also look for that, but it's pure luck that I spot something in my 👀.

I've heard, one such audit was done in the past.

Luckily I know this was mentioned in the Gitea general chatroom:

techknowlogick: Yes, but it was commissioned by a third party and the condition that they provided us the report under was that we are unable to disclose who performed the audit. They are a well known company though, and they didn’t find any serious issues (nothing to warrant a CVE)

And a required security audit would be done as part of a NLNet grant, due to the conditions of the last grant, that never really happend (I and another contributor did got in contact with the security audit company as part of the previous NLNet grant, but nothing ever happend).

> Perhaps worth a new ticket, but auditing should also look out for vulnerabilities. I'm by no mean a security researcher (even though I did found a couple in Gitea), but yeah that would be a bit harder to also think trough every logical step etc. especially with the commits that add new features. Ideally I would also look for that, but it's pure luck that I spot something in my 👀. > I've heard, one such audit was done in the past. Luckily I know this was mentioned in [the Gitea general chatroom](https://matrix.to/#/!bXIgKPtRdSXHBnVBaz:osgeo.org/$HAJ7JQV-Vx3UWPI00UtQj_bbzim69J_I_xXRUsRDS2c?via=libera.chat&via=t2bot.io&via=matrix.org): > techknowlogick: Yes, but it was commissioned by a third party and the condition that they provided us the report under was that we are unable to disclose who performed the audit. They are a well known company though, and they didn’t find any serious issues (nothing to warrant a CVE) And a required security audit would be done as part of a NLNet grant, due to the conditions of the last grant, that never really happend (I and another contributor did got in contact with the security audit company as part of the previous NLNet grant, but nothing ever happend).

I and another contributor did got in contact with the security audit company as part of the previous NLNet grant, but nothing ever happend

Are there more information about that available publicly?

> I and another contributor did got in contact with the security audit company as part of the previous NLNet grant, but nothing ever happend Are there more information about that available publicly?

It was discussed in the private maintainers chatroom and I will need to keep that information confidence.

It was discussed in the private maintainers chatroom and I will need to keep that information confidence.
Ghost changed title from (削除) Binary and docker images releases (削除ここまで) to Binary and container images releases 2022年11月08日 12:59:04 +01:00

For the launch I propose to build releases for:

  • binaries amd64 & arm64
  • containers root & rootless

and leave the more exotic architectures (arm5, etc.) and windows for later. Unless someone with knowledge of those is willing to step up before the launch. So that sorting out problems specific to them can be done.

For the launch I propose to build releases for: * binaries amd64 & arm64 * containers root & rootless and leave the more exotic architectures (arm5, etc.) and windows for later. Unless someone with knowledge of those is willing to step up before the launch. So that sorting out problems specific to them can be done.

I'm able to test amd64 + arm64 binaries. I'm not knowledgeable enough for containers. I don't have access to arm5 + Winodws, so that's a no for me as well.

I'm able to test amd64 + arm64 binaries. I'm not knowledgeable enough for containers. I don't have access to arm5 + Winodws, so that's a no for me as well.

All is ready for creating the binary & container releases (see the corresponding CI:).

All is ready for creating the binary & container releases (see the [corresponding CI:](issues)).
Commenting is not possible because the repository is archived.
No Branch/Tag specified
readme
No results found.
Labels
Clear labels
[Decision] Building proposal(s)
We're in a decision-making process, buiding one or more proposals to address the shared aim based on the criteria
[Decision] Gathering criteria
We're in a decision-making process, gathering criteria, considerations and needs
[Decision] Integrating concerns
We're in a decision-making process, working with a proposal, trying to integrate concerns and create modifications/support such that the proposal works for everyone
Accessibility
Relates to Accessibility (a11y) of product, project and process.
Agreement proposal
Forgejo agreement proposal, following a discussion
Communication
Relates to all channels, social media, website, blog posts.
Election
Process of appointing a person into a role or team (if choosing people just for a specific one-time task, use the Entrustment label)
Entrustment
Process of choosing/approving specific people to do a critical/high-impact one-time task (if choosing people for an ongoing role/team, use the Election label)
Governance
Relates to processes, procedures and decision-making.
Meeting
An upcoming team meeting
User research - Accessibility
Requires input about accessibility features, likely involves user testing.
User research - Blocked
Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.
User research - Community
Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.
User research - Config (instance)
Instance-wide configuration, authentication and other admin-only needs.
User research - Errors
How to deal with errors in the application and write helpful error messages.
User research - Filters
How filter and search is being worked with.
User research - Future backlog
The issue might be inspiring for future design work.
User research - Git workflow
AGit, fork-based and new Git workflow, PR creation etc
User research - Labels
Active research about Labels
User research - Moderation
Moderation Featuers for Admins are undergoing active User Research
User research - Needs input
Use this label to let the User Research team know their input is requested.
User research - Notifications/Dashboard
Research on how users should know what to do next.
User research - Rendering
Text rendering, markup languages etc
User research - Repo creation
Active research about the New Repo dialog.
User research - Repo units
The repo sections, disabling them and the "Add more" button.
User research - Security
User research - Settings (in-app)
How to structure in-app settings in the future?
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
4 participants Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo/meta#6
Reference in a new issue
forgejo/meta
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?