Beyond coding. We forge.
Gusted 12f97ef51f
[SEC] Add keying module
The keying module tries to solve two problems, the lack of key
separation and the lack of AEAD being used for encryption. The currently
used `secrets` doesn't provide this and is hard to adjust to provide
this functionality.

For encryption, the additional data is now a parameter that can be used,
as the underlying primitive is an AEAD construction. This allows for
context binding to happen and can be seen as defense-in-depth; it
ensures that if a value X is encrypted for context Y (e.g. ID=3,
Column="private_key") it will only decrypt if that context Y is also
given in the Decrypt function. This makes confused deputy attacks harder
to exploit.[^1]

For key separation, HKDF is used to derive subkeys from some IKM, which
is the value of the `[service].SECRET_KEY` config setting. The context
for subkeys is hardcoded, any variable should be shuffled into the
additional data parameter when encrypting.

[^1]: This is still possible, because the used AEAD construction is not
key-committing. For Forgejo's current use-case this risk is negligible,
because the subkeys aren't known to a malicious user (which is required
for such an attack), unless they also have access to the IKM (at which
point you can assume the whole system is compromised). See
https://scottarc.blog/2022/10/17/lucid-multi-key-deputies-require-commitment/
2024-08-21 16:06:17 +02:00
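
The scheme the commit message describes (a subkey derived from the IKM with HKDF under a hardcoded context, and an AEAD whose additional data binds a ciphertext to its row and column) is sketched below as an added example; it is not Forgejo's keying module. It assumes HKDF-SHA256 with an empty salt and uses AES-256-GCM from the Go standard library as a stand-in AEAD, since the page names neither; the function names, the context label and the sample IKM are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// subkeyAEAD runs one-block HKDF-SHA256 (RFC 5869, empty salt), then keys AES-256-GCM (stand-in AEAD).
func subkeyAEAD(ikm []byte, context string) (cipher.AEAD, error) {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size))
	extract.Write(ikm) // PRK = HMAC(zero salt, IKM)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(append([]byte(context), 1)) // T(1) = HMAC(PRK, info || 0x01)
	block, err := aes.NewCipher(expand.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext; ad is authenticated but not stored in the output.
func Encrypt(a cipher.AEAD, plaintext, ad []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, plaintext, ad), nil
}

// Decrypt succeeds only under the same subkey and the same additional data.
func Decrypt(a cipher.AEAD, sealed, ad []byte) ([]byte, error) {
	if len(sealed) < a.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return a.Open(nil, sealed[:a.NonceSize()], sealed[a.NonceSize():], ad)
}

func main() {
	ikm := []byte("constructed-SECRET_KEY-value")  // sample IKM, not a real secret
	a, _ := subkeyAEAD(ikm, "example_private_key") // hypothetical context label
	ad := []byte("ID=3,Column=private_key")
	ct, _ := Encrypt(a, []byte("secret"), ad)
	pt, err := Decrypt(a, ct, ad)
	_, wrongCtx := Decrypt(a, ct, []byte("ID=4,Column=private_key"))
	fmt.Println(string(pt), err, wrongCtx != nil)
}
```

A ciphertext copied to another row, or opened under a subkey derived for a different context label, fails authentication instead of decrypting.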
.devcontainer Update ghcr.io/devcontainers/features/git-lfs Docker tag to v1.2.1 2024-06-20 00:01:42 +00:00
.forgejo Merge pull request 'feat: add forgejo-cli to the container images' (#5012) from earl-warren/forgejo:wip-cli into forgejo 2024-08-19 08:47:57 +00:00
assets feat: upgrade F3 to v3.7.0 2024-08-18 19:39:20 +02:00
build Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
cmd Fix linting issues 2024-08-18 16:25:13 +02:00
contrib Switch to FORGEJO_WORK_DIR in the systemd service configuration file (#4850) 2024-08-06 14:56:13 +00:00
custom/conf Merge pull request 'git-grep: set timeout to 2s by default and allow configuring it' (#4966) from yoctozepto/git-grep-timeout into forgejo 2024-08-15 12:15:16 +00:00
docker fix(Dockerfile.rootless): revert to default path for app.ini 2024-04-26 21:30:10 +02:00
models Merge pull request '[gitea] week 2024-34 cherry pick (gitea/main -> forgejo)' (#4998) from earl-warren/wcp/2024-34 into forgejo 2024-08-20 06:32:09 +00:00
modules [SEC] Add keying module 2024-08-21 16:06:17 +02:00
options i18n: Improve clarity of confirmation email messages 2024-08-16 16:11:18 +02:00
public Arch packages implementation (#4785) 2024-08-04 06:16:29 +00:00
release-notes Merge pull request '[gitea] week 2024-34 cherry pick (gitea/main -> forgejo)' (#4998) from earl-warren/wcp/2024-34 into forgejo 2024-08-20 06:32:09 +00:00
releases/images [DOCS] RELEASE-NOTES.md 2024-02-05 14:44:32 +01:00
routers Merge pull request '[UI] Adjust trailing EOL behavior for empty file' (#5013) from gusted/forgejo-adjust-eol into forgejo 2024-08-20 13:42:04 +00:00
services Merge pull request '[BUG] Don't fire notification for comment of pending review' (#4487) from gusted/webhook-issue into forgejo 2024-08-19 09:04:50 +00:00
templates Merge pull request '[UI] Adjust trailing EOL behavior for empty file' (#5013) from gusted/forgejo-adjust-eol into forgejo 2024-08-20 13:42:04 +00:00
tests Merge pull request '[UI] Adjust trailing EOL behavior for empty file' (#5013) from gusted/forgejo-adjust-eol into forgejo 2024-08-20 13:42:04 +00:00
tools Adjust codespell config + make it fix few typos which sneaked in since addition of codespell support (#4857) 2024-08-08 16:07:35 +00:00
web_src [UI] Remove snapping for images on project cards 2024-08-20 16:02:52 +02:00
.air.toml Reduce air verbosity (#31417) 2024-06-23 12:30:09 +02:00
.deadcode-out [SEC] Add keying module 2024-08-21 16:06:17 +02:00
.dockerignore Add /public/assets/img/webpack to ignore files again (#30451) 2024-04-15 20:01:36 +02:00
.editorconfig fixed indentation style in editorconfig for go.mod 2024-05-14 00:24:18 +02:00
.envrc Enable direnv (#31672) 2024-07-28 07:18:24 +02:00
.eslintrc.yaml [PORT] Enable no-jquery/no-parse-html-literal and fix violation (gitea#31684) 2024-07-28 16:52:02 +02:00
.gitattributes Add interface{} to any replacement to make fmt, exclude *.pb.go (#30461) 2024-04-15 20:01:36 +02:00
.gitignore Enable direnv (#31672) 2024-07-28 07:18:24 +02:00
.gitmodules cleanup(tests): remove manual testing submodule 2024-04-21 10:13:51 +02:00
.gitpod.yml Remove sqlite-viewer and using database client (#31223) 2024-06-09 11:13:39 +02:00
.golangci.yml style: reenable switch check 2024-08-18 15:19:01 +02:00
.ignore Add /options/license and /options/gitignore to .ignore (#30219) 2024-04-07 15:40:31 +02:00
.mailmap Add .mailmap with aliases for Unknwon (github.com/Unknwon) 2024-08-14 08:26:16 -04:00
.markdownlint.yaml Update JS dependencies (#28537) 2023-12-30 05:29:03 +00:00
.npmrc Upgrade to npm lockfile v3 and explicitely set it (#23561) 2023-03-18 19:38:10 +01:00
.release-notes-assistant.yaml feat(release-notes-assistant): diff of the change in preview 2024-07-25 22:32:14 +02:00
.spectral.yaml Add spectral linter for Swagger (#20321) 2022-07-11 18:07:16 -05:00
.yamllint.yaml fully replace drone with actions (#27556) 2023-10-11 06:39:32 +00:00
BSDmakefile Fix build errors on BSD (in BSDMakefile) (#27594) 2023-10-13 15:38:27 +00:00
build.go User/Org Feed render description as per web (#23887) 2023-04-04 04:39:47 +01:00
CODEOWNERS chore(CODEOWNERS): @earl-warren watches over all PRs 2024-08-20 08:24:48 +02:00
CONTRIBUTING.md docs: contributing: avoid information duplication (#3454) 2024-04-25 19:10:43 +00:00
DCO Remove address from DCO (#22595) 2023-01-24 18:52:38 +00:00
Dockerfile Merge pull request '[CHORE] Support reproducible builds' (#4970) from gusted/forgejo-reproducible-builds into forgejo 2024-08-20 18:14:33 +00:00
Dockerfile.rootless feat: add forgejo-cli to the container images 2024-08-19 09:44:04 +02:00
flake.lock Fix update flake (#31626) 2024-07-14 11:35:15 +02:00
flake.nix Fix update flake (#31626) 2024-07-14 11:35:15 +02:00
go.mod feat: upgrade F3 to v3.7.0 2024-08-18 19:39:20 +02:00
go.sum feat: upgrade F3 to v3.7.0 2024-08-18 19:39:20 +02:00
LICENSE [DOCS] LICENSE: add Forgejo Authors 2024-02-05 14:44:32 +01:00
main.go [RELEASE] decouple the release name from the version number 2024-02-17 15:27:35 +01:00
Makefile Merge pull request '[CHORE] Support reproducible builds' (#4970) from gusted/forgejo-reproducible-builds into forgejo 2024-08-20 18:14:33 +00:00
package-lock.json Merge pull request 'Update dependency @axe-core/playwright to v4.10.0 (forgejo)' (#5021) from renovate/forgejo-axe-core-playwright-4.x into forgejo 2024-08-20 05:57:07 +00:00
package.json Merge pull request 'Update dependency @axe-core/playwright to v4.10.0 (forgejo)' (#5021) from renovate/forgejo-axe-core-playwright-4.x into forgejo 2024-08-20 05:57:07 +00:00
playwright.config.js Enforce trailing comma in JS on multiline (#30002) 2024-03-26 19:04:27 +01:00
poetry.lock Lock file maintenance 2024-08-12 02:06:15 +00:00
poetry.toml Clean up pyproject.toml and package.json, fix poetry options (#25327) 2023-06-18 18:13:08 +00:00
pyproject.toml Adjust codespell config + make it fix few typos which sneaked in since addition of codespell support (#4857) 2024-08-08 16:07:35 +00:00
README.md [skip ci] IGNORE (#4106) 2024-06-11 16:06:50 +00:00
release-notes-assistant.sh fix(release-notes-assistant): categorize multiline drafts & cleanup 2024-08-01 20:56:34 +02:00
RELEASE-NOTES.md docs: add links to the v7.0.7 & v8.0.1 release notes 2024-08-09 07:26:50 +02:00
renovate.json Merge pull request 'chore(renovate): F3 is under development, update quarterly' (#5025) from earl-warren/forgejo:wip-f3-renovate into forgejo 2024-08-20 13:52:38 +00:00
stylelint.config.js Merge pull request 'Port "Enable declaration-block-no-redundant-longhand-properties (#30950)' (#3769) from beowulf/gitea-port-pull-30950 into forgejo 2024-05-14 22:23:54 +00:00
tailwind.config.js Adjust codespell config + make it fix few typos which sneaked in since addition of codespell support (#4857) 2024-08-08 16:07:35 +00:00
vitest.config.js Switch to happy-dom for testing (#29948) 2024-03-26 19:04:26 +01:00
webpack.config.js Merge pull request '[CHORE] Remove AGPL-1.0 as allowed license' (#4673) from gusted/forgejo-rm-agpl into forgejo 2024-07-25 07:40:19 +00:00

Welcome to Forgejo

Hi there! Tired of big platforms playing monopoly? Providing Git hosting for your project, friends, company or community? Forgejo (/for'd͡ʒe.jo/ inspired by forĝejo the Esperanto word for forge) has you covered with its intuitive interface, light and easy hosting and a lot of builtin functionality.

Forgejo was created in 2022 because we think that the project should be owned by an independent community. If you second that, then Forgejo is for you! Our promise: Independent Free/Libre Software forever!

What does Forgejo offer?

If you like any of the following, Forgejo is literally meant for you:

  • Lightweight: Forgejo can easily be hosted on nearly every machine. Running on a Raspberry? Small cloud instance? No problem!
  • Project management: Besides Git hosting, Forgejo offers issues, pull requests, wikis, kanban boards and much more to coordinate with your team.
  • Publishing: Have something to share? Use releases to host your software for download, or use the package registry to publish it for docker, npm and many other package managers.
  • Customizable: Want to change your look? Change some settings? There are many config switches to make Forgejo work exactly like you want.
  • Powerful: Organizations & team permissions, CI integration, Code Search, LDAP, OAuth and much more. If you have advanced needs, Forgejo has you covered.
  • Privacy: From update checker to default settings: Forgejo is built to be privacy first for you and your crew.
  • Federation: (WIP) We are actively working to connect software forges with each other through ActivityPub, and create a collaborative network of personal instances.

Learn more

Dive into the documentation, subscribe to releases and blog posts on our website, find us on the Fediverse or hop into our Matrix room if you have any questions or want to get involved.

Get involved

If you are interested in making Forgejo better, either by reporting a bug or by changing the governance, please take a look at the contribution guide.