On Sun, Jan 25, 2026 at 6:10 AM <[email protected]> wrote: > I contributed to Forgejo for a while (tried to improve the HTTPS setup > instructions but was frustrated by a slow/haphazard review process and > gave up), so FWIW my impressions: > > It's a project that it constrained by developer time, which has > consequences: > * Not all parts of the code have a maintainer. This is partly due to the > fact that Forgejo is a fork of a fork. > * The CVE track record shows that they do care (and that they do have a > working CVE process), but also that they did have two remotely > exploitable vulnerabilities in the past three years and needed roughly a > month to fix each one. >
FWIW, those of us involved with the Glasgow Haskell Compiler have been considering alternatives to GitLab because of various non-technical issues. We rejected ForgeJo in large part because of that developer time constraint: we don't have enough active developers to contribute to both it and GHC, and they indeed don't appear to have enough on their own. I personally contribute to a project on CodeBerg, and my impression of it is that it seems to be mostly branding and points you to ForgeJo for documentation and contribution. Also, its CI appears to be pretty underpowered and large projects would probably need to self-host it. -- brandon s allbery kf8nh [email protected]
