Follow-up to Carrot disclosure: Forgejo
homebrewer
57 points
9 comments
April 30, 2026
Related Discussions
Found 5 related stories in 101.0ms across 8,303 title embeddings via pgvector HNSW
- Carrot Disclosure: Forgejo bo0tzz · 112 pts · April 28, 2026 · 86% similar
- Leaving GitHub for Forgejo jorijn · 559 pts · May 13, 2026 · 54% similar
- Mistral AI Releases Forge pember · 252 pts · March 17, 2026 · 50% similar
- Show HN: Forge – Guardrails take an 8B model from 53% to 99% on agentic tasks zambelli · 385 pts · May 19, 2026 · 47% similar
- We need a federation of forges icy · 548 pts · April 29, 2026 · 46% similar
Discussion Highlights (6 comments)
homebrewer
Previously: https://news.ycombinator.com/item?id=47941590
bombcar
This is the classic response of a troll.
bmandale
Missed the original. That seems like a reasonable way to highlight software that you believe is fundamentally insecure. Obviously you can't be on the hook to fix deep architectural issues yourself, but just submitting a single PR will be treated as "problem solved". Since most of any software contains some vulnerability, just saying "this software has an RCE" isn't actually a disclosure at all. The real issue is that the given vulnerability was (supposedly) easy to find, which if true is not something that will be fixed by targeting just that exploit chain, and needs deep changes to fix.
aaronbrethorst
Tangential: the favicon for dustri.org is from a really delightful (and hilariously dark) children's book called "I Want My Hat Back" https://en.wikipedia.org/wiki/I_Want_My_Hat_Back
sleepybrett
I get the criticism but also I don't get the criticism. Thank fuck that someone found this bug and let them and the rest of us about it so we can protect ourselves. My forgejo instance was already running on my tailnet with no public exposure but had been considering public disclosure of it for some collaborators. There has been a lot of talk around forgejo as an alternative to github for months now. To now understand that their security posture seems to be, 'like, yaknow, whatever...' is disturbing. I think both parties can take this opportunity to mature. I understand that Forgejo is a community project, but community projects should have standards or very explicit disclaimers when it comes to security.
rdtsc
(From one of the toots) > That said, I do not believe humiliation is the ultimate goal of the contributor here, nor venting a frustration. The ideal outcome is probably to acknowledge the risk, reduce the interpersonal heat I think that’s a very charitable interpretation, and that’s a good attitude in general. In this case though, given that this ended up with all toots and tweets about it, I would suspect notoriety and internet points are at the top of the list of at least some parties here…