this post was submitted on 29 Apr 2026
70 points (90.7% liked)

Selfhosted

59275 readers
980 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
70
Remote Code Execution in Forgejo? (dustri.org)
submitted 2 weeks ago* (last edited 2 weeks ago) by tofu@lemmy.nocturnal.garden to c/selfhosted@lemmy.world
40 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] irotsoma@piefed.blahaj.zone -2 points 2 weeks ago* (last edited 2 weeks ago)

I believe they were already frustrated by the responses to the fixes they did submit.

I get the frustration. It is how many big companies avoid responsibility, but that's usually to avoid cost on actually fixing stuff. In a FOSS project, what's the point of rejecting a simple fix because some complex process meant for complex issues in proprietary software that the security researcher can't suggest specific fixes for wasn't followed. Why fill out a bunch of "paperwork" and initiate a long embargo period before a fix is considered when the fix is already submitted and is simple enough and low risk and impact enough to not require more that a cursory review. It's like asking a road engineer who sees a small pothole that only damages a few cars a year and offers to fill it because they are often affected by it to file a superior court case in order to report it, much less fix it.

So, it's a matter of, give up because it's too much of a burden to report, or announce in the most ethical way possible to incentivize fixes actually happening.

Edit: based on replies I guess my analogy was better in my head than on paper without explaining. Rather than try a new analogy let me explain a bit.

I wasn't saying the city should let the engineer fix it. I'm saying they shouldn't have let it get that far and should have followed normal pothole patching processes that probably would have been resolved weeks before despite the potholes having caused damage/bug being "security" related rather than feature related. But despite filing detailed bug reports and patches they were told they had to follow a complex policy of notifications and do it separately for each defect of which there were likely to be many, individually, that include triggering an embargo that would not allow them to write or submit those patches for 90 days at which point this engineer would likely have moved on to other issues and forgotten all of the details of how to fix the issues. Heck I often forget and have to start over after a few days much less months.