{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreiesendftlwc2vl7d3wzj3u7z7haolhsvb5bo342xtcl5kjg7f6gay",
"uri": "at://did:plc:haakkg7y3xdghcdmprxeexso/app.bsky.feed.post/3mkqazcjmv6n2"
},
"path": "/t/carrot-disclosure-forgejo/37484#post_6",
"publishedAt": "2026-04-30T18:14:15.000Z",
"site": "https://discuss.privacyguides.net",
"textContent": "Understandable concerns; not the way to go about these issues. I see that pull requests were made, with no attempt to contact or properly coordinate with the security team, warning them of the findings or giving them proof through proper communication channels beforehand.\n\nAdditionally, from the post:\n\n> But given the sorry state of the codebase (not their fault though, they inherited the gitea/gogs ones), I’m pretty sure I could spend another evening and find another chain, and odds are that others have a bunch as well. I could try to fix the issues one by one myself and send pull-requests, but even if I wanted, this is a systemic issue, there is little point in playing endless whack-a-mole.\n\nThey recognize that a lot of the problems of Forgejo are inherited from the Gitea codebase from which it was forked off, but not that to change those architectural shortcomings a lot of resources would be required. This is essentially technical debt, which doesn’t make it _acceptable_, but it makes it _understandable_ why these issues are there. It’s a non-profit, volunteer-driven project.\n\nA “carrot disclosure” is a nuclear option when nothing is done after reporting the issues. The issues weren’t reported before this, AFAIK. Again, proper coordination with the proper team would be better than “I found these issues, fixed some in code, but don’t care about communicating with the project or following its guidelines”. This is a tangled web kind of issue, and is not being treated as such.",
"title": "Carrot disclosure: Forgejo"
}