Forgejo has a package registry that handles 23 ecosystems. Packages are uploaded directly -- there's no pull-through cache from upstream registries like npmjs.org or crates.io. git-pkgs/proxy is a standalone caching proxy for 16 ecosystems that already solves this problem. The question is what can be reused.
This has been requested multiple times in the Gitea tracker (forgejo inherits these):
| The Commission's call for evidence rightly identifies European reliance on non-EU digital technologies, but focuses primarily on cloud infrastructure, AI, and end-user applications. There's a critical layer missing: the dependency intelligence infrastructure that sits between source code hosting and application deployment. | |
| Open source software underpins 70-90% of all code in the digital economy. But the infrastructure that tracks, analyses, and secures that software is almost entirely US-controlled: package registries, vulnerability databases, dependency graphs, software composition analysis tools, and automated update services. A European company can self-host Forgejo for code hosting and still depend entirely on US services for vulnerability scanning, dependency updates, license compliance, and SBOM generation. | |
| The M×N Problem | |
| Package management has an M×N problem. Every tool implements support for every ecosystem separately. When a new language ships a package manager, it goes to the back of every queue |
| require "net/http" | |
| require "json" | |
| require "uri" | |
| require "digest" | |
| require "fileutils" | |
| INSTANCE = "https://mastodon.social" | |
| USERNAME = "andrewnez" | |
| CACHE_DIR = File.join(__dir__, ".cache") |
This document explores how git-pkgs and gittuf could integrate to enable dependency-aware security policies for Git repositories. The goal: let gittuf enforce policies like "adding new runtime dependencies requires two approvals" or "block dependencies with critical CVEs" by leveraging git-pkgs' understanding of package ecosystems.
git-pkgs is a Git subcommand for tracking package dependencies across git history. It answers questions like "when was this dependency added?", "who added it?", and "what changed between these two commits?" with a unified interface across 40+ package ecosystems.
git-pkgs was recently rewritten from Ruby into Go, partly to enable this kind of integration (importable as a Go library) and partly to simplify deployment as a single binary. It's in early development and can be adapted to work well with gittuf based on feedback.
| Toss a coin to your maintainer, | |
| O guardian of the tree, | |
| For the forests of dependency | |
| Are darker than they seem. | |
| He patches through the nightfall, | |
| He merges through the dawn, | |
| While the auditors ride eastward | |
| To demand another form. |
| Repository,Owner,File Path,HTML URL,Size,Downloaded | |
| jaegertracing/jaeger,jaegertracing,THREAT-MODEL.md,https://github.com/jaegertracing/jaeger/blob/0cf2b7bc16f8acb94fa0f427c12f7868de667cfa/THREAT-MODEL.md,,Yes | |
| backstage/backstage,backstage,docs/overview/threat-model.md,https://github.com/backstage/backstage/blob/9f67ede0651a187ed890df3de4caee941e078c95/docs/overview/threat-model.md,,Yes | |
| dotnet/msbuild,dotnet,documentation/specs/BuildCheck/BuildCheck-feature-threat-model.md,https://github.com/dotnet/msbuild/blob/e4dc6152ef4332d8736cadc189044aa3446956f4/documentation/specs/BuildCheck/BuildCheck-feature-threat-model.md,,Yes | |
| projectcontour/contour,projectcontour,site/content/resources/security-threat-model.md,https://github.com/projectcontour/contour/blob/0119d761110441ad3a4ed9406e339eb28ead5da7/site/content/resources/security-threat-model.md,,Yes | |
| cncf/tag-security,cncf,community/assessments/projects/tikv/tikv-threat-model.md,https://github.com/cncf/tag-security/blob/e9e846978149d349300fccb15feff43e58def8ad/commu |
Initial thought: https://mastodon.social/@andrewnez/112151957657701569
Based on https://en.wikipedia.org/wiki/Tier_list
Comments and critiques welcome
Usage ideas:
| [["github.com", 3114781], | |
| ["gitlab.com", 32138], | |
| ["bitbucket.org", 25904], | |
| ["gitee.com", 20218], | |
| ["gitbox.apache.org", 6262], | |
| ["svn.apache.org", 5852], | |
| ["git-wip-us.apache.org", 3167], | |
| ["wiki.opendaylight.org", 3108], | |
| ["code.google.com", 2217], | |
| ["git.eclipse.org", 1772], |
| http://artifactory.javassh.com/opensource-releases | |
| http://artifactory.javassh.com/opensource-snapshots | |
| http://artifacts.metaborg.org/content/repositories/releases | |
| http://artifacts.metaborg.org/content/repositories/snapshots | |
| http://bp-cms-commons.sourceforge.net/m2repo | |
| http://files.couchbase.com/maven2 | |
| http://java.freehep.org/maven2 | |
| http://maven.ecs.soton.ac.uk/content/repositories/openimaj-releases | |
| http://maven.ecs.soton.ac.uk/content/repositories/openimaj-snapshots | |
| http://maven.inria.fr/artifactory/malai-public-snapshot |