forge/forge
10
7
Fork 5
Code Issues 85 Pull requests 1 Projects 3 Wiki Activity Actions

Users circumventing new repo creation limitation #465

New issue
Open
opened 2026-03-23 08:45:16 +00:00 by mattia · 10 comments
mattia commented 2026-03-23 08:45:16 +00:00
Copy link

Summary

Users can circumvent new repo creation block by cloning existing repos

Background

It has been reported on matrix chat that a user successfully managed to create a repository for their personal use:
https://forge.fedoraproject.org/mabbs/blog
That repo seems to have been forked by this very one, probably the user managed to erase the entire existing git history and put their stuff in it.

Details

Since it is supposed that the new Fedora Forge has to be used only for Fedora related work, this is something that needs to be fixed.

Summary

Prevent users to create repos for their personal stuff

### Summary Users can circumvent new repo creation block by cloning existing repos ### Background It has been reported on matrix chat that a user successfully managed to create a repository for their personal use: https://forge.fedoraproject.org/mabbs/blog That repo seems to have been forked by this very one, probably the user managed to erase the entire existing git history and put their stuff in it. ### Details Since it is supposed that the new Fedora Forge has to be used only for Fedora related work, this is something that needs to be fixed. ### Summary Prevent users to create repos for their personal stuff
ryanlerch commented 2026-03-23 08:58:12 +00:00
Owner
Copy link

Yeah, this was a known "workaround" to the setup.

Now it has happened We will need to come up with a way to manage this with moderation.

Yeah, this was a known "workaround" to the setup. Now it has happened We will need to come up with a way to manage this with moderation.
t0xic0der commented 2026-03-23 09:01:04 +00:00
Member
Copy link

@ryanlerch, can / should we restrict forking to folks only belonging to the namespace that they are trying to fork the repository from? Like, if I am not a part of the science namespace, that would restrict me from being able to fork science/stem unless I end up being a part of that group, which has to happen manually since the sponsors can only add me. Assuming that what I stated is indeed possible, that is.

@ryanlerch, can / should we restrict forking to folks only belonging to the namespace that they are trying to fork the repository from? Like, if I am not a part of the `science` namespace, that would restrict me from being able to fork `science/stem` unless I end up being a part of that group, which has to happen manually since the sponsors can only add me. Assuming that what I stated is indeed possible, that is.
ryanlerch commented 2026-03-23 09:03:58 +00:00
Owner
Copy link

Sadly, That will be too restrictive, as a contributor that wants to contribute to a project would have to become a member first.

Maybe we can restrict forking to CLA+1 somehow?

Forking a repo and replacing the content with your own because you cant make a fresh repo is a little shady IMHO.

Sadly, That will be too restrictive, as a contributor that wants to contribute to a project would have to become a member first. Maybe we can restrict forking to CLA+1 somehow? Forking a repo and replacing the content with your own because you cant make a fresh repo is a little shady IMHO.
t0xic0der commented 2026-03-23 09:10:03 +00:00
Member
Copy link

CLA+1 acceptance-based restriction feels right. Not too restrictive, not too allowing.

I do suggest nuking the repository, it is a repository of an already existing repository https://github.com/Mabbs/mabbs.github.io, and on a superficial skim, has nothing to do with the Fedora Project at all.

CLA+1 acceptance-based restriction feels right. Not too restrictive, not too allowing. I do suggest nuking the repository, it is a repository of an already existing repository https://github.com/Mabbs/mabbs.github.io, and on a superficial skim, has nothing to do with the Fedora Project at all.
ryanlerch added this to the Sprint 17 project 2026-03-23 10:29:07 +00:00
kevin commented 2026-03-23 16:51:59 +00:00
Copy link

I'd suggest talking to the user, perhaps they misunderstood things?

But in any case, it might be worth waiting to see how big a problem this is before investing in a lot of work to avoid it, or restricting users?

I'd suggest talking to the user, perhaps they misunderstood things? But in any case, it might be worth waiting to see how big a problem this is before investing in a lot of work to avoid it, or restricting users?
👍 1
lihis commented 2026-03-23 18:22:42 +00:00
Copy link

@t0xic0der wrote in #465 (comment):

@ryanlerch, can / should we restrict forking to folks only belonging to the namespace that they are trying to fork the repository from? Like, if I am not a part of the science namespace, that would restrict me from being able to fork science/stem unless I end up being a part of that group, which has to happen manually since the sponsors can only add me. Assuming that what I stated is indeed possible, that is.

For me this sounds a bit too restrictive..

What if one wants to fix some documentation, let's use this as example: fesco/docs#122

I'm not part of fesco so instead of just creating PR I would need to either:

  • become a member, or
  • create an issue and wait for someone from the group to pick it up and fix it

where first one is probably not going to happen

@t0xic0der wrote in https://forge.fedoraproject.org/forge/forge/issues/465#issuecomment-581249: > @ryanlerch, can / should we restrict forking to folks only belonging to the namespace that they are trying to fork the repository from? Like, if I am not a part of the `science` namespace, that would restrict me from being able to fork `science/stem` unless I end up being a part of that group, which has to happen manually since the sponsors can only add me. Assuming that what I stated is indeed possible, that is. For me this sounds a bit too restrictive.. What if one wants to fix some documentation, let's use this as example: https://forge.fedoraproject.org/fesco/docs/pulls/122 I'm not part of `fesco` so instead of just creating PR I would need to either: - become a member, or - create an issue and wait for someone from the group to pick it up and fix it where first one is probably not going to happen
mattia commented 2026-03-25 06:54:25 +00:00
Author
Copy link

I think the requirement on CLA+1 signing is acceptable. After all, the reason behind forking a project in the new forge should be to contribute to Fedora in some way.

I think the requirement on CLA+1 signing is acceptable. After all, the reason behind forking a project in the new forge should be to contribute to Fedora in some way.
gotmax23 commented 2026-03-25 09:33:32 +00:00
Copy link

Please don't require group memberships and create extra barriers to contribution for people getting started in Fedora.

Please don't require group memberships and create extra barriers to contribution for people getting started in Fedora.
ryanlerch commented 2026-03-27 00:38:19 +00:00
Owner
Copy link

i'm leaning towards even CLA+1 being too restrictive still.

First change, going to add a note to the fork page stating that this behaviour is not permitted. -- #466

Then going to write a script or come up with a way to identify forks that are misusing this.

Also, I will reach out to the individual user here and inform them that what they have done is not permitted on Fedora Forge.

i'm leaning towards even CLA+1 being too restrictive still. First change, going to add a note to the fork page stating that this behaviour is not permitted. -- https://forge.fedoraproject.org/forge/forge/issues/466 Then going to write a script or come up with a way to identify forks that are misusing this. Also, I will reach out to the individual user here and inform them that what they have done is not permitted on Fedora Forge.
jflory7 commented 2026-03-27 02:47:06 +00:00
Contributor
Copy link

I agree with @kevin, @gotmax23, and @ryanlerch. "FPCA+1" as a requirement makes sense for dist-git, but not Fedora Forge. I am thinking of the wave of Outreachy intern applicants we have currently surging into our infrastructure and tools. These folks are brand new and would immediately hit this issue where they wouldn't be able to fork an important repo, and the mentoring team wouldn't be able to support the applicant easily. The workflow of trying to teach a new open source contributor how to do a Pull Request across two different git forges is a time investment I would prefer not to have to make. Fedora Mentored Projects would suffer if forking is disabled and limited to this special group only.

@kevin wrote…
I'd suggest talking to the user, perhaps they misunderstood things?

@ryanlerch wrote…
Also, I will reach out to the individual user here and inform them that what they have done is not permitted on Fedora Forge.

I think @kevin was on the right track. There are clear usage terms about using Fedora Forge. There are appropriate uses and inappropriate usages. The correct action is to have a conversation with the user, make sure they are aware that this is an intentional limitation, and then take action based on the outcome of the conversation.

@ryanlerch wrote…
First change, going to add a note to the fork page stating that this behaviour is not permitted. -- #466

I like this idea a lot. I have a hunch that most of the people attempting to get around this requirement likely are unaware that this is a limitation put in place on purpose.

@ryanlerch wrote…
Then going to write a script or come up with a way to identify forks that are misusing this.

👍

I agree with @kevin, @gotmax23, and @ryanlerch. "FPCA+1" as a requirement makes sense for dist-git, but not Fedora Forge. I am thinking of the wave of Outreachy intern applicants we have currently surging into our infrastructure and tools. These folks are brand new and would immediately hit this issue where they wouldn't be able to fork an important repo, and the mentoring team wouldn't be able to support the applicant easily. The workflow of trying to teach a new open source contributor how to do a Pull Request across two different git forges is a time investment I would prefer not to have to make. Fedora Mentored Projects would suffer if forking is disabled and limited to this special group only. > _**@kevin wrote…**_ > I'd suggest talking to the user, perhaps they misunderstood things? > _**@ryanlerch wrote…**_ > Also, I will reach out to the individual user here and inform them that what they have done is not permitted on Fedora Forge. I think @kevin was on the right track. There are clear usage terms about using Fedora Forge. There are appropriate uses and inappropriate usages. The correct action is to have a conversation with the user, make sure they are aware that this is an intentional limitation, and then take action based on the outcome of the conversation. > _**@ryanlerch wrote…**_ > First change, going to add a note to the fork page stating that this behaviour is not permitted. -- #466 I like this idea a lot. I have a hunch that most of the people attempting to get around this requirement likely are unaware that this is a limitation put in place on purpose. > _**@ryanlerch wrote…**_ > Then going to write a script or come up with a way to identify forks that are misusing this. 👍
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
test
docs
No results found.
Labels
Clear labels   
Backlog Status
Needs Review
Work items that have been created or updated but need review, refinement, or approval before they can be considered ready for sprint planning.

  
Backlog Status
Ready
Work items that have been reviewed, refined, and are ready to be committed to a sprint. These items have clear requirements and could be worked on immediately when capacity is available.

  
Chore

Tasks that are necessary but don't directly deliver new value to the end-user. These are internal tasks like updating a library, managing user accounts, or setting up a new service.

  
points
01
A task that is simple, small, and has very little uncertainty. It should be easy enough for any team member to pick up and complete quickly, without a lot of discussion or research.

  
points
02
This is a task that is slightly more complex or larger than a "1." It might involve two or three simple steps, but the outcome is still very clear and there's little uncertainty.

  
points
03
medium-sized task with some noticeable complexity. It might require a bit more thought or collaboration. The steps are well-defined, but it's not a trivial change.

  
points
05
a significant piece of work. It has more complexity and a higher degree of uncertainty than smaller tasks. It might require some research, a design discussion, or collaboration across multiple teams.

  
points
08
complex task with a lot of uncertainty. It's often the largest size that a team will consider for a single sprint. It likely requires a detailed breakdown and multiple team members to complete.

  
points
13
Any task that feels like it's a "13" or more is considered an Epic. These are too large and uncertain to be worked on in a single sprint.

  
Priority
High
This is for work that is critical and needs to be addressed in the next sprint. It's often for urgent bugs, important features, or a major piece of technical debt that is blocking other work.

  
Priority
Low
This is for work that is good to do but not urgent. It's a candidate for being worked on when there's extra time or when it rises in importance. It can stay in the backlog for a longer period.

  
Priority
Medium
This is for important work that should be done soon, but isn't as urgent as a high-priority item. It will likely be considered for the next 1-2 sprints.

  
Sprint Status
Blocked
Indicates the work cannot proceed. There is a dependency or an issue that is preventing the team from completing the task. This is a flag for the Scrum Master to help unblock the team.

  
Sprint Status
Done
Work items that have been completed, reviewed, and integrated. No further work is needed within the current sprint.

  
Sprint Status
In Progress
This label is for work that a developer is actively working on. This is usually what you'll see on the "In Progress" column of your project board.

  
Sprint Status
Review
This indicates that the work is complete, but it is now in a review state. This could mean a peer code review, a QA check, or a review by the Product Owner.

  
Sprint Status
To Do
Work items that are committed to the sprint but haven't been started yet. These items are ready to be picked up by team members.

  
Technical Debt

work that improves the codebase without adding new features. It's work that pays down the "debt" you've accumulated, such as refactoring a messy piece of code, improving test coverage.

  
Work Item
Bug
Issues where the system is not working as intended or designed. Bugs represent deviations from expected behavior.

  
Work Item
Epic

  
Work Item
Spike

  
Work Item
Task

  
Work Item
User Story

  
Backlog Status
Needs Review
Work items that have been created or updated but need review, refinement, or approval before they can be considered ready for sprint planning.

  
Backlog Status
Ready
Work items that have been reviewed, refined, and are ready to be committed to a sprint. These items have clear requirements and can be worked on immediately when capacity is available.

  
chore

Work that needs to be done but doesn't add new functionality or fix bugs. Maintenance tasks that keep the system running smoothly and the codebase clean.

  
documentation

Work focused on creating, updating, or improving documentation for users, developers, or system administrators.

  
points
01
A task that is simple, small, and has very little uncertainty. It should be easy enough for any team member to pick up and complete quickly, without a lot of discussion or research.

  
points
02
This is a task that is slightly more complex or larger than a "1." It might involve two or three simple steps, but the outcome is still very clear and there's little uncertainty.

  
points
03
Medium-sized task with some noticeable complexity. It might require a bit more thought or collaboration. The steps are well-defined, but it's not a trivial change.

  
points
05
A significant piece of work. It has more complexity and a higher degree of uncertainty than smaller tasks. It might require some research, a design discussion, or collaboration across multiple teams.

  
points
08
Complex task with a lot of uncertainty. It's often the largest size that a team will consider for a single sprint. It likely requires a detailed breakdown and multiple team members to complete.

  
points
13
Any task that feels like it's a "13" or more is considered an Epic. These are too large and uncertain to be worked on in a single sprint and should be broken down.

  
Priority
High
This is for work that is critical and needs to be addressed in the next sprint. It's often for urgent bugs, important features, or a major piece of technical debt that is blocking other work.

  
Priority
Low
This is for work that is good to do but not urgent. It's a candidate for being worked on when there's extra time or when it rises in importance. It can stay in the backlog for a longer period.

  
Priority
Medium
This is for important work that should be done soon, but isn't as urgent as a high-priority item. It will likely be considered for the next 1-2 sprints.

  
Sprint Status
Blocked
Work items that cannot progress due to external dependencies, blockers, or issues that need resolution.

  
Sprint Status
Done
Work items that have been completed, reviewed, and integrated. No further work is needed within the current sprint.

  
Sprint Status
In Progress
Work items currently being worked on by a team member. Active development, research, or implementation is happening.

  
Sprint Status
Review
Work items that are complete but need review, testing, or approval before being marked as done.

  
Sprint Status
To Do
Work items that are committed to the sprint but haven't been started yet. These items are ready to be picked up by team members.

  
Technical Debt

Work that addresses shortcuts, workarounds, or suboptimal implementations that were done previously to meet deadlines. These items improve code quality, maintainability, or performance without adding new features.

  
Work Item
Bug
Issues where the system is not working as intended or designed. Bugs represent deviations from expected behavior.

  
Work Item
Epic
Large initiatives that are broken down into multiple smaller work items (user stories, tasks, bugs). Epics represent significant features or projects that span multiple sprints.

  
Work Item
Spike
Time-boxed research, investigation, or proof-of-concept work to reduce uncertainty or explore solutions. Spikes help inform future development decisions.

  
Work Item
Task
Used to break down larger user stories into smaller, manageable implementation pieces. They focus on the specific technical steps needed to deliver the user story's value.

  
Work Item
User Story
User-facing features or functionality that can be framed from a user perspective, describing what someone wants to accomplish and why.

No labels
Backlog Status
Needs Review
Backlog Status
Ready
Chore
points
01
points
02
points
03
points
05
points
08
points
13
Priority
High
Priority
Low
Priority
Medium
Sprint Status
Blocked
Sprint Status
Done
Sprint Status
In Progress
Sprint Status
Review
Sprint Status
To Do
Technical Debt
Work Item
Bug
Work Item
Epic
Work Item
Spike
Work Item
Task
Work Item
User Story
Backlog Status
Needs Review
Backlog Status
Ready
chore
documentation
points
01
points
02
points
03
points
05
points
08
points
13
Priority
High
Priority
Low
Priority
Medium
Sprint Status
Blocked
Sprint Status
Done
Sprint Status
In Progress
Sprint Status
Review
Sprint Status
To Do
Technical Debt
Work Item
Bug
Work Item
Epic
Work Item
Spike
Work Item
Task
Work Item
User Story
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Sprint 18
Assignees
Clear assignees
No assignees
ryanlerch
7 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forge/forge#465
No description provided.