| 17 Dec 2022 |
 dachary.org | * Do you have a HOWTO with a sequence of lines I could copy paste (more or less) to do that? GITEA__security__INSTALL_LOCK=true GITEA__log__LEVEL=debug GITEA__server__ROOT_URL=http://0.0.0.0:3000/ forgejo? More involved? Do you have a home made app.ini file for that? | 22:15:10 |
 gusted | Not really. | 22:24:59 |
| dachary.org | I figured out why I got reqPackageAccess when doing curl --verbose -H "Authorization: token $TOKEN" -X DELETE http://0.0.0.0:8080/v2/root/forgejo/manifests/30 even though the token was obtained using an application token from root 😓 | 23:23:50 |
| dachary.org | * I figured out why I got reqPackageAccess when doing curl --verbose -H "Authorization: token $TOKEN" -X DELETE http://0.0.0.0:8080/v2/root/forgejo/manifests/30 even though the container registry token was obtained using an application token from root 😓 | 23:24:07 |
| dachary.org | I get an application token via the web interface and then run curl -H "Authorization: token xxxxx" -sS http://0.0.0.0:8080/v2/token which gives me a token to set TOKEN=. | 23:28:18 |
| dachary.org | only this container registry token is anonymous | 23:28:33 |
| dachary.org | I have no clue why | 23:29:03 |
 Gapodo (Michael) | ehm whaaaaaat? | 23:29:10 |
| Gapodo (Michael) | damn that sounds like a weird bug | 23:29:29 |
| dachary.org | I think it's me doing something wrong | 23:30:14 |
| dachary.org | curl -u root:xxxx http://0.0.0.0:8080/v2/token works fine -H "Authorization: token xxxxx" does not 🤷♂️ | 23:33:46 |
| dachary.org | it's probably not in the spec, it was me assuming that would work as the /v1 API endpoint but there is no reason it should. | 23:34:57 |
| Gapodo (Michael) | I'm just starting to look at the "specs" by docker... https://docs.docker.com/registry/spec/api/#detail | 23:35:36 |
| dachary.org | that curl command will improve the script that verifies the sanity of the container images in the release pipeline | 23:36:10 |
| Gapodo (Michael) | here.... https://docs.docker.com/registry/spec/api/#base | 23:36:46 |
| 18 Dec 2022 |
| dachary.org | the container registry is certainly not 100% compliant. I don't know if supporting that authentication scheme is required. In any case I'm happy with what works 😄 | 00:06:17 |
| dachary.org | Gapodo (Michael): IIRC you're back to work tomorrow and it will keep you busy, right? | 09:31:12 |
| Gapodo (Michael) | In reply to @dachary:matrix.org
Gapodo (Michael): IIRC you're back to work tomorrow and it will keep you busy, right? I'll be back at work tomorrow, I'll see how busy it keeps me... | 10:09:56 |
| dachary.org | I'll keep that in mind | 10:10:37 |
 Caesar | In reply to @dachary:matrix.org
Caesar: Is there anything I can do to help with the Forgejon landing page? Apologies, I didn't get the chance to look at this last night. I'll see what I can do tonight. | 17:06:05 |
| dachary.org | No worries, that was not a blocker on my end 😄 | 17:55:32 |
| dachary.org | gusted: https://github.com/go-gitea/gitea/issues/22161 potential security vulnerability | 18:02:09 |
| dachary.org | * gusted: https://github.com/go-gitea/gitea/issues/22161 potential security vulnerability https://github.com/go-gitea/gitea/issues/22161 | 18:03:23 |
| Gapodo (Michael) | damn that's quite the issue (not even looking closer, 750 is enough to cause me some nightmares...) | 18:03:28 |
| dachary.org | * gusted: https://github.com/go-gitea/gitea/issues/22161 potential security vulnerability | 18:03:29 |
| dachary.org | No clue how to exploit this though. It should have been reported privately to evaluate, but it went down differently. | 18:04:41 |
| Gapodo (Michael) | dachary.org: just as an aside, do we have a channel between our security team and the one of gitea (exchanging responsibly disclosed vulns before they are public?= | 18:05:00 |
| Gapodo (Michael) | * dachary.org: just as an aside, do we have a channel between our security team and the one of gitea (exchanging responsibly disclosed vulns before they are public?) | 18:05:09 |
| dachary.org | yes, there is a proper security team | 18:05:53 |
| dachary.org | https://forgejo.org/.well-known/security.txt | 18:06:17 |
