The gitea user settings have a “hide email address” tickbox. Then it suggests using username@noreply.gitea-instance.tld as the email address for commits.

What happens when someone uses the address? It seems a gitea admin could have an mail server on noreply.gitea-instance.tld, which could do anything the admin wants, such as:

• forward the mail to the users secret address (though the “noreply” string would be deceptive in this case)
• refuse all msgs on connect
• accept msgs then auto-reply with a msg
• accept then blackhole msgs
• have no mail server at all

Is that the case? There is no universal expectation of what happens with email in that case?

This bug report shows the initial discussion.. though it does not answer my question.

There are two common methods for starting a new repository: using git init or git clone. This post demonstrates the former.

Preconditions:

• SSH, git, and Tor are installed
• a Tor SOCKS proxy listens on port 9050 (i.e. SocksPort 9050 in /etc/tor/torrc)
• (optional) You have an HTTP proxy such as privoxy listening on port 8118

Create an accout and a repository on a gitea instance. The following parameters are placeholders assumed for these instructions:

forge: gitea
instance: git.platypush.tech (many choices)
repo name: tuneInTurnOffDropOut
username: timLeary

Locally, make a new directory and go there. CLI steps from there:

$ git init
$ git config http.proxy http://127.0.0.1:8118/; # optional; only useful if you later want/need to switch to HTTP and you run an HTTP proxy over Tor
$ git config credential.helper store; # optional; only useful to store your creds if you later want/need to forgo SSH keys
$ git config user.name timLeary

Visit your settings (e.g. https://git.platypush.tech/user/settings), ☑ Hide email address, and see what special address is supplied. Use that in the next step.

(update) some gitea servers have this tickbox but they do not mention a special email address. 🤷

$ git config user.email timLeary@noreply.git.platypush.tech; # get this from account settings, or use an email address of your choice

Visit your new repo (e.g. https://git.platypush.tech/timLeary/tuneInTurnOffDropOut) which will show a “quick guide” because it’s an empty repo. Highlight “SSH“ to see the SSH username to the left of the “@”. Remember that for the next step.

$ git remote add origin forgejo@platy:timLeary/tuneInTurnOffDropOut.git; # ⚠ Do not use the gitea-suggested parameter verbatim; just grab the git API username (generally “git” or “forgejo”) from the previous step to prefix into this format. “platy” is an arbitrary string of your choice.
$ git checkout -b main; # “master” is a popular historic variation to “main”, but main is the woke gitea default so we’ll run with it
$ printf '%s\n' 'Put a blurb about the project here.' > README.md
$ git add README.md
$ git commit -m "first commit"
$ ssh-keygen -t rsa -N '' -C 'timLeary at platypush' -f ~/.ssh/id_rsa_platypush-timLeary; # the "-C $comment" parameter is optional
$ wl-copy < ~/.ssh/id_rsa_platypush-timLeary.pub; # Use your preferred way to get the pubkey in your clipboard. wl-copy is the Wayland-specific way to do that.

git.platypush.tech → settings → SSH/GPG Keys → Manage SSH Key → add key → (paste from clipboard)

$ ssh-keygen -l -f ~/.ssh/id_rsa_platypush-timLeary; # optional check; compare the local sha256 fingerprint to that in platypush/timLeary web account settings
$ cat >> ~/.ssh/config <<eof
host platy
     hostname     git.platypush.tech
     ForwardX11   no
     ProxyCommand connect -4 -S 127.0.0.1:9050 \$(tor-resolve %h 127.0.0.1:9050) %p
     IdentityFile /home/$(whoami)/.ssh/id_rsa_platypush-timLeary
eof

$ git push -u origin main

Note that the host value in ~/.ssh/config is any identifier you want. But it must match the token between @ and : in the git remote add origin command. I chose platy in the example.

Benefits

The beauty of this configuration is that you never need to prefix your git commands with torsocks going forward. All cloud ops will automatically tunnel over Tor. In fact, using torsocks would fail with this config.

Drawbacks

• Probably does not work on gitea onion instances (ouch!)
• Some gitea instances refuse SSH and/or Tor connections, but they are opaque about it. In those cases you get error messages that lie. Switching to HTTP is the workaround.

Onion workaround (update: tested and fails)

How can this be done for onion hosts? Would this work?:

$ sudo tee -a /etc/tor/torrc <<< 'mapaddress 192.168.1.25 hsdtecd4h2b5z732pvkg2yw3746epap4qusgvjjze6nhmfcdpz2suiad.onion'
$ cat >> ~/.ssh/config <<eof
host nogafam-onion
     hostname     192.168.1.25
     ForwardX11   no
     ProxyCommand connect -4 -S 127.0.0.1:9050 %h %p
     IdentityFile /home/$(whoami)/.ssh/id_rsa_nogafam
eof

Or is there a better way?

(note that nogafam.es is not a good example for testing because they block SSH deliberately)

update: the above stanza does not work.

Improvements?

Any feedback for improvements is welcome.

I need to start a project in the cloud for collaboration. Normally gitea would be the answer. But there are some binary blobs, like images (logos, icons, etc).

I think most ppl just say “fuck it, I will put these binary objects that do not need version control under version control, just to get them in the same place”.

Is there a smarter approach?

This is a catalog and detailed comparison of tens of forges - mostly public access:

https://git.sdf.org/humanacollaborator/humanacollabora/src/branch/master/forge_comparison.md

(this post is intended for the repo-criteria-discuss@gnu.org mailing list)

This article covers a lot of unethical characteristics of gitlab.com.

If you search for the string "criteria" on that page, it will bring you to the issues that are relevant to the FSF mission. I also suggest reading the whole thing, because some of gitlab.com's harmful conduct should inspire more criteria for ethical repositories.

E.g.:

• (3) Bugs should be easy to report. Some repos are so painful to use that people simply choose not to report bugs. Yet there is no criteria that covers this. Bug reporting is the one activity where convenience is critical.

• (7) Being able to run "torsocks git clone " should be a criteria.

• (9) Being able to register with a forwarding email account (and more generally, not being excluded from participation as a consequence of securing one's self).

This post is here because gnu.org has started using "OpenSPF" to restrict inbound email. The email above was rejected by the mail server automatically because the domain of the envelope FROM header does not match the reverse lookup of the sending server's IP address. In short, they are blocking contributors from using a forwarding email service to protect themselves. It's a pre-emptive strike with collateral damage to legitimate participants. Anyone with access to repo-criteria-discuss@gnu.org: please forward this to that list (or people thereon).

(this is a reply to a mailing list that's too restrictive to accept in-band replies)

Dr. Stallman said:

I've read that GitLab now requires nonfree software both to make an account (recaptcha) and to do various operations once you have an account. I'm told that gitlab.torproject.org makes it impossible to communicate with the developers from the free world.

Different Gitlab instances use different CAPTCHAs, and some have no CAPTCHA at all. Apparently the Gitlab CE code is written to use Google reCAPTCHA (the site admin apparently has control). However,the flagship instance (gitlab.com) is a CloudFlare site, and thus uses hCAPTCHA.

gnu.org is painfully ambiguous here, as it states that the eval is simply for "Gitlab". Is that the Gitlab software, or the service?

I think it's implied that the /service/ was evaluated, because Github was evaluated next to it and Github is only available as a service. So the next question is: which service? gitlab.com, or gitlab.torproject.org? The following page refers to "https://about.gitlab.com/":

https://www.gnu.org/software/repo-criteria-evaluation.html#GitLab

So it seems the "C" rating was given to gitlab.com-- which I find revolting. Ethically they're both quite controversial but gitlab.com is far more exclusive and odious than github.com. (I'll give more details about that on my next post.)

Thos needs to be tested, but assuming it is true, we need to downgrade our evaluation of GitLab ASAP. For our evaluation to be incorrect in such an important way is an embarrassment as well as steering people wrong.

I first complained about the GitLab "C" rating over a year ago (back when it was still reCAPTCHA as opposed to hCAPTCHA). I think it's fair to say the big component of the embarrassment is the length of time to address this over rating.

This post is here because gnu.org has started using "OpenSPF" to restrict inbound email. The email above was rejected by the mail server automatically because the domain of the envelope FROM header does not match the reverse lookup of the sending server's IP address. In short, they are blocking contributors from using a forwarding email service to protect themselves. It's a pre-emptive strike with collateral damage to legitimate participants. Anyone with access to repo-criteria-discuss@gnu.org: please forward this to that list (or people thereon).