We are struggling to keep Codebreg.org available for unauthenticated users due to massive abuse of expensive endpoints.
Our current priority is keeping Codeberg.org responsive for authenticated users.
@codebergstatus
How about using nginx or Anubis CDN to prevent abuse while respecting users' privacy?
Always love Codeberg's mission.
@codebergstatus I can't seem to log in... neither on codeberg nor git.disroot.org
is the service down for account holders as well?
@Pouakai @codebergstatus they lock out lynx users. Plus, Anubis is also slop…
@mirabilos @Pouakai @codebergstatus And Anubis is easy for someone with slop-engine-scale GPU resources to compute. It puts more burden on ordinary desktop and mobile browser users than on the abusers.
@amirbkhan @codebergstatus I was able to sign in just now.
@codebergstatus Thanks for the heads-up and good luck keeping those bots under control :) I was able to log in just now, so I don't complain :)
@codebergstatus i had a lot of issues when hosting forgejo as well, i managed to mitigate them with Anubis + rate limiting via nginx + fail2ban
i mean we're still cranking like ~10 gb a day on average but better than like 150 or however much it was before idr :D
best of luck fighting them bots
@codebergstatus keep fighting the good fight, we all appreciate the time and hard work you put into this public good.
@Pouakai @codebergstatus they're struggling to keep codeberg available to users, not to restrict even more users from accessing it.
@phnt @codebergstatus congrats, you missed a point big time
@phnt @codebergstatus also, this solution sucks
@fozunja @lumi gitea is also sloppy https://aidirtylist.info/repositories/go-gitea/gitea/1
Forgejo does not accept works of authorship (code, documentation, etc.) either partially or completely generated by AI due to legal uncertainties
@madeindex @codebergstatus to get it working, you have to breg for it
@codebergstatus Thanks for all your efforts! Much appreciated #hugops
@dalias @mirabilos @Pouakai @codebergstatus
Anubis uses bog standard SHA256 as PoW method. It’s the equivalent of a wet cheeto for protection, you can generate a difficulty 6 solution in <1ms on any CPU made past 2015 with a decent implementation.
It’s only really doing anything when not being handled at all 
@privateger @dalias @Pouakai @codebergstatus my Linux laptop is from 2007.
Trying to visit the Linux kernel website overheated it for several minutes on end.
@privateger @dalias @Pouakai @codebergstatus and this proves that it’s just as bad environmental pollution as the whole blockchain racket was and needs to be forbidden.
@mirabilos @dalias @Pouakai @codebergstatus
Note how I said decent implementation, meaning native code. JS is not that. It’s a PoW algo implemented in a way that makes actual client users slower by >100x.
The most resistance it poses to scraping is a mild inconvenience while adding support for handling it
@privateger @dalias @Pouakai @codebergstatus yeah. It needs to be gone fast.
@dalias @mirabilos@toot.mirbsd.org @Pouakai @codebergstatus i don't understand this. anubis is very easy for me to sit through because i only do it once. someone spamming at scale has to pay a higher cost to do so. for resources that are meant to be accessed by humans and not programmatically, it seems appropriate
@hipsterelectron @Pouakai @codebergstatus It's not just once though. Every time I visit the sites using it I get challenged again. No idea why they don't make the cookies persist forever. And # links don't work because it loses the # part.
@dalias @Pouakai @codebergstatus that is indeed confusing
@hipsterelectron @Pouakai @codebergstatus I think they suspect humans are going to be giving/selling their cookies to abusive scraper bots and thus make them short lived to limit the value.
@dalias @Pouakai @codebergstatus i'm glad their focus in general is on authenticated users who have a reputation in the system to dissuade them from abuse
@hipsterelectron @Pouakai @codebergstatus I don't understand why they impose Anubis on authenticated users at all. If you catch an authenticated user abusively scraping you just ban their account.
@dalias @hipsterelectron @Pouakai @codebergstatus I don’t see any indication they would be using Anubis for authenticated users, even for example go-away inspects the auth cookie for Forgejo probably in the style of forward_auth and doesn’t show the challenge for authenticated users
@natty @Pouakai @codebergstatus @dalias @hipsterelectron It is possible to do that in Anubis too, users just don't. I probably need to spend the energy to write a tutorial or something. I've been kinda burnt out.
@fozunja note the wording "[...] due to legal uncertainties [...]":
This means #Forgejo doesn't oppose it for #security, #environmental or #social reasons...
@lumi there is a meeting about this later this month! If you're a member, please attend!
@lumi @mirabilos @jessebot @Pouakai @codebergstatus Sounds like a great reason to become a member!
@noisytoot @Pouakai @lumi @codebergstatus @mirabilos If we only have to deal with it coming from the most awful people who are willing to lie and violate other people's boundaries, rather than coming from all sorts, then
(1) there's a lot less of it to deal with, and
(2) we already have plenty of other red flags to spot these people and plenty of reason to ban them from our projects.
@lumi @mirabilos @dalias @Pouakai @codebergstatus hi, a proposal will be put up to an asynchronous vote among the 1700+ e.V. members as part of this year's annual assembly, which takes place next sunday
@phnt @codebergstatus I have that setting on my Forgejo instance, pretty sure Codeberg has it in their toolbox, but the goal of Codeberg is to be a public forge, where stuff can be published!
@codebergstatus Having a similar issue on my instance, even with anubis. Facebook loves scraping everything over and over.
@phnt @codebergstatus Isn't that exactly what they now do?
@codebergstatus At the moment, this causes some "downstream" projects to fail, e.g. building librewolf-bin on AUR (ArchLinux) fails. https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=librewolf-bin#n73
> fatal: unable to access 'https://codeberg.org/librewolf/source.git/': TLS connect error: error:0A000126:SSL routines::unexpected eof while reading
I think you have a great mission and I hope you'll find a solution! ❤️
@codebergstatus the typo shows a human wrote it #codebreg
@phnt @codebergstatus I replied earlier, misunderstanding that the setting had a difference between gitea and forgejo; my bad.
Still, the gitea feature as-is is not sufficient for what codeberg wants, as it also blocks unauthenticated users from looking at any code, fetching any raw files, looking at issues or pull requests, and looking at the wiki. I get blocking commits, diffs, blames, graph, and some other things, but this prevents unauthenticated users from doing anything except for pretty much looking at the README.
At least looking at code on the main branch should be accessible without logging in, and certainly getting an overview of issues.
@codebergstatus sorry for the stupid question guys. But why would you want an unauthenticated endpoint for a repo? 🫡🥰
I'm an authenticated user btw...
@handi @codebergstatus git clones?? And what about release files that would be downloaded?