ForgeFed - Project hosting federation


and private repositories, private projects, will they be available too? as in, an ability to opt out of both/either federation or global searches?


I can’t think of a reason why private repos should not possible. :slight_smile:

Will be a challenge the specific implementation has to address.

  • A spec cannot force you to federate anything
  • If it’s really private:
    • use private federation or
    • do not federate at all
  • it it’s not that private / just needs to be hidden from the general public:
    • keep repo URI secret
    • use authentication and authorization (e.g. a token=abcd... parameter in the repo URI)

Or do you want to specifically have that addressed in the spec?


Thanks. You’ve opened that up further than I had considered. Can haz all of the above? :wink:

Also now I wonder, about pod* administrator choice of to what level of private hosting they’d have their server do (like if they want (another way(?)) to limit bandwidth/abuse), as well as user choice of to what level they’d want to make a repository (or finer-grain(!?)) private; (private-fed, non-fed, unpublished-url, auth-hidden).

* pods, instances, whatever they’re called


A good implementation should provide the server administrator(s) and the users with everything they need in this regard.

But the implementation(s) are not that far yet, so it’s rather a thing to keep in mind for later.

I would also categorize it as rather advanced UX, and currently ForgeFed is rather in a stage of clarifying/prototyping/spec’ing the basic functions. (Fork/PR, Follow, maybe Bug/Issue/Ticket tracking).

And some more thoughts:

I would maybe even say that the ForgeFed spec itself should be somewhat agnostic to the implementation of… let’s call it visibility levels.

If you choose HTTP Basic authentication, that’s standard HTTP, nothing special the spec has to to here aside maybe reminding implementers that this case can happen so it can be addressed in the UI.
If you choose token auth, you can simple put the token in the URI, nothing special the spec has to do.
If you choose something more special, like, dunno, Authorization: Bearer abcd..., I guess even that is rather a question of the specific implementation: It can choose to expose such an option to the user (or not).

To ForgeFed (and AP) in the and it’s all just HTTP Requests.