So I ended up sending an email to Forgejo security team, containing: an apology, a bit about my reasoning for proceeding with carrot disclosure, recommendations about what to harden/review, and a bunch of commented exploits/proof-of-concepts as attachment. We’ll see how it goes.
this shit stirrer ex-googler really does not understand the signals people are giving… apparently the community response is “hilarious”, the moderators removing their toots at both instances are “overzealous” for acting upon multiple reports and giving a proper hilarious removal reason.
“everyone is dumb but me!” lol… (not a quote)
this person is really butthurt that people are telling them they have acted very irresponsibly.
I think they know what they’re doing, bit of a troll. Framed like this in the article:
Various entities, including some with security teams, revised their judgment about what Forgejo is and isn’t, which was the main goal of the previous blogpost.
There’s a follow-up by the author:
https://dustri.org/b/follow-up-to-carrot-disclosure-forgejo.html
Including this: