- update to 8.0.1:

* A change introduced in Forgejo v1.21 allows a Forgejo user with write permission on a repository description to inject a client-side script into the web page viewed by the visitor. This XSS allows for href in anchor elements to be set to a javascript: URI in the repository description, which will execute the specified script upon clicking (and not upon loading). AllowStandardURLs is now called for the repository description policy, which ensures that URIs in anchor elements are mailto:, http:// or https:// and thereby disallowing the javascript: URI. * Do not include trailing EOL character when counting lines * Add background to reactions on hover * Prevent uppercase in header of dashboard context selector * Fix page layout in admin settings * Ensure all filters are persistent in issue filters * Allow 4 charachter SHA in /src/commit - update to 8.0.0: full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0 Highlights: * remove Microsoft SQL Server support * introduce a branch/tag dropdown in the code search page * added support for fuzzy searching in /user/repo/issues and /user/repo/pulls * API endpoints for managing tag protection. * add Reviewed-on and Reviewed-by variables to the merge template * display an error when an issue comment is edited simultaneously by two users instead of silently overriding one of them * when installing Forgejo through the built-in installer, open (self-) registration is now disabled by default * add support for the reddit and Hubspot OAuth providers. * CERT management was improved when ENABLE_ACME=true * language detection in the repository got additional languages OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=31
2024-08-11 22:22:28 +00:00 · 2024-08-11 22:22:28 +00:00 · 817c8031f2
commit 817c8031f2
parent 3ee08f8470
14 changed files with 4365 additions and 3413 deletions
--- a/custom-app.ini.patch
+++ b/custom-app.ini.patch
@ -1,9 +1,8 @@
-Index: gitea-1.21.3/custom/conf/app.example.ini
-===================================================================
--- gitea-1.21.3.orig/custom/conf/app.example.ini
-+++ gitea-1.21.3/custom/conf/app.example.ini
-@@ -44,7 +44,7 @@
- APP_NAME = ; Gitea: Git with a cup of tea
+diff -rub forgejo-src-8.0.0/custom/conf/app.example.ini forgejo-src-8.0.0-patched/custom/conf/app.example.ini
+--- forgejo-src-8.0.0/custom/conf/app.example.ini	2024-07-30 06:40:03.000000000 +0200
+++ forgejo-src-8.0.0-patched/custom/conf/app.example.ini	2024-08-01 20:24:55.972480197 +0200
+@@ -51,7 +51,7 @@
+ ;APP_DISPLAY_NAME_FORMAT = {APP_NAME}: {APP_SLOGAN}
 ;;
 ;; RUN_USER will automatically detect the current user - but you can set it here change it if you run locally
 -RUN_USER = ; git
@ -11,7 +10,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
 ;;
 ;; Application run mode, affects performance and debugging: "dev" or "prod", default is "prod"
 ;; Mode "dev" makes Gitea easier to develop and debug, values other than "dev" are treated as "prod" which is for production use.
-@@ -273,15 +273,17 @@ RUN_USER = ; git
+@@ -284,15 +284,17 @@
 ;; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
 ;; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
 ;; Paths are relative to CUSTOM_PATH
@ -31,7 +30,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
 ;;
 ;; Enable gzip compression for runtime-generated content, static resources excluded
 ;ENABLE_GZIP = false
-@@ -293,6 +295,7 @@ RUN_USER = ; git
+@@ -304,6 +306,7 @@
 ;;
 ;; PPROF_DATA_PATH, use an absolute path when you start gitea as service
 ;PPROF_DATA_PATH = data/tmp/pprof ; Path is relative to _`AppWorkPath`_
@ -39,16 +38,57 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
 ;;
 ;; Landing page, can be "home", "explore", "organizations", "login", or any URL such as "/org/repo" or even "https://anotherwebsite.com"
 ;; The "login" choice is not a security measure but just a UI flow change, use REQUIRE_SIGNIN_VIEW to force users to log in.
-@@ -368,7 +371,7 @@ USER = root
+@@ -355,10 +358,10 @@
+ ;;
+ ;; MySQL Configuration
+ ;;
+-DB_TYPE = mysql
+-HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
+-NAME = gitea
+-USER = root
+;DB_TYPE = mysql
+;HOST = 127.0.0.1:3306 ; can use socket e.g. /var/run/mysqld/mysqld.sock
+;NAME = forgejo
+;USER = root
+ ;PASSWD = ;Use PASSWD = `your password` for quoting if you use special characters in the password.
+ ;SSL_MODE = false ; either "false" (default), "true", or "skip-verify"
+ ;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
+@@ -369,7 +372,7 @@
+ ;;
+ ;DB_TYPE = postgres
+ ;HOST = 127.0.0.1:5432 ; can use socket e.g. /var/run/postgresql/
+-;NAME = gitea
+;NAME = forgejo
+ ;USER = root
+ ;PASSWD =
+ ;SCHEMA =
+@@ -379,21 +382,10 @@
+ ;;
 ;; SQLite Configuration
 ;;
- ;DB_TYPE = sqlite3
+-;DB_TYPE = sqlite3
 -;PATH= ; defaults to data/forgejo.db
-+;PATH= /var/lib/forgejo/data/gitea.db ; defaults to data/forgejo.db
- ;SQLITE_TIMEOUT = ; Query timeout defaults to: 500
- ;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
+-;SQLITE_TIMEOUT = ; Query timeout defaults to: 500
+-;SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
+-;;
+-;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+-;;
+-;; MSSQL Configuration
+-;;
+-;DB_TYPE = mssql
+-;HOST = 172.17.0.2:1433
+-;NAME = gitea
+-;USER = SA
+-;PASSWD = MwantsaSecurePassword1
+-;CHARSET_COLLATION = ; Empty as default, Gitea will try to find a case-sensitive collation. Don't change it unless you clearly know what you need.
+DB_TYPE = sqlite3
+PATH= /var/lib/forgejo/data/forgejo.db ; defaults to data/forgejo.db
+SQLITE_TIMEOUT = ; Query timeout defaults to: 500
+SQLITE_JOURNAL_MODE = ; defaults to sqlite database default (often DELETE), can be used to enable WAL mode. https://www.sqlite.org/pragma.html#pragma_journal_mode
 ;;
-@@ -561,14 +564,14 @@ ENABLE = true
+ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+ ;;
+@@ -579,14 +571,14 @@
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Root path for the log files - defaults to %(GITEA_WORK_DIR)/log
@ -65,7 +105,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
 ;;
 ;; Either "Trace", "Debug", "Info", "Warn", "Error" or "None", default is "Info"
 LEVEL = Info
-@@ -904,7 +907,7 @@ LEVEL = Info
+@@ -946,7 +938,7 @@
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Root path for storing all repository data. By default, it is set to %(APP_DATA_PATH)s/gitea-repositories.
 ;; A relative path is interpreted as _`AppWorkPath`_/%(ROOT)s
@ -74,7 +114,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
 ;;
 ;; The script type this server supports. Usually this is `bash`, but some users report that only `sh` is available.
 ;SCRIPT_TYPE = bash
-@@ -1014,7 +1017,7 @@ LEVEL = Info
+@@ -1065,7 +1057,7 @@
 ;ENABLED = true
 ;;
 ;; Path for uploads. Defaults to `data/tmp/uploads` (content gets deleted on gitea restart)
@ -83,7 +123,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
 ;;
 ;; Comma-separated list of allowed file extensions (`.zip`), mime types (`text/plain`) or wildcard type (`image/*`, `audio/*`, `video/*`). Empty value or `*/*` allows all types.
 ;ALLOWED_TYPES =
-@@ -1368,7 +1371,7 @@ LEVEL = Info
+@@ -1444,7 +1436,7 @@
 ;ISSUE_INDEXER_TYPE = bleve
 ;;
 ;; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
@ -92,7 +132,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
 ;;
 ;; Issue indexer connection string, available when ISSUE_INDEXER_TYPE is elasticsearch (e.g. http://elastic:password@localhost:9200) or meilisearch (e.g. http://:apikey@localhost:7700)
 ;ISSUE_INDEXER_CONN_STR =
-@@ -1395,7 +1398,7 @@ LEVEL = Info
+@@ -1471,7 +1463,7 @@
 ;REPO_INDEXER_TYPE = bleve
 ;;
 ;; Index file used for code search. available when `REPO_INDEXER_TYPE` is bleve
@ -101,7 +141,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
 ;;
 ;; Code indexer connection string, available when `REPO_INDEXER_TYPE` is elasticsearch. i.e. http://elastic:changeme@localhost:9200
 ;REPO_INDEXER_CONN_STR =
-@@ -1429,6 +1432,7 @@ LEVEL = Info
+@@ -1510,6 +1502,7 @@
 ;;
 ;; data-dir for storing persistable queues and level queues, individual queues will default to `queues/common` meaning the queue is shared.
 ;DATADIR = queues/ ; Relative paths will be made absolute against `%(APP_DATA_PATH)s`.
@ -109,16 +149,16 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
 ;;
 ;; Default queue length before a channel queue will block
 ;LENGTH = 100000
-@@ -1752,7 +1756,7 @@ LEVEL = Info
- ;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
- ;; redis-cluster: `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s`
+@@ -1852,7 +1845,7 @@
+ ;; file: session file path, e.g. `data/sessions`
+ ;; redis: `redis://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` (or `redis+cluster://127.0.0.1:6379/0?pool_size=100&idle_timeout=180s` for a Redis cluster)
 ;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
 -;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
 +;PROVIDER_CONFIG = /var/lib/forgejo/data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
 ;;
 ;; Session cookie name
 ;COOKIE_NAME = i_like_gitea
-@@ -1839,7 +1843,7 @@ LEVEL = Info
+@@ -1939,7 +1932,7 @@
 ;;
 ;; Path for attachments. Defaults to `attachments`. Only available when STORAGE_TYPE is `local`
 ;; Relative paths will be resolved to `${AppDataPath}/${attachment.PATH}`
@ -127,7 +167,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
 ;;
 ;; Minio endpoint to connect only available when STORAGE_TYPE is `minio`
 ;MINIO_ENDPOINT = localhost:9000
-@@ -1857,7 +1861,7 @@ LEVEL = Info
+@@ -1965,7 +1958,7 @@
 ;MINIO_LOCATION = us-east-1
 ;;
 ;; Minio base path on the bucket only available when STORAGE_TYPE is `minio`
@ -136,7 +176,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
 ;;
 ;; Minio enabled ssl only available when STORAGE_TYPE is `minio`
 ;MINIO_USE_SSL = false
-@@ -2428,10 +2432,10 @@ LEVEL = Info
+@@ -2548,10 +2541,10 @@
 ;;
 ;STORAGE_TYPE = local
 ;; override the minio base path if storage type is minio
@ -149,7 +189,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
 ;;
 ;; Maximum count of package versions a single owner can have (`-1` means no limits)
 ;LIMIT_TOTAL_OWNER_COUNT = -1
-@@ -2498,10 +2502,10 @@ LEVEL = Info
+@@ -2618,10 +2611,10 @@
 ;STORAGE_TYPE = local
 ;;
 ;; Where your lfs files reside, default is data/lfs.
@ -162,7 +202,7 @@ Index: gitea-1.21.3/custom/conf/app.example.ini
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-@@ -2521,10 +2525,10 @@ LEVEL = Info
+@@ -2641,10 +2634,10 @@
 ;STORAGE_TYPE = local
 ;;
 ;; Where your lfs files reside, default is data/lfs.
--- a/forgejo-src-7.0.7.tar.gz
+++ b/forgejo-src-7.0.7.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ba66fa2bf335149d6bda0a943bcbb2021af3692f10c10ede646cdcabfe762029
-size 53549049
--- a/forgejo-src-7.0.7.tar.gz.asc
+++ b/forgejo-src-7.0.7.tar.gz.asc
@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZrYTZAAKCRCkthotxZI3
-EPgYAP9o2VTTDnul4cDr6xEfw9k90sk323uk4WhcSktc+qgxqwEAmUKcJ4pk7scZ
-O2O5Ru3o7nomtBPrflFoGJXKO8ACrQ8=
-=7IAF
-----END PGP SIGNATURE-----
--- a/forgejo-src-8.0.1.tar.gz
+++ b/forgejo-src-8.0.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:284b2cc2a609d1766bb61f20cea7c6a9e2a34a9972f243d4962df2a24d15204a
+size 53413049
--- a/forgejo-src-8.0.1.tar.gz.asc
+++ b/forgejo-src-8.0.1.tar.gz.asc
@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYIAB0WIQTrEU9ebA3CvN0YNVCkthotxZI3EAUCZrYYFgAKCRCkthotxZI3
+EHz8AP90KeP3zRxXpllCJkXngANdUYN4wajU50u8p73dUY2jWAD/Wn87xN7RbrVd
+0U3wPsUy4Memvg4WYavNWBOEwDtTtww=
+=JG8G
+-----END PGP SIGNATURE-----
--- a/apparmor-usr.bin.forgejo
+++ b/apparmor-usr.bin.forgejo
@ -1,88 +1,64 @@
 abi <abi/3.0>,

-#include <tunables/global>
+include <tunables/global>

 profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/mysql>
+  include <abstractions/nameservice>
+  include <abstractions/opencl-pocl>
+  include <abstractions/openssl>
+  include <abstractions/user-tmp>
+  include if exists <local/usr.bin.forgejo>

-  #include <abstractions/base>
-  #include <abstractions/nameservice>
-  #include <abstractions/openssl>
-  #include <abstractions/user-tmp>
-  #include <abstractions/mysql>
-
-  network inet  stream,
+  network inet stream,
  network inet6 stream,

-  /usr/bin/forgejo mr,
-  /usr/bin/gzip mr,
-
-  # Grant read access to config files
-  /etc/mime.types r,
-  /usr/share/mime/globs2 r,
-  /etc/machine-id r,
  /etc/forgejo/ r,
-  /etc/forgejo/{conf,https,mailer}/ r,
-  /etc/forgejo/https/*.{crt,key,pem} r,
-
-  # Access to config file app.ini
  /etc/forgejo/conf/app.ini r,
-  # Config must be writeable for initial setup
-  # to restrict to read-only access admin can do after setup:
-  # chown root:gitea /etc/gitea/conf/app.ini
-  # chmod 0640 /etc/gitea/conf/app.ini
-  owner /etc/forgejo/conf/app.ini w,
-
-  # Grant read access to public custom static content
  /etc/forgejo/public/ r,
  /etc/forgejo/public/** r,
-
-  # allow invoking executables
-  /usr/bin/{basename,bash,cat,env,git,git-lfs,forgejo,ssh-keygen,gzip} ix,
-  /usr/{lib,libexec}/git/git ix,
-  /usr/{lib,libexec}/git/git-remote-http ix,
-  /usr/share/git-core/templates/ r,
-  /usr/share/git-core/templates/** r,
+  /etc/forgejo/{conf,https,mailer}/ r,
  /etc/gitconfig r,
-
-  # Grant read access to static content
-  /usr/share/forgejo/** r,
-
-  # Grant read access to some process parameters
+  /etc/mime.types r,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-  @{PROC}/sys/net/core/somaxconn r,
-  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,
-
-  # Grant read access to working directory
-  /var/lib/forgejo/ r,
-
-  # Allow TTY access
-  /dev/tty rw,
-
-  # Grant access to various data/repo directories
-  owner /tmp/patch* rw,
-  owner /tmp/index* rw,
-  owner /tmp/forgejo** rwl,
-  owner /var/lib/forgejo/{data,indexers,queues,repositories,backups}/ r,
-  owner /var/lib/forgejo/{data,indexers,queues,repositories}/** rwk,
-  owner /var/lib/forgejo/data/forgejo-repositories/** rwkl,
-  owner /var/lib/forgejo/data/forgejo-repositories/**.git/hooks/** ix,
-  owner /var/lib/forgejo/backups/forgejo-dump-*.{zip,tar.gz,tar.xz} rw,
-  owner /var/lib/forgejo/https/** rwkl,
-
-  # Ugly!
+  /usr/bin/forgejo mr,
+  /usr/bin/git mr,
+  /usr/bin/gzip mr,
+  /usr/bin/{basename,env,git,git-lfs,forgejo,ssh-keygen,gzip} ix,
+  /usr/libexec/git/git-write-tree mrix,
+  /usr/share/forgejo/** r,
  /usr/share/forgejo/.gitconfig rw,
  /usr/share/forgejo/.gitconfig.lock rw,
+  /usr/share/git-core/templates/ r,
+  /usr/share/git-core/templates/** r,
+  /usr/share/mime/globs2 r,
+  /usr/{lib,libexec}/git/git ix,
+  /usr/{lib,libexec}/git/git-remote-http ix,
+  /var/ r,
+  /var/lib/ r,
+  /var/lib/forgejo/ r,
+  /var/lib/forgejo/.local/** rw,
  /var/lib/forgejo/.ssh/ rw,
  /var/lib/forgejo/.ssh/* rw,
-  /var/lib/forgejo/.local/** rw,
-
-  # for writing access log file
  /var/log/forgejo/ rw,
  /var/log/forgejo/access.log rw,
  /var/log/forgejo/access.log.* w,
  /var/log/forgejo/doctors-* rw,
+  @{PROC}/sys/net/core/somaxconn r,
+  owner /etc/forgejo/conf/app.ini w,
+  owner /tmp/forgejo** rwl,
+  owner /tmp/index* rw,
+  owner /tmp/patch* rw,
+  owner /usr/share/forgejo/** rw,
+  owner /var/lib/forgejo/backups/forgejo-dump-*.{zip,tar.gz,tar.xz} rw,
+  owner /var/lib/forgejo/data/forgejo-repositories/** rwlk,
+  owner /var/lib/forgejo/data/forgejo-repositories/**.git/hooks/** ix,
+  owner /var/lib/forgejo/https/** rwlk,
+  owner /var/lib/forgejo/{data,indexers,queues,repositories,backups}/ r,
+  owner /var/lib/forgejo/{data,indexers,queues,repositories}/** rwk,
+  owner /var/log/forgejo/gitea.log w,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,

-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/usr.bin.forgejo>
 }
--- a/forgejo.changes
+++ b/forgejo.changes
@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Fri Aug  9 21:25:45 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 8.0.1:
+  * A change introduced in Forgejo v1.21 allows a Forgejo user with write
+    permission on a repository description to inject a client-side script into
+    the web page viewed by the visitor. This XSS allows for href in anchor
+    elements to be set to a javascript: URI in the repository description,
+    which will execute the specified script upon clicking (and not upon
+    loading). AllowStandardURLs is now called for the repository description
+    policy, which ensures that URIs in anchor elements are mailto:, http:// 
+    or https:// and thereby disallowing the javascript: URI.
+  * Do not include trailing EOL character when counting lines
+  * Add background to reactions on hover
+  * Prevent uppercase in header of dashboard context selector
+  * Fix page layout in admin settings
+  * Ensure all filters are persistent in issue filters
+  * Allow 4 charachter SHA in /src/commit
+- update to 8.0.0:
+  full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0
+
+  Highlights:
+    * remove Microsoft SQL Server support
+    * introduce a branch/tag dropdown in the code search page
+    * added support for fuzzy searching in /user/repo/issues and /user/repo/pulls
+    * API endpoints for managing tag protection.
+    * add Reviewed-on and Reviewed-by variables to the merge template
+    * display an error when an issue comment is edited simultaneously by
+      two users instead of silently overriding one of them
+    * when installing Forgejo through the built-in installer, open
+      (self-) registration is now disabled by default
+    * add support for the reddit and Hubspot OAuth providers.
+    * CERT management was improved when ENABLE_ACME=true
+    * language detection in the repository got additional languages
+    * add an immutable tarball link to archive download headers for Nix
+    * Show the AGit label on merged pull requests
+- fix apparmor profile
+- set sqlite3 as the default installation database
+- add a rule for firewalld
+
+
 -------------------------------------------------------------------
 Fri Aug  9 18:13:59 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>

--- a/forgejo.firewalld
+++ b/forgejo.firewalld
@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>Forgejo</short>
+  <description>Forgejo is a self-hostable forge. It was forked from gitea, and has the old UI style from GitHub.</description>
+  <port protocol="tcp" port="3000"/>
+</service>
--- a/forgejo.sh
+++ b/forgejo.sh
@ -1,56 +0,0 @@
-#!/bin/sh -e
-
-DIRNAME=`dirname $0`
-cd $DIRNAME
-USAGE="$0 [ --update ]"
-if [ `id -u` != 0 ]; then
-echo 'You must be root to run this script'
-exit 1
-fi
-
-if [ $# -eq 1 ]; then
-	if [ "$1" = "--update" ] ; then
-		time=`ls -l --time-style="+%x %X" forgejo.te | awk '{ printf "%s %s", $6, $7 }'`
-		rules=`ausearch --start $time -m avc --raw -se forgejo`
-		if [ x"$rules" != "x" ] ; then
-			echo "Found avc's to update policy with"
-			echo -e "$rules" | audit2allow -R
-			echo "Do you want these changes added to policy [y/n]?"
-			read ANS
-			if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
-				echo "Updating policy"
-				echo -e "$rules" | audit2allow -R >> forgejo.te
-				# Fall though and rebuild policy
-			else
-				exit 0
-			fi
-		else
-			echo "No new avcs found"
-			exit 0
-		fi
-	else
-		echo -e $USAGE
-		exit 1
-	fi
-elif [ $# -ge 2 ] ; then
-	echo -e $USAGE
-	exit 1
-fi
-
-echo "Building and Loading Policy"
-set -x
-make -f /usr/share/selinux/devel/Makefile forgejo.pp || exit
-/usr/sbin/semodule -i forgejo.pp
-
-# Generate a man page of the installed module
-sepolicy manpage -p . -d forgejo_t
-# Fixing the file context on /usr/bin/forgejo
-/sbin/restorecon -F -R -v /usr/bin/forgejo
-# Fixing the file context on /var/log/forgejo
-/sbin/restorecon -F -R -v /var/log/forgejo
-# Fixing the file context on /var/lib/forgejo
-/sbin/restorecon -F -R -v /var/lib/forgejo
-# Generate a rpm package for the newly generated policy
-
-pwd=$(pwd)
-rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build"  -ba forgejo_selinux.spec
--- a/forgejo.spec
+++ b/forgejo.spec
@ -30,7 +30,7 @@
 %endif
 %endif
 Name:           forgejo
-Version:        7.0.7
+Version:        8.0.1
 Release:        0
 Summary:        Self-hostable forge
 License:        MIT
@ -42,14 +42,13 @@ Source2:        http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xeb114f5e6
 Source3:        package-lock.json
 Source4:        node_modules.spec.inc
 %include        %{_sourcedir}/node_modules.spec.inc
-Source5:        node_modules.sums
-Source6:        %{name}.service
-Source7:        %{name}.sysusers
-Source8:        %{name}.fc
-Source9:        %{name}.if
-Source10:       %{name}.sh
-Source11:       %{name}.te
-Source12:       apparmor-usr.bin.%{name}
+Source5:        %{name}.service
+Source6:        %{name}.sysusers
+Source7:        %{name}.fc
+Source8:        %{name}.if
+Source9:        %{name}.te
+Source10:       %{name}.apparmor
+Source11:       %{name}.firewalld
 Source99:       get-sources.sh
 Patch0:         custom-app.ini.patch
 BuildRequires:  golang-packaging
@ -61,6 +60,8 @@ BuildRequires:  npm-default
 %else
 BuildRequires:  nodejs-packaging
 %endif
+BuildRequires:  firewall-macros
+BuildRequires:  firewalld
 BuildRequires:  local-npm-registry
 BuildRequires:  make
 BuildRequires:  systemd-rpm-macros
@ -68,6 +69,7 @@ BuildRequires:  sysuser-tools
 Requires:       git-core
 Requires:       git-lfs
 Requires:       (%{name}-apparmor if apparmor-abstractions)
+Requires:       (%{name}-firewalld if firewalld)
 Requires:       (%{name}-selinux if selinux-policy-targeted)
 %if %{with apparmor}
 BuildRequires:  apparmor-abstractions
@ -81,6 +83,13 @@ BuildRequires:  selinux-policy-devel
 %{systemd_requires}
 %{sysusers_requires}

+%package firewalld
+Summary:        Firewalld profile for %{name}
+BuildArch:      noarch
+
+%description firewalld
+This package adds a firewalld service profile to %{name}
+
 %if %{with apparmor}
 %package apparmor
 Summary:        Apparmor profile for %{name}
@ -111,7 +120,7 @@ Providing Git hosting for your project, friends, company or community? Forgejo (
 local-npm-registry %{_sourcedir} install --also=dev

 %build
-%sysusers_generate_pre %{SOURCE7} %{name} %{name}.conf
+%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf
 export EXTRA_GOFLAGS="-buildmode=pie -mod=vendor"
 export TAGS="bindata timetzdata sqlite sqlite_unlock_notify"
 %make_build build
@ -126,12 +135,12 @@ install -d %{buildroot}%{_sysconfdir}/%{name}
 install -d %{buildroot}%{_localstatedir}/log/%{name}
 install -D -m 0644 %{_builddir}/%{name}-src-%{version}/custom/conf/app.example.ini %{buildroot}%{_sysconfdir}/%{name}/conf/app.ini
 install -D -m 0755 %{_builddir}/%{name}-src-%{version}/gitea %{buildroot}%{_bindir}/%{name}
-install -D -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/%{name}.service
-install -D -m 0644 %{SOURCE7} %{buildroot}%{_sysusersdir}/%{name}.conf
+install -D -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/%{name}.service
+install -D -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf

 %if %{with apparmor}
 install -d %{buildroot}%{_sysconfdir}/apparmor.d
-install -Dm0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.%{name}
+install -Dm0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.%{name}
 %endif

 %if %{with selinux}
@ -141,12 +150,18 @@ install -Dm0644 %{name}.pp %{buildroot}%{_datadir}/selinux/packages/%{name}/%{na
 install -Dm0644 %{name}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{name}.if
 %endif

+#firewalld service file
+install -D -m 0644 %{SOURCE11} %{buildroot}%{_prefix}/lib/firewalld/services/%{name}.xml
+
 %pre -f %{name}.pre
 %service_add_pre %{name}.service

 %post
 %service_add_post %{name}.service

+%post firewalld
+%firewalld_reload
+
 %if %{with apparmor}
 %post apparmor
 %apparmor_reload %{_sysconfdir}/apparmor.d/usr.bin.%{name}
@ -198,4 +213,7 @@ semodule -r %{name} 2>/dev/null || :
 %{_datadir}/selinux/devel/include/distributed/%{name}.if
 %endif

+%files firewalld
+%config(noreplace) %{_prefix}/lib/firewalld/services/%{name}.xml
+
 %changelog
--- a/node_modules.obscpio
+++ b/node_modules.obscpio
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:f5ea0007b140d739de145225fce8a34d2e257d06891cdf39ca350e6bd3136236
-size 185686620
+oid sha256:b460b33350264ff646c4480d291e710828bff706703ef3e7da7991a692e22e54
+size 276597904
--- a/node_modules.spec.inc
+++ b/node_modules.spec.inc
--- a/node_modules.sums
+++ b/node_modules.sums
--- a/package-lock.json
+++ b/package-lock.json