Federation EN Mon 31.03.2025 15:24:12 I migrated my coding life, including my static websites, off GitHub. It's easier than you might think! Here's how I did it.
Federation EN Mon 31.03.2025 15:25:31 @mttaggart I did the same! My needs were far simpler but I was happy with how easy it was.
Federation EN Mon 31.03.2025 15:29:37 @mttaggart This is great and is on my list of things to do. One question: I've always used SSH keys for auth but prefer GPG keys for commit signing, I can't quite articulate why, but is there a downside to this other than maintaining multiple key pairs?
Federation EN Mon 31.03.2025 15:31:56 @eternalyperplxed I consider GPG a downside on its face, but no. The difference to Git is a config entry.
Federation EN Mon 31.03.2025 15:32:44 @mttaggart ha, fair point.
Federation EN Mon 31.03.2025 16:29:21 @mttaggart Do note that @Codeberg has seen some attacks recently and doesn't have the same infosec staff as GitHub; nonetheless they are very fast at handling abuse and spam and do an awesome job all things considered.
Federation EN Mon 31.03.2025 19:10:23 @generalx
Federation EN Mon 31.03.2025 16:52:23 @mttaggart Did it 2 days ago. 😊
Federation · Mon 31.03.2025 17:12:36 I moved to GitLab a decade ago, and then moved to Codeberg about four years ago. Last year, I spun up my own Forgejo instance that I run on my home computer. I still commit anything I want publicly available to Codeberg (including stuff on Codeberg Pages), but most of my stuff is now on my local instance, and I have even more control. I even have server-side commit hooks on my personal Forgejo instance to mirror what I want to Codeberg, instead of depending on the native mirroring feature, it's just a bash script that does a
Federation EN Mon 31.03.2025 17:50:09 @mttaggart Great article! Also, I guess it's not just me who thought of making a switch to Codeberg meme out of that template!
Federation EN Mon 31.03.2025 19:03:41 I love the post's image
Federation EN Mon 31.03.2025 20:32:48 @IzzyOnDroid I’ve been a happy Codeberg user for more than three years now. They are doing a great job.
Federation EN Mon 31.03.2025 20:39:55 @muminpappa Indeed! I've been with them since the early days, when they were still named TeaHub (almost became a founding member then). And I'm of course a full member now. @mttaggart great write-up, thanks a lot! 🤩 Can you elaborate a little on using SSH to sign commits? Is that meanwhile possible without allowing the same key for auth as well? I so far only found this article on it in connection to Codeberg: https://bytes.zone/posts/signing-commits-with-ssh-keys/ (which mentioned that "handicap").
Federation EN Mon 31.03.2025 20:43:51 @IzzyOnDroid @muminpappa You can add as many SSH keys as you want to Codeberg, and as long as they're verified, you can use them for auth and signing. I do not believe there's a requirement that they be the same. You can configure a global signing key option, but like all Git configs, you can also do that per-repo. (Ironically, GH docs are great here: https://docs.github.com/en/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key#telling-git-about-your-ssh-key)
Federation EN Mon 31.03.2025 20:48:11 @mttaggart Thanks! My concern was, as in the article I've linked, that I might want to use an SSH key for signing while not permitting it for login (hard to revoke it if it should get lost; removing it from my Codeberg account then would also mean all those commits showing up unverified, while a GPG key cannot be used for login, and it can be revoked when compromised). Apologies if my question sounds "stupid", but I've heard about SSH signing only today, from your article 😉
Federation EN Mon 31.03.2025 20:49:33 @IzzyOnDroid Right so that is where I would contend though that if you have any reason to "revoke" a key, it should not be conditional.
Federation EN Mon 31.03.2025 20:54:27 @mttaggart Oh, it's less about me accidentally using it to log in. But you're correct: as my GPG key, the SSH key should have a proper passphrase set – so even if someone "finds" the private key, it would be useless to them 🤷‍♂️ Guess I've let myself be carried away a little by that article. But Brian has a point there: not being configured for auth makes it not usable for auth. Well, the term "military grade" was "signaled" out recently I've heard 🙊 💨