Some talks I watched (remotely) from FrOSCon.

Recently I am involved in the ForgeFed Working Group, which target it is to create a specification to assist different Software Development Forges (like GitLab, GitHub, Gitea, Gogs, etc.) to form a federated network.

There were and are some challenges I would like to write down here to order my mind. I somehow feel more comfortable about publishing this here then (just) sending it to the ML, so please bear with me here. :)

The core workflows that where quickly identified by the WG as central have been namely Forking, Pull Requests and Issue Tracking. Because the success of ActivityPub in the Fediverse, ForgeFed atm should instrument ActivityPub although there are discussions (and have been there from the beginning on) if AP is required or should be used. But I will leave aside this discussion for the moment because the challenges I would like to discuss here live on a different level as might become more clear during explaining them.

First, let’s explore the different workflows from above.


Forking has two meanings.

The first one is forking off a project, which refers to a group or individual splitting from a project for whatever reason and continuing the project in a different direction.
The second is much less drastic and just describes a necessity of distributed version control: For others being able to incorporate your changes you need to have available a public repository everyone can read, which is just a copy of a other publicly accessible repository, referring to the [distributed workflows] from ProGit here.

In context of Software Development Forges a Fork can be both of this things. If you see a project you are interested in and would like to work on, you create a public copy of it and start working, making your changes, etc. If your changes are accepted back (we will come to the how in just a moment), everything is good and the Fork was just a public developer copy. But if your changes are not accepted, e.g. because the project is dead, does not like the direction your are going or whatever reason, and you continue maintaining your development fork as an independent project, it now becomes a project fork.

But technologically both forks are not very different, in the end both are just a diverged copy of a repository.

The interesting bit about Forking in the context of Forges is the traceability: If you fork a project on GitLab or GitHub, your project is a) visually marked as a fork and b) appears in the list of forks of the origin repository.
This could help developers (or even users) in example finding still forks of the project that are still alive if the original project dies.

So Forking in the second sense is nothing new to distributed version control, so you might ask why even bother about it?

The challenge ForgeFed is addressing is the interoperability of Forges. While it is easy to create a Fork in a centralized environment (it’s just copying data around), it’s more complicated in a federated environment. Let’s me visualize this using a small example.

Imagine your are on and see a interesting project (Awesome Project) you would like to contribute to. If we assume you already have an account on, you just click the fork button, and et and at voilá you have a fork.
Now imagine the same, but being on your own GitLab instance at and discovering the project on If you are not interested in Federation, you now could just create you a account on and do the same thing as above. But we don’t want that. We want that you can click the fork button on, telling it you would like to fork it to and then having it there! (Leaving out authentication on your personal instance for brevity.)

The problem here now is: How does tell that you would like to create a fork of the repository? As a developer you might would say that could sends a request to a endpoint on the personal instance. And that’s the way to go, the work ForgeFed does here now is to specify where this endpoint is, so that does not need to guess whether the request has to got to, or and how this request should be formatted. (A GET? A POST? A PUT? Repo as a parameter? As body? As header?) And how does tell it has created the fork so it can be integrated in the forking graph? A HTTP POST? Sending an eMail to the administrator? Sending a dove?

How exactly all this need to be done is currently worked out by the WG. Let’s now move on to Pull Requests. (Note that the working group focuses on the exchange specification only, not on the UI things.)

Pull Requests

Pull Requests, also called Merge Requests, are the opposite of Forking: They are about bringing the changes from one (forked) repository to another repository (typically the origin repository).

Let’s continue the example form above and assume you have made some (obviously awesome) changes to Awesome Project. If you are in a centralized environment for the developer this is as easy as clicking a Create Pull Request button and typing in some informational blah-blah and then, et voilá, having created a Pull Request. In a federated environment, your should offer you a similar button, but now (again) needs to know where to send the request (which your instance could memorize for you) and how to format it.

You now might say this is easy, but you still have to sit down and write down a document so the different Forges know how to to this steps. And this is what the working group is doing. This takes a little bit longer because in the WG we decided to make ForgeFed agnostic to the version control system in use, so you cannot simply specify the following because there might be a completely different VCS.

# if you get the HTTP request
#     branch=awesomefeature
# Then

git remote add \

git fetch

# And create a Merge Request for the
# `` branch
# [...]

While one could now require all Pull Requests being sent around as patch series, we would still be able to make two Forges that are talking about a Git repository still being able to handle the process through Git, we’re currently discussing a more generic approach to transfer changes. (In the worst case one can still fall back to patch series.)

Another challenge (both in Forking and PRs) is to not requiring the user to specify the VCS URL to the repository (, but simply the URL of the forge repository ( While both GitLab and GitHub allow HTTPS-cloning through the URL, there needs to be a way one forge telling another forge “for /user/repo you can use HTTPS via [URL A], and the Git protocol via [URL B]”.
The WG is trying to address this using JSON-LD, meaning that one Forge can send a JSON-LD query to and the being able to determine all the important URLs, e.g. for PRs, cloning, etc.

I hope that makes sense. :) Anyway, let’s move to the most complex topic: Issue Tracking.

Issue Tracking

First, Issue Tracking here is a term derived from GitHub, but should cover all Issue/Bug/Ticket tracking systems (BITT systems) that make any sense. In the WG there have been discussions about this, but mainly in regard to Distributed Issue Tracking. I have not yet thought this through thoroughly, but I would say that issue tracking might does not need to be covered by ForgeFed like Forks and PRs are. I would rather say that similar to ActivityPub, the WG could provide a basic Framework how BITT systems could federated with each other.

But as said, I have not thought this trough yet, so let’s see if this makes sense. :)

Thanks for reading.

In this post I would like to write about how I would like to change the function and design of my blog.

While I do not dislike the current design, I do not like it either. As an Utopia, I would like to create an framework for blog html designs. This framework could contain the different kinds of elements each blog needs, for example posts, comments and sites. That way a designer could create a template in HTML (and JS, if required) and that template could be used for more than just Wordpress, Jekyll or whatever blogging framework is out there.

I also see the site of my blog as my personal domain, so I would also like to include fediverse stuff here. For example I would like to be able to have a micro-blog that one can follow via ActivityPub (and maybe OStatus?). And where I also can follow other people. (So my own small one-person AP instance.)

My landing-page could have a short description about this site (I am site. What are you?) and then my most recent blog and micro-blog entries. And maybe some further information (Who the fuck is criztovyl?) and links to other networks and platforms. (eMail, GitLab?)

The company behind Fortnite decided to distribute it’s game outside of the Google Play Store. While I neither like Google, the Play Store, Android nor Free-To-Play Games that finance themselves via in-app transactions, I would like to pick out the issue that bugs me here: (Presumably) Not being able to verify the security of the software you download outside of an (app) store.

I refuse to accept that the only way of ensuring malware-free software is to use an non-free store. (Which in case of Google additionally even belongs to an privacy-invasive corporation.) I think there is at least one better way, which I will go forward to describe here now.

The issue I see here is that if you download an App from any website, for a normal web user it’s not easy to verify if the app is legit because everything outside of the store is untrusted. While I think it’s right not to trust any random website, I think there should be a way to make an application that comes from outside the store trusted.

Simply put, I would like that it is possible that a trusted corporation or an trusted individual verifies that my application is legit and that is then being accepted as “trusted” outside the app store.

Now, the important bits here that need to be explained further are when a corporation or individual is trusted and when an application is legit.

For establishing the trust I would create an organization which purpose is to act as an trust anchor and would finance itself by membership fees. I would differentiate between two kinds of memberships, where the first one woulds like to trust and the other one wants to be trusted.

While there should be no barriers for members that would like to trust, the other members need to be verified that they can be trusted. The trust into organizations and individuals should be verified regularly.

Now, I as an application developer could look for an organization or individual that is trusted by that organization, go to them and they can verify the legitimacy of my application. This verification I now can use to prove my applications legitimacy.

But wait, isn’t that just code signing, with an open organization instead of the current CA model?

What I don’t know if Android has any certificate trust model outside of the Play Store. Looks like it does not.

So, is it a Platform problem of not providing any means to verify the authenticity of a package? I guess so.

A draft I’ve created some weeks ago. I’ve polished it a little bit and published it now.

God is Dead, Individualism won’t save us, Socialism is Bad™ and Evolutionary Humanism isn’t the solution. Also, AI is around the corner, with a 50/50 chance to kill us all.

So, what to do until then?

I am currently employed at an large (large large) IT solutions company, and nothing I do there has any greater meaning to me. At the one hand there is a Public Sector project where managing the requirements seems very complicated to me and unnecessarily complicate the project. On the other hand a project in the Media Sector where the customer decided to make and not buy. While from the business view this might be okay, I dislike that the customer builds it’s own proprietary solution instead of the sector joining efforts. It’s this market lead thing, I guess? Meaning the single business in the sector won’t like to share with the others b/c improving anything only makes you more money if you are first? Well, that gets to complicated now and you don’t know the details so let’s stop here. Anyway, I would like to make the world better. Not do something utterly meaningless.

But the risk of doing meaningful things is just such high. (???) And I hate myself for that. I am very freedom orientated person, which makes all this very hard. But if you fight your lonely war against business-as-usual people you loose yourself. (WTF do you want to say?) Uhm, not sure. But I am very angry currently.

I just want to do Good™ but it’s not wanted. (You know that’s not exactly the truth.)

But it does not make any sense at all! Have you ever thought this through? There is no way for me in this situation changing this world: I can’t barely manage my own life, how should I change the world? (Well, you can barely manage it because you fight against yourself each single day. Let’s start by fixing that.)

Well so what do you suggest? “Doing one step after another”? I don’t have time for that. (You’re funny.) Well, okay. But it’s so hard to relax. Very hard. (You know we already talked about meditation?) Yes, but, you know, with barely getting along with life, it’s not exactly easy to look into that. (Nobody said it will be easy.) Well. So, what about starting to search for meditation advise right now? (You already excluded YouTube, didn’t you?) Yes. Let’s see if I find some friendly non-commercial website. (See you!) Be right back. :)

Let’s start by browsing Wikipedia about Meditation.

Oh nice, I found a Non-Profit about meditation, Mindful, that have some nice steps for doing Meditation. I listened to Last Lights while reading the steps and more then one time nearly broke down into tears. (Well, fuck?) Yup. I am currently thinking about meditating just now. (But the washing machine is very noisy?) Well, let’s try anyway, I want to relax now. (Want?) I even want it even right now! (whatever…)

(See you.) cu.