What's cooking on SourceHut? Q2 2026

Hello everyone! It’s time for another quarterly update, keeping you up to date on what we’re cooking up here at SourceHut.

Drew’s update

This past quarter I found myself mostly focused on “invisible” labor for SourceHut, which will make for a boring update from me this time. Most of my time was spent preparing a grant proposal, jointly with some other open source forges and related partners, to apply for funding from the EU. We’ll learn how that went sometime next quarter!

Otherwise I’ve been focused on greasing the wheels and keeping the lights on – doing code reviews, fixing little bugs here and there, handling user support, mitigating rolling DDoS attacks (Conrad will elaborate on these in a moment), dealing with the finances (it’s tax season), and enjoying some rest after dealing with all of the above.

In the coming quarter, I plan to write our annual financial report, and to invest more time in user-visible improvements. There’s a lot of work going into our GraphQL APIs now (led by Simon Martin!) which I want to build on. With this momentum I also plan to look into anonymous API access and more standardized and uniform GraphQL API designs, such as support for the connections specification for resource enumeration.

We’ll leverage these API improvements to facilitate some long-awaited features, such as linking resource pages (e.g. git repos) back to the projects they belong to on the project hub. I also plan on doing some more work on the billing system, to finalize the migration to the EU, so if this works out all customers will be moved into the EU billing system soon enough.

Conrad’s update

While I did get a good deal done this quarter, some of that work was certainly of the kind I wish I wouldn’t have to do in the first place. Let’s start with the elephant in the room: the DDoS. We still remain cautious about sharing too many details, but we wanted to at least offer a little glimpse into what we were facing. The below graph was provided by our network provider. For scale, note that the baseline traffic you can make out is not just ours - it’s us plus other customers. The visible spikes, however, were unfortunately directed at us alone…

The graph is from some time ago. A few more waves came in after that. We are still on alert and of course discussing what if any mitigations we can put in place for such events in the future. There is a small silver lining to this. The DDoS came in several waves of different traffic patterns, but it was mostly aimed at network resource exhaustion. This “helped” us identify several places where internal network traffic (such as inter-service requests) was still routed over public (that is, saturated) interfaces. Those were all fixed and we were happy to see that afterwards those few requests that made it to our servers could successfully be handled.

Hot on the heels of the DDoS we were targeted by another huge wave of spam sign-ups. These are accounts that get created solely for link farming. They basically get an advertisement with one or more links in their bio and never get used again. This time around, there seems to have been a serious campaign going on, creating over 300 accounts in a single month. We’ve seen such campaigns before, but we were mostly able to stall them by blocking the email domains they were using, which often seemed to be from obscure, hijacked relays or such. Unfortunately, by now, the main offender for fake accounts has become: Gmail… sad trombone.

So we had to resort to other means, and I added a keyword capability to our abuse detection system. All profile updates are now checked against certain keywords, and if there are a certain number of matching keywords the account is suspended right away. We will be very careful with the keywords we add to this to avoid false positives. The kind of crap we are dealing with is fortunately pretty easy to detect with 100% accuracy.

Let’s talk about more interesting stuff. My favorite this quarter is of course that I managed just right on time to finish git.sr.ht deploy keys! In the “Access” tab of your repository settings, you can now add SSH keys which will be able to access only this very repository, either read-write or read-only. This is intended for keys used for example in CI or similar automation. This work was preceded by a clean-up of the meta.sr.ht SSH key handling, with the user-visible side effect that finally SHA256 fingerprints are used everywhere as opposed to the legacy MD5 fingerprints.

Besides the few fixes here and there I also floated a first patch to replace the builds.sr.ht shell (currently Python) with a Go implementation. It might need a few fix-ups, but it already went through an RFC phase, so I think it’s fair to mention this now and call it a day.

Everyone else

SourceHut is 100% free and open source software, and the community is invited to participate in its development. Let’s take a moment to acknowledge the work of the volunteers who use and depend on SourceHut and sent along patches to improve it over the past few months.

Simon Martin has been back at it again this quarter, writing many patches to improve the project hub. Thanks to Simon, the project hub now has a writable GraphQL API, allowing you to manage projects and project resources via the API. He has a few more patches queued up to improve the API further and reduce our Python footprint there. Simon also added some improvements for lists.sr.ht’s patch review view, associating new patchset revisions with their previous versions and adding a UI for navigating between different versions of a patch. Thanks for these and many other patches, Simon!

Other community-led improvements include CismonX’s improvements to PGP keys, allowing one to update an existing PGP key, for example, to bump its expiry date or update subkeys, and some other smaller improvements as well. Our volunteer build image maintainers have also been quietly keeping your build images up to date this month – CismonX was back to update FreeB…