Codeberg/Community
Codeberg/Community
53
305
Fork 12
Code Issues 379 Activity

Repository cache of "global" artifact repositories, such as Maven Central, Pypi, NPM etc. #2146

New issue
Open
opened 2025-09-24 19:24:15 +02:00 by jornfranke · 5 comments
jornfranke commented 2025-09-24 19:24:15 +02:00
Copy link

Comment

Recently the stewards of popular open infrastructure, such as Maven Central, Pypi, NPM published a letter on the lack of funding of their infrastructure which could endanger their operation. Additionally, almost all of them are US-hosted and controlled.

One could think that Codeberg.org could provide additional European-based and hosted artifact repository "caches" or "mirrors" of Maven Central, Pypi, NPM. I propose not to copy all the artifacts, but if a user of the Codeberg.org access through the repository "cache"/"mirror" a package it fetches it from Maven Central/Pypi/NPM in the background and keeps the version cached.

Note: I do not talk about the functionality in Codeberg to publish own artifacts in a registry this for sure should be used as well.

Of course one needs to decide which solution to deploy for this as to my knowledge this is not supported by Forgejo. Pulp can do this for some package types, but maybe there are others. Probably a European CDN needs to be chosen (but might not be needed initially).

One should also of course consider the risk, e.g. similar to what other infrastructure provider have as a risk, the Codeberg repository "cache"/"mirror" could be heavily used. Here it could be worth to check with:

### Comment Recently the stewards of popular open infrastructure, such as Maven Central, Pypi, NPM published [a letter on the lack of funding of their infrastructure which could endanger their operation](https://openssf.org/blog/2025/09/23/open-infrastructure-is-not-free-a-joint-statement-on-sustainable-stewardship/). Additionally, almost all of them are US-hosted and controlled. One could think that Codeberg.org could provide additional European-based and hosted artifact repository "caches" or "mirrors" of Maven Central, Pypi, NPM. I propose not to copy all the artifacts, but if a user of the Codeberg.org access through the repository "cache"/"mirror" a package it fetches it from Maven Central/Pypi/NPM in the background and keeps the version cached. Note: I do not talk about the functionality in Codeberg to publish own artifacts [in a registry](https://forgejo.org/docs/latest/user/packages/ ) this for sure should be used as well. Of course one needs to decide which solution to deploy for this as to my knowledge this is not supported by Forgejo. [Pulp](https://pulpproject.org/) can do this for some package types, but maybe there are others. Probably a European CDN needs to be chosen (but might not be needed initially). One should also of course consider the risk, e.g. similar to what other infrastructure provider have as a risk, the Codeberg repository "cache"/"mirror" could be heavily used. Here it could be worth to check with: * European Commission - They currently work on the [Open Source strategy](https://commission.europa.eu/about/departments-and-executive-agencies/digital-services/open-source-software-strategy_en) 2026-2030 * [NLNet](https://nlnet.nl/) * [German Sovereign Tech Agency](https://www.sovereign.tech/)
Gusted commented 2025-09-24 22:49:10 +02:00
Owner
Copy link

I'm not particularly sure this is in the scope of Codeberg and Codeberg's infrastructure is not set up in such a way to be used as a large-scale CDN. It would be hard to monitor that this mirror is actually used for free and open source development and not used by a (large) commercial entity that wants to avoid their responsibility of paying what they are using.

I'm not particularly sure this is in the scope of Codeberg and Codeberg's infrastructure is not set up in such a way to be used as a large-scale CDN. It would be hard to monitor that this mirror is actually used for free and open source development and not used by a (large) commercial entity that wants to avoid their responsibility of paying what they are using.
jornfranke commented 2025-09-25 21:16:43 +02:00
Author
Copy link

Yes, I mentioned it as a possible risks. However, it is good to have your opinion on it.
Hence, I also added possible partners (e.g. European Commission, German Sovereign Tech Agency etc.). Maybe they can contribute to running it or run it with Codeberg.org contribution.

Yes, I mentioned it as a possible risks. However, it is good to have your opinion on it. Hence, I also added possible partners (e.g. European Commission, German Sovereign Tech Agency etc.). Maybe they can contribute to running it or run it with Codeberg.org contribution.
devnewton commented 2025-10-14 18:30:06 +02:00
Copy link

Artipie can be used for this.

This kind of service could be:

  • free from job running inside codeberg ci ;
  • charged for public access.
[Artipie](https://github.com/artipie/artipie) can be used for this. This kind of service could be: - free from job running inside codeberg ci ; - charged for public access.
👍 1
jornfranke commented 2025-10-14 19:56:45 +02:00
Author
Copy link

Thanks, good to know. Another alternative could be Pulp

Thanks, good to know. Another alternative could be [Pulp](https://pulpproject.org/)
jornfranke commented 2025-10-14 20:07:10 +02:00
Author
Copy link

Btw. I like the idea that one can think about a charging model for public access. Maybe open source developers that have projects on Codeberg could get it for free for their local environment, but operating model is for sure something to look at.

Btw. I like the idea that one can think about a charging model for public access. Maybe open source developers that have projects on Codeberg could get it for free for their local environment, but operating model is for sure something to look at.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
No results found.
Labels
Clear labels   
accessibility

Reduces accessibility and is thus a "bug" for certain user groups on Codeberg.

  
bug

Something is not working the way it should. Does not concern outages.

  
bug
infrastructure
Errors evidently caused by infrastructure malfunctions or outages

  
Codeberg

This issue involves Codeberg's downstream modifications and settings and/or Codeberg's structures.

  
contributions welcome

Please join the discussion and consider contributing a PR!

  
docs

No bug, but an improvement to the docs or UI description will help

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
infrastructure

Involves changes to the server setups, use `bug/infrastructure` for infrastructure-related user errors.

  
legal

An issue directly involving legal compliance

  
licence / ToS

involving questions about the ToS, especially licencing compliance

  
please chill
we are volunteers
Please consider editing your posts and remember that there is a human on the other side. We get that you are frustrated, but it's harder for us to help you this way.

  
public relations

Things related to Codeberg's external communication

  
question

More information is needed

  
question
user support
This issue contains a clearly stated problem. However, it is not clear whether we have to fix anything on Codeberg's end, but we're helping them fix it and/or find the cause.

  
s/Forgejo

Related to Forgejo. Please also check Forgejo's issue tracker.

  
s/Forgejo/migration

Migration related issues in Forgejo

  
s/Pages

Issues related to the Codeberg Pages feature

  
s/Weblate

Issue is related to the Weblate instance at https://translate.codeberg.org

  
s/Woodpecker

Woodpecker CI related issue

  
security

involves improvements to the sites security

  
service

Add a new service to the Codeberg ecosystem (instead of implementing into Gitea)

  
upstream

An open issue or pull request to an upstream repository to fix this issue (partially or completely) exists (i.e. Gitea, Forgejo, etc.)

  
wontfix

Codeberg's current set of contributors are not planning to spend time on delegating this issue.

No labels
accessibility
bug
bug
infrastructure
Codeberg
contributions welcome
docs
duplicate
enhancement
infrastructure
legal
licence / ToS
please chill
we are volunteers
public relations
question
question
user support
s/Forgejo
s/Forgejo/migration
s/Pages
s/Weblate
s/Woodpecker
security
service
upstream
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Codeberg/Community#2146
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?