NotABug: A Comprehensive Guide to Free and Community-Driven Code Hosting

NotABug: A Comprehensive Guide to Free and Community-Driven Code Hosting

By Pashalis LaoutarisCategory: GitHub Alternatives28 min read

Editor’s Note: This article is part of our definitive guide to GitHub Alternatives. Click here to read the main overview.

This article provides an in-depth look at NotABug.org, a free-software code collaboration platform. It explores its core principles, technical foundation, features, its vision for a decentralized future, and the latest developments as of mid-2026 — including the platform’s current AI-scraper-driven outage, critical security disclosures affecting its Gogs foundation, growing competition from Forgejo, and the accelerating ForgeFed federation landscape.


⚠️ Current Status — June 2026

NotABug.org’s web UI is currently inaccessible due to overwhelming traffic from AI training scrapers that have repeatedly taken the server offline. The administrators have confirmed that Git access over SSH remains functional for users who already know a repository’s URL. New repository creation, web browsing, issue tracking, and pull request management are unavailable until the situation is resolved. This is a significant, ongoing operational disruption — not a minor blip — and readers evaluating NotABug as a primary host should weigh it heavily. See Section IX for the full picture.


Table of Contents

  1. Introduction
  2. What is NotABug?
  3. Key Features and Functionality
  4. Technical Architecture and Implementation
  5. NotABug 2.0: Vision for Decentralization
  6. Comparison with Other Code Hosting Platforms
  7. User Experience and Community
  8. Challenges and Criticisms
  9. Mid-2026 Updates and the Evolving Landscape
  10. Future Prospects and Development
  11. Conclusion
  12. Frequently Asked Questions (FAQ)
  13. References

I. Introduction

In a digital landscape dominated by a few major players, NotABug.org has long stood as a distinctive code collaboration platform dedicated to the principles of the free software movement. It provides a home for developers and projects that operate under free licenses, positioning itself not just as a service but as part of a broader philosophy supporting software freedom and digital autonomy.

That ideological clarity, however, collides with an increasingly turbulent operational reality in mid-2026. The platform is currently down for most users, felled by the same wave of aggressive AI training crawlers that have disrupted self-hosted forges, university GitLabs, and community infrastructure worldwide. Meanwhile, the upstream Gogs engine NotABug is built on has accumulated a serious backlog of critical vulnerabilities, and rival platforms built on actively maintained forks — particularly Forgejo and Codeberg — are attracting the developer communities that NotABug’s mission was designed to serve.

This guide is for developers, open-source advocates, and anyone evaluating community-driven alternatives to corporate-owned code hosting. It covers what NotABug is and what it set out to do, what it currently is and is not capable of, and what developers who share its values should consider doing in 2026.


II. What is NotABug?

NotABug Homepage

A. Core Identity and Mission

NotABug.org is a free-software code collaboration platform designed exclusively for freely licensed projects. Its mission is to support the development and distribution of software under licenses that meet the Free Software Definition — the GPL, MIT, BSD, and similar licenses. This strict focus on free software distinguishes it from mainstream platforms that host a mix of open-source and proprietary projects. The underlying philosophy is a commitment to a “free society,” where software and culture are shared openly for the benefit of all.

B. Technical Foundation

The platform is built upon Gogs (Go Git Service), a lightweight, self-hosted Git service written in the Go programming language. NotABug runs its own “liberated version” of Gogs, which strips out proprietary dependencies and third-party analytics trackers and includes custom modifications — with the source code always available on the platform itself.

Important (mid-2026): The NotABug fork of Gogs was last publicly committed in approximately 2018. Multiple critical security vulnerabilities have been disclosed in Gogs since then. Whether those patches have been applied to NotABug’s live instance is not publicly confirmed. See Section IX for details.

C. Organizational Structure

NotABug.org is operated by “Peers,” a community group dedicated to advancing free software and free culture, started in 2015. The platform is administered by Hein-Pieter van Braam-Stewart and a small team of volunteers. This non-profit, grassroots structure contrasts sharply with the corporate ownership of GitHub (Microsoft) and GitLab (publicly traded). It also means there is no dedicated engineering team to respond to security incidents or absorb sudden infrastructure load.


III. Key Features and Functionality

NotABug provides a comprehensive suite of tools for modern software development and collaboration, based on its Gogs foundation.

Note (June 2026): With the web UI currently inaccessible, most of the browser-based features below are temporarily unavailable. Git access over SSH remains usable for existing repositories.

A. Core Git Services

Repository Hosting: Users can create and manage unlimited public repositories for free software projects. Private repositories are also available with size limitations (around 100 MB for private, ~1 GB for public).

  • Version Control: Full Git support, including branch management, merging, tagging, and Git LFS.
  • Issue Tracking: A built-in issue tracker for project management, bug reporting, and feature requests.

B. Collaboration Features

  • Pull Requests: A standard pull request system for code contributions, reviews, and discussions.
  • User and Organization Accounts: Personal projects and multi-contributor organization accounts.
  • Project Wikis: Per-repository wikis for documentation and guides.
  • Webhooks: Integration with services like Slack and Discord via repository and organization webhooks.
Setting Up a Webhook on NotABug

When the web UI is accessible, webhooks can be configured through the interface or via the Gogs REST API:

curl -X POST "https://notabug.org/api/v1/repos/{owner}/{repo}/hooks" \
  -H "Content-Type: application/json" \
  -H "Authorization: token YOUR_ACCESS_TOKEN" \
  -d '{
    "type": "gogs",
    "config": {
      "url": "https://your-server.example.com/webhook",
      "content_type": "json",
      "secret": "your_webhook_secret"
    },
    "events": ["push", "issues", "pull_request"],
    "active": true
  }'

C. SSH and HTTPS Access

NotABug supports both SSH key-based and HTTPS access. During the current outage, SSH is the only reliable access method:

# Clone via SSH (works during current outage if you know the repo URL)
git clone git@notabug.org:username/my-project.git

# Clone via HTTPS (may be unavailable while web UI is down)
git clone https://notabug.org/username/my-project.git

# Add NotABug as a remote for mirroring
git remote add notabug git@notabug.org:username/my-project.git
git push notabug main

D. User Interface

NotABug User Interface

The platform’s web interface is clean and intentionally minimal — free from algorithmic feeds, sponsored content, and tracking. When accessible, it allows repository browsing, code exploration, and project discovery.


IV. Technical Architecture and Implementation

A. Gogs Foundation

NotABug’s architecture is fundamentally shaped by Gogs. The choice of Go as the implementation language provides high performance and cross-platform compatibility — Linux, macOS, and Windows — with a single binary. Gogs is self-contained and requires minimal infrastructure, which aligns with the non-profit volunteer-run model.

B. Custom Modifications

NotABug runs a fork of Gogs, stripping proprietary dependencies and analytics hooks and adding community-specific customizations. However, because the fork’s public commit history ends around 2018, it is unclear to what extent upstream security patches have been applied over the following eight years.

C. Hosting and Infrastructure

The platform is maintained by volunteer administrators. It offers access via HTTPS and through a Tor hidden service for privacy. The current AI-scraper crisis has exposed the fragility of this model: a small volunteer team with no commercial backing or CDN-level bot mitigation cannot easily absorb the traffic volumes that have brought well-resourced platforms like GNOME’s GitLab and French research institute CNRS to their knees in the same period.

D. Self-Hosting Risks of Unmaintained Gogs Forks

For developers considering running their own Gogs-based forge, the mid-2026 vulnerability disclosures make it critical to understand what you are taking on. Any Gogs instance running on v0.14.2 or earlier is potentially exposed to multiple RCE vulnerabilities. The minimum safe version as of June 2026 is v0.14.3.

# Check your running Gogs version
./gogs --version
# or, via Docker:
docker exec <container_name> /app/gogs/gogs --version

If you are below v0.14.3, apply emergency mitigations immediately:

# In /path/to/gogs/custom/conf/app.ini

[service]
# Prevent untrusted users from creating accounts (highest-impact mitigation)
DISABLE_REGISTRATION    = true
# Prevent existing users from creating new repos
MAX_CREATION_LIMIT      = 0

[security]
INSTALL_LOCK            = true
SECRET_KEY              = <long random string, change this>

[server]
# If you must allow HTTPS Git access, enforce token auth at the proxy level
DISABLE_HTTP_GIT        = false

Then upgrade as soon as possible:

# Docker upgrade to patched version
docker pull gogs/gogs:0.14.3
docker stop gogs && docker rm gogs
# Re-run with your existing volume mount
docker run -d --name gogs \
  -p 3000:3000 -p 2222:22 \
  -v gogs-data:/data \
  gogs/gogs:0.14.3

For production deployments, place Gogs behind a reverse proxy with TLS and aggressive rate limiting:

server {
    listen 443 ssl;
    server_name git.yourdomain.example;

    ssl_certificate     /etc/letsencrypt/live/git.yourdomain.example/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/git.yourdomain.example/privkey.pem;

    # Rate-limit the web UI to blunt AI scraper load
    limit_req_zone $binary_remote_addr zone=gogs:10m rate=10r/s;

    location / {
        limit_req zone=gogs burst=20 nodelay;
        proxy_pass         http://127.0.0.1:3000;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}

E. Using the Gogs API

Gogs exposes a REST API (v1) largely compatible with the GitHub API for basic operations. Here is a Python example using requests:

import requests

NOTABUG_BASE = "https://notabug.org/api/v1"
TOKEN = "your_personal_access_token"

headers = {
    "Authorization": f"token {TOKEN}",
    "Content-Type": "application/json",
}

def list_repos(username: str) -> list[dict]:
    """List all repositories for a given user."""
    response = requests.get(
        f"{NOTABUG_BASE}/users/{username}/repos",
        headers=headers,
        timeout=10,
    )
    response.raise_for_status()
    return response.json()

def create_repo(name: str, description: str = "", private: bool = False) -> dict:
    """Create a new repository for the authenticated user."""
    payload = {
        "name": name,
        "description": description,
        "private": private,
        "auto_init": True,
    }
    response = requests.post(
        f"{NOTABUG_BASE}/user/repos",
        headers=headers,
        json=payload,
        timeout=10,
    )
    response.raise_for_status()
    return response.json()

if __name__ == "__main__":
    # Note: API may be unavailable during the current web outage
    repos = list_repos("peers")
    for repo in repos:
        print(f"{repo['full_name']}{repo.get('description', '')}")

Caveat (June 2026): The API endpoint at notabug.org/api/v1 is served by the same web process affected by the current outage. Callers should implement retry logic and be prepared for connection failures.


V. NotABug 2.0: Vision for Decentralization

A. Current Limitations of Centralized Hosting

The traditional code hosting model, even for open-source services, creates a centralized “hub.” This creates dependencies on a single entity and a canonical upstream source, making projects vulnerable to platform shutdowns or policy changes — as seen with the closure of Google Code.

B. Proposed Decentralized Model

NotABug 2.0 envisions a federated network of Git instances that mirrors Git’s own distributed nature. Users could host their own server or use a public instance and collaborate seamlessly with users on other instances — forking a repository, opening an issue, or sending a pull request to a foreign repository without needing an account on that specific host.

C. Implementation Challenges and Goals

The design goals for NotABug 2.0 prioritize transparent authentication across instances, trivial setup for self-hosting, and ensuring users only need to trust their “home-server.” These goals are compelling, but development depends entirely on volunteer effort, and no public progress has been published for several years.

As of mid-2026, the broader ForgeFed ecosystem (see Section IX.C) has made measurable production progress on the same vision using the ActivityPub protocol. NotABug has not publicly indicated whether it plans to adopt ForgeFed or build a bespoke protocol.


VI. Comparison with Other Code Hosting Platforms

A. Platform Comparison Table

PlatformEngineFederationMaintenanceScaleFree-SW Focus
NotABugGogs (fork)Planned (2.0)⚠️ Stagnant ~2018Small / niche✅ Exclusive
CodebergForgejo✅ Experimental (AP)✅ Active300k+ repos✅ Exclusive
ForgejoSelf✅ Experimental (AP)✅ ActiveSelf-hosted/public✅ Strong
GitHubProprietary❌ None✅ Commercial100M+ repos❌ Mixed
GitLabProprietary🔄 Exploring AP✅ CommercialEnterprise❌ Mixed
SourceForgeLegacy❌ None⚠️ LimitedLegacy user base❌ Mixed

AP = ActivityPub / ForgeFed

B. Major Competitors in Detail

GitHub is the market leader, owned by Microsoft, with a vast ecosystem and the largest developer community. In 2025, growing concerns over GitHub Copilot’s handling of open-source training data drove a meaningful segment of developers to seek alternatives.

GitLab offers a comprehensive DevOps platform with both SaaS and self-hosted options. It has begun exploring ActivityPub federation support, though it remains primarily enterprise-focused.

Codeberg is the closest philosophical peer to NotABug — a non-profit, exclusively FOSS-focused forge based in Germany, running Forgejo. As of November 2025, it hosts over 300,000 repositories and is the fastest-growing ethical code forge. Unlike NotABug, its infrastructure is actively maintained.

Forgejo is a community fork of Gitea that emerged in late 2022 following governance concerns. By 2026 it is the leading free-software forge engine, with active ActivityPub federation, built-in CI/CD Actions, package registries, and adoption by institutions like the Fedora Linux project.

C. NotABug’s Unique Value Propositions

Despite its current difficulties, NotABug retains genuine differentiators:

  • Exclusive free-software hosting: Unlike GitHub or GitLab, NotABug hosts only freely licensed projects.
  • Community governance: Non-profit, non-corporate, community-run.
  • Privacy by design: No tracking scripts, no advertising, no data monetization. Tor access available.
  • Decentralization vision: NotABug 2.0, while dormant, articulated the federated model long before ForgeFed.

D. Limitations and Trade-offs

  • Current downtime: The web UI is inaccessible as of June 2026 due to AI scraper load.
  • Stagnant fork: The Gogs fork powering NotABug has not received public commits since approximately 2018.
  • Security uncertainty: Multiple critical CVEs in Gogs upstream; patch status on NotABug is unconfirmed.
  • No CI/CD, no package registry: Missing features developers now expect as standard.
  • Smaller ecosystem: Less discoverable, fewer integrations.

VII. User Experience and Community

A. Getting Started

When the platform is accessible, creating an account and setting up a repository is straightforward and familiar to anyone who has used GitHub or GitLab. The platform also supports repository migration, allowing users to mirror projects from other sites. As of June 2026, account creation and web-based setup are not possible due to the outage.

Migrating a Repository to NotABug (when accessible)
# After creating the empty repo on NotABug via the web UI
cd my-project

# Add the NotABug remote alongside the existing origin
git remote add notabug git@notabug.org:yourusername/my-project.git

# Push all branches and tags
git push notabug --all
git push notabug --tags

For users who already have repositories on NotABug, SSH access remains available:

# Access existing repo during the current web outage (SSH only)
git clone git@notabug.org:yourusername/existing-project.git
git pull  # fetch updates
git push notabug main  # push changes

B. Community Dynamics

The projects hosted on NotABug are often those with a strong ideological commitment to software freedom: fully-libre Linux distributions, privacy tools, and projects by members of the FSF community. The platform maintains a code of conduct and requires projects to meet the Free Software or Free Culture definition.

C. Project Examples

NotABug hosts the official repositories for the Peers Community itself, as well as mirrors and primary repositories for projects like Libreboot and various free software distributions. The FSF evaluates platforms including NotABug against its GNU Ethical Repository Criteria (ERC), where NotABug scores well on freedom and privacy criteria.

D. Migration Alternatives

Given the current outage and maintenance concerns, developers may consider Codeberg as a primary home for free-software projects, with NotABug as an ideological mirror when it returns to service. Both platforms enforce free-software-only hosting policies.


VIII. Challenges and Criticisms

A. Sustainability Concerns

Like many volunteer-driven, non-profit projects, long-term sustainability is a fundamental challenge. NotABug has no dedicated engineering team, no commercial revenue stream, and limited capacity to absorb infrastructure shocks — as the current AI-scraper outage demonstrates. This is not a criticism unique to NotABug; it describes a structural tension inherent to all community-run infrastructure.

B. Feature Gaps

NotABug provides the core of what is needed for code hosting, but lacks features that developers now consider standard: built-in CI/CD (Forgejo ships Actions runners modelled on GitHub Actions), package registries, container registries, and security scanning. For projects with modern DevOps requirements, these gaps are significant.

C. Adoption Barriers

GitHub’s network effects are formidable. Many developers keep their work on the platform with the largest contributor base. For projects seeking broad community engagement and discoverability, a smaller platform like NotABug can feel limiting.

D. Reliability Concerns

Community feedback over 2024–2026 has documented recurring HTTP 500 errors and prolonged outages. The NotABug Gogs fork has not received public commits since 2018. The platform’s outage status page was last updated in 2016. These are not isolated data points — they form a pattern of deferred maintenance that culminated in the current June 2026 web UI shutdown.

E. Security Maintenance Posture

This is the most serious challenge. As detailed in the next section, Gogs has accumulated multiple critical security vulnerabilities. Running an eight-year-old fork of a piece of infrastructure software without confirmed patching is a high-risk posture, particularly for a platform that hosts source code — including potentially sensitive or security-critical projects.


IX. Mid-2026 Updates and the Evolving Landscape

A. Current Operational Status: AI Scraper Outage

The most immediate development for NotABug users is the ongoing web UI outage. The platform’s homepage currently displays an error state, with a message confirming that repositories are accessible via git+SSH for users who already know the URL — but the web interface is down.

The cause is a pattern affecting the broader self-hosted forge ecosystem in 2025–2026: AI training crawlers from multiple organizations have been hammering small, community-run Git services with traffic volumes they cannot sustain. AI training scrapers have been documented knocking a French national research institute’s GitLab server offline, overwhelming GNOME’s GitLab infrastructure, and disrupting dozens of smaller forges. Larger, well-resourced organizations have responded with bot-mitigation services (GNOME adopted Fastly; others use Anubis, a proof-of-work challenge proxy). NotABug, with its volunteer team and no commercial backing, has no equivalent capacity.

There is no publicly confirmed timeline for when the web UI will be restored, or what mitigation approach the administrators plan to adopt.

B. Critical Security Vulnerabilities in Gogs

The first half of 2026 saw an alarming wave of security disclosures affecting Gogs. Every user or administrator of a Gogs-based instance — including NotABug — should be aware of these:


CVE-2026-52806 (CVSSv4 9.4 — Critical) — Argument Injection RCE Discovered by Rapid7’s Jonah Burgess, reported March 17, 2026. A malicious pull request branch name can inject the --exec flag into git rebase during “Rebase before merging,” achieving remote code execution as the Gogs server process. Because Gogs ships with open registration and unlimited repository creation enabled by default, an unauthenticated attacker can create an account and exploit this in under 60 seconds on a default-configured instance. A Metasploit module was publicly released May 28, 2026 before a fix was available. Gogs maintainers did not respond to multiple follow-ups during a 70-day window.

Patched in Gogs v0.14.3 (released June 7, 2026), after Rapid7 submitted PR #8301 directly.


CVE-2026-25921 (CVSS 9.3 — Critical) — LFS Object Overwrite Missing content-hash verification in Gogs’s LFS implementation allows unauthenticated attackers to overwrite legitimate LFS objects across repositories. Since Gogs stores all LFS objects in a single location without repository isolation, this enables supply-chain attacks: malicious content can be silently substituted for legitimate build artifacts, and the web interface shows no integrity warning.


CVE-2025-8110 (CVSS 7.8 — High) — Symlink Path Traversal RCE A symlink-based path traversal bypass in the PutContents API, allowing authenticated users to overwrite arbitrary files on the server. Disclosed by Wiz researchers and actively exploited in the wild since December 2025. CISA added it to its actively exploited vulnerabilities catalog on January 12, 2026, ordering federal agencies to patch within three weeks. Gogs patched this in early 2026.


Additional 2026 advisories (all patched in v0.14.2 or v0.14.3):

AdvisoryIssue
GO-2026-44492FA bypass via recovery codes
GO-2026-4452Arbitrary file deletion via path traversal in wiki updates
GO-2026-4453Arbitrary file read/write via path traversal in Git hook editing
GO-2026-4454Stored XSS via Mermaid diagrams
GO-2026-4457Authorization bypass in repository deletion API
GO-2026-4627DOM-based XSS via milestone selection
CVE-2026-26194Argument injection via tag name in release deletion (fixed in 0.14.2)

⚠️ Warning for NotABug users: NotABug’s Gogs fork has not received confirmed public commits since approximately 2018. It is not publicly known whether the above patches — several covering actively exploited vulnerabilities — have been applied to the live instance. Users should treat NotABug as higher-risk for sensitive projects until the administrators publicly confirm their patching status. For security-critical source code, consider Codeberg or a self-hosted Forgejo instance running current releases.

Emergency mitigations for any self-hosted Gogs installation still on a vulnerable version:

# /path/to/gogs/custom/conf/app.ini

[service]
# Disable open registration — single highest-impact mitigation for CVE-2026-52806
DISABLE_REGISTRATION    = true
# Prevent users from creating repositories (blocks easiest attack path)
MAX_CREATION_LIMIT      = 0

[security]
INSTALL_LOCK            = true
SECRET_KEY              = <generate a long random string>

Audit for suspicious LFS symlinks (CVE-2026-25921):

# Scan all repo LFS objects for symlinks pointing outside the repository root
find /path/to/gogs/repositories -type l | while read symlink; do
  target=$(readlink -f "$symlink")
  repo_root=$(echo "$symlink" | sed 's|/objects/.*||')
  if [[ "$target" != "$repo_root"* ]]; then
    echo "SUSPICIOUS SYMLINK: $symlink -> $target"
  fi
done

Detect potential CVE-2026-52806 exploitation attempts in Gogs server logs:

# Look for the error signature of the argument injection attack
grep -E "\[E\].*merge: git checkout.*--exec=" /path/to/gogs/log/gogs.log

C. Gogs v0.14.3: What Changed

Released June 7, 2026, v0.14.3 is the most critical security release Gogs has issued. It patches CVE-2026-52806 (the argument injection RCE) along with several other issues. Upgrading to v0.14.3 is the minimum safe baseline as of June 2026.

# Upgrade via Docker
docker pull gogs/gogs:0.14.3

# Or build from source (requires Go 1.25+)
go version   # confirm >= 1.25
git clone https://github.com/gogs/gogs.git
cd gogs && git checkout v0.14.3
go build -o gogs .
./gogs web

Gogs v0.14.2 (February 2026) introduced additional improvements worth noting for self-hosters:

  • A next-generation Docker image (gogs/gogs:next-latest), which becomes the default at v0.16.0.
  • Pure-Go SQLite driver (no more CGO build dependency).
  • Mermaid JS updated to 11.9.0, patching stored XSS.
  • Repository creation now halts if the root already exists, preventing race conditions.

D. The ForgeFed Ecosystem Advances

While NotABug 2.0’s federated vision has seen no public progress, the broader ForgeFed ecosystem has accelerated significantly and is now delivering production features.

Forgejo (the community fork of Gitea) is the primary implementer of ForgeFed, backed by NLnet funding. By 2026, it has shipped experimental ActivityPub federation including the ability to federate repository stars across instances. This is a concrete, live demonstration of the model NotABug 2.0 described: a developer on one instance can follow a repository on another without creating a second account.

Codeberg, running Forgejo and hosting over 300,000 repositories, is the largest beneficiary. The Fedora Linux project chose Forgejo as its replacement for Pagure — a significant institutional endorsement of the community-governed model. GitLab has begun its own ActivityPub federation work.

ForgeFed is built on the W3C ActivityPub protocol, the same standard underlying Mastodon. A conceptual illustration of the protocol flow:

# Conceptual ForgeFed interaction (pseudo-notation)

# Step 1: Discover the repository's Actor URL via WebFinger
GET https://forge-b.example/.well-known/webfinger
    ?resource=acct:myrepo@forge-b.example
→ Returns: Actor URL for the repository

# Step 2: Send a Follow activity to the repository's inbox
POST https://forge-b.example/users/myrepo/inbox
Content-Type: application/activity+json

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "type": "Follow",
  "actor": "https://forge-a.example/users/alice",
  "object": "https://forge-b.example/users/myrepo"
}

# Step 3: Forge B sends Accept; subsequent push events are
#         delivered to Alice's inbox on Forge A as Push activities

NotABug administrators have not published a public statement on whether NotABug 2.0 will adopt ForgeFed/ActivityPub or pursue a different implementation approach.

Traffic analytics for notabug.org through early 2026 showed a declining trend, with the site’s global rank slipping from 1.6M to 2.0M over a three-month window and monthly web traffic down roughly 17%. Direct traffic accounted for over 52% of visits, indicating a loyal but contracting user base rather than new developer discovery. This contrasts with Codeberg’s rapid growth, where repository counts have been rising sharply.

F. The FSF’s GNU Ethical Repository Criteria

The Free Software Foundation evaluates code forges against its GNU Ethical Repository Criteria (ERC). NotABug performs well on core criteria around software freedom, privacy, and non-commercial operation. However, the stagnation of the platform’s Gogs fork and the unconfirmed security patch status are practical concerns that go beyond the ERC’s ideological criteria.


X. Future Prospects and Development

A. Paths Forward for NotABug

The platform has a few plausible trajectories:

  1. Stabilization and modernization: The administrators resolve the AI scraper outage using tools like Anubis (a proof-of-work challenge proxy purpose-built for this problem), apply outstanding security patches, and update the Gogs fork to a current baseline. This is achievable but requires sustained volunteer effort.

  2. ForgeFed adoption: NotABug adopts ActivityPub federation, aligning the NotABug 2.0 vision with the broader ForgeFed standard being developed by Forgejo and others. This would be the most impactful technical path forward, but requires significant development capacity.

  3. Niche consolidation: NotABug continues as a small, ideological mirror platform for free-software projects that also host their primary code elsewhere. This is the least ambitious outcome but the most realistic given current resources.

B. Role in the Broader Free Software Ecosystem

NotABug’s continued existence — even in a limited capacity — has value. It provides a non-commercial, non-corporate option for projects that want an ideologically aligned home. It serves as a model and an inspiration for the wider federated forge movement. And it represents a concrete form of resistance to the monoculture of GitHub.

C. What Developers Can Do Right Now

The most practical approach for developers who share NotABug’s values in mid-2026:

#!/bin/bash
# Mirror strategy: primary development on a well-maintained forge,
# NotABug as an ideological mirror when it returns to service.
# This script can be run in CI (e.g., Forgejo Actions, GitHub Actions).

set -euo pipefail

PRIMARY="git@codeberg.org:yourusername/my-project.git"
MIRRORS=(
  "git@notabug.org:yourusername/my-project.git"
)

# Push to primary
git push "$PRIMARY" --all
git push "$PRIMARY" --tags

# Mirror to secondary forges (fail gracefully — NotABug may be offline)
for remote in "${MIRRORS[@]}"; do
  echo "Mirroring to $remote..."
  git push "$remote" --all --force || echo "Warning: mirror push to $remote failed (may be offline)"
  git push "$remote" --tags --force || true
done

echo "Done."

In a Forgejo Actions workflow:

# .forgejo/workflows/mirror.yml
name: Mirror to secondary forges

on:
  push:
    branches: ["**"]
  create:  # also runs on tag creation

jobs:
  mirror:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history for mirroring

      - name: Configure SSH
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.NOTABUG_SSH_KEY }}" > ~/.ssh/notabug_rsa
          chmod 600 ~/.ssh/notabug_rsa
          ssh-keyscan notabug.org >> ~/.ssh/known_hosts 2>/dev/null || true

      - name: Mirror to NotABug
        run: |
          git remote add notabug git@notabug.org:yourusername/my-project.git || true
          git push notabug --all --force || echo "NotABug mirror skipped (offline)"
          git push notabug --tags --force || true

XI. Conclusion

A. Summary

NotABug.org is more than a code hosting service. It is a community-driven platform with a strong ideological foundation in the free software movement, built on the principles of autonomy, privacy, and community governance. Those principles remain valuable and worth supporting.

The mid-2026 reality, however, is difficult to soften: the platform’s web UI is currently down due to AI scraper overload, its upstream Gogs engine has accumulated critical vulnerabilities including an actively exploited zero-day, and peer platforms built on actively maintained forks are growing rapidly. NotABug’s stagnant maintenance posture and lack of commercial infrastructure make it a niche, ideological choice rather than a robust primary host for production or security-sensitive projects.

B. Recommendations

Consider NotABug for:

  • Ideological mirroring — hosting a copy of a free-software project that lives primarily on a better-maintained forge.
  • Projects with existing presence on the platform who want to maintain continuity.
  • Contributing to the Peers Community and supporting independent infrastructure as a philosophical act.

For primary hosting of free-software projects in 2026, evaluate:

  • Codeberg — non-profit, FOSS-only, Forgejo-based, actively maintained, ~300k repos and growing.
  • Self-hosted Forgejo — full control, active security patches, CI/CD built in.

C. Final Thoughts

The importance of diverse, independent hosting options cannot be overstated. NotABug represents a critical idea in the software development ecosystem — that code hosting can be community-run, non-commercial, privacy-respecting, and genuinely autonomous. That idea is worth preserving, even if the current platform is struggling to embody it.

The platform needs sustained administrative attention, security patching, and a credible response to the AI scraper problem. If those challenges are met, NotABug can continue to be a meaningful participant in the emerging federated forge ecosystem. If not, the community it serves has increasingly capable alternatives in Codeberg and Forgejo that carry forward the same values with stronger operational foundations.


XII. Frequently Asked Questions (FAQ)

Q1: Is NotABug.org free to use? Yes, it is a free service for hosting freely licensed software projects, with no fees, ads, or data monetization.

Q2: Who runs NotABug.org? It is run by Peers, a community group dedicated to free software and free culture, started in 2015 and administered by Hein-Pieter van Braam-Stewart and a small volunteer team.

Q3: Is NotABug.org accessible right now (June 2026)? The web UI is currently down due to overwhelming AI scraper traffic. Git access over SSH remains functional for existing repositories if you already know the URL. There is no confirmed timeline for restoration of the web interface.

Q4: How is NotABug different from GitHub? NotABug only hosts free-software projects, is run by a non-profit community rather than a corporation, carries no advertising or user tracking, and offers Tor access. It is far smaller, with a much narrower scope and feature set.

Q5: What is Gogs? Gogs is a lightweight, self-hosted Git service written in Go. NotABug uses a modified fork of Gogs. As of June 2026, multiple critical vulnerabilities have been disclosed in Gogs — including an actively exploited RCE. The minimum safe version is v0.14.3 (released June 7, 2026). NotABug’s fork has not been publicly updated since ~2018; patch status is unconfirmed.

Q6: What is NotABug 2.0? NotABug 2.0 is the platform’s long-stated vision for a decentralized, federated network of Git instances allowing cross-instance collaboration without account creation on every server. The ForgeFed/ActivityPub standard now being implemented by Forgejo and Codeberg is pursuing the same goals and is further along in actual delivery.

Q7: Can I host a private project on NotABug? Yes, private repositories are supported with a size limit of around 100 MB. Web-based access is currently unavailable; SSH access to existing private repos should still work if you have the URL and SSH key configured.

Q8: Is NotABug safe for sensitive projects? Not with confidence, in mid-2026. The unconfirmed patch status of the Gogs fork, combined with multiple critical CVEs including an actively exploited RCE, means the security posture of the live instance is unknown. For security-sensitive code, use a platform with confirmed, current security patching (e.g., Codeberg or a self-hosted Forgejo running v7.0+).

Q9: Should I migrate away from NotABug? If NotABug is your only hosting location, yes — at minimum set up a mirror on Codeberg or another well-maintained forge immediately. The ongoing outage means your repository may be inaccessible to collaborators and contributors. If NotABug is already a secondary mirror, simply ensure your primary host is current and you can continue to mirror there when it returns to service.

Q10: What is ForgeFed? ForgeFed is an ActivityPub-based federation protocol enabling different Git forge instances to interoperate — users on Forge A can follow repositories on Forge B, open issues, and receive push notifications, without creating accounts on every instance. Think of it as the Mastodon model applied to code hosting. Forgejo is the leading implementer; NLnet funds development.


XIII. References


Back to All Posts
Share this post:
Share on Twitter
Share on LinkedIn
Share on Reddit
Share on Facebook
Copy Link
Copied!