sleepy/forgejo
1
0
Fork
You've already forked forgejo
 0
Code Issues 562 Pull requests Projects Releases Packages Wiki Activity Actions 3

Feature Request: Multi-Owner Authorization (Quorum) for Sensitive Org-Level Actions #12451

New issue
Open
opened 2026-05-07 15:43:02 +02:00 by lsmith · 9 comments
lsmith commented 2026-05-07 15:43:02 +02:00 (Migrated from codeberg.org)
Copy link

Existing problems this enhancement addresses

Currently, a single organization owner has the unilateral power to perform "destructive" or high-impact actions, such as transferring a repository to a different organization or deleting it entirely. This creates two major risks:

  • Account Compromise: If one owner’s credentials are stolen, the entire project's infrastructure is at risk.
  • Internal Misalignment: A single owner can act against the project’s governance (e.g., there was a recent incident like this within the CHAOSS project).

Enhancement description

Proposed Workflow:

  • Initiation: An owner triggers a sensitive action (e.g., Transfer Repository).
  • Pending State: The action is placed in a "Pending Approval" state. The repository remains in place but is locked for further transfers.
  • Notification: All owners receive a notification (email/in-app) regarding the request.
  • Verification: A configurable number of owners (e.g., 2, or a 51% quorum) must click "Approve."
  • Execution: Once the threshold is met, the action completes automatically.

Possible Configuration Options:

  • Threshold: "Require X owners to approve" or "Require $X$% of owners."
  • Expiry: A timeframe (e.g., 72 hours) after which the request expires if the quorum isn't met.
  • Scope: Options to toggle which actions require this (Transfer, Delete, Rename, Adding/Removing other Owners, Multi-Owner Authorization Configuration ..?).

Details and notes

Security vs. Governance:

This should be viewed strictly as a security layer. It is not intended to replace project governance or consensus-building, but rather to ensure that a single compromised account or rogue owner cannot hijacked a project's history and home.

The "Deadlock" Scenario:

What happens if the number of active owners falls below the required quorum?

Possible solution brought up by @zoe:
If after a predetermined period there is no (significant?) opposition, it is approved.

Audit Logs:

Not sure if there should be an audit log?

### Existing problems this enhancement addresses Currently, a single organization owner has the unilateral power to perform "destructive" or high-impact actions, such as transferring a repository to a different organization or deleting it entirely. This creates two major risks: * Account Compromise: If one owner’s credentials are stolen, the entire project's infrastructure is at risk. * Internal Misalignment: A single owner can act against the project’s governance (e.g., there was a recent incident like this within the CHAOSS project). ### Enhancement description Proposed Workflow: * Initiation: An owner triggers a sensitive action (e.g., Transfer Repository). * Pending State: The action is placed in a "Pending Approval" state. The repository remains in place but is locked for further transfers. * Notification: All owners receive a notification (email/in-app) regarding the request. * Verification: A configurable number of owners (e.g., 2, or a 51% quorum) must click "Approve." * Execution: Once the threshold is met, the action completes automatically. Possible Configuration Options: * Threshold: "Require $X$ owners to approve" or "Require $X$% of owners." * Expiry: A timeframe (e.g., 72 hours) after which the request expires if the quorum isn't met. * Scope: Options to toggle which actions require this (Transfer, Delete, Rename, Adding/Removing other Owners, Multi-Owner Authorization Configuration ..?). ### Details and notes #### Security vs. Governance: This should be viewed strictly as a security layer. It is not intended to replace project governance or consensus-building, but rather to ensure that a single compromised account or rogue owner cannot hijacked a project's history and home. #### The "Deadlock" Scenario: What happens if the number of active owners falls below the required quorum? Possible solution brought up by @zoe: If after a predetermined period there is no (significant?) opposition, it is approved. #### Audit Logs: Not sure if there should be an audit log?
Gusted commented 2026-05-07 15:51:44 +02:00 (Migrated from codeberg.org)
Copy link

@wetneb is this by any chance within the area you wanted to work on for organizations?

@wetneb is this by any chance within the area you wanted to work on for organizations?
zoe commented 2026-05-07 15:58:18 +02:00 (Migrated from codeberg.org)
Copy link

Verification: A configurable number of owners (e.g., 2, or a 51% quorum) must click "Approve."

Just a thought here. That would also require being able to change it. The code would need to ensure, that an owner cannot just change this value to 1 and then delete.

So maybe a quorum change would also need to be configurable. Also would have to think about deadlock situations (what if someone becomes inactive, is not reachable anymore and thus cannot Approve a change).

Expiry: A timeframe (e.g., 72 hours) after which the request expires if the quorum isn't met.

Even a waiting period would be good in general. If the minimal quorum is met it is executed directly. Otherwise after a (predetermined time) it is also executed unless the number of "disagrees" is higher.

This would solve the first problem.

Also imagine a bad actor adding enough people to the Owners Team and then letting them all execute the action (I do not have a solution for that).

> Verification: A configurable number of owners (e.g., 2, or a 51% quorum) must click "Approve." Just a thought here. That would also require being able to change it. The code would need to ensure, that an owner cannot just change this value to 1 and then delete. So maybe a quorum change would also need to be configurable. Also would have to think about deadlock situations (what if someone becomes inactive, is not reachable anymore and thus cannot Approve a change). > Expiry: A timeframe (e.g., 72 hours) after which the request expires if the quorum isn't met. Even a waiting period would be good in general. If the minimal quorum is met it is executed directly. Otherwise after a (predetermined time) it is also executed unless the number of "disagrees" is higher. This would solve the first problem. Also imagine a bad actor adding enough people to the Owners Team and then letting them all execute the action (I do not have a solution for that).
lsmith commented 2026-05-07 16:02:05 +02:00 (Migrated from codeberg.org)
Copy link

@zoe wrote in https://codeberg.org/forgejo/forgejo/issues/12451#issuecomment-14450666:

Just a thought here. That would also require being able to change it. The code would need to ensure, that an owner cannot just change this value to 1 and then delete.

yeah all the settings related to this enhancement should also be protectable.

Even a waiting period would be good in general. If the minimal quorum is met it is executed directly. Otherwise after a (predetermined time) it is also executed unless the number of "disagrees" is higher.

Yeah that is a good idea to auto-execute if there isn't opposition after the predetermined time as it indeed elegantly handles the Deadlock Scenario. It just means you have to wait a bit longer.

@zoe wrote in https://codeberg.org/forgejo/forgejo/issues/12451#issuecomment-14450666: > Just a thought here. That would also require being able to change it. The code would need to ensure, that an owner cannot just change this value to 1 and then delete. yeah all the settings related to this enhancement should also be protectable. > Even a waiting period would be good in general. If the minimal quorum is met it is executed directly. Otherwise after a (predetermined time) it is also executed unless the number of "disagrees" is higher. Yeah that is a good idea to auto-execute if there isn't opposition after the predetermined time as it indeed elegantly handles the `Deadlock Scenario`. It just means you have to wait a bit longer.
lsmith commented 2026-05-07 16:29:29 +02:00 (Migrated from codeberg.org)
Copy link

FYI Github enterprise has some capabilities in this direction https://docs.github.com/en/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/governing-how-people-use-repositories-in-your-enterprise

FYI Github enterprise has some capabilities in this direction https://docs.github.com/en/enterprise-cloud@latest/admin/managing-accounts-and-repositories/managing-repositories-in-your-enterprise/governing-how-people-use-repositories-in-your-enterprise
matkoniecz commented 2026-05-07 17:36:02 +02:00 (Migrated from codeberg.org)
Copy link

Note that for single-owner projects extra fiddling should not be introduced (if I fully control project I want to be able to delete/move/whatever it).

Though opt-in may be wanted, to limit damage in case of a hack?

Note that for single-owner projects extra fiddling should not be introduced (if I fully control project I want to be able to delete/move/whatever it). Though opt-in may be wanted, to limit damage in case of a hack?
matkoniecz commented 2026-05-07 17:36:53 +02:00 (Migrated from codeberg.org)
Copy link

Just a thought here. That would also require being able to change it. The code would need to ensure, that an owner cannot just change this value to 1 and then delete.

another attack would be adding 20 dummy accounts as co-owners and voting with such sockpuppets to approve move

or kicking out co-owners/co-maintainers and then performing restricted action

> Just a thought here. That would also require being able to change it. The code would need to ensure, that an owner cannot just change this value to 1 and then delete. another attack would be adding 20 dummy accounts as co-owners and voting with such sockpuppets to approve move or kicking out co-owners/co-maintainers and then performing restricted action
matkoniecz commented 2026-05-07 17:38:05 +02:00 (Migrated from codeberg.org)
Copy link

Expiry: A timeframe (e.g., 72 hours) after which the request expires if the quorum isn't met.

maybe minimal time instead? so no matter what some action cannot be taken within first 24h?

(though there may be a valid reason for immediate action to be taken....)

> Expiry: A timeframe (e.g., 72 hours) after which the request expires if the quorum isn't met. maybe minimal time instead? so no matter what some action cannot be taken within first 24h? (though there may be a valid reason for immediate action to be taken....)
wetneb commented 2026-05-07 21:11:18 +02:00 (Migrated from codeberg.org)
Copy link

That's a really interesting issue, thanks for the ping @Gusted. It does fit the overall scope of my work interests.
It seems difficult to design something around this specific actions (transfer, deletion, archival).

That being said, one way of making this danger less of an issue would be to reduce the need to make people "Owners" of organizations in the first place. Which can be done in various ways (both of which I am interested in exploring):

  • making it possible to grant some privileges that are currently Owner-only to other teams. For instance, only owners can add new members to teams, but one could imagine other ways to do that: certain teams could be allowed to co-opt members (any member of that team can add other members) or that members of team A are able to add new members of team B.
  • enabling a "git-ops" style of organization/repo settings. Meaning that the settings of an organization or repo are mirrored by some files in a git repository, on which people can do PRs, have branch protection rules, and so on. I have been doing some research on the existing solutions for this: https://codeberg.org/wetneb/todo/issues/3 (designed to be notes for myself, may not be super understandable for others yet). Practically speaking, I am considering working on, in order of ambition:
    1. external tooling (as actions, or external web services) to ease the management of a Forgejo org/repo via git
    2. considering integrating some of that logic in Forgejo itself (a form of magic repos: https://codeberg.org/forgejo/design/issues/21)
    3. potentially, adding UI sugar on top of such a magic repo feature to open/review PRs on such repos for specific kinds of proposals (such as nominations of people in certain roles).
That's a really interesting issue, thanks for the ping @Gusted. It does fit the overall scope of my work interests. It seems difficult to design something around this specific actions (transfer, deletion, archival). That being said, one way of making this danger less of an issue would be to reduce the need to make people "Owners" of organizations in the first place. Which can be done in various ways (both of which I am interested in exploring): * making it possible to grant some privileges that are currently Owner-only to other teams. For instance, only owners can add new members to teams, but one could imagine other ways to do that: certain teams could be allowed to co-opt members (any member of that team can add other members) or that members of team A are able to add new members of team B. * enabling a "git-ops" style of organization/repo settings. Meaning that the settings of an organization or repo are mirrored by some files in a git repository, on which people can do PRs, have branch protection rules, and so on. I have been doing some research on the existing solutions for this: https://codeberg.org/wetneb/todo/issues/3 (designed to be notes for myself, may not be super understandable for others yet). Practically speaking, I am considering working on, in order of ambition: 1. external tooling (as actions, or external web services) to ease the management of a Forgejo org/repo via git 2. considering integrating some of that logic in Forgejo itself (a form of magic repos: https://codeberg.org/forgejo/design/issues/21) 3. potentially, adding UI sugar on top of such a magic repo feature to open/review PRs on such repos for specific kinds of proposals (such as nominations of people in certain roles).
aahlenst commented 2026-05-07 21:28:46 +02:00 (Migrated from codeberg.org)
Copy link

@wetneb wrote in https://codeberg.org/forgejo/forgejo/issues/12451#issuecomment-14463461:

That being said, one way of making this danger less of an issue would be to reduce the need to make people "Owners" of organizations in the first place.

I don't think that this issue can really be solved by trying to circumvent it. As long as there are owners, there can be problems. https://www.theregister.com/software/2025/09/25/open-source-to-closed-doors-rubygems-control-fight-erupts/1440976 is another example how it can play out.

enabling a "git-ops" style of organization/repo settings.

In Forgejo Actions, I'm striving for moving things out of the Git repository into the settings. Having settings in the Git repository is a giant headache because almost everybody has write access to the repository. That makes things like permissions in workflows almost pointless.

@wetneb wrote in https://codeberg.org/forgejo/forgejo/issues/12451#issuecomment-14463461: > That being said, one way of making this danger less of an issue would be to reduce the need to make people "Owners" of organizations in the first place. I don't think that this issue can really be solved by trying to circumvent it. As long as there are owners, there can be problems. https://www.theregister.com/software/2025/09/25/open-source-to-closed-doors-rubygems-control-fight-erupts/1440976 is another example how it can play out. > enabling a "git-ops" style of organization/repo settings. In Forgejo Actions, I'm striving for moving things out of the Git repository into the settings. Having settings in the Git repository is a giant headache because almost everybody has write access to the repository. That makes things like `permissions` in workflows almost pointless.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
forgejo
bp-v15.0/forgejo-49f9cc7
v15.0/forgejo
v11.0/forgejo
renovate/forgejo-postcss
renovate/forgejo-github.com-fsnotify-fsnotify-1.x
renovate/forgejo-github.com-alecthomas-chroma-v2-2.x
renovate/forgejo-github.com-go-webauthn-webauthn-0.x
v14.0/forgejo
bp-v15.0/forgejo-2176403
bp-v14.0/forgejo-9767ceb
bp-v14.0/forgejo-d996dfb
v13.0/forgejo
bp-v13.0/forgejo-dc0a63e
bp-v13.0/forgejo-e7ef2eb
v12.0/forgejo
bp-v12.0/forgejo-cf1fda8-a511e37
bp-v11.0/forgejo-b52cec7
v7.0/forgejo
v10.0/forgejo
v9.0/forgejo
v8.0/forgejo
v1.21/forgejo
v1.20/forgejo
v1.19/forgejo
v1.18/forgejo
v1.17/forgejo
v14.0.5
v15.0.1
v11.0.13
v15.0.0
v14.0.4
v11.0.12
v16.0.0-dev
v14.0.3
v11.0.11
v14.0.2
v14.0.1
v13.0.5
v11.0.10
v14.0.0
v13.0.4
v11.0.9
v15.0.0-dev
v13.0.3
v11.0.8
v11.0.7
v13.0.2
v13.0.1
v13.0.0
v14.0.0-dev
v11.0.6
v12.0.4
v12.0.3
v11.0.5
v11.0.4
v12.0.2
v12.0.1
v12.0.0
v7.0.16
v11.0.3
v13.0.0-dev
v11.0.2
v7.0.15
v11.0.1
v11.0.0
v12.0.0-dev
v10.0.3
v10.0.2
v7.0.14
v7.0.13
v10.0.1
v10.0.0
v11.0.0-dev
v9.0.3
v7.0.12
v7.0.11
v9.0.2
v9.0.1
v7.0.10
v9.0.0
v10.0.0-dev
v8.0.3
v7.0.9
v8.0.2
v7.0.8
v8.0.1
v7.0.7
v7.0.6
v8.0.0
v9.0.0-dev
v7.0.5
v1.21.11-2
v7.0.4
v7.0.3
v7.0.2
v7.0.1
v7.0.0
v1.21.11-1
v1.21.11-0
v1.21.10-0
v8.0.0-dev
v1.21.8-0
v1.21.7-0
v1.21.6-0
v1.21.5-0
v1.21.4-0
v1.21.3-0
v1.20.6-1
v1.21.2-1
v1.21.2-0
v1.21.1-0
v1.20.6-0
v1.20.5-1
v1.21.0-rc2
v1.21.0-rc1
v1.20.5-0
v7.0.0-dev
v1.21.0-rc0
v1.20.4-1
v1.20.4-0
v1.20.3-0
v1.20.2-0
v1.20.1-0
v1.20.0
v1.19.4-0
v1.21.0-dev
v1.20.0-rc2
v1.19.3-0
v1.19.2-0
v1.19.1-0
v1.19.0-3
v1.19.0-2
v1.18.5-0
v1.20.0-dev
v1.19.0-rc0
v1.18.3-2
v1.18.3-1
v1.18.3-0
v1.18.2-1
v1.18.2-0
v1.18.1-0
v1.18.0-1
v1.18.0-0
v1.18.0-rc1-2
v1.18.0-rc1-1
v1.18.0-rc1
v1.18.0-rc0
v1.19.0-dev
v1.17.3
v1.17.2
v1.17.1
v1.17.0
v1.17.0-rc2
v1.16.9
v1.17.0-rc1
v1.18.0-dev
v1.16.8
v1.16.7
v1.16.6
v1.16.5
v1.16.4
v1.16.3
v1.16.2
v1.16.1
v1.16.0
v1.15.11
v1.17.0-dev
v1.16.0-rc1
v1.15.10
v1.15.9
v1.15.8
v1.15.7
v1.15.6
v1.15.5
v1.15.4
v1.15.3
v1.15.2
v1.15.1
v1.14.7
v1.15.0
v1.15.0-rc3
v1.14.6
v1.15.0-rc2
v1.14.5
v1.16.0-dev
v1.15.0-rc1
v1.14.4
v1.14.3
v1.14.2
v1.14.1
v1.14.0
v1.13.7
v1.14.0-rc2
v1.13.6
v1.13.5
v1.14.0-rc1
v1.15.0-dev
v1.13.4
v1.13.3
v1.13.2
v1.13.1
v1.13.0
v1.12.6
v1.13.0-rc2
v1.14.0-dev
v1.13.0-rc1
v1.12.5
v1.12.4
v1.12.3
v1.12.2
v1.12.1
v1.11.8
v1.12.0
v1.11.7
v1.12.0-rc2
v1.11.6
v1.12.0-rc1
v1.13.0-dev
v1.11.5
v1.11.4
v1.11.3
v1.10.6
v1.12.0-dev
v1.11.2
v1.10.5
v1.11.1
v1.10.4
v1.11.0
v1.11.0-rc2
v1.10.3
v1.11.0-rc1
v1.10.2
v1.10.1
v1.10.0
v1.9.6
v1.9.5
v1.10.0-rc2
v1.11.0-dev
v1.10.0-rc1
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.9.0-rc2
v1.10.0-dev
v1.9.0-rc1
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.8.0-rc3
v1.7.6
v1.8.0-rc2
v1.7.5
v1.8.0-rc1
v1.9.0-dev
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.7.0-rc3
v1.6.4
v1.7.0-rc2
v1.6.3
v1.7.0-rc1
v1.7.0-dev
v1.6.2
v1.6.1
v1.6.0
v1.6.0-rc2
v1.5.3
v1.6.0-rc1
v1.6.0-dev
v1.5.2
v1.5.1
v1.5.0
v1.5.0-rc2
v1.5.0-rc1
v1.5.0-dev
v1.4.3
v1.4.2
v1.4.1
v1.4.0
v1.4.0-rc3
v1.4.0-rc2
v1.3.3
v1.4.0-rc1
v1.3.2
v1.3.1
v1.3.0
v1.3.0-rc2
v1.3.0-rc1
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.2.0-rc3
v1.2.0-rc2
v1.1.4
v1.2.0-rc1
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.2
v1.0.1
v1.0.0
v0.9.99
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
sleepy/forgejo#12451
No description provided.