[24.05] gitea: mark as insecure

[Ma27]

The patch for this doesn't apply on 1.21 doesn't apply with half of the hunks failing.

Moving forward on stable isn't an option either, minor releases of gitea are also breaking.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[SuperSandro2000]

If hydra would still cache the package this would be a viable option but it doesn't which makes setting this kinda igghh.

[Ma27]

So, I've been told by @emilylange about the situation at forgejo (thanks a lot for that btw!) which is

• there's no security release for that
• no hotfix at codeberg.org

i.e. the severity is considered rather low and probably nothing to mark the entire package as insecure over that.

I'm inclined to agree. This would probably be something that can be handled by a warning if rfc127 infrastructure was already in place.

I'll give @NixOS/security a few hours to object, then close.

[LeSuisse]

No strong opinion either way on my side but indeed the issue does not seem too bad (it would be nice if they published an abstract on their page https://about.gitea.com/security ...).

I made an attempt at backporting the fix but I do not have a proper env to test it, if one of you is interested: https://gist.github.com/LeSuisse/e1558caf8d61c543251d56a77648deae

[Ma27]

I'd really like to have a review from @techknowlogick for that, then.
But since we all seem to agree that marking as insecure isn't needed, I'll close.