Feed Reader
MGASA-2026-0054 - Updated yt-dlp packages fix security vulnerability
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-26331
Description
When yt-dlp's --netrc-cmd command-line option (or netrc_cmd Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL.
References
- https://bugs.mageia.org/show_bug.cgi?id=35183
- https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm
- https://github.com/yt-dlp/yt-dlp/compare/2026.02.04...2026.03.03
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26331
- yt-dlp-2026.03.03-1.1.mga9
MGASA-2026-0053 - Updated thunderbird packages fix security vulnerabilities
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-2757, CVE-2026-2758, CVE-2026-2759, CVE-2026-2760, CVE-2026-2761, CVE-2026-2762, CVE-2026-2763, CVE-2026-2764, CVE-2026-2765, CVE-2026-2766, CVE-2026-2767, CVE-2026-2768, CVE-2026-2769, CVE-2026-2770, CVE-2026-2771, CVE-2026-2772, CVE-2026-2773, CVE-2026-2774, CVE-2026-2775, CVE-2026-2776, CVE-2026-2777, CVE-2026-2778, CVE-2026-2779, CVE-2026-2780, CVE-2026-2782, CVE-2026-2783, CVE-2026-2784, CVE-2026-2785, CVE-2026-2786, CVE-2026-2787, CVE-2026-2788, CVE-2026-2789, CVE-2026-2790, CVE-2026-2791, CVE-2026-2792, CVE-2026-2793
Description
- Incorrect boundary conditions in the WebRTC: Audio/Video component. (CVE-2026-2757)
- Use-after-free in the JavaScript: GC component. (CVE-2026-2758)
- Incorrect boundary conditions in the Graphics: ImageLib component. (CVE-2026-2759)
- Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. (CVE-2026-2760)
- Sandbox escape in the Graphics: WebRender component. (CVE-2026-2761)
- Integer overflow in the JavaScript: Standard Library component. (CVE-2026-2762)
- Use-after-free in the JavaScript Engine component. (CVE-2026-2763)
- JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. (CVE-2026-2764)
- Use-after-free in the JavaScript Engine component. (CVE-2026-2765)
- Use-after-free in the JavaScript Engine: JIT component. (CVE-2026-2766)
- Use-after-free in the JavaScript: WebAssembly component. (CVE-2026-2767)
- Sandbox escape in the Storage: IndexedDB component. (CVE-2026-2768)
- Use-after-free in the Storage: IndexedDB component. (CVE-2026-2769)
- Use-after-free in the DOM: Bindings (WebIDL) component. (CVE-2026-2770)
- Undefined behavior in the DOM: Core & HTML component. (CVE-2026-2771)
- Use-after-free in the Audio/Video: Playback component. (CVE-2026-2772)
- Incorrect boundary conditions in the Web Audio component. (CVE-2026-2773)
- Integer overflow in the Audio/Video component. (CVE-2026-2774)
- Mitigation bypass in the DOM: HTML Parser component. (CVE-2026-2775)
- Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. (CVE-2026-2776)
- Privilege escalation in the Messaging System component. (CVE-2026-2777)
- Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. (CVE-2026-2778)
- Incorrect boundary conditions in the Networking: JAR component. (CVE-2026-2779)
- Privilege escalation in the Netmonitor component. (CVE-2026-2780)
- Privilege escalation in the Netmonitor component. (CVE-2026-2782)
- Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. (CVE-2026-2783)
- Mitigation bypass in the DOM: Security component. (CVE-2026-2784)
- Invalid pointer in the JavaScript Engine component. (CVE-2026-2785)
- Use-after-free in the JavaScript Engine component. (CVE-2026-2786)
- Use-after-free in the DOM: Window and Location component. (CVE-2026-2787)
- Incorrect boundary conditions in the Audio/Video: GMP component. (CVE-2026-2788)
- Use-after-free in the Graphics: ImageLib component. (CVE-2026-2789)
- Same-origin policy bypass in the Networking: JAR component. (CVE-2026-2790)
- Mitigation bypass in the Networking: Cache component. (CVE-2026-2791)
- Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. (CVE-2026-2792)
- Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. (CVE-2026-2793)
References
- https://bugs.mageia.org/show_bug.cgi?id=35166
- https://www.thunderbird.net/en-US/thunderbird/140.8.0esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2026-17/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2757
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2758
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2759
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2760
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2761
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2762
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2763
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2764
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2765
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2766
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2767
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2768
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2769
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2770
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2771
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2772
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2773
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2774
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2775
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2776
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2777
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2778
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2779
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2780
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2782
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2783
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2784
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2785
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2786
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2787
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2788
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2789
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2790
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2791
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2792
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2793
- thunderbird-140.8.0-1.mga9
- thunderbird-l10n-140.8.0-1.mga9
MGASA-2026-0052 - Updated rootcerts, nss & firefox packages fix security vulnerabilities
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-2757, CVE-2026-2758, CVE-2026-2759, CVE-2026-2760, CVE-2026-2761, CVE-2026-2762, CVE-2026-2763, CVE-2026-2764, CVE-2026-2765, CVE-2026-2766, CVE-2026-2767, CVE-2026-2768, CVE-2026-2769, CVE-2026-2770, CVE-2026-2771, CVE-2026-2772, CVE-2026-2773, CVE-2026-2774, CVE-2026-2775, CVE-2026-2776, CVE-2026-2777, CVE-2026-2778, CVE-2026-2779, CVE-2026-2780, CVE-2026-2781, CVE-2026-2782, CVE-2026-2783, CVE-2026-2784, CVE-2026-2785, CVE-2026-2786, CVE-2026-2787, CVE-2026-2788, CVE-2026-2789, CVE-2026-2790, CVE-2026-2791, CVE-2026-2792, CVE-2026-2793
Description
- Incorrect boundary conditions in the WebRTC: Audio/Video component. (CVE-2026-2757)
- Use-after-free in the JavaScript: GC component. (CVE-2026-2758)
- Incorrect boundary conditions in the Graphics: ImageLib component. (CVE-2026-2759)
- Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. (CVE-2026-2760)
- Sandbox escape in the Graphics: WebRender component. (CVE-2026-2761)
- Integer overflow in the JavaScript: Standard Library component. (CVE-2026-2762)
- Use-after-free in the JavaScript Engine component. (CVE-2026-2763)
- JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. (CVE-2026-2764)
- Use-after-free in the JavaScript Engine component. (CVE-2026-2765)
- Use-after-free in the JavaScript Engine: JIT component. (CVE-2026-2766)
- Use-after-free in the JavaScript: WebAssembly component. (CVE-2026-2767)
- Sandbox escape in the Storage: IndexedDB component. (CVE-2026-2768)
- Use-after-free in the Storage: IndexedDB component. (CVE-2026-2769)
- Use-after-free in the DOM: Bindings (WebIDL) component. (CVE-2026-2770)
- Undefined behavior in the DOM: Core & HTML component. (CVE-2026-2771)
- Use-after-free in the Audio/Video: Playback component. (CVE-2026-2772)
- Incorrect boundary conditions in the Web Audio component. (CVE-2026-2773)
- Integer overflow in the Audio/Video component. (CVE-2026-2774)
- Mitigation bypass in the DOM: HTML Parser component. (CVE-2026-2775)
- Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. (CVE-2026-2776)
- Privilege escalation in the Messaging System component. (CVE-2026-2777)
- Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. (CVE-2026-2778)
- Incorrect boundary conditions in the Networking: JAR component. (CVE-2026-2779)
- Privilege escalation in the Netmonitor component. (CVE-2026-2780)
- Integer overflow in the Libraries component in NSS. (CVE-2026-2781)
- Privilege escalation in the Netmonitor component. (CVE-2026-2782)
- Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component. (CVE-2026-2783)
- Mitigation bypass in the DOM: Security component. (CVE-2026-2784)
- Invalid pointer in the JavaScript Engine component. (CVE-2026-2785)
- Use-after-free in the JavaScript Engine component. (CVE-2026-2786)
- Use-after-free in the DOM: Window and Location component. (CVE-2026-2787)
- Incorrect boundary conditions in the Audio/Video: GMP component. (CVE-2026-2788)
- Use-after-free in the Graphics: ImageLib component. (CVE-2026-2789)
- Same-origin policy bypass in the Networking: JAR component. (CVE-2026-2790)
- Mitigation bypass in the Networking: Cache component. (CVE-2026-2791)
- Memory safety bugs fixed in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. (CVE-2026-2792)
- Memory safety bugs fixed in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. (CVE-2026-2793)
References
- https://bugs.mageia.org/show_bug.cgi?id=35165
- https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_121.html
- https://www.firefox.com/en-US/firefox/140.8.0/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2026-15/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2757
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2758
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2759
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2760
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2761
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2762
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2763
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2764
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2765
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2766
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2767
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2768
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2769
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2770
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2771
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2772
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2773
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2774
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2775
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2776
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2777
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2778
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2779
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2780
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2781
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2782
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2783
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2784
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2785
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2786
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2787
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2788
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2789
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2790
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2791
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2792
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2793
- rootcerts-20260206.00-1.mga9
- nss-3.121.0-1.mga9
- firefox-140.8.0-1.mga9
- firefox-l10n-140.8.0-1.mga9
MGASA-2026-0051 - Updated coturn packages fix security vulnerability
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-27624
Description
IPv4-mapped IPv6 (::ffff:0:0/96) bypasses denied-peer-ip ACL. (CVE-2026-27624)
References
- https://bugs.mageia.org/show_bug.cgi?id=35179
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/37LHFMZ3OPUJRL3DZ3WVCJ7FO62HMVUT/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27624
- coturn-4.6.2-1.1.mga9
MGASA-2026-0050 - Updated python-django packages fix security vulnerability
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-25674
Description
Potential incorrect permissions on newly created file system objects. (CVE-2026-25674)
References
- https://bugs.mageia.org/show_bug.cgi?id=35176
- https://www.openwall.com/lists/oss-security/2026/03/03/3
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25674
- python-django-4.1.13-1.11.mga9
MGASA-2026-0049 - Updated vim packages fix security vulnerabilities
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-28417, CVE-2026-28418, CVE-2026-28419, CVE-2026-28420, CVE-2026-28421, CVE-2026-28422
Description
- OS Command Injection in netrw affects Vim < 9.2.0073. (CVE-2026-28417)
- Heap-based Buffer Overflow in Emacs tags parsing affects Vim < 9.2.0074. (CVE-2026-28418)
- Heap-based Buffer Underflow in Emacs tags parsing affects Vim < 9.2.0075. (CVE-2026-28419)
- Heap-based Buffer Overflow and OOB Read in :terminal affects Vim < 9.2.0076. (CVE-2026-28420)
- Multiple Vulnerabilities in Swap File Recovery affect Vim < 9.2.0077. (CVE-2026-28421)
- Stack-buffer-overflow in build_stl_str_hl() affects Vim < 9.2.0078. (CVE-2026-28422)
References
- https://bugs.mageia.org/show_bug.cgi?id=35167
- https://www.openwall.com/lists/oss-security/2026/02/27/6
- https://www.openwall.com/lists/oss-security/2026/02/27/7
- https://www.openwall.com/lists/oss-security/2026/02/27/8
- https://www.openwall.com/lists/oss-security/2026/02/27/9
- https://www.openwall.com/lists/oss-security/2026/02/27/10
- https://www.openwall.com/lists/oss-security/2026/02/27/11
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28417
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28418
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28419
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28420
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28421
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-28422
- vim-9.2.106-1.mga9
MGASA-2026-0048 - Updated rsync packages fix security vulnerability
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-10158
Description
Out of bounds array access via negative index. (CVE-2025-10158)
References
- https://bugs.mageia.org/show_bug.cgi?id=35177
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QZOPBIA4TYYH7HBPKXO4XFIWVXML27HR/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10158
- rsync-3.2.7-1.3.mga9
MGAA-2026-0016 - Updated libsolv packages fix bug
Type: bugfix
Affected Mageia releases: 9
Description
The update includes a patch from Fedora which allows the production of metadata for python3-libsolv.
References
SRPMS 9/core
- libsolv-0.7.35-1.1.mga9
MGASA-2026-0047 - Updated gegl packages fix security vulnerabilities
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-2049, CVE-2026-2050
Description
- ZDI-CAN-28618: New Vulnerability Report at rgbe.c. (CVE-2026-2049)
- ZDI-CAN-28266: New Vulnerability Report at rgbe.c. (CVE-2026-2050)
References
- https://bugs.mageia.org/show_bug.cgi?id=35147
- https://lists.debian.org/debian-security-announce/2026/msg00051.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2049
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2050
- gegl-0.4.42-1.1.mga9
MGASA-2026-0046 - Updated freerdp packages fix security vulnerabilities
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-23530, CVE-2026-23531, CVE-2026-23532, CVE-2026-23533, CVE-2026-23534, CVE-2026-23948, CVE-2026-24491, CVE-2026-24675, CVE-2026-24676, CVE-2026-24677, CVE-2026-24678, CVE-2026-24679, CVE-2026-24680, CVE-2026-24681, CVE-2026-24682, CVE-2026-24683, CVE-2026-24684
Description
- FreeRDP has heap-buffer-overflow in planar_decompress_plane_rle. (CVE-2026-23530)
- FreeRDP has heap-buffer-overflow in clear_decompress. (CVE-2026-23531)
- FreeRDP has heap-buffer-overflow in gdi_SurfaceToSurface. (CVE-2026-23532)
- FreeRDP has heap-buffer-overflow in clear_decompress_residual_data. (CVE-2026-23533)
- FreeRDP has heap-buffer-overflow in clear_decompress_bands_data. (CVE-2026-23534)
- FreeRDP has a NULL Pointer Dereference in rdp_write_logon_info_v2(). (CVE-2026-23948)
- FreeRDP has a heap-use-after-free in video_timer. (CVE-2026-24491)
- FreeRDP has a heap-use-after-free in urb_select_interface. (CVE-2026-24675)
- FreeRDP has a heap-use-after-free in audio_format_compatible. (CVE-2026-24676)
- FreeRDP has a heap-buffer-overflow in ecam_encoder_compress_h264. (CVE-2026-24677)
- FreeRDP has a heap-use-after-free in cam_v4l_stream_capture_thread. (CVE-2026-24678)
- FreeRDP has a heap-buffer-overflow in urb_select_interface. (CVE-2026-24679)
- FreeRDP has a heap-use-after-free in update_pointer_new(SDL). (CVE-2026-24680)
- FreeRDP has a heap-use-after-free in urb_bulk_transfer_cb. (CVE-2026-24681)
- FreeRDP has a heap-buffer-overflow in audio_formats_free. (CVE-2026-24682)
- FreeRDP has a heap-use-after-free in ainput_send_input_event. (CVE-2026-24683)
- FreeRDP has a heap-use-after-free in play_thread. (CVE-2026-24684)
References
- https://bugs.mageia.org/show_bug.cgi?id=35038
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/3PECP75D65BGMOXX4VA6VFZW5A365UOB/
- https://www.openwall.com/lists/oss-security/2026/02/09/8
- https://www.openwall.com/lists/oss-security/2026/02/10/1
- https://ubuntu.com/security/notices/USN-8004-1
- https://ubuntu.com/security/notices/USN-8042-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23530
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23531
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23532
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23533
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23534
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23948
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24491
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24675
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24676
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24677
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24678
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24679
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24680
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24681
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24682
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24683
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24684
- freerdp-2.11.7-1.2.mga9
MGAA-2026-0015 - Updated webkit2 packages fix bug
Type: bugfix
Affected Mageia releases: 9
Description
The updated packages fix several crashes and rendering issues.
References
- https://bugs.mageia.org/show_bug.cgi?id=35144
- https://webkitgtk.org/2026/02/09/webkitgtk2.50.5-released.html
- webkit2-2.50.5-1.mga9
MGASA-2026-0045 - Updated gnutls packages fix security vulnerability
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-14831
Description
Denial of service via excessive resource consumption during certificate verification. (CVE-2025-14831)
References
- https://bugs.mageia.org/show_bug.cgi?id=35114
- https://www.openwall.com/lists/oss-security/2026/02/09/6
- https://lists.debian.org/debian-security-announce/2026/msg00049.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14831
- gnutls-3.8.4-1.4.mga9
MGASA-2026-0044 - Updated libvpx packages fix security vulnerability
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-2447
Description
Heap buffer overflow in libvpx. (CVE-2026-2447)
References
- https://bugs.mageia.org/show_bug.cgi?id=35137
- https://www.mozilla.org/en-US/security/advisories/mfsa2026-10/
- https://www.mozilla.org/en-US/security/advisories/mfsa2026-11/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2447
- libvpx-1.12.0-1.5.mga9
MGAA-2026-0014 - Updated mariadb packages fix bug
Type: bugfix
Affected Mageia releases: 9
Description
Updated mariadb packages fix crashes when not using grant tables. The latest update introduced a bug which makes mariadb crash if it was started with skip-grant-tables. For example, akonadi uses mariadb as a backend and does not use the rights management. This update fixes the issue.
References
SRPMS 9/core
- mariadb-11.4.10-1.1.mga9
MGAA-2026-0013 - Updated sddm-theme-coffee-ng packages fix bug
Type: bugfix
Affected Mageia releases: 9
Description
Minor fixes to our alternative sddm theme.
References
SRPMS 9/core
- sddm-theme-coffee-ng-2.0-1.2.mga9
CI and LLM review on Fedora Forge with Forgejo Actions
Hi folks! Over the last couple of weeks, we have migrated nearly all the quality team's repositories from Pagure (the old Fedora forge) to the new, Forgejo-based Fedora Forge. As part of this, I've figured out a process for doing CI with Forgejo Actions. I also came up with a way to do automated LLM pull request reviews, for those interested in that.
For the impatient, you can just look at / copy the two workflows in python-wikitcms, but you'll at least need to read the stuff about runners below, and set up the necessary API key secret.
Forgejo Actions works very similarly to GitHub Actions, by design. You create a .forgejo/workflows directory in your project and define workflows in it. The syntax is almost entirely compatible with GitHub Actions, but with several missing features.
Some very commonly-used shared actions, like actions/checkout, are ported to Forgejo so you can use them directly. Other shared and third-party actions can be used by giving a full URL to them - e.g. uses: https://github.com/actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0 - but whether a given action will work or not depends on whether it's written to assume it's running on public GitHub, and whether Forgejo has all the features it needs.
Probably the most noticeable difference with using GitHub Actions is runner availability and environment. If you have a public GitHub project you can define workflows with something like runs-on: ubuntu-latest; behind the scenes, GitHub maintains a farm of runners with various labels, of which ubuntu-latest is one, and your jobs will run on any available runner with that label. The available environments for public GitHub repos are a handful of Ubuntu, Windows and macOS versions.
The staging instance of Fedora Forge has a few universal runners you can use like this. Currently each has only one, unique, label, so you can't specify workflows with a label like fedora and have them run on any available runner; you have to just pick one of the labels, and your jobs will always run on that runner. Maybe this will get changed at some point. But the runners are available to all repos in the staging instance, so you can just define a workflow and get it run.
Currently the production instance has no universal runners like this; runners are limited to specific organizations. The releng and infra organizations have runners, and now that I've requested one, the quality organization has one too. If you want to run workflows for projects in a different organization, the first thing you'll need to do is file a ticket to request runner(s) for that organization. If you have admin access to an organization, you can see whether it has runners, and what labels they have, by visiting https://forge.fedoraproject.org/org/<organization>/settings/actions/runners.
Once your org has at least one runner, you can define workflows and they'll run, as long as you set the runs-on value to a label that at least one of the runners has.
However, you might be surprised by the default environment: it's currently Debian Bookworm. Until that gets fixed, you may be interested in the container directive for workflows, which lets you define any arbitrary container image to be used:
```yaml
container:
  image: quay.io/fedora/fedora:latest
```

There is one little gotcha with this, though. Many GitHub actions, including checkout, are written in Node, but Fedora's stock container images don't have Node installed. So you have to install it before running checkout or anything else that uses Node.
Put it all together, and here's the workflow I've defined for doing CI on Python projects with Tox:
```yaml
name: CI via Tox
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  tox:
    runs-on: fedora
    container:
      image: quay.io/fedora/fedora:latest
    steps:
      - name: Install required packages
        run: dnf -y install nodejs tox git
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          fetch-depth: 0
      - name: Install Python interpreters
        run: for py in 3.6 3.9 3.10 3.11 3.12 3.13; do dnf -y install python$py; done
      - name: Test with tox
        run: tox
```

That runs whenever a pull request is opened or pushed (the on section). It expects a runner with the fedora label (the runs-on setting). It uses the fedora:latest container image from quay.io (the container setting). From that image, we install packages we're going to need - including nodejs (the first step). Then we run actions/checkout to check out the PR (the second step, the uses one). Then we install all the Python interpreters we need, and run tox (the final two steps). Of course, if your project isn't Python or doesn't use Tox, you'll have to tweak this a bit, but hopefully you get the general idea.
If you're security-minded, you might notice there's no permissions setting in this workflow. That's because Forgejo currently does not support fine-grained permissions in the automatically-generated workflow tokens. In Forgejo, the automatically-generated token always has full read/write privileges unless it's operating on a pull request from a fork, in which case it has only read permissions. Nothing finer-grained is possible at present. If you need something finer-grained, you have to generate a token manually, save it as a repository secret, and adjust your workflow (somehow) to use that and hide the automatically-generated token as far as is practically possible (that's outside the scope of this post).
So that's CI! What about LLM pull request review? Well, if you dislike or are not interested in that, stop reading now. If you are interested, here's a recipe:
```yaml
name: AI Code Review
on:
  pull_request_target:
    types: [labeled]
jobs:
  ai-review:
    if: forgejo.event.label.name == 'ai-review-please'
    runs-on: fedora
    container:
      image: registry.gitlab.com/redhat/edge/ci-cd/ai-code-review:v2.5.0
    steps:
      - name: Run AI Review
        env:
          AI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
        run: ai-code-review --platform forgejo --pr-number ${{ forgejo.event.pull_request.number }} --post
  # this has to be a separate job because ai-code-review container does not have nodejs in it
  # also note this does not work for PRs from forks because of a forgejo bug
  # https://codeberg.org/forgejo/forgejo/issues/10733
  remove-label:
    runs-on: fedora
    steps:
      - uses: https://github.com/actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0
        with:
          labels: ai-review-please
```

That will cause the ai-code-review tool to review the pull request and post its analysis as a comment.
If you trust me and the Fedora Quality organization, you can also just use this:
```yaml
name: AI Code Review
on:
  pull_request_target:
    types: [labeled]
jobs:
  ai-review:
    runs-on: fedora
    if: forgejo.event.label.name == 'ai-review-please'
    uses: quality/workflows/.forgejo/workflows/ai-review.yml@main
    with:
      pr: ${{ forgejo.event.pull_request.number }}
    secrets:
      GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
```

That uses a reusable workflow that does the same thing. We will update that workflow periodically to bump the version of ai-code-review that is used.
Just a couple of things to note here. I decided to have the LLM review happen only when a pull request is given a special label. LLM reviews are relatively expensive, and also quite verbose; you don't necessarily want one cluttering up the ticket any time a pull request is created or edited, and you may not want to make it possible for someone to charge some LLM usage to your account as often as they like just by creating or editing a pull request.
So, to use this recipe you have to create a label called ai-review-please in your repository. You can do this by going to "Issues", then clicking "Labels", then "New label". Give it whatever color and description you like. Any time you add that label to a PR, the review process will be triggered. Before adding the label to a PR you should probably make sure the PR is well-intentioned and not attempting any kind of prompt injection to get ai-code-review to disclose a secret or mess with the repository.
The other thing is you need an AI provider API key. In this recipe we have a Gemini API key saved as a repository secret called GEMINI_API_KEY. To create repository secrets, go to repository "Settings", then "Actions", then "Secrets", and click "Add secret". In the workflow, we make the repository secret called GEMINI_API_KEY (secrets.GEMINI_API_KEY) available in the container as the environment variable AI_API_KEY; ai-code-review reads it in from there. Gemini is the default LLM provider for ai-code-review. You can also use OpenAI or Anthropic by adding an --ai-provider argument to the ai-code-review call in the workflow (obviously, then, the secret you export as AI_API_KEY must be a valid key for that provider). I'm hoping that in the not-too-distant future, we'll have an LLM model provider in Fedora infra, running open source models, that we can use for this purpose; for now, unfortunately, we have to use the hyperscaler ones.
Finally, as noted in the comment, the workflow is intended to remove the ai-review-please label when it runs (so you don't have to remove it manually, then add it again, if you want another review later), but this does not currently work for pull requests from forks due to a Forgejo bug (because we're using pull_request_target the workflow token should have write permissions even for a fork PR, but it doesn't). If you use it on a fork PR, you'll have to remove the label manually once the workflow has triggered.
You can, of course, change the on block to be the same as the CI recipe if you want to have LLM review run automatically whenever a PR is created or edited - but do make sure whoever's paying the bills for the API key is OK with that, and monitor the repo to make sure nobody starts creating hundreds of PRs to try and blow your budget...and hope/pray nobody manages a successful prompt injection attack. On the whole I'd stick with the label (only repository admins can label PRs, so a non-admin attacker can't apply the label themselves to trigger the review).
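As an added check that is not part of the post or of ai-code-review, the scanner below audits a workflow file for the points raised above: action references not pinned to a commit SHA (the post pins checkout and action-remove-labels to a SHA but the reusable workflow to @main), and pull_request_target workflows that are not gated on a label or that check out the pull request head. It is line-oriented on purpose (block-style YAML assumed, no YAML library); the two sample workflows are constructed from the recipes in the post, with the ungated variant being the configuration to avoid.

```python
"""Audit a Forgejo/GitHub Actions workflow for: `uses:` references that are
not pinned to a commit SHA, and pull_request_target workflows that are not
label-gated or that check out the PR head.  Line-oriented by design (no YAML
library, block-style YAML assumed), which covers workflows like the post's."""
from __future__ import annotations

import re
from dataclasses import dataclass

# `uses:` as a step ("- uses: owner/repo@ref") or as a job-level reference to
# a reusable workflow ("uses: org/repo/.forgejo/workflows/x.yml@ref").
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
# A checkout whose ref is the PR head: inside a pull_request_target workflow
# that runs untrusted code with the write-capable workflow token.
HEAD_REF_RE = re.compile(r"^\s*ref:\s*.*pull_request\.head\b")
# The label gate used in the post: if: forgejo.event.label.name == '...'
LABEL_GATE_RE = re.compile(r"^\s*if:\s*.*\.event\.label\.name\s*==")


@dataclass
class Finding:
    line: int      # 1-based; 0 for findings about the file as a whole
    rule: str
    detail: str


def _is_comment(line: str) -> bool:
    return line.lstrip().startswith("#")


def audit_workflow(text: str) -> list[Finding]:
    """Return findings for one workflow file, in line order, whole-file last."""
    lines = text.splitlines()
    code = [ln for ln in lines if not _is_comment(ln)]
    uses_target = any("pull_request_target" in ln for ln in code)
    findings: list[Finding] = []
    for n, line in enumerate(lines, 1):
        if _is_comment(line):
            continue
        m = USES_RE.match(line)
        if m:
            target, _, ref = m.group(1).partition("@")
            if not ref:
                findings.append(Finding(n, "unpinned-action", f"{target} has no @ref"))
            elif not SHA40_RE.match(ref):
                findings.append(Finding(n, "mutable-ref",
                                        f"{target}@{ref} is a branch or tag, not a commit SHA"))
        if uses_target and HEAD_REF_RE.match(line):
            findings.append(Finding(n, "pr-head-checkout",
                                    "pull_request_target workflow checks out the PR head"))
    if uses_target and not any(LABEL_GATE_RE.match(ln) for ln in code):
        findings.append(Finding(0, "ungated-target",
                                "pull_request_target job runs without a label gate"))
    return findings


# Constructed sample: the label-gated reusable-workflow recipe from the post.
GATED_RECIPE = """\
name: AI Code Review
on:
  pull_request_target:
    types: [labeled]
jobs:
  ai-review:
    runs-on: fedora
    if: forgejo.event.label.name == 'ai-review-please'
    uses: quality/workflows/.forgejo/workflows/ai-review.yml@main
    with:
      pr: ${{ forgejo.event.pull_request.number }}
    secrets:
      GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
"""

# Constructed sample: same trigger with no label gate plus a checkout of the
# PR head, i.e. the automatic-review setup the post advises against.
UNGATED_VARIANT = """\
name: AI Code Review
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  ai-review:
    runs-on: fedora
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
        with:
          ref: ${{ forgejo.event.pull_request.head.sha }}
      - run: ai-code-review --platform forgejo --pr-number ${{ forgejo.event.pull_request.number }} --post
"""

if __name__ == "__main__":
    for name, text in (("gated recipe", GATED_RECIPE), ("ungated variant", UNGATED_VARIANT)):
        print(f"== {name}")
        for f in audit_workflow(text) or [Finding(0, "ok", "no findings")]:
            print(f"  line {f.line}: {f.rule}: {f.detail}")
```

The @main finding on the gated recipe is the trust decision the post makes explicit ("if you trust me and the Fedora Quality organization"); the scanner only makes it visible.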
A half-assed assessment of open source AI code review tools
Hi there, blog readers! For the last week or so I've been poking into AI code review tools. Yes, this is partly because of the Red Hat "you must do AI things!" policy. But also, to be honest, because they seem to be...actually good now. I set up AI reviews for pull requests to our openQA test repo as an experiment. But especially over the last couple of months, they've got to the point where well over half of the review notes are actually useful, and the writing style isn't so awful I want to stab myself in the eyeballs. So I'd quite like to keep doing them, but in a more open source-y way. So far I've simply been cloning the pull requests to a GitHub mirror of the repo that exists solely to get AI reviews done. That repo has Gemini Code Assist enabled so the PRs are reviewed by Gemini automatically, e.g. here. It's very simple, but entirely closed source, there's no control over it, and Google could take it away at any time.
We're in the middle of migrating Fedora projects from Pagure to our new Forgejo instance, so I decided to try and get some sort of AI review system integrated with Forgejo. And I kinda succeeded! I wrote a Forgejo integration for ai-code-review, a tool I found that was written by another Red Hatter, and managed to set up a proof-of-concept Forgejo Actions workflow using it on a repo I own that's hosted at Codeberg (since Codeberg has public Forgejo Actions runners available; we don't have Actions entirely set up in the Fedora instance yet). Right now it's using Gemini as the model provider just because that was the easiest thing to set up for a PoC, but ai-code-review's design makes the LLM provider easily pluggable, so it's trivial to swap it out. Long term I hope we'll get a Fedora LLM provider set up, serving open source models, and we can make it use that. There's an Ollama backend, and adding an OpenAI API backend should be pretty easy.
Before going any further with that, though, I decided to look around and see if there are other tools out there, and if so, which might be the best one. I poked around a bit and found a few, and wrote up a very half-assed comparative assessment. I figured this might interest others, so I've prettied it up a tiny bit and put it below. I make no claims that this is comprehensive, accurate or fair, please send all complaints to the happyassassin.net HR department! The takeaway is that I'll probably keep working on the ai-code-review approach and also experiment with forking Qodo's archived open-source pr-agent project and see if I can add Forgejo support to it, to compare it against ai-code-review.
If anyone knows of any I missed, please let me know! I briefly looked at RhodeCode but discounted it because it's a whole-ass forge, not just a review tool. ReviewBoard doesn't seem to have any LLM integration as best as I could tell.
The Contenders
ai-code-review
- Repo: https://gitlab.com/redhat/edge/ci-cd/ai-code-review
- Author: Juanje Ojeda (Red Hat)
- Language: Python (typed)
- Architecture: Modular
- Tests: Yes, LLM-generated, fairly comprehensive unit tests, very limited integration tests
- Begun: August 2025
- Status: Active
- Forges: GitLab, GitHub, local changes (Forgejo support submitted)
- Model providers: Gemini, Anthropic, Ollama
- Output: Console or PR/MR comment
- Deployment: Local execution, GitLab CI, GitHub Actions (one-shot deployment via container image in CI job)
- Prompts: Here
ai-codereview
- Repo: Red Hat internal
- Author: Tuvya Korol (Red Hat)
- Language: Python (untyped)
- Architecture: Monolithic
- Tests: No
- Begun: June 2025
- Status: Active
- Forges: GitLab, local changes
- Model providers: RH-internal Claude, Gemini, Granite
- Output: Console or MR comment
- Deployment: Local execution, GitLab CI (ad hoc deployment via curl/pip in CI job)
- Prompts: Red Hat internal
kodus-ai
- Repo: https://github.com/kodustech/kodus-ai
- Author: Kodus
- Language: Typescript
- Architecture: Modular
- Tests: Yes, handwritten, unit and integration, not sure of coverage
- Begun: April 2025
- Status: Active
- Forges: GitHub, GitLab, BitBucket
- Model providers: OpenAI, Gemini, Anthropic, Novita, OpenRouter, any OpenAI-compatible
- Output: MR/PR comment and/or review (seems to depend on configuration)
- Deployment: Local via yarn (indicated as for development only), as containerized webapp (for prod) with own installer - looks complex
- Prompts: Here
pr-agent
- Repo: https://github.com/qodo-ai/pr-agent
- Author: Qodo (formerly Codium)
- Language: Python (untyped)
- Architecture: Modular
- Tests: Yes, handwritten, unit and integration, somewhat primitive, many commented out, 24% coverage (per codecov)
- Begun: July 2023
- Status: Archived (Nov 2025)
- Forges: GitHub, GitLab, Gitea, Gerrit, BitBucket, AWS CodeCommit, Azure DevOps, local changes
- Model providers: Any OpenAI-compatible (looks like some special handling for Azure), LiteLLM
- Output: MR/PR comment and/or review, has interactive features
- Deployment: Local execution or Forge CI. There's a custom GitHub action but it may be abandoned. Installable via pip, should be trivial to containerize for simple one-shot CI job deployment
- Prompts: Here
ai-pr-reviewer
- Repo: https://github.com/coderabbitai/ai-pr-reviewer
- Author: CodeRabbit
- Language: Typescript
- Architecture: Modular
- Tests: Barely any
- Begun: Feb 2023
- Status: Archived (Nov 2023)
- Forges: GitHub
- Model providers: OpenAI
- Output: PR review/comment
- Deployment: GitHub Action (no longer maintained). No generic or local deployment documented
- Prompts: Here
ai-code-review (Juanje) and pr-agent (Qodo/Codium) seem the best options.
Of the RH-developed, greenfield projects, ai-code-review is more featureful and better architected than ai-codereview, and not tied to an RH-internal model provider.
Of the existing public projects, ai-pr-reviewer (CodeRabbit) was very tied to GitHub, has no documented standalone deployment ability, and was archived fairly early in development. Plus it's in TypeScript. Kodus is actively developed, but similarly is in TypeScript, deployment looks complex, and from what I've seen I don't love its review style. Hard to say why, but the project overall gives me a sloppy vibe. pr-agent (Qodo) had the longest development history and seems the most mature and capable at the point where it was abandoned (well, they actually seem to have done a heel turn and gone closed source / SaaS). It has a documented standalone deployment process which looks relatively simple and suitable for integration into generic CI workflows.