GForge How-To: Navigating GForge

Hello and welcome to the first article in a new series called “GForge How-Tos”, where we share short, compact tips on getting the most out of GForge. Whether you are using GForge in our Cloud or on-premises, we are confident you will find new ideas here.

This week we want to cover how you get around in GForge using either the Mega-menu or by using the Project menu.


The GForge Mega-menu is the primary way to navigate everything GForge has to offer. The mega-menu is context-sensitive, which means you will only see the projects and features you have access to. The mega-menu also gives project and site administrators access to their specialized administrative features.

The mega-menu

For the impatient, here’s a quick video we did on navigating your projects in GForge.

Project Menu

Once inside a project, you will have access to the GForge Project Menu which is a subset of the mega-menu that allows you to quickly access different features within the current project. Don’t worry, the mega-menu is always there in case you need to navigate away from the current project.

Now, whether you are using the mega-menu or the project menu, there are some icons you should become familiar with since doing so means you will be able to quickly switch between the features within your project:

This icon is for your Project Homepage. Choose this option to view your project homepage which, by default, includes the name, description and team of your project along with some additional summary information.
This icon links you to your source code. If you’re not in Git, it will say CVS or SVN, depending on your specific version control system. This page provides information about accessing your repository, integrating into your commits, and general info about your repository.
The Standup allows you to browse team members and see exactly what they’re up to, according to their To-Do list. Each person can drag-and-drop between what they want to do and what they’re doing, and everyone else can view this. Finally, you can see what each person has committed and changed lately. 
Sprints are a very useful tool for your team to create and follow through on their plans. Each team member commits to complete certain tickets within a set time, and GForge keeps track of it all.
Releases is where you can manage and publish all of your project’s releases. There is a list of all releases and you can see basic information about each release and package.
Your project’s Builds page allows you to keep track of your CI/CD pipeline in Jenkins.
The Wiki is great for publishing anything you want your customers or team members to know. All wiki pages are fully versioned and can be locked or monitored by users.
In Docs, you can view a list of documents for each folder in the project. You can also open and download any unlocked document in the project, create new folders within the project, upload new files (as independent files, whole folders or even ZIP files), download whole folders, and monitor the project documents. 
On your Discussions page, you can participate in all the forums and chat rooms attached to your project.
This is a Tracker page. Of course, you may have multiple trackers; they will all have this icon in the Project Menu. You can hover over the icon to see the name of each tracker. The tracker page is the central location of all tickets in a tracker. You can view, add, and delete tickets within the tracker, as well as edit tickets you have access to.
Assuming you have proper access, the Tracker Admin page allows you to quickly administer trackers. This is where you can add, delete or change existing trackers, including defining custom fields and workflows.
My Reports gives you the ability to see all your projects from a distance. Here you can create and share reports about the tickets in the projects you have access to.
This symbol is for the Teams page, which is available for project admins. There, you can view and filter a list of all team members, manage requests to join the project, and invite new team members to your project.
This is the Project Admin page, where you can administer all aspects of your project.

As you can see, we’ve given you a couple of ways to quickly access all the great features GForge has to offer. If you have questions or feedback on how we can improve navigation, drop us a note. Also, stay tuned, because next week our second How-To installment will take a deeper dive into the features available within the mega-menu.

Securing GForge on Apache httpd Server

It’s a series of tubes, you know.

Secure connections are integral to keeping your important information safe, on the Internet or your private company network. For years it’s been fairly simple — turn on SSL, buy a certificate and let the browsers ensure that your data stays private. Unfortunately, it’s no longer that simple.

Over the last 15 years, computing power, virtual servers and good, old-fashioned software bugs have all conspired to make much of the encryption plumbing from that period obsolete. In fact, it’s very likely that if you’re running Apache httpd and mod_ssl, you’re allowing protocols and ciphers that expose your server (and your data) to needless risk of compromise.

Note: If you’re a customer, and GForge Group manages your server, these security updates are already in place. Get in touch if you have any other questions.

Check Yourself

It’s actually pretty easy to test your system, and it can be done in production, without affecting your current users.

For servers that are on the Internet, you can use an online scanner. Here’s SSLLabs, from Qualys:

Enter your site’s URL and click Submit. After a minute or two, you’ll get output like this:

SSLLabs Scan Results (yikes!)

In the report details, you will find explanations of anything marked as a problem from your server, including how to close security holes that were found.

If your server isn’t on the Internet (i.e., on your internal network), then you’ll need to download and run scanning tools yourself. Here are some popular ones:

  • TLS Observatory — An open-source scanner from Mozilla, written in Go. You’ll need the Go runtime to run this on your server or desktop, or you can use the Docker image. Performs scanning for both the SSL/TLS version and cipher suite(s) in use.
  • Cipherscan — Another tool from Mozilla, written in Python.

Get With The Times

After running your scans, you’ll need to decide what changes (if any) to make to your SSL configuration. It’s important to understand that choosing the most up-to-date settings will leave out some older clients. Fortunately, Mozilla also has a great online tool to help you balance security with compatibility.

Give this tool your current version of Apache httpd and OpenSSL, and you’ll get various choices for maximum security versus maximum compatibility.

Our Recommended Configuration

In the end, we went with the Modern configuration, but added the AES256-SHA256 cipher back to the list. This allows only TLS 1.2 (the most secure), but adding that one cipher back keeps compatibility with older non-browser clients like curl, so that existing SVN and git over HTTPS are not broken.

Here’s the configuration snippet we recommend for GForge servers:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/signed_certificate_followed_by_intermediate_certs
    SSLCertificateKeyFile /path/to/private/key
    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile /path/to/ca_certs_for_client_authentication

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

# modern configuration, tweak to your needs
# (kept outside <VirtualHost>: SSLStaplingCache is only valid in the global server config)
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# SSLCipherSuite belongs here: the generator's Modern cipher list with AES256-SHA256 added back, as described above
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
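To check a deployed configuration against the settings recommended above before running a scanner, here is a small linter, added as an example and not part of the original post or of GForge. It evaluates `SSLProtocol` the way mod_ssl does (tokens applied left to right) and flags the directives the post relies on; the function names, the `PAGE_CONF` sample and the expansion of `all` are assumptions of this example.

```python
import re

# Assumption: what "all" expands to on an OpenSSL 1.0.1+ build; add "tlsv1.3" where supported.
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
LEGACY = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}
REQUIRED = {"sslhonorcipherorder": "on", "sslcompression": "off", "sslsessiontickets": "off"}
# Constructed sample: directives from the post's snippet, which shows no SSLCipherSuite line.
PAGE_CONF = '''Header always set Strict-Transport-Security "max-age=15768000"
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off'''

def directives(conf):
    """Map lower-cased directive name -> list of argument strings (contexts not modelled)."""
    seen = {}
    for line in map(str.strip, conf.splitlines()):
        if line and line[0] not in "#<":
            name, _, args = line.partition(" ")
            seen.setdefault(name.lower(), []).append(args.strip())
    return seen

def enabled_protocols(args):
    """Evaluate SSLProtocol tokens left to right: '+' adds, '-' removes, bare replaces."""
    enabled = set()
    for tok in args.lower().split():
        sign, word = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = ALL if word == "all" else {word}
        enabled = enabled - names if sign == "-" else enabled | names if sign == "+" else set(names)
    return enabled

def audit(conf):
    """Return findings for one flat httpd TLS configuration; an empty list means clean."""
    seen, findings = directives(conf), []
    legacy = enabled_protocols(" ".join(seen.get("sslprotocol", []))) & LEGACY
    if "sslprotocol" not in seen:
        findings.append("SSLProtocol not set")
    elif legacy:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    for name, want in REQUIRED.items():
        if seen.get(name, [""])[-1].lower() != want:
            findings.append(f"{name} should be {want}")
    if "sslciphersuite" not in seen:
        findings.append("SSLCipherSuite not set")
    hsts = re.search(r'Strict-Transport-Security "max-age=(\d+)', " ".join(seen.get("header", [])))
    if not hsts or int(hsts.group(1)) < 15768000:
        findings.append("HSTS missing or max-age below 15768000")
    return findings
```

Run `audit()` on the text of your own SSL configuration file; for `PAGE_CONF` the only finding is the absent cipher list.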

Real-World Scenarios, Episode 1: Changecause

The folks at Changecause were good enough to publish a blog post about their efforts to make bug reporting easier for people outside their team.  It was a clever solution for gathering issues from end-users, but there are also a few trade-offs at work.  GForge satisfies the same requirements in a much more elegant (and supportable) way.

Third-Party Integration, Squared

The first anti-pattern is integrating two third-party tools to each other.  Yes, it’s neat, and it’s fun, and I’ve done it, too.  Heck, github has dozens of third-party integrations – so cool.  But what happens when one endpoint changes its behavior, its API signature, or just goes away?  Who do you get help from?

Hey kid, where’s the trouble?

It’s trivially easy to get caught by a problem like this.  In fact, I’d say it’s inevitable.  And it’s outside your control.  At my last job, this happened to us three times in about six months, with some A-list players.

You may be paying (probably too much!) for your task-management tool, in which case at least you will have a defined service level – that is, someone you’re paying to help you out when things don’t work.  But most small and medium-size software shops rely primarily on free tools, which usually means you’re on your own.  Even if you have an SLA with both (or all) involved vendors, it is extremely likely that they won’t agree on the source of the problem, or its solution.

The Core Competency Question

One of the reasons that these ad-hoc integrations happen in the first place is that it’s software, which is probably your personal core competency anyway.  You spend an hour building something, and it works.  You get a good amount of value out of a minimal amount of your time, and you exercise some control over your otherwise frantic and unpredictable startup experience.

Except that this integration is not your company’s core competency.  Neither is bug tracking, or version control, or DBMS, or any of the other foundational tools that you use to build, e.g., Changecause.  So that hour you spent may have saved some other hours of distraction, handling complaint emails, but it didn’t add a new feature to your actual product.  And, over the next couple of weeks you’ll spend another eight hours tinkering with the integration to add a field, to handle an API change, or to update the API key again.  At that point, you may still be breaking even but it’s clearly not a big win.

Edit: While waiting for my other GForgers to give me their feedback, I happened across this pretty relevant blog post.  I’ve bookmarked it for yet another blog post in the future.

Okay, Smarty Pants

…how would you do it with GForge, then?  I thought you’d never ask.

I would build that same bug submission form in your website, instead of embedding the Google Doc form.  Gather and validate the data using your existing web app framework, like you’re doing for the rest of your app (instead of a different technology, with a different set of quirks and bugs).  Then I’d pack it all up on your back-end server, and send an email to your GForge project.

GForge has really good integration with email.  You can create a bug/ticket/suggestion or whatever you want via email, by sending to the right email address.  By default, it’s [projectname]-[trackername]@[gforgehost], e.g.,  You can even customize the email address, e.g., which is what we do for customer support.  Customers can just send us an email to start a support request, and the GForge Support Tracker captures the entire conversation, including attachments (like screen shots, logs, etc.).

It’s still a minor diversion from your core competency.  But at least it’s a direct connection between your own technology (which you’re responsible for, anyway) and GForge, which we support every day, for some of the biggest companies in the world.  If you want to tweak the form, ask another question (or allow a screen shot), go for it – GForge will still capture everything you send in the e-mail, just the way you sent it.

If you’d like to try it out for yourself, start a free project at, or visit to download the installer and run it on your own server.  If you’re trying it out and have questions or comments, let us know!



PS – I also enjoyed another blog posting by Changecause, this one about their internal planning/task workflow.  It’s somewhat similar to where we’re going internally, and has inspired me to build a GForge template.  I’ll post an update about it sometime soon.

GForge AS Makes File Uploads Easy…

We’ve been hard at work improving much of GForge Advanced Server, and some changes reach deep into our product.  One great example of this is the new way you can upload files to your GForge instance.  File uploads have always been possible in our Docman, File Release System (FRS), Wiki and Tracker.  When we gave Docman a much-needed user interface overhaul, we included drag-n-drop support, allowing you to upload files to your GForge projects by simply dragging a file from Windows Explorer, Mac OSX Finder, etc. to the browser.  When we implemented this change, we made the file upload control a reusable widget that has been integrated everywhere we allow file uploads.

The video below shows just how easy this is now:

GForge Live Discussion (aka Chat)

One of the big new features in 6.2.1 was the Live view on our Discussions plugin.  It’s basically a chat room, about a project, a document, or just about any other object on your GForge site.  All of the conversations are automatically saved as Discussion Threads for later viewing, and are searchable along with everything else in your project.  They’re also access-controlled, so you can allow the right people in on your sensitive discussions.

The best part?  No installs, no widgets, no special ports to open or configure.  It’s all regular web traffic in a regular browser window.

We use Chat all day long at GForge – it’s a huge productivity tool for folks that can’t (or don’t want to) yell over a cube wall.

If you’re not already using Chat, you should definitely check it out.  Here are three short videos by our own Olivia, detailing three great features that make our Chat one of a kind.


Project Activity Feed

From any Chat tab, each user can choose to see project-related activity as it happens.  This is great for keeping up with what’s going on, without having to ask anyone what they’re doing.


Auto-Link, Auto-Preview

When you post through the Chat window (or via email, or directly in the Discussions web page), GForge automatically picks up on what you’ve entered.  We’ll pre-render graphics, embed the YouTube player, show a nice preview block for other URLs, and even provide links to other GForge objects that you mention by ID.  And when you mention something in GForge, we’ll also add a note to that item, tying back to the Discussion where it was discussed.


Emoticons, Sounds, Images

Aside from the very real productivity and team benefits, it’s also fun to make a little noise once in a while.  GForge has a huge set of emoticons that you can click on or type in to let others know what you think.  There’s also a sounds button, with an expandable set of sound clips you can play for everyone.

GForge in One Minute

So, Intern Olivia Treu recently headed back to school…but she left behind a whole raft of how-to screencasts about GForge features.  So many, in fact, that we had her create a YouTube channel to keep them all organized.

Since we’re rapidly wrapping up the 6.3 release, I’m going to highlight a new screencast or two every week for the next few weeks, starting with the original GForge In One Minute: