So private didn't mean you had to know the secret handshake. Forgejo did a hard fork[1] in 2024, and this bug is four years old, so it is probably also affected.
Can we link to something less self-congratulatory? This is an ad for noscope and not a security report.
Also, authors of related code contest this [0]:
> When packages are uploaded to Forgejo, they are uploaded to a user or organization that owns the packages. Their visibility to other users is directly tied to the visibility of their owner -- a public owner infers a public package, and a private owner infers a private package. When a package is private because of the privacy of the owner, we know of no vulnerabilities that allow access to the package contents.
> This tying together of owner visibility and package visibility isn't as flexible as some Forgejo users would like it to be. And, it can be surprising to users as they can get the impression that package visibility should follow repository visibility when packages are linked to repositories. However, these are desired functional enhancements, not security vulnerabilities.
Yo, this is crazy. I am on GitHub today but always open to hearing other options. This probably delays that consideration for me by a few more weeks at least.
[1]: https://forgejo.org/2024-02-forking-forward/