Not great that on the homepage you're greeted with "IMPORTANT SECURITY NOTICE" with a massive security vulnerability in previous versions. Obv. that stuff happens but not a good start.
Kallithea is a fork of an existing codebase (RhodeCode) ... so this is not exactly a "start", although to be fair I'm not sure if the issue on the homepage existed before the fork or was introduced afterwards. At least one other security issue was discovered and fixed that existed (exists?) in RhodeCode as well: https://kallithea-scm.org/security/cve-2015-0260.html
At least they are quite upfront about the issues, and IMHO I'd rather see this kind of thing in a 0.1 version than a 1.0
Especially since the real security is that you can apparently change your email address without a validation email being sent. All they did was add CSRF protection but this still is very bad practice.