SourceHut Battles DDoS Attacks and Spam Waves While Pushing GraphQL Infrastructure
Table of Contents
Infrastructure Under Pressure
SourceHut, the minimalist, open-source alternative to monolithic code hosting platforms, spent much of the second quarter of 2026 in a defensive crouch. In a candid quarterly update, the team revealed they have been weathering a series of coordinated DDoS attacks designed to exhaust network resources. While the team remained cautious about disclosing the full technical specifics of the incursions, they confirmed that the spikes in traffic were targeted specifically at SourceHut services rather than general network noise.
The attacks, however, provided an accidental diagnostic benefit. By stressing the system to its limits, the team identified critical bottlenecks where internal inter-service requests were being routed over public, saturated interfaces. SourceHut has since rerouted this internal traffic, ensuring that legitimate requests can still reach the servers even during periods of high external volatility.
Alongside the network attacks, the platform faced a surge in automated spam. The team reported a campaign that generated over 300 fake accounts in a single month, primarily used for ‘link farming’—profiles created solely to host advertisements in their bios. Because many of these accounts utilized Gmail, traditional domain-blocking was ineffective. In response, SourceHut implemented a keyword-based abuse detection system that automatically suspends accounts based on specific markers commonly found in spam profiles.
Expanding the API Surface
Despite the security headwinds, SourceHut is making a concerted push toward a more programmable infrastructure. A significant portion of recent development has focused on the project hub’s GraphQL APIs. Led by contributor Simon Martin, the platform now features a writable GraphQL API, allowing developers to manage projects and resources programmatically rather than relying solely on the web UI.
The roadmap for the coming quarter involves further standardizing these designs, specifically moving toward the ‘connections specification’ for resource enumeration. This shift is intended to make the API more uniform and predictable for third-party integrations. These backend improvements are expected to unlock long-awaited user-facing features, including the ability to link individual resource pages—such as specific git repositories—directly back to their parent projects on the project hub.
Developer Tooling and Technical Debt
On the functional side, SourceHut has introduced a highly requested feature for git.sr.ht: deploy keys. Users can now add SSH keys within the Access tab of their repository settings. Unlike standard user keys, deploy keys are scoped to a single repository and can be configured as read-only or read-write, making them ideal for CI/CD pipelines and automation scripts that require isolated access.
This rollout was accompanied by a necessary cleanup of the meta.sr.ht SSH handling. In a move to align with modern security standards, the platform has officially transitioned from legacy MD5 fingerprints to SHA256 fingerprints across the board.
The team is also looking to optimize the performance of builds.sr.ht. A first patch has been floated to replace the current Python-based shell with an implementation written in Go. While still in the RFC (Request for Comments) phase, the move signals a broader effort to reduce the platform’s Python footprint in high-performance areas of the stack.
Financial and Regulatory Shifts
Behind the scenes, SourceHut is navigating the administrative complexities of operating as a lean, open-source entity. The team is currently finalizing a migration of its billing system to the European Union, which will eventually move all customers into an EU-based billing framework. Additionally, the organization has spent the quarter preparing a joint grant proposal with other open-source forges to secure funding from the EU, the results of which are expected in the next quarterly cycle.
The updates were rounded out by community contributions, including PGP key improvements from CismonX and ongoing maintenance of build images, including the update of FreeBSD to version 14.4 and the decommissioning of the EOL 13.x branch.
