It does solve that problem, but then creates a huge spam problem. Over at gitlab.xfce.org we are constantly fighting new spam accounts that get created daily. We've done all the recommended/paranoid things, like not allowing new accounts to fork or create repos until we manually give them permission (among other things), and we have a script that runs hourly to shut down suspicious accounts. But it's still nuts.

If anyone with an account on any other gitlab instance could automatically do things on our gitlab instance, it would be a nightmare. We'd probably disable federation if gitlab offered it.

> If anyone with an account on any other gitlab instance could automatically do things on our gitlab instance

I think the idea is the exact opposite, no? People wouldn't be able to do anything on your forge. They would only initiate actions on their own server and then send you notifications of PR requests to the ActivityPub inbox of your repository, and spammers would have no incentive to do this because nothing would end up in public view.

The only way to do it is disable registration and have people contact you to allow registration.

We do this in Arch Linux. It requires someone handling the registrations which isn't great either.

Seems like something LLMs should be good at. Take the new user info and ask it to vet the account or raise it to a human.

Umm, why does a spammer bother with getting a Gitlab account in the first place?

Because it's $0 access to eyeballs.

I do hope that Forgejo Federation is implemented, but it seems to me progress has stalled on it?