
Re: Announcing GNU ethical criteria for code repositories



The FSF write:
> Today, the FSF and GNU project announced the first version of
> criteria for evaluating services that host free software source
> code repositories for distribution and collaborative
> development. Developed with the leadership of Richard Stallman
> and GNU volunteers, the criteria provide a framework for code
> repositories to ensure that they respect their users in a manner
> consonant with the values of the free software movement, and for
> users to hold these crucial institutions accountable.
> 
> The criteria emphasize protection of privacy (including
> accessibility through the [Tor
> network](https://www.torproject.org)), functionality without
> [nonfree JavaScript](https://www.fsf.org/campaigns/freejs),
> compatibility with copyleft licensing and philosophy, and equal
> treatment of all users' traffic.
> 
> [Published on
> gnu.org](https://www.gnu.org/software/repo-criteria.html), the
> criteria are directed at services hosting parts of the GNU
> operating system, but they're recommended for anyone who wants to
> use a service for publicly hosting free source code (and
> optionally, executable programs as well). Moving forward, we will
> update the criteria in response to technological and social
> changes in the landscape of code hosting.

I took a look at these and many of these seem to be the kind of things
that Debian would care about too.  I don't know if we want to adopt
some set of principles like this and if so where we would document
that.

If we did, I think my personal view would be as follows.

Scope:

  Services provided or endorsed by Debian.

  Including, but not necessarily limited to:
    - official Debian services;
    - services which are presently unofficial but intended to
      become official Debian services;
    - services hosted on Debian infrastructure;
    - services recommended by official Debian documentation
      (including documentation from packaging teams);
    - services which host official Debian resources
      including team packaging repos, etc.

Requirements

  Server code and all of its dependencies are Free Software (by
  Debian's definition).  [A1; implies most of C0]  Ideally, server
  code is in Debian main.

  Read-only access available to the public [A+0] except for the kinds
  of cases where we already make an exception to our principles of
  openness.

  Data exportable in a machine-readable format. [A+5]

  All important functions work without JS. [A0]

  Any software required to use the service must be in Debian main.
  [implies C1]

  No discrimination against classes of users or countries. [C2]

  Access permitted via Tor. [C3]

  No odious terms of service conditions. [C4]

  Sensible recommendations and defaults for licensing; all default and
  primarily-recommended licence(s) should be GPLv3+-compatible.  [~C5]

  Support for https strongly recommended but not mandatory. [C6]

  No reporting of site visitors to third parties, so no third-party
  tracking tags or images.  [B1]

  No per-user tracking of non-logged in users.  No cookies or
  equivalent, except as required for the site to function (eg for
  login, and recording preferences of anonymous users).  (And no
  stupid cookie popup banners.)  [related to B1]

  Limit logging to what is required for audit and debugging.
  [Related to A+1, A+2]

  As accessible as possible [A+3, A+4 are relevant; I'm not qualified
  to say whether those exact standards are sensible].

(Notes in [ ] are references to the paragraphs in the FSF's criteria
list.)

Ian.

