Re: Announcing GNU ethical criteria for code repositories
The FSF write:
> Today, the FSF and GNU project announced the first version of
> criteria for evaluating services that host free software source
> code repositories for distribution and collaborative
> development. Developed with the leadership of Richard Stallman
> and GNU volunteers, the criteria provide a framework for code
> repositories to ensure that they respect their users in a manner
> consonant with the values of the free software movement, and for
> users to hold these crucial institutions accountable.
> The criteria emphasize protection of privacy (including
> accessibility through the [Tor
> network](https://www.torproject.org)), functionality without
> compatibility with copyleft licensing and philosophy, and equal
> treatment of all users' traffic.
> [Published on
> gnu.org](https://www.gnu.org/software/repo-criteria.html), the
> criteria are directed at services hosting parts of the GNU
> operating system, but they're recommended for anyone who wants to
> use a service for publicly hosting free source code (and
> optionally, executable programs as well). Moving forward, we will
> update the criteria in response to technological and social
> changes in the landscape of code hosting.
I took a look at these and many of these seem to be the kind of things
that Debian would care about too. I don't know if we want to adopt
some set of principles like this and if so where we would document
If we did, I think my personal view would be as follows.
Services provided or endorsed by Debian.
Including, but not necessarily limited to:
- official Debian services;
- services which are presently unofficial but intended to
become official Debian services;
- services hosted on Debian infrastructure;
- services recommended by official Debian documentation
(including documentation from packaging teams);
- services which host official Debian resources
including team packaging repos, etc.
Server code and all of its dependencies are Free Software (by
Debian's definition). [A1; implies most of C0] Ideally, server
code is in Debian main.
Read-only access available to the public [A+0] except for the kinds
of cases where we already make an exception to our principles of
Data exportable in a machine-readable format. [A+5]
All important functions work without JS. [A0]
Any software required to use the service must be in Debian main.
No discrimination against classes of users or countries. [C2]
Access permitted via Tor. [C3]
No odious terms of service conditions. [C4]
Sensible recommendations and defaults for licensing; all default and
primarily-recommended licence(s) should be GPLv3+-compatible. [~C5]
Support for https strongly recommended but not mandatory. [C6]
No reporting of site visitors to third parties, so no third-party
tracking tags or images. [B1]
No per-user tracking of non-logged in users. No cookies or
equivalent, except as required for the site to function (eg for
login, and recording preferences of anonymous users). (And no
stupid cookie popup banners.) [related to B1]
Limit logging to what is required for audit and debugging.
[Related to A+1, A+2]
As accessible as possible [A+3, A+4 are relevant; I'm not qualified
to say whether those exact standards are sensible].
(Notes in [ ] are references to the paragraphs in the FSF's criteria