Ethical repository evaluation of SourceHut

[Drew DeVault]

Hello! I would like to request an evaluation of SourceHut under the GNU
ethical repository criteria. SourceHut was already almost there, and I
spent some time in the past couple of days shoring up our weak points.

Note: I've Cc'd the sr.ht-discuss mailing list.

I've done a self-evaluation, here are my conclusions:

# Criteria C

SourceHut passes criteria C1, C2, C3, C5, and C6.

C0: SourceHut mostly passes, but there is one case of nonfree JavaScript
that I can't do anything about: payment processing is handled by Stripe
and I am required to use their nonfree JavaScript for this purpose. I
would like to request an exception. Nonfree JavaScript is not required
for daily use of the services (in fact, JavaScript isn't required at
all). Additionally, I have occasionally accepted payment for the service
in cash for users who are concerned about this issue, at events like
FOSDEM.

C1: Passes

C2: Unfortunately, SourceHut is a business which is based in the United
States, and I am required to follow US laws including trade sanctions. I
don't think that criteria C2 is a reasonable criteria to include in this
list, because it's not legally possible for most hosting providers to
overcome - in fact I think that any of the current evaluees which are
currently receiving marks for this criterion are not in fact able to make
this guarantee. SourceHut would pass if the criteria were a bit more
reasonable: "Does not discriminate against classes of users or against
any country, except where required by law, such as obeying sanctions."

C3: Passes

C4: This is subjective and not a good criteria for that reason. However,
subjectively, I think our terms are pretty reasonable:
https://man.sr.ht/terms.md

C5: Passes: https://man.sr.ht/license.md

C6: Passes

# Criteria B

B0: I just added these to our scripts yesterday (which are very few in
number), I think I got them all. Please let me know if you notice
anything missing and I'll quickly correct them.

B1: Passes

B2: Passes: https://man.sr.ht/license.md; projects without a license see
the following message: https://sr.ht/s5pU.png

B3: Passes: https://man.sr.ht/license.md

# Criteria A

A0: Passes, with flying colors.

A1: Passes: https://git.sr.ht/~sircmpwn/?search=sr.ht 100% free
software!

A2: Passes, A3: Passes: https://man.sr.ht/license.md

A4: Fails. I disagree with this in principle, however. SourceHut
stresses the importance of licenses and offers recommends free software
licenses. However, it also offers private (personal) repositories and
unlisted repositories, for which the choice of license is basically
moot. I also reckon that source-available software is better than
proprietary software, so de-platforming source-available software would
just increase the amount of proprietary software out there.

A5: Passes

A6: Kind of passes, kind of fails? We use both terms throughout. I
disagree with this on principle, however, because it seems to be
evaluating the platform in terms of "does it advance GNU's private
agenda" rather than "does it match the GNU ideas of ethical hosting",
the latter being the ostensible purpose of these criteria.

A7: This is too vague, but I think we pass.

A8: Fails, but this is another one which is clearly favoring GNU's
private agenda rather than its ethical principles. It's also false - for
the most part, SourceHut runs on Linux without GNU, mainly Alpine Linux.

A9: Fails, but I also disagree with this on principle. This is a best
practice, not an ethical obligation. The purpose of including a license
summary in every file is to prevent the file from being mistakenly
reused in contradiction of the license terms, but even without this the
files are still licensed under their license terms.

On the whole, section A is where the criteria seems to get off the rails
for me. This should focus on evaluating ethical principles, don't get
distracted with "GNU/Linux" or what kind of comments source files have.

## Criteria A+

A+0: Passes

A+1: Fails, but this is also unreasonable. We need to collect logs for
security reasons. We detect things like when someone is failing to log
into your account, or registering accounts in bulk, etc - then blackhole
their IP. We monitor important account activity and allow you to review
it to detect unauthorized account access, and we can't let you delete it
because then the attacker could, too (these are automatically deleted
after 30 days). A more measured approach to addressing user data
collection would be better here.

A+2: We're mostly there, but not entirely. We're working on it.

A+3: Passes

A+4: Passes

A+5: In progress. This is a high-priority item.

Curious to hear your thoughts. Thank you for all of your hard work in
evaluating hosting options and helping people choose ethical providers
for their services!