repo-criteria-discuss

Re: Ethical repository evaluation of SourceHut


From: Aaron Wolf
Subject: Re: Ethical repository evaluation of SourceHut
Date: Thu, 23 Jan 2020 16:38:14 -0800

On 2020-01-23 8:22 a.m., Drew DeVault wrote:
> Hello! I would like to request an evaluation of SourceHut under the GNU
> ethical repository criteria. SourceHut was already almost there, and I
> spent some time in the past couple of days shoring up our weak points.
> 
> Note: I've Cc'd the sr.ht-discuss mailing list.
> 
> I've done a self-evaluation, here are my conclusions:
> 
> # Criteria C
> 
> SourceHut passes criteria C1, C2, C3, C5, and C6.
> 
> C0: SourceHut mostly passes, but there is one case of nonfree JavaScript
> that I can't do anything about: payment processing is handled by Stripe
> and I am required to use their nonfree JavaScript for this purpose. I
> would like to request an exception. Nonfree JavaScript is not required
> for daily use of the services (in fact, JavaScript isn't required at
> all). Additionally, I have occasionally accepted payment for the service
> in cash for users who are concerned about this issue, at events like
> FOSDEM.
> 

If simply blocking Stripe doesn't interfere with the use of SourceHut by
GNU and other free software projects, then it could be seen as not "an
important site function".

I'm sure that GNU will accept that interpretation (SourceHut with no
Stripe) rather than grant any exception to the non-free Stripe JS.

As for handling the Stripe issue, there are two things we can suggest to
SourceHut:

A) step in the right direction (but not fully ideal in GNU terms): make
sure to sandbox the Stripe JS and provide a disclaimer. That's what
Snowdrift.coop currently does. So, acknowledging the problem and
apologizing is a step in the right direction. Making sure the JS only
loads where absolutely necessary for the function helps too.

B) do the handling of payment info on the server side, passing to Stripe
through their API without using the client-side JS. That's what
CrowdSupply does, and that's the approach that can get full GNU
endorsement. This takes more hassle and some liabilities, but it's
doable. It doesn't require SourceHut to actually store any payment info,
so it's not that level of liability. Incidentally, Snowdrift.coop hopes
to go this way in the long run once there's enough resources to handle
setting that up.

> C1: Passes
> 
> C2: Unfortunately, SourceHut is a business which is based in the United
> States, and I am required to follow US laws including trade sanctions. I
> don't think that criterion C2 is a reasonable criterion to include in this
> list, because it's not legally possible for most hosting providers to
> overcome - in fact I think that any of the current evaluees which are
> currently receiving marks for this criterion are not in fact able to make
> this guarantee. SourceHut would pass if the criteria were a bit more
> reasonable: "Does not discriminate against classes of users or against
> any country, except where required by law, such as obeying sanctions."
> 

I agree with the gist, but GNU wants to be sure that all GNU source is
available as widely as possible. I personally support more nuance than
pass/fail here. If the service itself does no active discrimination, we
might say that it passes this even though legal impositions on it have
the potential to interfere. I'm not sure here.

> C3: Passes
> 
> C4: This is subjective and not a good criterion for that reason. However,
> subjectively, I think our terms are pretty reasonable:
> https://man.sr.ht/terms.md
> 
> C5: Passes: https://man.sr.ht/license.md
> 
> C6: Passes
> 
> # Criteria B
> 
> B0: I just added these to our scripts yesterday (which are very few in
> number), I think I got them all. Please let me know if you notice
> anything missing and I'll quickly correct them.
> 
> B1: Passes
> 
> B2: Passes: https://man.sr.ht/license.md; projects without a license see
> the following message: https://sr.ht/s5pU.png
> 
> B3: Passes: https://man.sr.ht/license.md
> 
> # Criteria A
> 
> A0: Passes, with flying colors.
> 
> A1: Passes: https://git.sr.ht/~sircmpwn/?search=sr.ht 100% free
> software!
> 
> A2: Passes, A3: Passes: https://man.sr.ht/license.md
> 
> A4: Fails. I disagree with this in principle, however. SourceHut
> stresses the importance of licenses and offers and recommends free software
> licenses. However, it also offers private (personal) repositories and
> unlisted repositories, for which the choice of license is basically
> moot. I also reckon that source-available software is better than
> proprietary software, so de-platforming source-available software would
> just increase the amount of proprietary software out there.
> 

There's a mix of political/philosophical and factual claims here.

Private and unlisted repositories do not make licensing moot
necessarily, only in the case where the software stays totally private
(not distributed to anyone other than the copyright holders). Free
software licensing becomes relevant as soon as the software gets copied
for anyone, even if the project does not provide a way for the general
public to get access. So it applies in the case where Person A, with a
private repo, grants access or makes a copy for Person B.

But there could be a qualifier considered for A4 around private repos.
Again, my personal (not the GNU project) view is that the grades should
not be all-or-nothing, so I'd rather see a percentage score for how much
of A is passing rather than just tagging something with B because it
doesn't meet 100% of A. In my view, any repo that won't meet 100% then
has no incentive to meet the requirements they can, and I think better
is better even if not complete.

Source-available software *is* still proprietary, but I know what you
meant. Source-available proprietary software is arguably better than
no-source proprietary software. I don't think the GNU position
acknowledges that in any meaningful way though.

> A5: Passes
> 
> A6: Kind of passes, kind of fails? We use both terms throughout. I
> disagree with this on principle, however, because it seems to be
> evaluating the platform in terms of "does it advance GNU's private
> agenda" rather than "does it match the GNU ideas of ethical hosting",
> the latter being the ostensible purpose of these criteria.
> 

We had debates about such things when forming the criteria. I wanted
this bit to be in the A+ section and to focus on *saying* "free" and
"freedom" more than on *not* saying "open source". But in the end, these
criteria are not decided by consensus or popular vote. They reflect GNU
leadership with the assistance of volunteers like me.


> A7: This is too vague, but I think we pass.

This passes as long as the political / ethical idea that software
freedom matters is unambiguously included.

> 
> A8: Fails, but this is another one which is clearly favoring GNU's
> private agenda rather than its ethical principles. It's also false - for
> the most part, SourceHut runs on Linux without GNU, mainly Alpine Linux.
> 

When you are referring to Linux without GNU, there's no expectation of
acknowledging GNU. The criterion says "when referring to GNU/Linux".

> A9: Fails, but I also disagree with this on principle. This is a best
> practice, not an ethical obligation. The purpose of including a license
> summary in every file is to prevent the file from being mistakenly
> reused in contradiction of the license terms, but even without this the
> files are still licensed under their license terms.
> 
> On the whole, section A is where the criteria seem to get off the rails
> for me. This should focus on evaluating ethical principles, don't get
> distracted with "GNU/Linux" or what kind of comments source files have.
> 
> ## Criteria A+
> 
> A+0: Passes
> 
> A+1: Fails, but this is also unreasonable. We need to collect logs for
> security reasons. We detect things like when someone is failing to log
> into your account, or registering accounts in bulk, etc - then blackhole
> their IP. We monitor important account activity and allow you to review
> it to detect unauthorized account access, and we can't let you delete it
> because then the attacker could, too (these are automatically deleted
> after 30 days). A more measured approach to addressing user data
> collection would be better here.

I think this criterion needs clarification. I think the intent is about
not logging anything for *visitors*, i.e. people that come to the site
and don't register an account or anything. I'm not sure about this.

> 
> A+2: We're mostly there, but not entirely. We're working on it.
> 
> A+3: Passes
> 
> A+4: Passes
> 
> A+5: In progress. This is a high-priority item.
> 
> Curious to hear your thoughts. Thank you for all of your hard work in
> evaluating hosting options and helping people choose ethical providers
> for their services!
> 

Thanks for making such honorable efforts to do the right things here! I
hope we can push things forward to make sure we can add SourceHut with
at least a passing grade. Regardless of the specifics and debates around
the GNU criteria, it's clear you care about the ethics as a real value.

Cheers,
Aaron Wolf


