(re-)evaluation of notabug.org
From: bill-auger
Subject: (re-)evaluation of notabug.org
Date: Tue, 23 Mar 2021 06:25:30 -0400

i could not find nearly as much information in the archives as i
thought was there; so i re-evaluated it entirely myself

in summary, i see only two criteria which are clearly failing:
B0 and A+5 (i don't know how to check for some of the A+ class
criteria) - it is very likely that B0 could be made to pass very
easily - librejs support has been a design goal for years - as a
side note: pagure is the only forge i know of which would pass A+5

except for the A+ class criteria, i left only A2 and A3
undecided - those really deserve some clarification; but
probably notabug passes those too - i was only expecting a B
grade; but if B0 were fixed, it is likely that notabug would rank
at the A level

more eyes on this would be great; but notabug is clearly a very
strong candidate for inclusion
--------------------------------
ERC Checklist for notabug.org
PASS - C0 - Freely licensed JS for essential features
passes, by default of also passing the stronger A4
this is obviously a vague and subjective criteria -
IMHO, the essential features are:
* registration and login
* initializing/populating/publishing a repository
* downloading the repository
* filing a ticket, responding to tickets, managing ticket state
PASS - C0-0 - 'C0', and either of 'B0' or 'A0'
passes, by default of also passing the stronger A4 -
if B0 were passing, i believe that notabug could pass this
criteria via B0 also; for the same justification as B1
(no connections to third-parties, nothing is withheld,
and nothing can be withheld by any third-party)
PASS - C0-1 - Libre interpreters, "trans-pilers", and input sources
i don't believe that it has any
PASS - C1 - No non-free client requirements
during the initial review, notabug required flash player for one
trivial feature - that requirement was removed ~5 years ago
PASS - C2 - No discrimination
no discrimination to my eyes https://notabug.org/tos
PASS - C3 - Tor access
i remember that a few years ago, tor access was restricted to
some degree, due to abuse which rendered the service completely
unusable to anyone - from the perspective of the admin who must
thwart DoS attempts, and clean up the trash left by anonymous
users, C3 is an unreasonable expectation - IMHO, it should be at
the 'A' level - at any rate, the website again claims that tor
access is open https://notabug.org/tor
PASS - C4 - Non-odious TOS
nothing odious to my eyes https://notabug.org/tos
PASS - C5 - Recommends GPLv3-or-later
it has been previously determined on this mailing list, that
this requirement does not apply to most forges - most forges do
not recommend _any_ licenses - they simply offer (optionally) to
install a license file, from a pre-defined set, upon
initialization of an empty repo - "-or-later" does not apply to
the GPL license file - it is a maintenance task for the code
maintainer - for that reason, all known forges pass C5, trivially,
by not recommending any license
PASS - C6 - HTTPS access
FAIL - B0 - Compatible with LibreJS (or equivalent tool)
according to the same essential feature-set, as i used in C0
(almost) - i found that only one script was rejected -
presumably this could be fixed easily - missing web-label?
https://notabug.org/assets/librejs/librejs.html
PASS - B1 - No tracking
i seem to remember a good deal of effort was made (patches to
the upstream code) to ensure that all website files are
downloaded directly from the forge host - that was done
specifically to eliminate any calls to third-parties - i believe
that is still a design goal
PASS - B2 - Does not encourage unclear licensing
as with C5, i am not aware of any forge which encourages or
discourages _any_ specific licensing practices - in the most
extreme interpretation, all forges that i am aware of
(including savannah) would fail B2 technically; because they
allow publishing a poorly-licensed repo or one with no license -
none that i know of actually have license-related features,
beyond the trivial one mentioned in C5 - ironically any could
pass B2, simply by avoiding mentioning anything about licensing
practices - surely, one can not "encourage" something without
mentioning it - most do not mention it - they simply permit it,
but so does savannah, technically
PASS - B3 - Does not recommend non-free licenses
by default of also passing the stronger A4
PASS - A0 - Fully-functional without client-side scripts
to the same essential feature-set, as i used in C0
PASS - A1 - Freely-licensed server-side code
freely licensed and published on the same host
https://notabug.org/hp/gogs
???? - A2 - Prefers GPLv3-or-later projects
not sure what this entails - is this a stronger 'C5'?
(Recommends GPLv3-or-later _more_than_others_?) -
if so, why not: "Prefers AGPLv3-or-later projects"
at the A+ level?
???? - A3 - Offers AGPLv3-or-later
for the reason described in C5, no forge does this (not even
savannah) - in practice, the most that 'C5' and 'A3' pertain to,
is that all the license _files_, which are offered to be
installed into an empty repo, are offered with equal stature - i
am not aware of any forge which actively manages licensing in
any way; so this criteria can not yet be applied to any in
existence - perhaps someday, some new forge software may
forcefully and perpetually manage the licensing of each file in
all repositories - i suspect that the intention of 'A3' is
simply "offers AGPL"
PASS - A4 - Does not permit non-free licenses
the notabug (gogs) software does not have a mechanism to
enforce this (no forge that i am aware of does, not even
savannah); but the ToS makes it clear that it is provided "for
Free/Libre software projects as defined by the Free Software
Foundation" - the admin will revoke public access to (or delete)
any repo found to be non-free - it is not feasible to police
private repos in that way; so i would hold this criteria as
applicable only to publicly accessible repos
PASS - A5 - Does not recommend SaaSS
PASS - A6 - Does not mention “Open Source”
PASS - A7 - Clearly endorses software freedom
by default of also passing the stronger A4
PASS - A8 - Refers to GNU/Linux, wherever applicable
there is no part of the website where it would be applicable
PASS - A+0 - Registration not required
in practice, this criteria reduces to "C2: no discrimination"
(not a private member-only service) - all forges that i have
ever seen, allow public downloads without registration - it
lacks the smell of an A+ feature - it is the expected norm
???? - A+1 - No logging
impossible to know - impossible to prevent - irresponsible to
promise - this criteria is misleading, at best - even if this
were absolutely certain WRT the forge admins, still the host's
ISP, and the physical host machine (to which the forge admins
may likely have no access), probably logs everything - a 'PASS'
here is only giving a false sense of privacy to the naive - i
would remove this criteria entirely
???? - A+2 - Follows EFF guidelines
TBD:
???? - A+3 - Conforms to WCAG standard
TBD:
???? - A+4 - Conforms to WAI-ARIA standard
TBD:
FAIL - A+5 - Complete data exportability
--------------------------------
the actual checklist is on the libreplanet wiki, editable by
anyone (i have not filled it with my results yet)
https://libreplanet.org/wiki/Notabug