repo-criteria-discuss

Re: A+ 0


From: Aaron Wolf
Subject: Re: A+ 0
Date: Mon, 15 Apr 2024 21:46:19 -0700


On 2024-04-15 9:33, bill-auger wrote:
> On Thu, 21 Dec 2023 19:17:32 -0800 wolftune@riseup.net wrote:
>> I don't like the phrase "operate on projects", I don't think that is the key point. I think the key point is to access the projects at all.
>> Maybe something like this: "Access to any public parts of projects is not limited by any form of authentication of visitors." ?
>
> i think i and aaron basically agree - i would not even bother specifying
> "public parts of projects" so verbosely - the only "parts" that is important is
> the source code - unauthenticated git access alone, would satisfy this; and
> every forge that i have ever seen allows that - any other "parts" are the ones
> that should require authentication (write access - eg: posting tickets,
> offering patches, etc) - even "reading" tickets and patches is not so essential
> to software freedom
>
> to swing to that the extreme, one could suggest that people should be able to
> send patches and report bugs without authentication; but even savannah does not
> allow that
>
> IMHO, my version is concise and adequate
>
>     Allows viewing and downloading source code without authenticating. (A+0)
>
> bearing in mind that this proposal is to elevate A+0, and bearing in mind that
> every public forge satisfies A+0 and would not conceive to do otherwise,
> because to do so is effectively to make the forge private, what other "public
> parts of projects" does that exclude, which are important enough at the B level?
>
> On Thu, 21 Dec 2023 19:17:32 -0800 wolftune@riseup.net wrote:
>> Also, I still think "authentication" seems not specific enough. Is it "authentication" when GitLab.com does some cloudflare check that blocks the entire site from loading upon failure?
>
> yes, that is part of their authentication procedure - that is a separate issue
> - that is suggesting "what of the website does not allow some users to login",
> which is C2 (Does not discriminate) - the point of A+0 is simply "must you
> login?", regardless of how (password, API token, whatever - the form of the
> auth is irrelevant

I'm not sure you understand my point. GitLab does the Cloudflare "authentication" when someone visits a public listing of a project with no logging in at all. It is a cloudflare-verification-wall to even loading the normal public website. And if someone visits with a generic browser with JS functioning and typical cookies etc. whatever, they don't do any logging in, they don't see the verification wall, they just see the regular public project and do not know that the verification was even happening. And despite it happening, they are not logged in, there's no account involved.

