Re: (re-)evaluation of notabug.org

[Hein-Pieter van Braam-Stewart]

Hello,

First of all I want to thank you for considering NAB (Notabug.org) for
inclusion once more. NAB was created specifically to conform as closely
to GNU's ethical forge requirements as possible. However, previously
any attempts to get it evaluated were ignored.

At this current time I, however, have my own ethical dilemma: When Mr.
Stallman stepped down from the FSF leadership in 2019 I applauded the
move and I considered it to be a very courageous step. While Mr.
Stallman's moral compass as it pertains to software has always been,
and continues to be, spot on, his moral compass as it pertains to other
societal issues has not kept up with the times.

Mr. Stallman's return has been particularly difficult for me personally
as his writings have informed a large part of the person who I am today
. When I saw him taking the difficult step of putting the movement
ahead of himself I considered this a vindication of my trust in him
personally that Free software is more important than one person. His
desire to get back in a position of power thus fills me with a deep
sense of betrayal. Free software cannot continue to be under Mr.
Stallman's leadership and expect to survive.

While I cannot claim to have lived up to my beliefs as they are today
regarding sexism, amblism, homophobia, and transphobia, I strive to do
better, and I believe I have made some personal progress here. I was
under the impression that the FSF and GNU were making similar steps
towards making Free software a more accepting place for everyone. The
re-installing of Mr. Stallman suggests that no personal lessons have
been learned.

Thus I find myself in a position where I am worried that accepting a
listing on GNU.org can be construed as an endorsement of the current
situation. So I feel that, should notabug.org get listed, I need to
install a new webpage on notabug.org to express my condemnation of the
current situation.

- HP (Administrator of notabug.org)

On Tue, 2021-03-23 at 06:25 -0400, bill-auger wrote:
> i could not find nearly as much information in the archives as i
> thought was there; so i re-evaluated it entirely myself
> 
> in summary, i see only two criteria which are clearly failing:
> B0 and A+5 (i dont now how to check for some of the A+ class
> criteria) - it is very likely that B0 could be made to pass very
> easily - librejs support has been a design goal for years - as a
> side note: pagure is the only forge i know of which would pass A+5
> 
> except for the A+ class criteria, i left only A2 and A3
> undecided - those really deserve some clarification; but
> probably notabug passes those too - i was only expecting a B
> grade; but if B0 were fixed, it is likely that notabug would rank
> at the A level
> 
> more eyes on this would be great; but notabug is clearly a very
> strong candidate for inclusion
> 
> 
> --------------------------------
> ERC Checklist for notabug.org
> 
> PASS - C0 - Freely licensed JS for essential features
>        passes, by default of also passing the stronger A4
>        this is obviously a vague and subjective criteria -
>        IMHO, the essential features are:
>        * registration and login
>        * initializing/populating/publishing a repository
>        * downloading the repository
>        * filing a ticket, responding to tickets, managing ticket
> state
> 
> PASS - C0-0 - 'C0, and either of 'B0' or 'A0'
>        passes, by default of also passing the stronger A4 -
>        if B0 were passing, i believe that notabug could pass this
>        criteria via B0 also; for the same justification as B1
>        (no connections to third-parties, nothing is withheld,
>        and nothing can be withheld by any third-party)
> 
> PASS - C0-1 - Libre interpreters, "trans-pilers", and input sources
>        i dont believe that it has any
>   
> PASS - C1 - No non-free client requirements
>        during the initial review, notabug required flash player for
> one
>        trivial feature - that requirement was removed ~5 years ago
> 
> PASS - C2 - No discrimination
>        no discrimination to my eyes https://notabug.org/tos
> 
> PASS - C3 - Tor access
>        i remember that a few years ago, tor access was restricted to
>        some degree, due to abuse which rendered the service
> completely
>        unusable to anyone - from the perspective of the admin who
> must
>        thwart DoS attempts, and cleanup the trash left by anonymous
>        users, C3 is an unreasonable expectation - IMHO, it should be
> at
>        the 'A' level - at any rate, the website again claims that tor
>        access is open https://notabug.org/tor
> 
> PASS - C4 - Non-odious TOS
>        nothing odious to my eyes https://notabug.org/tos
> 
> PASS - C5 - Recommends GPLv3-or-later
>        it has been previously determined on this mailing list, that
>        this requirement does not apply to most forges - most forges
> do
>        not recommend _any_ licenses - they simply offer (optionally)
> to
>        install a license file, from a pre-defined set, upon
>        initialization of an empty repo - "-or-later" does not apply
> to
>        the GPL license file - it is a maintenance task for the code
>        maintainer - for that reason, all known forges pass C5,
> trivially,
>        by not recommending any license
> 
> PASS - C6 - HTTPS access
> 
> FAIL - B0 - Compatible with LibreJS (or equivalent tool)
>        according to the same essential feature-set, as i used in C0
>        (almost) - i found that only one script that was rejected -
>        presumably this could be fixed easily - missing web-label?
>        https://notabug.org/assets/librejs/librejs.html
> 
> PASS - B1 - No tracking
>        i seem to remember a good deal of effort was made (patches to
>        the upstream code) to ensure that all website files are
>        downloaded directly from the forge host - that was done
>        specifically to eliminate any calls to third-parties - i
> believe
>        that is still a design goal
> 
> PASS - B2 - Does not encourage unclear licensing
>        as with C5, i am not aware of any forge which encourages or
>        discourages _any_ specific licensing practices - in the most
>        extreme interpretation, all forges that i am aware of
>        (including savannah) would fail B2 technically; because they
>        allow publishing a poorly-licensed repo or one with no license
> - 
>        none that i know of actually have license-related features,
>        beyond the trivial one mentioned in C5 - ironically any could
>        pass B2, simply by avoiding to mention anything about
> licensing
>        practices - surely, one can not "encourage" something without
>        mentioning it - most do not mention it - they simply permit
> it,
>        but so does savannah, technically
> 
> PASS - B3 - Does not recommend non-free licenses
>        by default of also passing the stronger A4
> 
> PASS - A0 - Fully-functional without client-side scripts
>         to the same essential feature-set, as i used in C0
> 
> PASS - A1 - Freely-licensed server-side code
>        freely licensed and published on the same host
>        https://notabug.org/hp/gogs
> 
> ???? - A2 - Prefers GPLv3-or-later projects
>        not sure what this entails - is this a stronger 'C5'?
>        (Recommends GPLv3-or-later _more_than_others_?) -
>        if so, why not: "Prefers AGPLv3-or-later projects"
>        at the A+ level?
> 
> ???? - A3 - Offers AGPLv3-or-later
>        for the reason described in C5, no forge does this (not even
>        savannah) - in practice, the most that 'C5' and 'A3' pertain
> to,
>        is that the all licenses _files_, which are offered to be
>        installed into an empty repo, are offered with equal stature -
> i
>        am not aware of any forge which actively manages licensing in
>        any way; so this criteria can not yet be applied to any in
>        existence - perhaps someday, some new forge software may
>        forcefully and perpetually manage the licensing of each file
> in
>        all repositories - i suspect that the intention of 'A3' is
>        simply "offers AGPL"
> 
> PASS - A4 - Does not permit non-free licenses
>        the notabug (gogs) software does not have a mechanism to
>        enforce this (no forge that i am aware of does, not even
>        savannah); but the ToS makes it clear that it is provided "for
>        Free/Libre software projects as defined by the Free Software
>        Foundation" - the admin will revoke public access to (or
> delete)
>        any repo found to be non-free - it is not feasible to police
>        private repos in that way; so i would hold this criteria as
>        applicable only to publicly accessible repos
> 
> PASS - A5 - Does not recommend SaaSS
> 
> PASS - A6 - Does not mention “Open Source”
> 
> PASS - A7 - Clearly endorses software freedom
>        by default of also passing the stronger A4
> 
> PASS - A8 - Refers to GNU/Linux, wherever applicable
>        there is no part of the website where it would be applicable
> 
> PASS - A+0 - Registration not required
>        in practice, this criteria reduces to "C2: no discrimination"
>        (not a private member-only service) - all forges that i have
>        ever seen, allow public downloads without registration - it
>        lacks the smell of an A+ feature - it is the expected norm
> 
> ???? - A+1 - No logging
>        impossible to know - impossible to prevent - irresponsible to
>        promise - this criteria is misleading, at best - even if this
>        were absolutely certain WRT the forge admins, still the host's
>        ISP, and the physical host machine (to which the forge admins
>        may likely have no access), probably logs everything - a
> 'PASS'
>        here is only giving false sense of privacy to the naive - i
>        would remove this criteria entirely
> 
> ???? - A+2 - Follows EFF guidelines
>        TBD:
> 
> ???? - A+3 - Conforms to WCAG standard
>        TBD: 
> 
> ???? - A+4 - Conforms to WAI-ARIA standard
>        TBD:
>   
> FAIL - A+5 - Complete data exportability
> 
> --------------------------------
> 
> the actual checklist is on the libreplanet wiki, editable by
> anyone (i have not filled it with my results yet)
> https://libreplanet.org/wiki/Notabug
>