New GNU ethical criteria for code repositories emphasize privacy, freedom, and copyleft

Calinou
Joined: 03/08/2014

http://www.fsf.org/news/gnu-ethical-repo-criteria

Place your bets. Will any of GitHub, GitLab, NotABug, git.framasoft.org be considered ethical?

jxself
Joined: 09/13/2010

From these criteria, GitHub will get an F.

pizzaiolo
Joined: 03/12/2015

NAB will get a good rating for sure. Savannah will probably be the highest ranked (big surprise).

lap4fsf
Joined: 10/12/2014

Hi pizzaiolo,

Do you mean Gna!? (http://about.gna.org/)

They stand very close to GNU Savannah. (It hosts only programs with a GPL-compatible free software license, supports the GNU philosophy, has a strict stand on the terminology that developers should use, etc.) Its main developer Loïc Dachary had secured the funds to buy hardware for the Free Software Foundation offices and moved to Boston to install GNU Savannah.

I remember reading an article about him, during my teen days, when I first came to know about St. IGNUcius from the Church of Emacs. So, I have an emotional attachment to this gentleman.

risci_atom
Joined: 04/24/2011

I think that this is a really bad idea and will only make the centralization problem much worse. Projects should host their own code and not be dependent on services that might sell out, change their tune over time or experience long periods of downtime (I'm looking at you, NotABug). By having a large number of projects entrusting their hosting to only a few, it only sets us up for failure because it puts us in a situation where we can't trust many core free software projects that we depend upon.

A prime example of this failure is SourceForge, where about 3% of the core projects that the libreCMC project depends upon can't really be trusted due to the recent actions of SourceForge and because most of the projects that have source code there don't sign their packages. Gitorious, another large host of free software source code, let the community down when it chose to sell out to a company that has a record of not acting in the best interest of the free software community. By trusting these large hosts (or growing them), it gives them too much control and power to manipulate or act against those who trust or depend upon these free software projects. If we grow another Gitorious or SourceForge, we will only be repeating the last two events yet again.

Instead, we should have a set of hosting standards that individual projects follow, advocate for the decentralization of hosting source code repositories and get developers to sign their source code. If anything, the GNU project and the FSF should *not* endorse any of these centralized hosting providers because they will grow and then a) sell out at some point or b) go broke then fall over due to the fact that no one wants to donate towards hosting costs. Having all the eggs in one or a few baskets just makes it easier to break all of the eggs.

Calinou
Joined: 03/08/2014

Many developers would rather not spend any money; this is why centralized hosting platforms are used. Also, with centralized platforms, you don't need to create an account for each project to report bugs or make pull requests, and the interface is the same. (Yes, I know, OAuth2 and similar software could be used. But still, you can't easily search for random free software projects like you would on GitHub.)

risci_atom
Joined: 04/24/2011

Yes, but at this point in time, I can't trust most of the free software that I use due to the fact that a) most developers don't sign their code, b) centralized source code hosting providers have been known to remove or censor repositories, and c) most of us don't have time to do a full audit in these cases. This is a critical issue that is not being addressed and it has existed for a long time. The luxury features that GitHub and others have are not worth the censorship or the fact that these large hosts could manipulate these repositories in various ways. If a project can't afford to host their source code repositories, then they need to speak up and ask for donations or start going to the larger players in the free software community. We could also try to create or advocate for a set of tools that lets volunteers host repositories in a decentralized way (like gittorrent) and get developers to sign their source code.

Chris
Joined: 04/23/2011

I think the most critical thing is not who hosts it, as censored projects can move elsewhere already (even though there are also 'accidental' issues and issues with abandoned code/projects), but an educational campaign on how to sign commits.

That said, this doesn't mean decentralization isn't important. I think we do need to decentralize more. I don't know if we really have the tools to do this in the best possible way right now. I think there are a lot of developers working on different tools for different scenarios. Be it decentralized and distributed marketplaces (to buy and sell goods), decentralized distributed payment systems (bitcoins), or even just decentralized distributed data stores (i.e., maybe similar to 'cloud' storage systems).

Decentralizing doesn't necessarily mean it can't be hosted by multiple parties either. What matters is it is reliable and can be authenticated.

I think http://maidsafe.net/ is a good example of this.

Here we have a project that aims to decentralize at least the storing of data in a safe and reliable way.

There are other projects to decentralize marketplaces. That's another good example. Not everything legal is permitted to be sold on eBay or Amazon.

Even legal non-profit foundations have been attacked by certain industries via the reliance on credit card and payment processors. This is why promoting bitcoin despite its flaws (lacking good anonymity) is important. The control is taken away from a few centralized entities and put into the hands of the masses (not that the masses always do what's right, but it's still better in most cases than what we get from monopolies on power and the like).

If we as individuals are going to be in control and remain safe we need the systems that give us that control. I don't think we should aim for centralized entities for everything. We should focus on funding efforts to decentralize, ease authentication, ease anonymization (as a default), and similar.

ADFENO
Joined: 12/31/2012

I do agree that this is an issue.

Centralized things in the Internet are always bad.

We must find a way to have decentralized (and preferably, federated) software development. I prefer them to be federated because, that way, a member of a project can join other projects without registration and without creating a clone of his account/profile (OAuth and OpenID are somehow a bad example, since they rely on existing profiles with such capabilities and just replicate information from these existing profiles to create another one, and they do not serve the purpose of pure interaction).

Perhaps an identity/certificate that is created for that person, and has a unified resource identifier or a hash of some sort. And on his very own computer the user can change his profile information and send it to the projects that he's already part of. His profile could also have OpenSSH keys within it.

As for the projects' repositories, perhaps we could have something that uses P2P, but which is also able to receive identity/certificate updates from the projects' members, and which is able to receive other maintenance related orders like: requests for a non-member to join the project, permission management, and so on.

Chris
Joined: 04/23/2011

Yeah, read my comment above. A decentralized and distributed equivalent to GitHub could probably be developed. Some of the mechanisms which would be needed for it to work in a reliable way are still in their infancy. For example, integrating a bitcoin-like system into distributed systems to reward people for participating in sharing resources (i.e., disk space, CPU usage, etc.). A system of authentication would be needed (something dumb enough for 'lazy' developers, etc.). The most important thing of all is this would all need to be extremely easy to set up.

I think it could actually work even without everybody running the software. If every person who ran the software could attach a traditional domain name to their instance, you could even just share that instance, so you'd end up with lots of different places that provide the ability to interact with the larger system without having to install any software yourself. There might be implications to this and there might be solutions to those problems.

In any event, it's something to think about. Ultimately, though, I don't know if any of this is practical right now.

What we should probably be focused on (and something that Tails has been) is getting developers to simply sign their commits.
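Several posts in this thread (risci_atom's and Chris's) come back to the same practical point: get developers to sign their commits, so that trust rests on the author's key rather than on whoever hosts the repository. As an added example that is not part of the thread and not code from any project mentioned in it, the POSIX shell script below shows what that looks like with git's SSH-signature support. It builds a throwaway repository with three commits (one signed by a key listed in an allowed-signers file, one signed by a key git has never been told to trust, one unsigned) and asks git for its verdict on each. It assumes git 2.34 or newer and OpenSSH's ssh-keygen; the keys, the principal name `maintainer@example.invalid`, the tag names and the commit messages are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): sign git commits with an SSH key and let
# git verify them against an allowed-signers list. Assumes git >= 2.34 and
# OpenSSH's ssh-keygen. Every key, name and address below is made up for the demo.
set -eu

# Keep the demo independent of the developer's own global git configuration.
export GIT_CONFIG_NOSYSTEM=1
export GIT_CONFIG_GLOBAL=/dev/null

# SSH signatures need git 2.34 or newer.
git_supports_ssh_signing() {
    command -v git >/dev/null 2>&1 || return 1
    v=$(git --version | sed 's/^git version //')
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 34 ]; }
}

# Build a throwaway repository with three commits: one signed by the maintainer
# key listed in allowed_signers, one signed by a key git was never told to
# trust, and one unsigned. Prints the repository path (keys sit beside it).
setup_signed_repo() {
    work=$(mktemp -d)
    repo=$work/repo
    ssh-keygen -q -t ed25519 -N '' -C maintainer -f "$work/maintainer_key"
    ssh-keygen -q -t ed25519 -N '' -C unknown -f "$work/unknown_key"
    # allowed_signers maps a principal (here an e-mail address) to a public key.
    # This file is the trust anchor: git reports a signature as good only when
    # the signing key is listed here, whatever the hosting provider says.
    printf 'maintainer@example.invalid %s\n' \
        "$(cut -d' ' -f1,2 "$work/maintainer_key.pub")" > "$work/allowed_signers"

    git init -q "$repo"
    git -C "$repo" config user.name "Demo Maintainer"
    git -C "$repo" config user.email maintainer@example.invalid
    git -C "$repo" config gpg.format ssh
    git -C "$repo" config user.signingkey "$work/maintainer_key"
    git -C "$repo" config gpg.ssh.allowedSignersFile "$work/allowed_signers"
    git -C "$repo" config commit.gpgsign true   # sign every commit by default

    echo "hello" > "$repo/README"
    git -C "$repo" add README
    git -C "$repo" commit -q -m "Signed by the maintainer key"
    git -C "$repo" tag good-signed

    git -C "$repo" -c user.signingkey="$work/unknown_key" \
        commit -q --allow-empty -m "Signed by a key outside allowed_signers"
    git -C "$repo" tag unknown-key

    git -C "$repo" -c commit.gpgsign=false \
        commit -q --allow-empty -m "Not signed at all"
    git -C "$repo" tag unsigned

    echo "$repo"
}

# Print git's one-letter verdict for a commit: G = good signature from a key in
# allowed_signers, U = valid signature from a key not in the list, N = unsigned,
# B/E = bad signature or verification error.
verify_commit_signature() {
    git -C "$1" log -1 --format='%G?' "$2"
}

# Succeed only for a good signature from a listed key. This is the check a
# release script or CI job should gate on; anything else is "not trusted".
commit_is_trusted() {
    [ "$(verify_commit_signature "$1" "$2")" = G ]
}

run_demo() {
    repo=$(setup_signed_repo)
    for rev in good-signed unknown-key unsigned; do
        printf '%-12s %s\n' "$rev" "$(verify_commit_signature "$repo" "$rev")"
    done
    git -C "$repo" log --show-signature --oneline   # the human-readable form
    rm -rf "${repo%/repo}"
}

if git_supports_ssh_signing && command -v ssh-keygen >/dev/null 2>&1; then
    run_demo
else
    echo "skipping demo: needs git >= 2.34 and ssh-keygen" >&2
fi
```

Running it prints `G` for the maintainer's commit and something other than `G` for the other two. The design point is where the trust lives: `allowed_signers` is a file the verifier controls, so a mirror, a compromised host or a moved project cannot quietly substitute commits without the signature check noticing, which is exactly the property the "sign your commits" advice in this thread is after.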