The FSF write:

> Today, the FSF and GNU project announced the first version of
> criteria for evaluating services that host free software source
> code repositories for distribution and collaborative
> development. Developed with the leadership of Richard Stallman
> and GNU volunteers, the criteria provide a framework for code
> repositories to ensure that they respect their users in a manner
> consonant with the values of the free software movement, and for
> users to hold these crucial institutions accountable.
>
> The criteria emphasize protection of privacy (including
> accessibility through the
> [Tor network](https://www.torproject.org)), functionality without
> [nonfree JavaScript](https://www.fsf.org/campaigns/freejs),
> compatibility with copyleft licensing and philosophy, and equal
> treatment of all users' traffic.
>
> [Published on gnu.org](https://www.gnu.org/software/repo-criteria.html),
> the criteria are directed at services hosting parts of the GNU
> operating system, but they're recommended for anyone who wants to
> use a service for publicly hosting free source code (and
> optionally, executable programs as well). Moving forward, we will
> update the criteria in response to technological and social
> changes in the landscape of code hosting.

I took a look at these and many of these seem to be the kind of things that Debian would care about too.

I don't know if we want to adopt some set of principles like this and if so where we would document that. If we did, I think my personal view would be as follows.

Scope:

Services provided or endorsed by Debian. Including, but not necessarily limited to:

- official Debian services;
- services which are presently unofficial but intended to become official Debian services;
- services hosted on Debian infrastructure;
- services recommended by official Debian documentation (including documentation from packaging teams);
- services which host official Debian resources including team packaging repos, etc.

Requirements

  Server code and all of its dependencies are Free Software (by Debian's definition). [A1; implies most of C0] Ideally, server code is in Debian main.

  Read-only access available to the public [A+0] except for the kinds of cases where we already make an exception to our principles of openness.

  Data exportable in a machine-readable format. [A+5]

  All important functions work without JS. [A0]

  Any software required to use the service must be in Debian main. [implies C1]

  No discrimination against classes of users or countries. [C2]

  Access permitted via Tor. [C3]

  No odious terms of service conditions. [C4]

  Sensible recommendations and defaults for licensing; all default and primarily-recommended licence(s) should be GPLv3+-compatible. [~C5]

  Support for https strongly recommended but not mandatory. [C6]

  No reporting of site visitors to third parties, so no third-party tracking tags or images. [B1]

  No per-user tracking of non-logged in users. No cookies or equivalent, except as required for the site to function (eg for login, and recording preferences of anonymous users). (And no stupid cookie popup banners.) [related to B1]

  Limit logging to what is required for audit and debugging. [Related to A+1, A+2]

  As accessible as possible [A+3, A+4 are relevant; I'm not qualified to say whether those exact standards are sensible].

(Notes in [ ] are references to the paragraphs in the FSF's criteria list.)

Ian.