Re: LibreJS (was Re: CodeBerg addition)

2024-01-08 Thread Yuchen Pei 
On Sat 2024-01-06 23:31:33 -0500, Richard Stallman wrote:

> [[[ To any NSA and FBI agents reading my email: please consider]]]
> [[[ whether defending the US Constitution against all enemies, ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]

>   > Suggestions on how to improve librejs to make site administrators life
>   > easier to comply are welcome :)
> All else being equal, we would like to make it easier -- but not by
> eviscerating the checking it is supposed to do.

Absolutely. Any change should not reduce the coverage/recall which is
targeted at 100%. There may be false positives, but there should be no
false negatives.

Best,
Yuchen

--
Dr Yuchen Pei | https://ypei.org | Timezone: UTC+11
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0
https://ypei.org/assets/ypei-pubkey.txt

Re: LibreJS (was Re: CodeBerg addition)

2024-01-05 Thread Yuchen Pei 
On Fri 2024-01-05 08:24:53 -0800, Aaron Wolf wrote:

> The one thought on LibreJS improvement I was imagining so far:

> Some sort of crowdsourced list of recognized free JS, like the way
> that adblocking lists are put together to block ads. I imagine a
> whitelist that just knows that Codeberg's JS is free, so it is
> whitelisted not by individual local users of LibreJS but by a
> collected list everyone gets by default.

For such a list to be authoritative enough to be used for forge
evaluation, it needs to be maintained and vetted. What would be the best
way to do that? A natural idea would be to draw from the Free Software
Directory, which FSF staff maintains by evaluating and approving entries
on weekly meetings. Does this process already evaluate javascript
libraries and applications? Are there already js projects in the FSD? I
see a submission of forgejo[1], but that may not be sufficient because
presumably codeberg has its own url under its own domain for the js
files, so naively either there needs to be a correspondence between
forgejo (possibly minified) js files and codeberg js urls. Technically
there should be hashes to the files also in case they get updated.

[1] https://directory.fsf.org/wiki/Forgejo

> On 2024-01-05 4:08, Yuchen Pei wrote:
>> On Thu 2024-01-04 13:49:00 -0800, Aaron Wolf wrote:

>>> Note that there's also this issue at Gitea:
>>> https://github.com/go-gitea/gitea/issues/13393
>>> Anyway, I think it is not okay to downgrade Codeberg for not
>>> functioning with LibreJS when it is 100% free software anyway.
>>> Insisting on this particular tooling needs to not be such a strong
>>> requirement.
>>> I think LibreJS needs some improved options for operating and should
>>> not be a blocker to Codeberg getting a higher grade.
>>> In practice, if sites that are 100% free software are not being
>>> recognized by LibreJS, and the way modern sites are put together makes
>>> doing this non-trivial, then the problem is LibreJS's approach, not
>>> the site.
>> Suggestions on how to improve librejs to make site administrators life
>> easier to comply are welcome :)

>>> [... 33 lines elided]
>> Best,
>> Yuchen
>> --
>> Dr Yuchen Pei |https://ypei.org  | Timezone: UTC+11
>> PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0
>> https://ypei.org/assets/ypei-pubkey.txt


Best,
Yuchen

--
Dr Yuchen Pei | https://ypei.org | Timezone: UTC+11
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0
https://ypei.org/assets/ypei-pubkey.txt

Re: LibreJS (was Re: CodeBerg addition)

2024-01-05 Thread Yuchen Pei 
On Thu 2024-01-04 13:49:00 -0800, Aaron Wolf wrote:

> Note that there's also this issue at Gitea:
> https://github.com/go-gitea/gitea/issues/13393

> Anyway, I think it is not okay to downgrade Codeberg for not
> functioning with LibreJS when it is 100% free software anyway.
> Insisting on this particular tooling needs to not be such a strong
> requirement.

> I think LibreJS needs some improved options for operating and should
> not be a blocker to Codeberg getting a higher grade.

> In practice, if sites that are 100% free software are not being
> recognized by LibreJS, and the way modern sites are put together makes
> doing this non-trivial, then the problem is LibreJS's approach, not
> the site.

Suggestions on how to improve librejs to make site administrators life
easier to comply are welcome :)

> [... 33 lines elided]

Best,
Yuchen

--
Dr Yuchen Pei | https://ypei.org | Timezone: UTC+11
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0
https://ypei.org/assets/ypei-pubkey.txt

Re: Notabug.org should be moved to B tier

2023-11-04 Thread Yuchen Pei 
On Fri 2023-11-03 19:09:18 -0400, bill-auger wrote:
> [... 18 lines elided]

> so the problem with 'semantic-2.2.13.min.js' is the weblabels file, which has
> drifted out-of-date - IIRC, that was the original problem in 2021 - the new
> problem with 'highlight.pack.js' appears to be a short-coming of librejs - 
> that
> file is listed in the weblabels file, and librejs did not reject it in 2021,
> IIRC

> from the weblabels file:
>> semantic-2.2.10.min.js   Expat   semantic-UI-2.2.10.tar.gz
>> highlight.pack.jsBSD 3 Clausehighlight.js-9.6.0.tar.gz

LibreJS is working as intended here: it checks the license label ("BSD 3
Clause" here) and the link
(https://github.com/isagalaev/highlight.js/blob/master/LICENSE here).
Neither could be found in the license_definitions.json file (it has
"BSD-3-Clause" and "http://opensource.org/licenses/BSD-3-Clause";). So it
rejects the script.

Do you have an Internet Archive snapshot of the 2021 version that
librejs did not reject?

Best,
Yuchen

--
Timezone: UTC+11
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0

Re: Notabug.org should be moved to B tier

2023-10-31 Thread Yuchen Pei 
On Mon 2023-10-30 23:02:43 -0400, Richard Stallman wrote:

> [[[ To any NSA and FBI agents reading my email: please consider]]]
> [[[ whether defending the US Constitution against all enemies, ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]

>   > https://notabug.org/js/semantic-2.2.13.min.js seems to be still used in
>   > the homepage  for me.

> I wonder what is going on here.
> Is the JS code in that page marked as free?
> Is it in fact free?

The only librejs-noncompliant script, located at
, has the following
header. So it seems to be free.

--8<---cut here---start->8---
 /*
 * # Semantic UI - 2.2.12
 * https://github.com/Semantic-Org/Semantic-UI
 * http://www.semantic-ui.com/
 *
 * Copyright 2014 Contributors
 * Released under the MIT license
 * http://opensource.org/licenses/MIT
 *
 */
--8<---cut here---end--->8---


Best,
Yuchen

--
Timezone: UTC+11
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0

Re: Notabug.org should be moved to B tier

2023-10-29 Thread Yuchen Pei 
On Sun 2023-10-29 12:16:12 +0200, GMD Ephir wrote:

> Dear GNU,
> notabug.org has fixed it's problems with javascript. Now
> https://notabug.org/js/semantic-2.2.13.min.js isn't used and all

https://notabug.org/js/semantic-2.2.13.min.js seems to be still used in
the homepage  for me.

> web-labels are up to date. See
> https://notabug.org/assets/librejs/librejs.html

Nice! They are recognised by LibreJS.

Best,
Yuchen

--
Timezone: UTC+11
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0

Re: Review codeberg.org and git.disroot.org

2022-05-23 Thread Yuchen Pei 
On Mon 2022-05-23 10:24:17 -0400, Greg Farough wrote:

> On Mon, May 23 2022, Ian Kelling  wrote:
>
>> Akib Azmain Turja  writes:
>>
>>> [[PGP Signed Part:Undecided]]
>>> Ian Kelling  writes:
>>>
 Wuzzy  writes:

> Hello! I like to suggest adding reviews for https://codeberg.org and
> https://git.disroot.org, two instances of Gitea .

 Good idea. Someone should do an evaluation and post it. It is just a
 comment what they found with respect to each point in the criteria.

>>>
>>> I use Codeberg and also have an account at Disroot's Gitea.  Can someone
>>> tell me about the evaluation process?
>>
>> Here is the process as far as I know:
>>
>> First, anyone does the evaluation by going through all the points, and
>> documenting what they find. Then post it here. Also, at that point or
>> later, they should post a patch to the website that has the changes
>> based on their evaluation, or at least what the text should say. Then
>> people on the list review the evaluation, comment on it, it may need
>> changes, and when there are no more changes to make, someone with access
>> to update the site does it.
>
> There was a partial evaluation of Codeberg sometime last year. A good
> place to start would be reviewing this thread from the list, and
> seeing if everything still applies.
>
> 
>

There's also  but this link is
included in that thread too.

> -g


Best,
Yuchen

-- 
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0
  


signature.asc
Description: PGP signature

Re: [PATCH] Updating homepage to point people to pagure for development.

2021-12-03 Thread Yuchen Pei 
On Thu, Dec 02 2021, bill-auger wrote:

> On Wed, 13 Oct 2021 14:32:54 +1100 Yuchen wrote:
>> based on the ethical 
>> repository criteria[1] it would probably get an F for failing C0, 
>> because with LibreJS on I couldn't register a new account, nor 
>> could I create a pull request.
>
> pagure deserves some defense - the pagure devs have stated
> willingness to accept any and all patches for librejs -
> pagure.io logins are managed by fedora though - those are the
> folks who would need to be convinced to adapt for librejs, if
> pagure.io fails C0 for that reason
>
> the C0 question is essentially:
> * does any important functionality require non-free software?
>   strictly speaking, a complete API satisfies C0, naturally;
>   but not for the registration process
>
> example of important functionality:
>
> * can i register with librejs? No.

In fact, I can.  I was able to register it in eww (the emacs built-in
browser without any javascript capacity), but then I couldn't log out.
One can probably register with noscript on.  This is why I think LibreJS
should have a noscript mode, like the opposite of whitelisting, where
the user can block all javascript (trivial or not) on a website.
Without more research I'm not sure if this is doable though, as I
observe in the case of noscript there's a "disable noscript for this
tab" button, but not "enable it for this tab".  It is a pain to have
both librejs and noscript on, so whenever I want to test whether a site
works better noscript than with librejs, I would test it in EWW.
Discourse forums are another example.

>
> IMHO, C0 is satisfied if either of the following such questions
> are true of each important feature (register, open a PR, etc)
>
> * can i ___ without JS, or without a web browser? Yes.
>   the pagure API supports authenticated pull-requests
>   it is a (non-web) interface to all important features
>   (using the 'curl' web browser)
>   https://pagure.io/api/0/#pull_requests-tab

Thanks, I will test the API.

>
> * can i ___ with librejs in a web browser? No.
>   normally, the cause can be upgraded remote dependencies,
>   but the librejs licenses table(s) were neglected - a routine
>   maintenance task - the fixes would be tiny and accepted
>
> in short, i dont believe that C0 requires all important
> features to be exposed via the web interface - a complete API
> makes C0 a moot point, naturally

Perhaps this has been discussed in the repo-criteria-discuss, but I can
see why this argument makes sense, in that a user seeking freedom has
the means not to give it up while still being able to use the service.

>
> a trivial example: the VCS server - the VCS server is an
> important feature (if not THE most important) - the forge is not
> expected to expose all functionality of the VCS server via the
> web inteface, nor to mimic a VCS client - i interpret C0
> broadly, enough to allow any of all important functionalities
> to be satisfied by any mechanism operated by the same host -
> it is not important to me if all functionality is supported via
> the web interface, as long as it is possible, using some libre
> tool (eg: the 'git' or 'curl' programs)
>

Best,
Yuchen

-- 
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0
  


signature.asc
Description: PGP signature

Re: Please review codeberg.org

2021-10-10 Thread Yuchen Pei 
On 11 October 2021 10:26:00 GMT+11:00, Richard Stallman  wrote:
>[[[ To any NSA and FBI agents reading my email: please consider]]]
>[[[ whether defending the US Constitution against all enemies, ]]]
>[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
>  > > ☐B0 - Compatible with LibreJS (or equivalent tool)
>  > > NOTES: some scripts are not labeled, uses the name "MIT" for 
>  > > expat license.
>
>  > I don't see changes in this, at least some scripts at codeberg.org 
>  > are still blocked by librejs.
>
>The crucial question is not whether some scripts are blocked
>but whether the page's operations do their jobs,
>Sometimes there are scripts which do unimportant things,
>so that the page is usable even though they are blocked.
>
>We can judge those pages as ok.
>

Isn't this the distinction between B0 and C0?  OK for C0 but not OK for B0.

Re: Please review codeberg.org

2021-10-10 Thread Yuchen Pei 


bill-auger  writes:


On Sat, 09 Oct 2021 21:44:04 +1100 Yuchen wrote:
Do you mean the reason for B0 and B2 failing are no longer 
true?


i dont know - i have not reviewed codeberg - it was a very long
review and was difficult to find where/how B0 or B2 were
resolved - i found one post, which indicates that B0 was
resolved, and that the wiki checklist was updated to reflect 
that


https://lists.gnu.org/archive/html/repo-criteria-discuss/2021-07/msg00016.html


That was about C0, not B0/B2, see the context of that message 
e.g. 





On Sat, 09 Oct 2021 21:44:04 +1100 Yuchen wrote:
I don't see changes in this, at least some scripts at 
codeberg.org 
are still blocked by librejs.


the wiki checklist still indicates that it is failing though; so
there is conflicting information between the wiki and the
mailing list


B0 is still failing, C0 was no longer failing and the wiki was 
updated accordingly:






what i8 remember, is that the codeberg team was working to
satisfy the 'B' criteria; and i presented it as such,
assuming that those changes were relatively simple, and could be
accomplished in the short time while waiting for final approval

now that the review was accepted and ready to publish, it is not
obvious that B0 and B2 were ever satisfied as expected - so i
suppose that codeberg should enter the list at the 'C' level,
rather than the 'B' level as proposed

if someone can demonstrate otherwise, then the wiki should be
updated - i would want to do that now; to remove this confusion
for the future



--
Best,
Yuchen

PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0
  


signature.asc
Description: PGP signature

Re: Please review codeberg.org

2021-10-09 Thread Yuchen Pei 


bill-auger  writes:


On Fri, 30 Jul 2021 13:53:42 +1000 Yuchen wrote:

I've updated the libreplanet checklist.


the checklist shows B0 and B2 failing - which passing? - should
codeberg get a 'C' for now; and possibly upgrade it later - or
is it the complete 'B' set now (checklist should be updated)?


Do you mean the reason for B0 and B2 failing are no longer true?

Below I copy the wiki descriptions at 
:



☐   B0 - Compatible with LibreJS (or equivalent tool)
NOTES: some scripts are not labeled, uses the name "MIT" for 
expat license.


I don't see changes in this, at least some scripts at codeberg.org 
are still blocked by librejs.



☐   B2 - Does not encourage unclear licensing
NOTES: no diff between GPLv3 and GPLv3-or-later repositories 
https://lists.gnu.org/archive/html/repo-criteria-discuss/2021-06/msg00022.html


--
Best,
Yuchen

PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0
  


signature.asc
Description: PGP signature

Re: Ethical repository criteria rating for Sourcehut

2021-08-22 Thread Yuchen Pei 


Yuchen Pei  writes:


Richard Stallman  writes:

[[[ To any NSA and FBI agents reading my email: please consider 
]]]
[[[ whether defending the US Constitution against all enemies, 
]]]

[[[ foreign or domestic, requires you to follow Snowden's
example. ]]]

  > it has ben evaluated
  > https://libreplanet.org/wiki/Sourcehut

Would someone like to turn this into a patch ready to install
in https://www.gnu.org/software/repo-criteria-evaluation.html?


There was a patch[1] from bill-auger.  We later had a discussion 
on
SaaSS (C5) and whether CI/CD count as SaaSS[2][3].  I would 
answer
"not sure" to C5 for sr.ht.  Otherwise that patch looks good to 
me.


I meant A5, not C5, sorry.



[1]:
https://lists.gnu.org/archive/html/repo-criteria-discuss/2021-06/msg00036.html 
(Mon, 14 Jun 2021 19:33:09 -0400)

[2]:
https://lists.gnu.org/archive/html/repo-criteria-discuss/2021-06/msg00060.html 
(Mon, 21 Jun 2021 23:13:51 +1000)

[3]:
https://lists.gnu.org/archive/html/repo-criteria-discuss/2021-06/msg00064.html 
(Thu, 24 Jun 2021 20:19:46 -0400)



--
Best,
Yuchen

PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0
  <https://ypei.me/assets/ypei-pubkey.txt>


signature.asc
Description: PGP signature

Re: Ethical repository criteria rating for Sourcehut

2021-08-22 Thread Yuchen Pei 


Richard Stallman  writes:

[[[ To any NSA and FBI agents reading my email: please consider 
]]]
[[[ whether defending the US Constitution against all enemies, 
]]]
[[[ foreign or domestic, requires you to follow Snowden's 
example. ]]]


  > it has ben evaluated
  > https://libreplanet.org/wiki/Sourcehut

Would someone like to turn this into a patch ready to install
in https://www.gnu.org/software/repo-criteria-evaluation.html?


There was a patch[1] from bill-auger.  We later had a discussion 
on SaaSS (C5) and whether CI/CD count as SaaSS[2][3].  I would 
answer "not sure" to C5 for sr.ht.  Otherwise that patch looks 
good to me.


[1]: 
https://lists.gnu.org/archive/html/repo-criteria-discuss/2021-06/msg00036.html 
(Mon, 14 Jun 2021 19:33:09 -0400)
[2]: 
https://lists.gnu.org/archive/html/repo-criteria-discuss/2021-06/msg00060.html 
(Mon, 21 Jun 2021 23:13:51 +1000)
[3]: 
https://lists.gnu.org/archive/html/repo-criteria-discuss/2021-06/msg00064.html 
(Thu, 24 Jun 2021 20:19:46 -0400)

--
Best,
Yuchen

PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0
  


signature.asc
Description: PGP signature

Re: Please review codeberg.org

2021-07-29 Thread Yuchen Pei 


Yuchen Pei  writes:



Looks like they decided to wait for some migration which 
presumably

would fix the docs librejs compliance:

https://codeberg.org/Codeberg/Documentation/issues/145#issuecomment-210498



https://docs.codeberg.org is now librejs compliant:

https://codeberg.org/Codeberg/Documentation/issues/145#issuecomment-244292

I've updated the libreplanet checklist.

OTOH not sure if there's a bug with librejs, but for me it did not 
detect the deferred script:


<tt>src="<a  rel="nofollow" href="https://design.codeberg.org/design-kit/codeberg.js"">https://design.codeberg.org/design-kit/codeberg.js"</a>;>


Though that script is properly labelled, but if librejs can not 
detect all deferred scripts then it is a loophole and bug.


Thus I'm ccing bug-librejs.

Best,
Yuchen
--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: how much of a forge is SaaSS?

2021-07-04 Thread Yuchen Pei 


bill-auger  writes:


On Wed, 30 Jun 2021 19:59:51 -0400 Richard wrote:
If a project operates the forge, and its participants use it 
for

working on that project, that is not SaaSS.  In this case, _the
project_ is using the forge.


i agree; but none of the forges on this list are of that case -
perhaps savannah.gnu.org is, because all projects are GNU
projects; but savannah.nongnu.org is not

thats why Yuchen's essential question is: how much of the
functionality of forges would qualify as SaaSS, in cases where 
it

is operated by "someone else"

IMHO, projects are using these freebies only because the are
popular, and for the convenience of someone else maintaining
their infrastructure for gratis - nothing prevents projects from
operating their own forge, or to competently manage their
projects without any forge - even if they must pay for hosting,
it would be only a few bucks per month, for most projects -
IMHO, that qualifies all but savannah.gnu.org as SaaSS


Judging from rms' response, there are basically two criteria to 
determine whether a service is SaaSS:


1. Whether it does communications only
2. Whether it is operated by people / project using it

And the service is SaaSS if and only if the answer to both 
questions are no.


With that it looks like NonGNU is not SaaSS because it the answer 
to the first question seems to be yes. And it is not unrealistic 
for a forge to satisfy criterion 1 without satisfying criterion 2.


Best,
Yuchen

--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: [PATCH]: add new criteria A+7

2021-06-30 Thread Yuchen Pei 


Richard Stallman  writes:

[[[ To any NSA and FBI agents reading my email: please consider 
]]]
[[[ whether defending the US Constitution against all enemies, 
]]]
[[[ foreign or domestic, requires you to follow Snowden's 
example. ]]]


  > > Helps or reminds users to put license notice in their 
  > > source 
  > > files.


  > Judging from the face value, I'd say minimally a forge can 
  > satisfy 
  > this by stating in the docs that there should be a copyright 
  > notice in each source file.


That _informs_ some of the users, those who read the docs,
but it does not _help_ them put in license notices.
And it does not _remind_ them.  To remind them means
to tell them that some files lack notices.


Makes sense. Attached is a screenshot of how the nongnu savannah 
does it when creating a new project.






THis is a very important feature that forges should implement.



--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: [PATCH]: add new criteria A+7

2021-06-29 Thread Yuchen Pei 


bill-auger  writes:


the most significant factor, regarding this criteria, is that i
do not know of any forge which would satisfy it, including
savannah - i believe that moving A+7 to the 'A' level, would
demote savannah to a 'B'

my interpretation of A+7 is that it would require some technical
mechanism to parse source files, upon each change, deduce if a
license header is missing, and "remind" or "help" to add it, or
correct it


Here's the criterion

Helps or reminds users to put license notice in their source 
files.


Judging from the face value, I'd say minimally a forge can satisfy 
this by stating in the docs that there should be a copyright 
notice in each source file.


Another simple thing to do is to display a link to the reminder in 
the doc somewhere on each repo page (like "license checklist").




its a very nice wish; but i doubt that any forge will do that in
the foreseeable future



--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: how much of a forge is SaaSS?

2021-06-28 Thread Yuchen Pei 


bill-auger  writes:


i started a new thread for this discussion, to avoid steering
the codeberg thread off-track


On Tue, 29 Jun 2021 10:33:00 +1000 Yuchen wrote:

> i think that the "gist" of the SaaSS definition, is that it
> covers any computing task, which could be done on one local
> machine, or at least one controlled by the user  

and which does not require communications with someone else's 
computers.


using a forge (or a web browser), does not require communication
with any other computer - it is a perfectly valid use-case, to
operate ones own forge for private, local, use


Using a forge as a means of publishing and communication does 
require communication with other people's computer, either to view 
someone else's repos, or to let others view your repos.




in any use-case, the use of a forge, certainly does not require
all communications to be mediated through a third-party, who has
no obligation nor stake in the project


SaaSS is less about mediation through a third-party than what kind 
of activities is mediated through a third party, whether it is 
doing computing on your behalf.





On Tue, 29 Jun 2021 10:33:00 +1000 Yuchen wrote:
Code review, forum and mailing lists are all communications so 
should not count as SaaSS.


the fact that communication is involved, does not exempt it from
being SaaSS - when those communication are mediated by a forge,
there is much more happening than simple "communication" - there
is code being executed on a machine, which _none_ of the users
control, but which could be executed on a machine that one (or
all) of the users _could_ control


It is not about who controls the execution of the code, but what 
kind of functionality such execution does.





On Tue, 29 Jun 2021 10:33:00 +1000 Yuchen wrote:
Take mentions for example. Say the functionality is you get an 
notification when someone @you in an issue tracker. Is this 
SaaSS?


likely no; because the computation is so trivial - but the task
itself is also trivial - a forge and a web browser are absurdly
complicated tools for that trivial task - that same task could
be accomplished, using only simpler, local software (email,
XMPP, etc)



Again, whether a service counts as SaaSS has less to do with the 
complexity of the computation, but the functionality.




On Tue, 29 Jun 2021 10:33:00 +1000 Yuchen wrote:
because there's no way of 
getting the notification without communicating with the server.


yes there is - you could operate the server yourself on a
machine that you control - other contributors would get
notifications from your server; but at least one of the team
members controls that server



Who controls the server is less relevant. If it is SaaSS, the fact 
you / your project control it does not mean it is no longer SaaSS, 
as people with no control to the server will still be harmed when 
using your service.




On Tue, 29 Jun 2021 10:33:00 +1000 Yuchen wrote:

Clearly Forge A gives users more control than Forge B


Forge A may give users more _options_ than Forge B, regarding
which computations happen, and when; but none of the users have
any _control_, over any of the computations, on either forge


On Tue, 29 Jun 2021 10:33:00 +1000 Yuchen wrote:
Perhaps the SaaSS essay needs an update to cover the 
bells-and-whisles.


i agree - most policies should be reviewed/revised periodically,
to stay current with the technologies that people use

likewise, these repo-criteria are showing their age, by ignoring
self-hosting forges as a viable (if not the preferred) option,
and indeed, the general solution to the SaaSS issue


Quote from the essay 
(https://www.gnu.org/philosophy/who-does-that-server-really-serve.en.html):


Rejecting SaaSS does not mean refusing to use any network 
servers run by anyone other than you. Most servers are not SaaSS 
because the jobs they do are some sort of communication, rather 
than the user's own computing.


--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: Please review codeberg.org

2021-06-28 Thread Yuchen Pei 


bill-auger  writes:


On Mon, 28 Jun 2021 17:03:45 +1000 Yuchen wrote:
A forge defined this way does hosting / publishing and 
communication only, not computation, thus it should not be 
considered SaaSS.


its a valid point - i believe there was an unwritten implication
in that quote though - it was implied that the those tasks could
not be accomplished on ones own computer


I was also under the impression that whether a task counts as 
SaaSS depends on the significance of the computation in the tasks, 
but re-reading the essay I don't think that is true.


Rather it is about computing tasks where the activity does not 
inherently involve anyone else (see the section "How Service as a 
Software Substitute Takes Away Your Freedom" in the SaaSS 
essay). An example would be editing a photo, and a non-example 
would be publishing like posting blogposts and communications like 
mailing lists.




surely, some people do not have a reliable internet connection
- for those people, a freebie service may be the only option; 
but

self-hosting is possible, and hosting is affordable

i think that the "gist" of the SaaSS definition, is that it
covers any computing task, which could be done on one local
machine, or at least one controlled by the user


and which does not require communications with someone else's 
computers.




perhaps publishing is not a significant computation; but forges
do much more than publishing - they are complete applications -
they actually simulate several discrete applications (bug
tracking, code review, signature verification, forum, mailing
lists) - also live alerts / web-hooks / @mentions, third-party
API integrations, and other webby bells-and-whistles


Code review, forum and mailing lists are all communications so 
should not count as SaaSS. Not sure about bug tracking, signature 
verifications, live alerts, web-hooks, mentions, as that depends 
on the definition of these functionalities.


Take mentions for example. Say the functionality is you get an 
notification when someone @you in an issue tracker. Is this SaaSS?


Suppose Forge A sends an email to the user for every issue message 
like most forges do, then you can set up the notification by you 
own using the mail client. So it is SaaSS.


Suppose Forge B does not offer the service of sending an email for 
every message in the issue tracker and it does not offer an API 
for clients to grab messages? The user will then need to write a 
parser and have to be mindful about the rate of requests sent to 
the forge service. But assuming the user has no way of getting 
these messages without using the forge web service, then it is not 
considered SaaSS by the definition, because there's no way of 
getting the notification without communicating with the server. So 
the mention functionality is not considered SaaSS.


Clearly Forge A gives users more control than Forge B, so it feels 
wrong to fail Forge A on SaaSS criterion because of this.


What do you think?

Perhaps the SaaSS essay needs an update to cover the 
bells-and-whisles. For one thing, the FSF Member Forum (a 
discourse forum) has the mention notification functionality.


I think the general problem with deciding or ensuring that a 
service is not SaaSS, is that it is much harder to do so than 
deiciding or ensuring a piece of software is free, because for the 
latter we just need to check the license or stamp it with a free 
license and let the license and the copyright law do the heavy 
lifting, but for the former we have to do detailed analysis of the 
functionalities of the service.


Best,
Yuchen

--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: Please review codeberg.org

2021-06-28 Thread Yuchen Pei 


bill-auger  writes:


On Sun, 27 Jun 2021 20:33:59 -0400 Richard wrote:
  >   Does not recommend SaaSS services, operated by other 
  >   hosts. (A5)  

  >   Any recommended SaaSS services operated by the same host, 
  >   also
  >   pass all 'C' criteria. (C7)  


Why make this distinction?  I just don't see the reason to.


that was to illuminate, that all forges on this list, and under
review, are SaaSS, without exception - the entire purpose of 
this

list is to recommend SaaSS - that may not have been so obvious
when this list was created; but it is today


I'm not sure if this is true. Assuming a forge is a service that 
hosts your git repositories / publishes commits and provides a 
space for communication through issue trackers which are glorified 
mailing lists. Then it is almost the same as a blogging site for 
people to host their blogs with the following (loose) analogies:


- Blogposts <-> commits
- Comments <-> issues

The essay defining SaaSS argues that blogging or microblogging 
services are not SaaSS:


The original idea of web servers wasn't to do computing for you, 
it was to publish information for you to access. Even today this 
is what most web sites do, and it doesn't pose the SaaSS 
problem, because accessing someone's published information isn't 
doing your own computing. Neither is use of a blog site to 
publish your own works, or using a microblogging service such as 
Twitter or StatusNet. (These services may or may not have other 
problems, depending on details.) The same goes for other 
communication not meant to be private, such as chat groups.


A forge defined this way does hosting / publishing and 
communication only, not computation, thus it should not be 
considered SaaSS.


Best,
Yuchen

--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: repo criteria changes

2021-06-24 Thread Yuchen Pei 


Richard Stallman  writes:

[[[ To any NSA and FBI agents reading my email: please consider 
]]]
[[[ whether defending the US Constitution against all enemies, 
]]]
[[[ foreign or domestic, requires you to follow Snowden's 
example. ]]]


I think you are right about "publicly accessible".

It is important to rule out lack of license.

I don't want to make the requirement more strict by requiring 
works of
art and opinion to have free licenses.  So I would like to use 
this

text.

  Does not permit nonfree licenses (or lack of 
  license)

  for works for practical use, in publicly accessible
  repos. (A4)

  Does not permit nonsharing licenses (or lack 
  of

  license) for any works in publicly accessible
  repos. (A4-1)


What is a nonsharing license? I assume nonsharing licenses are 
nonfree, but not the other way around.


I find this difficult to read to have both A4 and A4-1, and I 
think that just A4 itself is sufficient, as (given the above 
assumption) cases covered by A4-1 but not A4 (does not permit 
nonsharing licenses for nonpractical works) is out of scope of 
free software. 


Best,
Yuchen

--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: Please review codeberg.org

2021-06-23 Thread Yuchen Pei 


Richard Stallman  writes:

[[[ To any NSA and FBI agents reading my email: please consider 
]]]
[[[ whether defending the US Constitution against all enemies, 
]]]
[[[ foreign or domestic, requires you to follow Snowden's 
example. ]]]


  > I don't know saass well enough to improve this answer ("not 
  > sure"). A concise definition would certainly help. For 
  > example, 
  > does CI / CD (something codeberg is planning to provide) 
  > count as 
  > SaaSS?


What does "CI / CO" mean?  And can someone tell me what 
activities it
consists of?  It may very well be SaaSS.  If so, the question of 
what

we should say about it may be difficult.


CI / CD is continuous integration / continuous deployment (or 
development). But I mainly see CI, rather than CD with 
codeberg.org / sr.ht. Wikipedia says "In software engineering, 
continuous integration (CI) is the practice of merging all 
developers' working copies to a shared mainline several times a 
day.", but it may also involve compiling and testing code 
(https://en.wikipedia.org/wiki/Continuous_integration) on a 
server. I don't know what kind of CI is run on sr.ht, or even 
ci.guix.gnu.org and whether these services count as SaaSS.


--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: Please review codeberg.org

2021-06-21 Thread Yuchen Pei 


Richard Stallman  writes:

[[[ To any NSA and FBI agents reading my email: please consider 
]]]
[[[ whether defending the US Constitution against all enemies, 
]]]
[[[ foreign or domestic, requires you to follow Snowden's 
example. ]]]


  > > Only A5 and A+3 are marked as 
  > > TODO. Let me know if I have missed anything.


  > it is probably acceptable to omit some criteria, at a level
  > beyond which the forge meets fully - that is the assumption 
  > is

  > made when reviewing notabug.org

In principle, it is acceptable, but is there really any 
uncertainty left
in those two answers?  I think we can settle them now.  Or 
perhaps

we already have done so in this discussion.


A5: here's the latest discussion about it afaik:

 > 16. Does it make sure not to recommend services that are 
 > SaaSS

 > ?
 > >Yes, because they avoid using proprietary software as part 
 > >of their

 > infrastructure to be completely independent.

There may be a misunderstanding here.  SaaSS is NOT the same 
thing as

using nonfree software.
https://gnu.org/philosophy/who-does-that-server-really-serve.html
is supposed to explain what SaaSS means, but maybe it was not 
clear.


Anyway, for this please put down "not sure" as the answer; 
someone else

will determine the answer later.


I don't know saass well enough to improve this answer ("not 
sure"). A concise definition would certainly help. For example, 
does CI / CD (something codeberg is planning to provide) count as 
SaaSS? It certainly is doing computing on users' behalf, but sr.ht 
also offers it but passed the A5 criterion 
(https://lists.gnu.org/archive/html/repo-criteria-discuss/2021-03/msg4.html, 
from Jack Pearson, date: Fri, 5 Mar 2021 13:12:32 -0800).


A3: here's what I could find in previous discussions about it:

2.Follows the Web “Content” Accessibility Guidelines 2.0 (WCAG 
2.0) standard.

-There are 230 errors using HTML_CodeSniffer.


I am not familiar with WCAG or HTML_CodeSniffer and I don't know 
what is the implication of having 230 errors using 
HTML_CodeSniffer (sounds like it failed the criterion?), so I 
marked it as todo. I can take another look later.


Best,
Yuchen

--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: Please review codeberg.org

2021-06-17 Thread Yuchen Pei 


Yuchen Pei  writes:


Yuchen Pei  writes:


Richard Stallman  writes:

[[[ To any NSA and FBI agents reading my email: please 
consider ]]]
[[[ whether defending the US Constitution against all enemies, 
]]]

[[[ foreign or domestic, requires you to follow Snowden's
example. ]]]

  > I filled in B2 based on answer to Q9 at   >
https://lists.gnu.org/archive/html/repo-criteria-discuss/2021-06/msg5.html. 
There's
> also Q13 but that is for A2.

I can't access messages easily using those URLs.  Would you 
please

identify the message by its From: field and its Date; field?
With those, I can find it quickly.


From: Adam Faiz



  > I'm not sure if the choice of licenses is discussed   >
elsewhere on   > the docs.

B2 is NOT just a matter of "choosing" the license.  Whichever 
form

of
licensing you choose, you must state it clearly _in the 
package
source_.  If a site doesn't tell people to do that, and give 
clear
directions to do it right, then it encourages unclear 
licensing

practices.


You are right, and after reading the forwarded discussions, I 
agree
codeberg failed B2. Updated 
https://libreplanet.org/wiki/Codeberg.




  > By the way I could not navigate the   >
https://docs.codeberg.org with   > librejs on:

  > > blocked scripts in https://docs.codeberg.org/:
  > >   > > https://docs.codeberg.org/assets/js/collapse.js:
  > >   > > External script with no known license
  > > https://docs.codeberg.org/assets/js/sidebar.js:
  > >   > > External script with no known license

  > Does that mean it fails C0?

I think so.  But I don't know what docs.codeberg.org/ 
does. What

does
it do?  Is it an important site function?  (That is a judgment
call,
not a mechanical decision.)


It is the documentation site of codeberg.org and the place 
where I
looked for answer to Q9. I think it is rather important for 
someone

unfamiliar with codeberg, but not so much for an experienced
user. Attached is a screenshot of the landing page with the toc 
on

and
librejs off. Turning on librejs, the toc seems to be only 
accessible

by inspecting the source of the webpage.

OTOH the blocked scripts seem rather simple:

https://docs.codeberg.org/assets/js/collapse.js
https://docs.codeberg.org/assets/js/sidebar.js

I think the way forward on this is to report the issue and / or 
send

a
pull request at the repo 
https://codeberg.org/Codeberg/Documentation


I've reported an issue
https://codeberg.org/Codeberg/Documentation/issues/145, and will 
work on a PR.


Looks like they decided to wait for some migration which 
presumably would fix the docs librejs compliance:


https://codeberg.org/Codeberg/Documentation/issues/145#issuecomment-210498

OTOH they also mentioned thir Terms of Use does not permit "no 
license" 
(https://codeberg.org/Codeberg/Documentation/issues/145#issuecomment-210324) 
(see below for the quoted message), so A4 
(https://www.gnu.org/software/repo-criteria.html#A4) is 
satisfied. If no one opposes I'm going to mark A4 as satisfied on 
the wiki page. Here I quote the message in the issue:


codeberg.org permits "lack of license" as the license field is 
optional

when creating a new repo.




That's not true. Although it's technically possible to create an 
empty repo, it's of course up to the user to choose a correct 
licence. Some people like to put licence files differently than 
creating a Markdown-formatted file, so creating empty repos will 
always be an option.
You can also push content locally via CLI, so having that option 
in the GUI does not prevent anyone from pushing unlicenced code, 
or code licenced in a way that is not considered free software.


But, the Terms of Use clearly reads in section "Service" ( 
https://codeberg.org/codeberg/org/src/branch/master/TermsOfUse.md#service 
) :






For Free and Open Software projects (FOSS) as defined by the 
Free Software
Foundation (FSF) and the Open Source Initiative (OSI), Codeberg 
provides
Repository and Version Control, Wiki, and Issue Tracker hosting 
under

certain terms and conditions
[...]
Our service is open for all projects working under a license 
compatible
with either the Open-Source-License definition of the Free 
Software

foundation (FSF) or the Open Source Initiative (OSI).




and later ( 
https://codeberg.org/codeberg/org/src/branch/master/TermsOfUse.md#repositories-wikis-and-issue-trackers 
) :






User-contributed content in all repositories, wikis and issue 
trackers:

[...]



* must only contain code and data compatible with the 
Open-Source license

requirements defined by FSF or OSI [...]





So every non-free code on our site is a clear violation of our 
Terms of Service, and since only content compatible with OSI / 
FSF definitions is accepted, code not covered by a licence 
violates our ToS, too.




Best,
Yuchen

--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: [PATCH]: add sr.ht and notabug.org

2021-06-16 Thread Yuchen Pei 

The patch looks good to me.
bill-auger  writes:


attached is a patch to add entries for sr.ht and notabug.org

sr.ht and notabug.org are combined into a single patch, to
preserve the even/odd threading of the 'listing' table

in fact, most of these patches would be difficult to apply
individually, because of the close over-lapping of context; so
i may combine all of these patches to the
repo-criteria-evaluation.html file, and send that later



--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: [PATCH]: refer to hosts by their domain name

2021-06-16 Thread Yuchen Pei 
I haven't applied the patch and inspected the resulting html in a 
browser, but judging from the diff it looks good to me.

bill-auger  writes:


attached is a patch to refer hosts by their domain name
(gitlab.com vs GitLab) per:
https://lists.gnu.org/archive/html/repo-criteria-discuss/2021-04/msg00046.html

this was proposed in order to distinguish specific service
instances, from the self-hosting versions of the underlying 
forge

software, which may commonly be referred to by the same name

the other forge-specific patches (github.patch, gitlab.patch,
sourcehut-notabug.patch) already follow that naming
convention - this patch covers the remaining (unchanged) forges



--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: Please review codeberg.org

2021-06-15 Thread Yuchen Pei 


Yuchen Pei  writes:


Richard Stallman  writes:

[[[ To any NSA and FBI agents reading my email: please consider 
]]]
[[[ whether defending the US Constitution against all enemies, 
]]]

[[[ foreign or domestic, requires you to follow Snowden's
example. ]]]

  > I filled in B2 based on answer to Q9 at   >
https://lists.gnu.org/archive/html/repo-criteria-discuss/2021-06/msg5.html. 
There's
> also Q13 but that is for A2.

I can't access messages easily using those URLs.  Would you 
please

identify the message by its From: field and its Date; field?
With those, I can find it quickly.


From: Adam Faiz



  > I'm not sure if the choice of licenses is discussed   >
elsewhere on   > the docs.

B2 is NOT just a matter of "choosing" the license.  Whichever 
form

of
licensing you choose, you must state it clearly _in the package
source_.  If a site doesn't tell people to do that, and give 
clear

directions to do it right, then it encourages unclear licensing
practices.


You are right, and after reading the forwarded discussions, I 
agree
codeberg failed B2. Updated 
https://libreplanet.org/wiki/Codeberg.




  > By the way I could not navigate the   >
https://docs.codeberg.org with   > librejs on:

  > > blocked scripts in https://docs.codeberg.org/:
  > >   > > https://docs.codeberg.org/assets/js/collapse.js:
  > >   > > External script with no known license
  > > https://docs.codeberg.org/assets/js/sidebar.js:
  > >   > > External script with no known license

  > Does that mean it fails C0?

I think so.  But I don't know what docs.codeberg.org/ 
does. What

does
it do?  Is it an important site function?  (That is a judgment 
call,

not a mechanical decision.)


It is the documentation site of codeberg.org and the place where 
I
looked for answer to Q9. I think it is rather important for 
someone unfamiliar with codeberg, but not so much for an 
experienced
user. Attached is a screenshot of the landing page with the toc 
on and
librejs off. Turning on librejs, the toc seems to be only 
accessible

by inspecting the source of the webpage.

OTOH the blocked scripts seem rather simple:

https://docs.codeberg.org/assets/js/collapse.js
https://docs.codeberg.org/assets/js/sidebar.js

I think the way forward on this is to report the issue and / or 
send a
pull request at the repo 
https://codeberg.org/Codeberg/Documentation


I've reported an issue 
https://codeberg.org/Codeberg/Documentation/issues/145, and will 
work on a PR.




Best,
Yuchen



--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: Need for some guidelines to improve participation

2021-06-15 Thread Yuchen Pei 


Bert Van de Poel  writes:


Dear fellow repo-criteria-discuss members,

As some of you have remarked (including me), discussions here 
tend to
fizzle before things are properly finished. I would like to 
point to
an in my opinion clear explanation why this keeps happening and 
would
like to hear from others if their limited participation stems 
from the

same origins.

Specifically, I've noticed a tendency by some of the more active
members of this list to answer a single email in several 
steps. Either
splitting up a single email into several responses, or 
responding
first to the original and then to some of the other 
reactions. This
creates a thread structures that's far from linear and I would 
say
even makes it truly look like a nine headed hydra. For the past 
three
or so weekends I had planned to tackle my unread email from this 
list,
but found myself ever more demotivated by just even vaguely 
trying to
grasp who exactly has been responding to who and where 
discussions
were going. As the thread view of the codeberg thread (attached 
as a
screenshot to this email) illustrates, once you get behind a few 
days

it's far from easy to catch up.


I was able to keep track of the discussions by gathering info 
under an org mode headline. It worked wonderfully and I suspect a 
plaintext file could achieve the same effect though less 
convenient.


Best,
Yuchen



I fear that like me, many members here find it hard to motivate
themselves to wade through split up argumentation. I would 
personally 
much prefer if discussions were kept more linear. If people feel 
like
we should mix discussion of several criteria within a single 
thread,
then I suggest we start completely new threads with a separate 
subject
for each criteria, though I personally don't see why we couldn't 
all
discuss them in one, linear thread. Of course, in practice it's 
far
from realistic to always stay perfectly linear, but it is my 
belief
that more people would get involved and give their opinion on 
this

list if the discussions were more structured and linear.

I hope to hear from those members who have been less active, and 
see

what their take on the matter is. If of course I'm alone in this
concern I'll gladly keep my frustrations about this to myself, 
but if
others have these same problems, I suggest we should adhere 
certain
guidelines in the spirit of better participation and 
cooperation.


Kind regards,
Bert Van de Poel



--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: Please review codeberg.org

2021-06-10 Thread Yuchen Pei 


Richard Stallman  writes:

[[[ To any NSA and FBI agents reading my email: please consider 
]]]
[[[ whether defending the US Constitution against all enemies, 
]]]
[[[ foreign or domestic, requires you to follow Snowden's 
example. ]]]


  > I filled in B2 based on answer to Q9 at 
  > https://lists.gnu.org/archive/html/repo-criteria-discuss/2021-06/msg5.html. There's 
  > also Q13 but that is for A2.


I can't access messages easily using those URLs.  Would you 
please

identify the message by its From: field and its Date; field?
With those, I can find it quickly.


I'll try this one more time (previous two messages removed the 
date field I included):


The From field was Adam Faiz and the date field was Thu, 3 Jun 
2021 19:35:07 +0800




  > I'm not sure if the choice of licenses is discussed 
  > elsewhere on 
  > the docs.


B2 is NOT just a matter of "choosing" the license.  Whichever 
form of

licensing you choose, you must state it clearly _in the package
source_.  If a site doesn't tell people to do that, and give 
clear

directions to do it right, then it encourages unclear licensing
practices.

  > By the way I could not navigate the 
  > https://docs.codeberg.org with 
  > librejs on:


  > > blocked scripts in https://docs.codeberg.org/:
  > > 
  > > https://docs.codeberg.org/assets/js/collapse.js:
  > > 
  > > External script with no known license

  > > https://docs.codeberg.org/assets/js/sidebar.js:
  > > 
  > > External script with no known license


  > Does that mean it fails C0?

I think so.  But I don't know what docs.codeberg.org/ does. 
What does
it do?  Is it an important site function?  (That is a judgment 
call,

not a mechanical decision.)



--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: Please review codeberg.org

2021-06-10 Thread Yuchen Pei 


Yuchen Pei  writes:


Richard Stallman  writes:

[[[ To any NSA and FBI agents reading my email: please consider 
]]]
[[[ whether defending the US Constitution against all enemies, 
]]]

[[[ foreign or domestic, requires you to follow Snowden's
example. ]]]

  > I filled in B2 based on answer to Q9 at   >
https://lists.gnu.org/archive/html/repo-criteria-discuss/2021-06/msg5.html. 
There's
> also Q13 but that is for A2.

I can't access messages easily using those URLs.  Would you 
please

identify the message by its From: field and its Date; field?
With those, I can find it quickly.


From: Adam Faiz



  > I'm not sure if the choice of licenses is discussed   >
elsewhere on   > the docs.

B2 is NOT just a matter of "choosing" the license.  Whichever 
form

of
licensing you choose, you must state it clearly _in the package
source_.  If a site doesn't tell people to do that, and give 
clear

directions to do it right, then it encourages unclear licensing
practices.


You are right, and after reading the forwarded discussions, I 
agree
codeberg failed B2. Updated 
https://libreplanet.org/wiki/Codeberg.




  > By the way I could not navigate the   >
https://docs.codeberg.org with   > librejs on:

  > > blocked scripts in https://docs.codeberg.org/:
  > >   > > https://docs.codeberg.org/assets/js/collapse.js:
  > >   > > External script with no known license
  > > https://docs.codeberg.org/assets/js/sidebar.js:
  > >   > > External script with no known license

  > Does that mean it fails C0?

I think so.  But I don't know what docs.codeberg.org/ 
does. What

does
it do?  Is it an important site function?  (That is a judgment 
call,

not a mechanical decision.)


It is the documentation site of codeberg.org and the place where 
I
looked for answer to Q9. I think it is rather important for 
someone unfamiliar with codeberg, but not so much for an 
experienced
user. Attached is a screenshot of the landing page with the toc 
on and
librejs off. Turning on librejs, the toc seems to be only 
accessible

by inspecting the source of the webpage.

OTOH the blocked scripts seem rather simple:

https://docs.codeberg.org/assets/js/collapse.js
https://docs.codeberg.org/assets/js/sidebar.js

I think the way forward on this is to report the issue and / or 
send a
pull request at the repo 
https://codeberg.org/Codeberg/Documentation


Best,
Yuchen



--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: Please review codeberg.org

2021-06-10 Thread Yuchen Pei 


Richard Stallman  writes:

[[[ To any NSA and FBI agents reading my email: please consider 
]]]
[[[ whether defending the US Constitution against all enemies, 
]]]
[[[ foreign or domestic, requires you to follow Snowden's 
example. ]]]


  > I filled in B2 based on answer to Q9 at 
  > https://lists.gnu.org/archive/html/repo-criteria-discuss/2021-06/msg5.html. There's 
  > also Q13 but that is for A2.


I can't access messages easily using those URLs.  Would you 
please

identify the message by its From: field and its Date; field?
With those, I can find it quickly.


From: Adam Faiz



  > I'm not sure if the choice of licenses is discussed 
  > elsewhere on 
  > the docs.


B2 is NOT just a matter of "choosing" the license.  Whichever 
form of

licensing you choose, you must state it clearly _in the package
source_.  If a site doesn't tell people to do that, and give 
clear

directions to do it right, then it encourages unclear licensing
practices.


You are right, and after reading the forwarded discussions, I 
agree codeberg failed B2. Updated 
https://libreplanet.org/wiki/Codeberg.




  > By the way I could not navigate the 
  > https://docs.codeberg.org with 
  > librejs on:


  > > blocked scripts in https://docs.codeberg.org/:
  > > 
  > > https://docs.codeberg.org/assets/js/collapse.js:
  > > 
  > > External script with no known license

  > > https://docs.codeberg.org/assets/js/sidebar.js:
  > > 
  > > External script with no known license


  > Does that mean it fails C0?

I think so.  But I don't know what docs.codeberg.org/ does. 
What does
it do?  Is it an important site function?  (That is a judgment 
call,

not a mechanical decision.)


It is the documentation site of codeberg.org and the place where I 
looked for answer to Q9. I think it is rather important for 
someone unfamiliar with codeberg, but not so much for an 
experienced user. Attached is a screenshot of the landing page 
with the toc on and librejs off. Turning on librejs, the toc seems 
to be only accessible by inspecting the source of the webpage.


OTOH the blocked scripts seem rather simple:

https://docs.codeberg.org/assets/js/collapse.js
https://docs.codeberg.org/assets/js/sidebar.js

I think the way forward on this is to report the issue and / or 
send a pull request at the repo 
https://codeberg.org/Codeberg/Documentation


Best,
Yuchen




--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: Please review codeberg.org

2021-06-08 Thread Yuchen Pei 


Richard Stallman  writes:

[[[ To any NSA and FBI agents reading my email: please consider 
]]]
[[[ whether defending the US Constitution against all enemies, 
]]]
[[[ foreign or domestic, requires you to follow Snowden's 
example. ]]]


We have a place to insert the answers: 
https://libreplanet.org/wiki/Codeberg.
Since you have found some answers, would you like to put them in 
there?


I've copied over answers there. Only A5 and A+3 are marked as 
TODO. Let me know if I have missed anything.


Thanks a lot Adam for the evaluation.

Best,
Yuchen

--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: Please review codeberg.org

2021-06-03 Thread Yuchen Pei 


Richard Stallman  writes:

[[[ To any NSA and FBI agents reading my email: please consider 
]]]
[[[ whether defending the US Constitution against all enemies, 
]]]
[[[ foreign or domestic, requires you to follow Snowden's 
example. ]]]


  > I'm new to this list so I can't answer what the workflow is.

We haven't finished developing a workflow.  People worked on 
some
checklists in https://libreplanet.org/wiki/.  I don't know which 
of

them are carefully checked and which are not.

Some of them may be ready to install -- but they may need some
formatting to put them into the page
https://www.gnu.org/software/repo-criteria-evaluation.html.

Does this list have an archive?  If so, can you access it?


Yes and yes.


--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature

Re: Please review codeberg.org

2021-06-01 Thread Yuchen Pei 


Adam Faiz  writes:


Sure, I'd be happy to.


Great thanks.



Do I just evaluate codeberg.org based on the Ethical Repo 
Criteria and

report back based on that?


I'm new to this list so I can't answer what the workflow is.

But I like the libreplanet wiki checklists 
(https://libreplanet.org/wiki/Template:ERC_Checklist, example 
https://libreplanet.org/wiki/Notabug) so I added one for codeberg 
https://libreplanet.org/wiki/Codeberg.


If you report in the mailing list, I'll be happy to copy your 
evaluation to the lp wiki entry. Or you can do it yourself if you 
prefer.


Best,
Yuchen



On Wed, Jun 2, 2021, 11:15 AM Richard Stallman  
wrote:


[[[ To any NSA and FBI agents reading my email: please consider 
]]]
[[[ whether defending the US Constitution against all enemies, 
]]]
[[[ foreign or domestic, requires you to follow Snowden's 
example. ]]]


Would you like to start the review of codeberg.org?

This list was quite active a month ago, and we were making 
progress,
but everyone seems to have drifted away, without quite 
finishing any

of the reviews we were working on.

--
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)






--
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0


signature.asc
Description: PGP signature