
Re: [Savannah-hackers-public] Quote from Savannah regarding GNU Ethical


From: Andrew Ferguson
Subject: Re: [Savannah-hackers-public] Quote from Savannah regarding GNU Ethical Repository Criteria for Announcement
Date: Thu, 14 Apr 2016 20:46:40 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.7.0

Hi Karl,

Thanks for the info, as well as your query regarding the criteria. It is unlikely that this will cause any changes to the criteria before the evaluations are published (I believe the timeline is for release in the next few days) but they definitely are valid concerns and certainly warrant discussion (the criteria can of course be changed after the release of the evaluations) - would you be able to email your thoughts to the repo-criteria-discuss list, as it would be great if you could be involved in the discussion as well?

Kind regards,
Andrew

On 13/04/16 00:15, Karl Berry wrote:
Hi Andrew,

     Could you just confirm that it is OK for release

Seems fine to me.

     and representative of your goals?

Just for the record, I wouldn't say "we" have goals in this regard.  The
rules for Savannah are ultimately defined by the FSF, not Savannah
developers.  It is, one might say, a "wholly owned" GNU project.  None of
the three most active maintainers involved with Savannah now until
relatively recently (a couple years); obviously we, like any
Savannah contributor, agreed to support and work within the existing goals.

Regarding the criteria:
   http://www.gnu.org/software/repo-criteria.en.html

1) It's unclear to me what "visitor" means to me -- whether it means only
an anonymous visitor, or either anonymous or authenticated.

2) Criteria A+1, "Does not log anything about visitors." is draconian,
and, so far as I can see, directly conflicts with A+2, "Follows the
criteria in the [EFF's best practices]".  The EFF recommends keeping
logs for a short time, but not no logs at all.  Thus there will be the
standard web server access_log / error_log stuff even for anonymous
visitors.  (I doubt it is feasible to 100% turn off *all* logging at
every level, even aside from whether it is desirable.)

Furthermore, if "visitors" includes those who have logged in, it is an
unavoidable aspect of hosting to log many actions, and this is not bad.
Simple example: make a commit -> write repository history.
Another example: update password -> writes database -> database records
transaction.

These too could be construed as logging <something> "about visitors".
Presumably not what A+1 intends, but as written, I wouldn't have a clue
how one could comply with A+1 and still provide standard hosting services.

(If desired, feel free to pass this on to your list, of course.)

Happy hacking,
Karl



