GNU ethical repository criteria - proposed updates
We developed these criteria to judge services for hosting parts of the GNU operating system, but we recommend them to everyone that wants to use a service for publicly hosting free source code (and optionally executable programs too). The criteria emphasize protection of privacy, functionality without nonfree JavaScript, compatibility with copyleft licensing and philosophy, and not rejecting any users.
GNU also maintains evaluations of code-hosting sites by the standards of these criteria. If you'd like to help us evaluate more sites or update existing evaluations as sites improve (or worsen) their scores, join the repo-criteria-discuss mailing list.
Please note that this is the proposed update to the current, existing criteria, and not the final version.
Substantive changes
- Add criterion B1.0, to help users make an informed decision when choosing between "only" and "or-later" for different versions of the GPL.
- Add criterion B2.0, to help users understand the need to include a license notice in every nontrivial source file.
- Add "extra credit" criterion A+6, to specifically encourage use of AGPLv3-or-later.
- Add "extra credit" criterion A+7, which encourages code-hosting sites to remind or help users put license notices in their source files.
Clarifying changes
F — Unacceptable
C — Acceptable hosting for a GNU package
All important site functionality that's enabled for use with that package works correctly (though it need not look as nice) in free browsers, including IceCat, without running any nonfree software sent by the site. (C0)
Regarding sending code that runs on the JavaScript platform, any such code used by an important site function either (1) is free software, and labeled properly for LibreJS to recognize as free, or (2) isn't necessary, so that the function works properly even if JavaScript is disabled in the browser.
See The JavaScript Trap for more explanation.
Note that free software must come with the real source code. Minified JavaScript code, and code generated by translation from some other language, are not source code. They are a kind of object code. (C0.0)
Regarding sending code that executes based on a platform other than JavaScript, those conditions apply, mutatis mutandis. In addition, a free implementation of that platform, and a free program to check for free licensing (comparable to LibreJS for JavaScript), must be available for the principal GNU browser IceCat, and the site must work adequately with them.
Using JavaScript code to interpret some other language counts as using the JavaScript platform. Translating another language into JavaScript code and sending that JavaScript code also constitutes use of the JavaScript platform. In the former case, free JavaScript-platform code means that the interpreter and the programs it interprets are free software. In the latter case, free JavaScript-platform code means that the code people maintain, which is input to the translator, is free software; we also require that a free translator exist which is adequate for the translation job. (C0.1)
No other nonfree software is required to use the site (thus, no Flash). (C1)
Does not discriminate against classes of users, or against any country. (C2)
Permits access via Tor (we consider this an important site function). (C3)
The site's terms of service contain no odious conditions. (C4)
No other license is recommended over GPL-3-or-later. (C5)
Supports HTTPS properly and securely, including the site's certificates. (C6)
B — Good enough to recommend
The above criteria, plus:
All code sent to the user's browser must be free software and labeled for LibreJS or other suitable free automatic license analyzer, regardless of whether the site functions when the user disables this code. (B0)
Does not report visitors to other organizations; in particular, no tracking tags in the pages. This means the site must avoid most advertising networks. (B1)
Explains each of the licensing options, distinguishing between GPL 2 only and GPL 2-or-later, as well as between GPL 3 only and GPL 3-or-later. Makes recommendations about whether and when to use each option. (B1.0)
Does not encourage bad licensing practices (no license, unclear licensing, GPL N only). (B2)
In particular, explains the importance of including a license notice in all nontrivial source files, not just in a few places. (B2.0)
Does not recommend nonfree licenses for works of practical use. (B3)
A — Excellent
The above criteria, plus:
All important site functions work correctly (though may not look as nice) when the user disables execution of JavaScript and other code sent by the site. (A0)
Server code released as free software. (A1)
Recommends GPL 3-or-later over other licensing options. (A2)
Offers use of AGPL 3-or-later as an option. (A3)
Does not permit nonfree licenses (or lack of license) for works for practical use. (A4)
Does not recommend services that are SaaSS. (A5)
Says “free software,” not “open source.” (A6)
Clearly endorses the Free Software Movement's ideas of freedom. (A7)
Avoids saying “Linux” without “GNU” when referring to GNU/Linux. (A8)
Insists that each nontrivial file in a package clearly and unambiguously state how it is licensed. (A9)
A+ — Extra credit
The above criteria, plus:
Allows visitors to look and download without authenticating. (A+0)
Does not log anything about visitors. Note that this criterion is based solely on the good faith of the forge's administrator. There is no way to be certain that the forge refrains from logging connections. (A+1)
Follows the criteria in The Electronic Frontier Foundation's best practices for online service providers. (A+2)
Follows the Web “Content” Accessibility Guidelines 2.0 (WCAG 2.0) standard. (A+3)
Follows the Web Accessibility Initiative — Accessible Rich Internet Applications 1.0 (WAI-ARIA 1.0) standard. (A+4)
All data contributed by the project owner and contributors is exportable in a machine-readable format. (A+5)
Encourages use of AGPL 3-or-later as a preferred option. (A+6)
Helps or reminds users to put license notices in their source files to go with whatever license they have chosen. (A+7)
Acknowledgements
The following individuals have helped as evaluators or otherwise contributed ideas, suggestions and improvements to this document.
- Aaron Wolf
- Bill Auger
- Bruno Félix Rezende Ribeiro <[email protected]>
- Greg Farough
- Josh Triplett
- Mike Gerwitz <[email protected]>
- Richard Stallman
- Zak Rogoff
If you are interested in helping with the evaluation or have any corrections, please contact [email protected].
If you are interested in helping to make code hosting sites LibreJS compliant (C0.0 and B0 criteria), please contact Mike Gerwitz at <[email protected]>.