GitLab nonfree JS code
lists.gnu.org

(this is a reply to a mailing list that’s too restrictive to accept in-band replies)

Dr. Stallman said:

I’ve read that GitLab now requires nonfree software both to make an account (recaptcha) and to do various operations once you have an account. I’m told that gitlab.torproject.org makes it impossible to communicate with the developers from the free world.

Different Gitlab instances use different CAPTCHAs, and some have no CAPTCHA at all. Apparently the Gitlab CE code is written to use Google reCAPTCHA (the site admin apparently has control). However,the flagship instance (gitlab.com) is a CloudFlare site, and thus uses hCAPTCHA.

gnu.org is painfully ambiguous here, as it states that the eval is simply for “Gitlab”. Is that the Gitlab software, or the service?

I think it’s implied that the /service/ was evaluated, because Github was evaluated next to it and Github is only available as a service. So the next question is: which service? gitlab.com, or gitlab.torproject.org? The following page refers to “https://about.gitlab.com/”:

https://www.gnu.org/software/repo-criteria-evaluation.html#GitLab

So it seems the “C” rating was given to gitlab.com-- which I find revolting. Ethically they’re both quite controversial but gitlab.com is far more exclusive and odious than github.com. (I’ll give more details about that on my next post.)

Thos needs to be tested, but assuming it is true, we need to downgrade our evaluation of GitLab ASAP. For our evaluation to be incorrect in such an important way is an embarrassment as well as steering people wrong.

I first complained about the GitLab “C” rating over a year ago (back when it was still reCAPTCHA as opposed to hCAPTCHA). I think it’s fair to say the big component of the embarrassment is the length of time to address this over rating.

This post is here because gnu.org has started using “OpenSPF” to restrict inbound email. The email above was rejected by the mail server automatically because the domain of the envelope FROM header does not match the reverse lookup of the sending server’s IP address. In short, they are blocking contributors from using a forwarding email service to protect themselves. It’s a pre-emptive strike with collateral damage to legitimate participants. Anyone with access to repo-criteria-discuss@gnu.org: please forward this to that list (or people thereon).

  • freedomPusherOPM
    1·
    3 years ago

    (this is another reply to that thread)

    Ian Kelling said:

    Can you relay any details about the nonfree js other than recaptcha?

    Why does it matter? Forcing users to run just one non-free program is sufficient for criteria C0 to be unsatisfied, no?

    I’ll try to answer your question nonetheless. I get the impression you’re figuring it’s simply a matter of finding 3rd-party javascript. gitlab.com does not use Gitlab Community Edition. It uses the proprietary Gitlab Enterprise Edition. So I beleive that implies that we can’t assume any of the 1st-party javascript is free.