Discussion | Update Software Criteria #1020

Merged
jkhgvfgvsth merged 9 commits from patch-2 into master 2019-07-09 11:38:42 +00:00
jkhgvfgvsth commented 2019-07-08 00:45:19 +00:00 (Migrated from github.com)

The Issue: As privacytools.io has grown, more criteria for products have been added.
For instance, VPNs must be "outside the US, use encryption, accept Bitcoin, support OpenVPN and have a no logging policy."

The software criteria in the contributing guidelines have not been updated to match.

What do you propose?

Main

  • Easy to use. Could your mother use that tool or service? Usability is most important.
  • Cross-platform / Accessible.
  • Privacy respecting.
  • Open Source / free software is preferred but not required.
  • Must list source code in source_code.md (if applicable)
  • Prioritize Products without Vendor Lock-in (decentralized/self-hostable) or data interoperability.

There can be exceptions if no software is available that meets the criteria.
Note: These criteria apply to all of privacytools.io

Basically the same, just renamed to "main" and added "prioritize decentralization".
For instance, privacytools.io doesn't recommend `social media`, it recommends `Decentralized Social Networks`.

I also added source_code.md (if applicable) line(s).

Providers

  • Prioritize Products by privacy respecting nationality.

Example: https://www.privacytools.io/classic/#ukusa

VPN

  • Prioritize Products by privacy respecting nationality.
  • Cannot be based in USA or UK.
  • Must be accessible via free software (e.g. OpenVPN, WireGuard)
  • Use Encryption
  • Accept Cryptocurrency
  • No logging policy

Basically the same as listed on the website.

Email

  • Outside of USA
  • Support SMTP SSL
  • Accessible Using Free Software (e.g. IMAP)

Basically the same as listed on the website.

Hardware

  • Must be H-Node Class A or Equivalent (if applicable)
  • Must prioritize hardware certifications like RYF, OSHWA, and OSI when available.
  • Cannot lock users to a particular platform.

Hardware sections aren't yet in use, but there are many discussions about it.
Basically, it must work with any Linux OS (+ most BSD distros) and prioritize certified hardware.

Software

  • Must be able to download over an encrypted network (including mirrors)
  • Must be free software

Wasn't sure what privacytools.io stance on freedom is, but I assumed you follow the GNU Foundation.
Either way, basically all of the listed software is free software.

I also added "must have a safe way to get stuff"; users should be able to trust the connection.

Encryption

  • Only verifiable encryption is to be trusted

I kinda added this one, but basically encryption should be verifiable.

OSes

  • Must state if recommends, depends on, or offers non-free software (contrib)
  • No Tracking Policy (opt-in analytics is ok)

Just kinda followed the website.

But what about____?
I take the belief that software can never be complete; feel free to throw ideas or debate my code.
Edits from maintainers are always welcome.

Edit: Edited main to add line for source_code.md.

Vincevrp (Migrated from github.com) reviewed 2019-07-08 00:45:19 +00:00
blacklight447 (Migrated from github.com) reviewed 2019-07-08 00:45:19 +00:00
jonah reviewed 2019-07-08 00:45:19 +00:00
kewde (Migrated from github.com) reviewed 2019-07-08 00:45:19 +00:00
victorhck (Migrated from github.com) reviewed 2019-07-08 00:45:19 +00:00
netlify[bot] commented 2019-07-08 00:45:55 +00:00 (Migrated from github.com)

Deploy preview for privacytools-io ready!

Built with commit 01cac41f35

https://deploy-preview-1020--privacytools-io.netlify.com

Mikaela (Migrated from github.com) reviewed 2019-07-08 17:16:16 +00:00
Mikaela (Migrated from github.com) left a comment

This is a large problem and I don't currently have the capability to discuss it much more than the review comments I added.
Mikaela (Migrated from github.com) commented 2019-07-08 17:11:00 +00:00

Shouldn't this also include data portability?
Mikaela (Migrated from github.com) commented 2019-07-08 17:15:20 +00:00

Typo, "encryted". Would you require this ability out of the box or can it be opt-in? I think Debian still comes without `apt-transport-https` preinstalled and I have no idea about the derivatives.
@ -24,0 +28,4 @@
- Prioritize Products by privacy respecting nationality.
### VPN
- Prioritize Products by privacy respecting nationality.
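Review bot: "nationality" is ambiguous in both the Providers line and the VPN line of this hunk; what matters for a service is the jurisdiction it operates under (where it is incorporated and where it hosts data), so consider "Prioritize products by privacy-respecting jurisdiction" and link the UKUSA page the description already cites as the example, so the two lines don't read as an unexplained duplicate.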
Mikaela (Migrated from github.com) commented 2019-07-08 17:11:51 +00:00
I think https://github.com/privacytoolsIO/privacytools.io/issues/914 should be discussed first.
@ -24,0 +41,4 @@
- Accessable Using Free Software (i.e IMAP)
### Hardware
- Must be [H-Node Class A](https://h-node.org/wiki/page/en/compatibility-classes) or Equivlant (if applicable)
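Review bot: spelling in both lines of this hunk ("Accessable" should be "Accessible", "Equivlant" should be "Equivalent"), and "i.e IMAP" should be "e.g. IMAP", since IMAP is one example of an open protocol a free client can use rather than the definition of the requirement.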
Mikaela (Migrated from github.com) commented 2019-07-08 17:13:20 +00:00

I am not very familiar with this subject, #904.
@ -24,0 +44,4 @@
- Must be [H-Node Class A](https://h-node.org/wiki/page/en/compatibility-classes) or Equivlant (if applicable)
- Must prioritize hardware certifications like [RYF](https://ryf.fsf.org/), [OSHWA](https://certification.oshwa.org/), and OSI when avalible.
- Cannot lock users to a particular platform.
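Review bot: OSI (the Open Source Initiative) approves software licenses and does not certify hardware, so it does not belong in a list of hardware certifications next to RYF and OSHWA; either drop it or name the hardware certification that was intended. Also, "Must prioritize ... when avalible" (typo: "available") reads as a preference, not a hard requirement, so "Prioritize" without "Must" would match the wording used in the Providers and VPN sections.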
Mikaela (Migrated from github.com) commented 2019-07-08 17:13:47 +00:00

Aren't phones kind of doing that?
jkhgvfgvsth (Migrated from github.com) reviewed 2019-07-08 21:05:33 +00:00
jkhgvfgvsth (Migrated from github.com) commented 2019-07-08 21:05:33 +00:00

Yes. I will add this.
jkhgvfgvsth (Migrated from github.com) reviewed 2019-07-08 21:10:58 +00:00
jkhgvfgvsth (Migrated from github.com) commented 2019-07-08 21:10:58 +00:00

@Mikaela The key idea is that if one service becomes no longer private.
I made sure to state "easy" because this was originally aimed at social services.

But services like Bitwarden which allow you to "easily" export data to other formats should also count.
jkhgvfgvsth (Migrated from github.com) reviewed 2019-07-08 21:19:30 +00:00
@ -24,0 +44,4 @@
- Must be [H-Node Class A](https://h-node.org/wiki/page/en/compatibility-classes) or Equivlant (if applicable)
- Must prioritize hardware certifications like [RYF](https://ryf.fsf.org/), [OSHWA](https://certification.oshwa.org/), and OSI when avalible.
- Cannot lock users to a particular platform.
jkhgvfgvsth (Migrated from github.com) commented 2019-07-08 21:19:30 +00:00

`- Cannot lock users to a particular platform.`

Most Android phones now support [Lineage OS](https://www.wikipedia.org/wiki/LineageOS#Supported_devices).

Although, I personally recommend hardware with few non-free drivers like the ones sold by [Technoethical](https://tehnoetic.com/mobile-devices).
Other upcoming manufacturers like Rufus [Tech / ThinkPenguin](http://rhombus-tech.net/community_ideas/hybrid_phone/), [Purism](https://www.wikipedia.org/wiki/Librem#Librem_5_smartphone), or [Pine64](https://www.wikipedia.org/wiki/Pine64#Smartphone) *should* also be compatible.

Apple phones in most cases can run forced security updates. We don't know what the future iPhone will look like. Will it be secure? Will it be private?
jkhgvfgvsth (Migrated from github.com) reviewed 2019-07-08 21:27:46 +00:00
jkhgvfgvsth (Migrated from github.com) commented 2019-07-08 21:27:45 +00:00

@Mikaela Thanks, I will fix the typo.

I believe Debian uses GPG encryption by default. If a mirror or something supports encryption, then it should be ok.
Although, you may want to consider adding a warning. The goal is that users will use encryption where possible.

**TL;DR** Opt-in would be compliant with the current wording.
For instance, I think PeaZip doesn't support HTTPS by default; you must use SourceForge.
privacytoolsIO (Migrated from github.com) approved these changes 2019-07-09 11:38:33 +00:00
Mikaela (Migrated from github.com) reviewed 2019-07-09 17:00:17 +00:00
Mikaela (Migrated from github.com) commented 2019-07-09 17:00:17 +00:00

No, Debian just signs updates with GPG by default; anyone can see what you are downloading, and one argument against HTTPS-protected updates is that from the package sizes it can be figured out what one is downloading. I still believe HTTPS should be used by default, as there are those apt vulnerabilities coming out at times with HTTP mirrors.

At the moment I am using https://onion.debian.org/ mirrors though.
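The point made in the last two comments (archive signatures give integrity on any transport; only an HTTPS or Tor mirror hides what a machine is fetching from an on-path observer) as an added example, not code from this PR or from the privacytools.io project: a small Python audit of one-line apt `sources.list` entries that classifies each mirror by transport, reads any `signed-by=` keyring pin, and proposes an `https://` URI for plaintext mirrors for the admin to test. The sample `sources.list` content is constructed for the example, the `.onion` host in it is a placeholder rather than a real mirror, and the `tor+http://` scheme assumes `apt-transport-tor` is installed. One caveat for the `apt-transport-https` question raised earlier in the thread: apt 1.5 and later ship the HTTPS transport built in, so the separate package is only needed on older releases.

```python
"""Audit one-line apt sources.list entries for plaintext mirrors.

Added example; not code from the privacytools.io project or this PR.
Debian checks archive signatures on every transport, so this script only
reports which mirrors also keep *what* you fetch confidential in transit
(https, or Tor via apt-transport-tor's tor+http:// scheme).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, not taken from any real system. The .onion host is a placeholder.
SAMPLE_SOURCES = """\
# every line below is signature-checked; only the https/tor lines are confidential in transit
deb http://deb.debian.org/debian buster main contrib non-free
deb-src http://deb.debian.org/debian buster main
deb [arch=amd64 signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://deb.debian.org/debian-security buster/updates main
deb tor+http://placeholderonionhost.onion/debian buster main
deb file:/srv/local-mirror stable main
"""

# One-line format: deb|deb-src [options] uri suite [component ...]
SOURCE_LINE = re.compile(
    r"^(?P<type>deb|deb-src)\s+"
    r"(?:\[(?P<options>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)\s*(?P<components>.*)$"
)


@dataclass
class SourceEntry:
    line_no: int
    type: str
    options: str
    uri: str
    suite: str
    components: List[str]

    @property
    def scheme(self) -> str:
        # "https://host/x" -> "https", "file:/x" -> "file", "tor+http://x" -> "tor+http"
        return self.uri.split(":", 1)[0].lower()

    @property
    def transport(self) -> str:
        s = self.scheme
        if s in ("https", "tor+https"):
            return "encrypted"
        if s == "tor+http":
            return "tor"        # encrypted inside the Tor circuit; end-to-end for .onion services
        if s == "http":
            return "plaintext"  # integrity from signatures only; downloads visible on the wire
        if s in ("file", "cdrom", "copy"):
            return "local"
        return "unknown"

    @property
    def signed_by(self) -> Optional[str]:
        # Per-source keyring pin, if the entry carries one in its [options].
        for opt in self.options.split():
            if opt.startswith("signed-by="):
                return opt.split("=", 1)[1]
        return None


def parse_sources(text: str) -> List[SourceEntry]:
    """Parse one-line-style sources; comments and blank lines are skipped."""
    entries: List[SourceEntry] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SOURCE_LINE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a sources.list entry: {raw!r}")
        entries.append(SourceEntry(
            line_no=n,
            type=m["type"],
            options=(m["options"] or "").strip(),
            uri=m["uri"],
            suite=m["suite"],
            components=m["components"].split(),
        ))
    return entries


def plaintext_entries(text: str) -> List[SourceEntry]:
    """Entries whose mirror is reached over plain http://."""
    return [e for e in parse_sources(text) if e.transport == "plaintext"]


def https_candidate(entry: SourceEntry) -> Optional[str]:
    """Same mirror over https, for the admin to test; many mirrors serve it, not all."""
    if entry.transport != "plaintext":
        return None
    return "https://" + entry.uri[len("http://"):]


if __name__ == "__main__":
    for e in parse_sources(SAMPLE_SOURCES):
        pin = f" signed-by={e.signed_by}" if e.signed_by else ""
        print(f"line {e.line_no}: {e.transport:<9} {e.uri}{pin}")
    for e in plaintext_entries(SAMPLE_SOURCES):
        print(f"line {e.line_no}: try {https_candidate(e)}")
```

The classification deliberately keeps `tor` separate from `encrypted`: a `tor+http://` entry pointing at a clearnet host is still plaintext between the exit node and the mirror, which is exactly the case the `.onion` mirrors on onion.debian.org avoid. Run it against a real `/etc/apt/sources.list` by reading the file into `parse_sources`; the deb822 `.sources` format under `/etc/apt/sources.list.d/` is not handled here.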
This repo is archived. You cannot comment on pull requests.

Reference: privacyguides/privacytools.io#1020