• Why does Salsa use reCAPTCHA?

    From Ceppo@21:1/5 to All on Fri Sep 6 18:40:01 2024
    Hello everyone.

    I'll begin by saying that I feel this was probably discussed already, but I couldn't find anything in the archive. If I missed anything, sorry for asking again - I'd appreciate if someone could just point me to relevant threads.

    I see that Salsa requires reCAPTCHA resolution to sign up, and it also embeds reCAPTCHA code in most or all pages - or at least so it looks to me as an absolute Javascript ignorant.
    I feel it's a contradiction that Debian relies on a non-free service, and especially that its forge is dedicated to DFSG-compliant software but forces its users to use a third-party, non-DFSG-compliant service to sign up and
    to connect to it whenever they load a page.
    I know reCAPTCHA is built-in in GitLab, but is there any specific reason for the choice of using it, ease apart?

    Thanks,


    --
    Ceppo

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Piper McCorkle@21:1/5 to All on Fri Sep 6 11:47:23 2024
    On Friday, 6 September 2024 11.30.44 CDT Ceppo wrote:
    I feel it's a contradiction that Debian relies on a non-free service, and especially that its forge is dedicated to DFSG-compliant software but forces its users to use a third-party, non-DFSG-compliant service to sign up and
    to connect to it whenever they load a page.

    There are also Free software CAPTCHA solutions available that we may be able to use if we want to keep CAPTCHAs on Salsa, e.g. [mCaptcha]. I strongly agree that we shouldn't be requiring running non-Free software to use any Debian development tools.

    [mCaptcha]: https://mcaptcha.org/

    --
    Piper McCorkle (~pmc)
    they/them
    contact@piperswe.me
    https://piperswe.me/

    PGP fingerprint:
    47EA 31C6 C718 6273 1A21
    81F8 BDD8 9B35 FBA0 CD06
  • From Jonas Smedegaard@21:1/5 to All on Sat Sep 7 08:40:01 2024
    Hi Branden, and other fellow Debianites,

    Quoting G. Branden Robinson (2024-09-07 05:47:17)
    On a less sarcastic note, I am taken aback by the fact that this
    project can have a ~100 message thread proposing a DEP

    "Enable true open collaboration on all Debian packages"

    without either the proponents or the detractors finding the blatant
    thumb on the scale in the proposal's very _title_ a cause for
    embarrassment.

    Thank you for rehashing(!) this point, in your famously sharp tongue.

    In case you really didn't notice the previous objections to the title,
    and to others that might have missed it, here are some quotes:

    Quoting Jonas Smedegaard (2024-07-28 01:48:10)
    Sorry, but I disagree that the only true collaboration is Salsa-rich collaboration.

    Quoting Shengjing Zhu (2024-08-03 08:43:14)
    I also feel uncomfortable with this proposal that pushes the use of
    Gitlab in the name of true collaboration.

    Quoting Simon Richter (@sjr) (2024-08-04 07:14:07)
    Simon Richter started a new discussion on web/deps/dep18.mdwn: https://salsa.debian.org/dep-team/deps/-/merge_requests/8#note_512536
    [...]
    "true open source" is marketing drivel (as is most of this document).

    Please educate yourself on the political aspects of the free software movement, and why the term "open source" has a negative connotation
    for many. You might also understand why building on top of an overly
    complex framework that requires non-transferable knowledge to operate
    is not seen as desirable for many.

    Quoting Louis-Philippe Véronneau (@pollo) (2024-08-11 15:15:45)
    Louis-Philippe Véronneau commented on a discussion on
    web/deps/dep18.mdwn: https://salsa.debian.org/dep-team/deps/-/merge_requests/8#note_514421
    [...]
    I'd propose to remove `which severely stifles the true open source
    process from progressing` from that sentence. IMO it doesn't make the
    point clearer and brings in additional controversy to this DEP.

    Quoting Simon Richter (@sjr) (2024-08-08 05:05:56)
    Simon Richter commented on a discussion on web/deps/dep18.mdwn: https://salsa.debian.org/dep-team/deps/-/merge_requests/8#note_513638
    [...]
    The argument against this DEP is that it doesn't take a step closer to collaboration, it just claims that what we had before was not
    collaboration. Which is frankly offensive to people collaborating long
    before git was introduced.

    Quoting Jonas Smedegaard (2024-08-28 12:43:08)
    Quoting Guido Günther (@agx) (2024-08-28 11:51:44)
    Guido Günther commented on a discussion on web/deps/dep18.mdwn:
    https://salsa.debian.org/dep-team/deps/-/merge_requests/8#note_520426
    [...]
    Or maybe put on the tin what's inside:

    "Encourage Continuous Integration and Merge Request based
    Collaboration for Debian packages"

    I like this suggestion a lot: I find it quite distracting that the
    title implies other workflows to be "untrue", and this avoids such distraction.

    Yeah, the second half of the above quotes are arguably not from *this*
    thread, as they appeared in the tightly related discussion spawned on
    Salsa. I included them here out of respect for those considering the
    Salsa tooling more "true" than other collaboration, including this dusty
    old email conversation (who uses email nowadays anyway, right? Please
    stop using email: It is a dinosaur tool discouraging new developers, so
    is slowly killing Debian!).


    - Jonas

    --
    * Jonas Smedegaard - idealist & Internet-arkitekt
    * Tlf.: +45 40843136 Website: http://dr.jones.dk/
    * Sponsorship: https://ko-fi.com/drjones

    [x] quote me freely [ ] ask before reusing [ ] keep private
  • From Alexander Wirt@21:1/5 to Hilmar on Thu Sep 12 10:10:01 2024
    On Thu, Sep 12, 2024 at 12:13:50AM +0200, Preuße, Hilmar wrote:
    Am 06.09.2024 um 18:30 schrieb Ceppo:

    Hi,

    I see that Salsa requires reCAPTCHA resolution to sign up, and it
    also embeds reCAPTCHA code in most or all pages - or at least so it
    looks to me as an absolute Javascript ignorant.

    When looking at my QA page [1] I currently notice that vcswatch runs into a "401 Unauthorized at /srv/qa.debian.org/data/vcswatch/vcswatch" for all
    salsa based projects.

    I guess here is a correlation.

    I guess that's just wrong. I would guess for an expired token. Tokens in
    general don't need captcha.

    Alex


  • From Philipp Kern@21:1/5 to Hilmar on Sun Sep 15 00:50:01 2024
    Hi,

    On 14.09.24 15:07, Preuße, Hilmar wrote:
    Currently an example page [1] reports

    Error: https://salsa.debian.org/api/v4/projects/hilmar%2Fwp2latex API
    request failed: 401 Unauthorized at /srv/qa.debian.org/data/vcswatch/vcswatch line 408.

    But the "Debian changelog in Git:" below is recent, although the
    phenomenon now exists for 1-2 weeks. So, it seems there is no issue
    except the bogus error message.

    Hilmar

    [1] https://qa.debian.org/cgi-bin/vcswatch?package=wp2latex

    That's a qa code problem. I fixed it. (Although I need to still figure
    out how to commit the change.)

    Kind regards
    Philipp Kern
