Move the docs off CloudFlare and move the bug tracker off MS Github

[bruceleerabbit]

Please consider severing Linux Mint's dependence on assets of the most evil and restrictive MACFANG walled-gardens.

Get the docs out of readthedocs.io

I've stopped installing Mint on people's PCs because most of the essential documentation is jailed in the walled-garden of readthedocs.io -- a CloudFlare website. CloudFlare is a vigilante extremist organization that takes the decentralized web and centralizes it under one corporate power who dictates terms in the worlds largest walled-garden. A very large portion of the web (10%+) were once freely open to all but are now controlled and monitored by a single central authority who decides for everyone who may access what web content. This does serious damage to net neutrality, privacy, and has immediate serious consequences:

1. CloudFlare mounts mutlifaceted attacks on privacy
   1. CloudFlare is a man-in-the-middle who sees all traffic including usernames, unhashed passwords, and financial data within the HTTPS tunnel. This is done surreptitiously.
   2. Cloudflare has a policy to block all Tor users by default. It's a crude, reckless and unsophisticated (but cheap) way to create the illusion of security. Collateral damage is high. Privacy takes a global hit because Cloudflare has decided what best suits their business to the detriment of everyone else.
   3. CloudFlare helps spy orgs conduct illegal surveillance two ways:
      • damage to anonymity: CF deployed an anonymity compromising Google reCAPTCHA from 2009 to mid-2020. Apart from the direct compromise by the CAPTCHA, Tor users are also driven off Tor in droves as a consequence of access inequality of Tor/non-Tor users (which constitutes a network neutrality abuse as access equality is central to net neutrality).
      • centralization of copious data on this immeasurable scale within reach of any spy org will cause that spy org to foam at the mouth -- and they will get access to it one way or another.
   4. ISPs collect data on their own customers and exploit it for profit in the US. Under Obama it became illegal for an ISP to sell data collected on their customers without express consent. Trump reversed Obama's policy in 2017. In the absence of legal protections, Tor serves as a technical protection from ISP snooping. CloudFlare's attack on Tor users facilitates privacy abuse by ISPs.
   5. The gratis service also raises the question about how CF is monetizing all that data that's exposed to them (which Liberapay recklessly increases). They do not disclose to the public how they monetize that data, but what CF cannot hide is that they seek to hire a machine learning data scientist with big data expertise for their marketing department.
   6. A CF customer who became increasingly concerned with CF's unchecked power deleted their account. Two months after CF confirmed that the account was deleted, the customer received an email from CF, proving the account had not been deleted.
   7. CF imposes execution of javascript, and javascript cannot be generally trusted. E.g., eBay has been caught sending javascript that snoops on their own customers by port scanning the LAN and reporting back to eBay. Streetwise users disable j/s. Yet it's impossible to solve CF's CAPTCHA with j/s disabled. So people are forced into vulnerability by CloudFlare (who has proven to be untrustworthy).
   8. When a user solves a CAPTCHA, CF is paid a cash reward via Paypal, a privacy abuser who shares customer data with 600 companies.
2. CloudFlare takes away software freedom
   1. CF imposes CAPTCHAs that require the user to execute non-free javascript.
      • CF restricts how users may use their software by rendering the web dysfunctional for some browsers.
3. CloudFlare diminishes network neutrality -- Access Equality is the centerpiece of net neutrality, while CF yields widespread access inequality.
   1. CloudFlare took a seat on the FCC's Open Internet Advisory Committee, and serves its own interest (to influence legislation against net neutrality).
   2. CloudFlare discriminates against connections coming from developing countries.
   3. CloudFlare discriminates unfairly against Tor users, those who use non-graphical browsers, and those who deploy beneficial robots.
   4. CloudFlare also discriminates against people with impairments and disabilities (details in the human rights section)
4. CloudFlare's detriment to human rights
   1. CAPTCHAs put humans to work for machines when it is machines who should be working for humans. The labor violates the 13th amendment of the US Constitution due to involuntary servitude. The most perverse manifestation is when a citizens attempts to access a government service such as voter registration, and they're forced to solve a puzzle, the labor of which compensates CloudFlare instead of the laborer.
   2. CF discriminates against people with impairments and disabilities by imposing a proprietary "hCAPTCHA," which violates several WCAG 2.0 principles:
      • "1.1: Provide text alternatives for any non-text content so that it can be changed into other forms people need, such as large print, braille, speech, symbols or simpler language." <= hCAPTCHA wholly relies on graphical images. There is no option for a text or audible puzzle.
      • "1.2: Time-based media: Provide alternatives for time-based media." <= hCAPTCHA has an invisible timer that the user cannot control.
      • "1.3: Create content that can be presented in different ways (for example simpler layout) without losing information or structure." <= When a user attempts to use lynx, w3m, wget, cURL, or any other text-based tool, the CAPTCHA is inaccessible and thus unsolvable. The website's content is thus also inaccessible.
      • "2.1: Make all functionality available from a keyboard." <= The hCAPTCHA does not accept answers from the keyboard.
      • "2.2: Provide users enough time to read and use content." <= If you don't solve the hCAPTCHA puzzle fast enough, the puzzle is removed and the user must start over. Some puzzles are vague and need time to ponder that exceeds the time limit.
      • "3.1: Make text content readable and understandable." <= When the CAPTCHA says "click on all squares with a motorcycle" and shows an image of an apparent motorcycle instrument panel, it's unclear if that qualifies (it could be a moped). Another image showed a scooter with a faring that resembled a sports bike. Some people would consider it a motorcycle. When the CAPTCHA said "click on all squares with a train", some of the images were the interior of a subway train or tram. Some people consider a subway to be a train underground, while others don't equate the two. The instructions are also sometimes given in a language the user doesn't understand.
      • "3.2: Make web pages appear and operate in predictable ways." <= It's unpredictable whether the IP reputation assessment will invoke a CAPTCHA and also unpredictable whether a CAPTCHA solution will be accepted. The time you have to solve the puzzle is also unpredictable.
      • "4.1.: Maximize compatibility with current and future user
        agents, including assistive technologies." <= When a user attempts to use lynx, w3m, wget, cURL or any other text-based tool, the blockade imposes tooling limitations on the user.
5. CloudFlare inflicts customers and web users with excessive vulnerabilty to exploits. Liberapay claims: "We will investigate legitimate reports and make every effort to quickly resolve any vulnerability." Of course the absurdity is LP's use of CloudFlare and Amazon which grows the attack surface out of control.
   1. CloudFlare's immense centralization becomes catastrophic when a single bug emerges. The degree of damage is acutely heightened when over 10% of the web is subject to vulnerabilities on CloudFlare. The enticement for malicious hackers to find a zero-day is also greatly heightened as a result of the widespread scale of impact. Cloudbleed was a vulnerability that had serious widespread consequences. Even a simple accident at CloudFlare like a one-line erroneous regular expression brought down a huge segment of the web on July 17th, 2020.
   2. A tragedy of the commons has manifested. Website owners are baited to act independantly in their own self interest by using CloudFlare at no charge-- but each website that becomes part of CloudFlare shrinks the ethical decentralized web while incrementing the size of the centralized walled-garden which inflicts harm to everyone collectively. Each website owner only perceives CloudFlare as solving their problem but unwittingly they create a host of new problems for everyone else. It's a selfish move that occurs on a much larger scale than the quantity of selfish personalities because most of CloudFlare's patrons are kept in the dark as to the harm they're contributing to.
6. CloudFlare is detrimental to availability
   1. The CAPTCHAs are often broken.
      1. E.g.1: some browsers that block j/s always report errors communicating with the captcha server on all CF-pushed CAPTCHAs
      2. E.g.2: the CAPTCHA server itself refuses to give the puzzle saying there is too much activity.
   2. The CAPTCHAs are often unsolvable.
      1. E.g.1: the CAPTCHA puzzle is broken by ambiguity (is one pixel in a grid cell of a pole holding a street sign considered a street sign?)
      2. E.g.2: the puzzle is expressed in a language the viewer doesn't understand.
   3. The CAPTCHAs block all robots indiscriminately causing collateral damage to beneficial (non-malicious) robots.
   4. GUI CAPTCHAs deny service to users of text-based web browsers. E.g. CloudFlare's GUI CAPTCHA breaks torsocks lynx 'https://www.simplyrecipes.com/recipes/buffalo_wings'. CloudFlare effectively dictates that all Tor users must use a GUI browser and in many cases it must also be javascript capable.
   5. CloudFlare uses punitive collective judgement as a consequence of mislabeling Tor traffic.
      1. "Experts say that group punishment is ineffective, counterproductive, lazy and unethical"
      2. CloudFlare's use of this technique is acutely and perversely abusive because they harm potentially as many as 70,000 users in the course of countering just one single bad actor. And worse, unlike typical uses of collective punishment this is not in the slightest a situation where the other 70,000 have any shred of influence over the one malicious user.
      3. A study finds that collective punishment is strictly counterproductive.
7. CloudFlare's detriment to democracy
   1. CF impedes petition signing on change.org, moveon.org, and actionnetwork.org. Voters who are blocked by CF's access restrictions are effectively denied participation in democratic processes.
   2. Voter suppression: CF impedes voter registration in 8 US states (16% of voter registration sites).
8. CloudFlare's censorship
   1. CloudFlare restricts access to scientific papers.
      1. Universities outsource ebooks to Proquest, a Tor-hostile CloudFlare site. RUC is an example of a university that closed their library during the pandemic, while online access to books is subject to CloudFlare's terms and privacy abuses.
      2. ACM's Digital Library is jailed in CloudFlare's exclusive walled-garden despite ACM's intent to be "open" during a pandemic. The perverse affect is that privacy-seekers are subject to CF's privacy abuses when attempting to access a paper about privacy abuse.
   2. CloudFlare attacks freedom of expression.
   3. When a review exposed CloudFlare's doxxing of whistle blowers, CF censored the review.
9. CloudFlare is a burden on the environment
   1. Images account for the most significant burden on Internet bandwidth. Naturally the most ecological web users are those who do not download images (robots, users of text browsers, and users who disable image retrieval). Because robots tend not to download images, anti-robot algorithms target all image-free sessions as robotic. CloudFlare consequently attacks the most ecological users on the web.
   2. CF forces transmission of copious bandwidth-wasting images in order to supply CAPTCHAs.
   3. hCAPTCHA uses 4 levels of nested javascript. So users with j/s disabled are often forced to reload the CAPTCHA page 4 times just to see the puzzle.
10. False statements, deceptive practices, and poor character of CloudFlare
    1. No transparency: as Cloudflare performs a DoS attack on Tor users they obviously do not inform web owners. Web owners are usually unaware that legitimate patrons are being blocked from accessing their site. These businesses are all damaged so that one business can profit.
    2. False errors when j/s is disabled.
    3. CloudFlare deceives website visitors into believing their connection is secure (HTTPS & browser padlock) when in fact the user is MitMd.
    4. CloudFlare has been caught making false statements to the public. CF said in their FaQ: "Why should I trust Cloudflare? You don’t need to. The Cloudflare Onion Service presents the exact same certificate that we would have used for direct requests to our servers," the first part of which is incorrect. CloudFlare sees all traffic traversing their servers in the clear, regardless of how secure the tunnel to them is. So of course CloudFlare requires your trust. The second statement about certificates is non-sequitur and irrelevant to the question of trust.
    5. CloudFlare deceives users about what the problem is, causing users to blame Tor or their browser. CloudFlare suggests to Tor users who reach the CAPTCHA "If you are on a personal connection, like at home, you can run an anti-virus scan on your device to make sure it is not infected with malware."
    6. Lack of human decency -- CF's mean-spirited CEO displays schadenfreude amid the grief his company has caused innovative people who use the web non-maliciously.
    7. CloudFlare asks those who anonymously report illegal conduct on their websites to reveal their true identity. Yet CF has a history of doxxing whistle blowers and making them into victims. Instead of apologizing in the child porn case, the CEO (Matthew Prince) said the whistle blowers should have used fake names. (see "CloudFlare shelters criminals")
    8. Ironically, CloudFlare spams people (despite their spam-mitigation purpose). Customers (former and current) as well as people who never used CF are receiving spam from CloudFlare. Customers receive spam from CF without express consent and possibly contrary to privacy policies.
    9. When a large profit-driven tech giant uses a non-profit fund raising platform to solicit donations to feed their own staff at events, it's clear that professionalism is in short supply at CloudFlare Inc.
11. CloudFlare shelters criminals
    1. CF protects pro-ISIS websites from attack.
    2. CF protected a website that distributed child pornography. When a whistle blower reported the illegal content to CF, CF actually doxxed the people who reported it. CloudFlare revealed the whistle blowers identities directly to the website owner, who then published their names and email addresses to provoke retaliatory attacks on the whistle blowers! Instead of apologizing, the CEO (Matthew Prince) said the whistle blowers should have used fake names.

Direct practical problems with using Microsoft Github

It's particularly important to get the bug tracker off MS Github to encourage reports.

1. A survey shows that a significant number of bug reports are withheld when the bug tracker is inside a restrictive or politically controversial walled-garden like MS Github or gitlab.com.
2. Github is Tor-hostile according to Tor project. GH has started forcing Tor users through an extra email verification step that effectively discourages bug reports:
3. MS failed to secure Github, which was breached to the tune of 500gb of private projects. Security incompetence is further showcased by an MS-imposed requirement to create and account and sign in to report an MS security bug. And for those not discouraged by that, the sign-in page is also broken. Then security was breached again in July 2020 when OAuth tokens were stolen from both Github and Gitlab.com.
4. MS suppresses democracy by blocking Github access to a project that facilitates protests in Catalonia.

Ethical problems with using Microsoft products and services

5. Microsoft harms the environment by serving the two most destructive oil companies in the world: ExxonMobil and Chevron.
   1. (#ExxonKnew) Exxon notoriously knew about climate change since 1977. They not only kept it secret from the public, but they also financed a disinformation campaign.
   2. Microsoft and Chevron were caught each paying $100k to "the Cloakroom", a project to hide bribes going from large corporations to republican politicians.
   3. Chevron's right-leaning stance is further pushed through its membership with ALEC, which doubles as a superPAC and bill mill that lobbies and writes policy for U.S. republicans.
6. Microsoft is a notorious privacy abuser:
   1. MS is a PRISM corporation prone to mass surveillance.
   2. MS supported CISPA and collaborates with the NSA.
   3. MS paid $195k to fight the California Consumer Privacy Act (CCPA).
   4. MS drug tests its employees, thus intruding on their privacy outside the workplace.
   5. MS finances other privacy abusers:
      1. In 2012 Microsoft spent $35 million on Facebook ads and in 2015 Microsoft was the third biggest spender on Facebook ads in the world.
      2. MS proxies through Accenture to make Sweden cashless. The war on cash is war on privacy.
   6. MS supplies Bing search service which gives high rankings to privacy-abusing CloudFlare websites.
   7. MS owns and operates Outlook Email and the LinkedIn social media site, both of which are exclusive walled-gardens that limit participation to those who have a phone number and the will to share it with Microsoft.
      1. MS supplies hotmail.com email service, which uses vigilante extremist org Spamhaus to force residential internet users to share all their e-mail metadata and payloads with a corporate third-party.
   8. MS unlawfully used people's images without consent to train their facial recognition products
   9. MS distributes a nonfree operating system, Microsoft Windows, which is jam-packed with malicious functionalities, including surveillance of users, DRM, censorship and a universal back door.
   10. MS was caught surreptitiously recording Xbox users and paying contractors to listen to the recordings.
   11. Dutch government commissioned a study which found Microsoft to have several GDPR violations. E.g. Office 365 violates GDPR article 5 ¶ 1.c, GDPR article 17, and stores the data outside the EEA (may also be a GDPR breach).
7. Microsoft is detrimental to human rights and democracy
   1. Microsoft finances AnyVision to produce facial recognition technology that the Israeli military uses as a weapon against the Palestinian people who they oppress in their occupation. Note that Israeli snipers murdered an unarmed civilian Palestinian medic (in breach of the Geneva Convention) then edited the video to deceive the public for PR damage control.
   2. Microsoft supports ICE in a variety of ways in the course of ICE's implementation of Trump's xenophobic border policies. Microsoft services an ICE contract worth $19.4 million dollars despite protest from employees. In addition to MS Office products, Microsoft has renewed a Github contract and also supplies cloud computing through its Azure platform.
   3. MS partnered with FedEx, an NRA-supporting ALEC member as well as JP Morgan Chase, the most evil bank in the world.
   4. MS conceals US military contracts to bias PR and dodge social accountablity. They have a much bigger piece these contracts than the rest of MACFANG, they lack Googles AI principles, and unlike Google they ignore employee protest and petitions.
8. MS is among the top 15 recipients of Trump's corporate tax breaks, a benefit of $128 billion. Microsoft sacked hundreds of employees immediately after receiving the tax breaks in February 2018.
9. MS is anti-consumer and anti-competitive
   1. MS tricked users into "upgrading" to Windows 10, which sabotages users in a variety of ways, one of which is to prevent cloud-free accounts.
   2. MS strong-armed nearly all PC manufacturers charge every buyer for an MS Windows license regardless of whether the user actually wants Windows.
   3. MS hoards software patents and uses them to fight free software.

Bad alternative: gitlab.com service

The Gitlab.com SaaS is often considered an alternative to MS Github, but it's even worse--

for many reasons

* Sexist treatment toward saleswomen who are [told to wear](https://web.archive.org/web/20200309145121/https://www.theregister.co.uk/2020/02/06/gitlab_sales_women/) dresses, heels, etc. * Hosted by Google. * [Proxied](https://about.gitlab.com/blog/2020/01/16/gitlab-changes-to-cloudflare/) through privacy abuser CloudFlare. * [tracking](https://social.privacytools.io/@darylsun/103015834654172174) * Hostile treatment of Tor users trying to register. * Hostile treatment of new users who attempt to register with a `@spamgourmet.com` forwarding email address to track spam and to protect their more sensitive internal email address. * Hostile treatment of Tor users *after* they've established an account and have proven to be a non-spammer.

Regarding the last bullet, I was simply trying to edit an existing message that I already posted and was forced to solve a CAPTCHA (attached). There are several problems with this:

• CAPTCHAs break robots and robots are not necessarily malicious. E.g. I could have had a robot correcting a widespread misspelling error in all my posts.
• CAPTCHAs put humans to work for machines when it is machines that should work for humans.
• CAPTCHAs are defeated. Spammers find it economical to use third-world sweat shop labor for CAPTCHAs while legitimate users have this burden of broken CAPTCHAs.
• The reCAPTCHA puzzle requires a connection to Google
  1. Google's reCAPTCHAs compromise security as a consequence of surveillance capitalism that entails collection of IP address, browser print.
     • anonymity is compromised.
     • (speculative) could Google push malicious j/s that intercepts user registration information?
  2. Users are forced to execute non-free javascript (recaptcha/api.js).
  3. The reCAPTCHA requires a GUI, thus denying service to users of text-based clients.
  4. CAPTCHAs put humans to work for machines when it is machines who should be working for humans. PRISM corp Google Inc. benefits financially from the puzzle solving work, giving Google an opportunity to collect data, abuse it, and profit from it. E.g. Google can track which of their logged-in users are visiting the page presenting the CAPTCHA.
  5. The reCAPTCHAs are often broken. This amounts to a denial of service.
     • E.g.1: the CAPTCHA server itself refuses to give the puzzle saying there is too much activity.
     • E.g.2:
       
  6. The CAPTCHAs are often unsolvable.
     • E.g.1: the CAPTCHA puzzle is broken by ambiguity (is one pixel in a grid cell of a pole holding a street sign considered a street sign?)
     • E.g.2: the puzzle is expressed in a language the viewer doesn't understand.
  7. (note: for a brief moment gitlab.com switched to hCAPTCHA by Intuition Machines, Inc. but now they're back to Google's reCAPTCHA)
  8. Network neutrality abuse: there is an access inequality whereby users logged into Google accounts are given more favorable treatment the CAPTCHA (but then they take on more privacy abuse). Tor users are given extra harsh treatment.

There's nothing wrong with self-hosting an instance running Gitlab CE or using the Gitlab instance of another party.

Decent alternatives

1. self-hosting (Gogs, Gitea, Gitlab CE, etc.)
   1. (+) avoids the "shake-up" problem of shrinking the community each time the project moves (there is no risk that the privacy factors would later take a negative turn).
2. Bitbucket
   1. (-) dodgy j/s up the yin yang that clusterfucks uMatrix
   2. (-) has some relationship with Netlify, who uses AWS
   3. (-) non-free software?
3. Launchpad
4. notabug.org ("NAB") (privacy policy). Based on a liberated fork of gogs.
   1. (+) supports Tor (although the onion web UI is currently disabled in response to attack, so the onion site only accepts git connections)
   2. (+) supports SSH keys and SSH over Tor
   3. (+) no CAPTCHAs
   4. (+) registration very non-intrusive, and not controlling about where you get your email
   5. (-) noteworthy drawback unrelated to privacy: e-voting non-existent.
   6. (-) noteworthy drawback unrelated to privacy: NAB doesn't associate PGP keys to users, so PGP signed commits may be unavailable or more manual work needed.
   7. (-) IRC support channel is dead.
5. Codeberg. Runs on Gitea, which is a Gogs fork.
   1. (+) web UI works on Tor (probably SSH as well)
   2. (+) supports SSH and GPG keys
   3. (+) registration very non-intrusive, and not controlling about where you get your email
   4. (+) functions without any j/s, and the javascript that exists is all 1st-party
   5. (+) supports e-voting
   6. (-) logins don't work from all Ungoogled Chromium installations
   7. (-) no onion address
6. yerbamate.dev
7. git.openprivacy.ca
8. git.nixnet.xyz
9. git.sr.ht
10. framagit.org: Gitlab CE instance
11. git.jami.net: Gitlab CE instance, perhaps dedicated to jami
12. sourcehut.org
13. http://dweb.happybeing.com/blog/post/002-safegit-decentralised-git-on-safe-network/