@hipsterelectron Can you elaborate on what you find despicable here? I'm honestly confused. @barometz @lwn
@hipsterelectron Still deeply puzzled by this. FSFE has put out a statement on this as well. Would really like to know what you found bothersome about this.
@jzb where is the fsfe statement? i can't read a piece that says "goes to war on open source" that's not remotely about anything of the sort. it by default makes me wildly distrust the source. i'll find the fsfe statement from their feed
@hipsterelectron It was a blog post, people tend to use hyperbole in blog posts.
That still doesn't explain your complaints with what I saw as a perfectly reasonable reaction to the information the blogger was talking about.
@jzb https://fsfe.org/news/2026/news-20260504-01.en.html
> The reported internal guidance, referred to as “SDLC-8”, would require public repositories to be made private unless an explicit exception is approved.
not sure why the @fsfe decided not to provide the contents of the internal guidance, or link to the place where it was first reported? the EFF usually does this and it allows people to evaluate their claims much more directly which i appreciate.
for example:
> Taking already public repositories offline does not prevent attackers from analysing deployed systems, dependencies, interfaces, or binaries.
is there room to offer release source tarballs in this framework? does a developer need to publish access to their entire git history? git history btw is often the most difficult to secure against scrapers—see how every gnu savannah cgit web interface has experienced 100% downtime for months (although there are other issues there too). i know @ska has done it but it was not at all trivial.
i can see at the end it notes:
> to publish the reported guidance
so that seems like there's some sort of gag order on publishing the leaked guidance?
it's just difficult to evaluate how serious of a problem this is if there are no specifics. the fsfe being a legal organization rather than a news one was where i would be hoping to see more discussion of the relevant legal specifics, or to explain what the possible legal workarounds might be