# terms-privacy.diff (8.6 KiB)
diff --git a/privacy.md b/privacy.md
index 6481edd..806380e 100644
--- a/privacy.md
+++ b/privacy.md
@@ -1,13 +1,5 @@
 ---
 title: Privacy policy
-# TODO:
-# - Clarify that we don't store any information about logged-out users, except
-#   for their IP address.
-# - Improve wording of details about short-lived session cookies.
-# - Improve presentation of bcrypt process.
-# - Mention information stored from email headers.
-# - Clarify s/web browser/client/g
-# These changes are batched to reduce the noise upon notifying users.
 ---
 
 If you have any questions, please reach out to Drew DeVault <sir@cmpwn.com> via
@@ -17,13 +9,14 @@ email.
 
 The only data we require of your account is your email address; a username of
 your choosing, which must be unique among all users; and a password. Your email
-and username are stored in "plain text". Your password is stored after
-processing with bcrypt, from which the original password cannot be devised
-without a computationally expensive process. However, given your password, we
-can determine that it matches our stored key without expensive processing.  The
-purpose of this step is to ensure that should our database become compromised,
-your original password will be difficult to recover. Regardless, you are
-strongly encouraged to use a unique password for your sr.ht account.
+and username are stored in "plain text". Your password is obsfucated with the
+bcrypt algorithm, from which the original password cannot be derived without a
+computationally expensive process. When you log in with your password later on,
+we are able to verify that it matches our bcrypt record, and discard it once you
+have been authorized. The purpose of this step is to ensure that should our
+database become compromised, your original password will be difficult to
+recover. Regardless, you are strongly encouraged to use a unique password for
+your sr.ht account.
 
 You may choose to give us additional information, which is shown publicly on
 the site. This includes:
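Review bot: in the rewritten password paragraph, "obsfucated" is misspelled, and "obfuscated" is the wrong term in any case: bcrypt is a salted password hash, whereas obfuscation implies a reversible transformation, which contradicts the very next clause saying the password cannot be derived from it. Suggest "Your password is hashed with the bcrypt algorithm". Two smaller points in the same hunk: "authorized" in "discard it once you have been authorized" should be "authenticated" (checking the password is authentication; authorization is what happens afterwards), and "cannot be derived without a computationally expensive process" understates the guarantee, since the only such process is guessing candidate passwords one by one; "cannot be recovered other than by guessing, which bcrypt is designed to make slow" says what is actually meant.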
@@ -46,8 +39,8 @@ You may delete this information at any time by visiting your [account
 details](https://meta.sr.ht). If you provide a PGP key, you may choose to have
 email communications from sr.ht encrypted before being sent to you.
 
-We also obtain some information from your web browser as you use our services
-and store it for up to 30 days:
+We also obtain some information from your user agent (typically a web browser)
+as you use our services, and store it for up to 30 days:
 
 - Your IP address
 - When you accessed the site
@@ -60,12 +53,22 @@ unknown activity on your account. If we permitted deletion of this information,
 someone who obtains unauthorized access to your account would be able to delete
 it, too.
 
+We also collect this information automatically for anonymous users (users who
+are not logged in), and store it for up to 30 days. This information is examined
+during routine security audits to identify malicious use of the services.
+
 We also store various other kinds of information that you explicitly choose to
 give us, including (but not limited to):
 
-- repositories on git.sr.ht
+- repositories on git.sr.ht or hg.sr.ht
+- your name and email address as recorded in Git and Mercurial repositories
 - tickets on todo.sr.ht
 - build logs and secrets on builds.sr.ht
+- email contents and headers posted to lists.sr.ht
+
+Some of this information is shared with other users as a normal part of
+providing access to the relevant services; for example, your name and email
+address are recorded by git and shared with users who clone your git repository.
 
 To faciliate automated access to your account for third-party service or your
 personal use, we also generate and store API keys which can be used to authorize
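Review bot: "this information" in the new paragraph about anonymous users is ambiguous; it directly follows the sentence explaining why retained access records cannot be deleted, so a reader cannot tell whether it means the entire list above (IP address, access time, and the rest) or only part of it, and the TODO item removed from the front matter in this same patch said logged-out users would have nothing stored "except for their IP address". List the fields explicitly for anonymous users, and if more than the IP address is kept, say so rather than relying on the back-reference. In the same hunk, the new sharing example covers only git metadata, but "email contents and headers posted to lists.sr.ht" are also shared with other users wherever the list archive is readable; name that case too, since headers are the part a sender is least likely to expect to be redistributed. Also, "faciliate" in the unchanged context line just below is a typo worth fixing while this paragraph is being touched.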
@@ -80,9 +83,8 @@ recovered from this token.
 
 We also use cookies to store long-lived authorization data, to remember that
 you're logged into your account between visits without prompting you for your
-password again. We also use cookies to store short-lived information, like the
-fact that we have to tell you on the next page you load that we completed some
-operation sucessfully for you.
+password again. We also use cookies to store state associated with your user
+session, only to the extent necessary to provide functional service.
 
 ## How we share your information with third-parties
 
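Review bot: the replacement sentence "We also use cookies to store state associated with your user session, only to the extent necessary to provide functional service" drops both the concrete example and the word "short-lived", so the reader no longer learns that these cookies expire with the session, which is exactly what the removed TODO ("Improve wording of details about short-lived session cookies") wanted made clearer. Suggest keeping the lifetime and one example: "We also use short-lived session cookies, discarded when your session ends, for state such as a notice that an operation you requested completed successfully."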
@@ -99,10 +101,10 @@ sites. On pages displaying this content, information may be sent to these
 third-parties. This information includes:
 
 - Your IP address
-- Information about your web browser, such as whether you use Firefox or Chrome
+- Information about your user agent, such as whether you use Firefox or Chrome
 - The URL on sr.ht you visited when you saw this content
 
-We are not responsible for any additional information your web browser may send
+We are not responsible for any additional information your user agent may send
 to these third parties.
 
 If you use any of our paid services, we will transmit your payment information
diff --git a/terms.md b/terms.md
index 8d1afde..5ccaf71 100644
--- a/terms.md
+++ b/terms.md
@@ -1,8 +1,5 @@
 ---
 title: Terms of Service
-# TODO:
-# - Explicitly prohibit the use of our services for cryptocurrency mining
-# - Use of the terms "free software" and "open source"
 ---
 
 These are the terms of service for sr.ht; please read them before using sr.ht.
@@ -16,11 +13,12 @@ email.
   your account. We can cut you off at any time.
 - Use our services in good faith and don't get us in trouble.
 - You grant us enough rights to your content to provide our services.
+- Public projects must use an approved license from the list.
 - We can terminate service at any time.
 - Some services may require payment.
 - We'll email you before these terms change.
 
-This is for quick reference only, binding terms follow.
+This is for quick reference only - see the full terms in detail follow.
 
 ## Definitions
 
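Review bot: "This is for quick reference only - see the full terms in detail follow." is ungrammatical and loses the word "binding" that the old sentence used to make the legal status of the summary clear. Suggest "This is for quick reference only; the binding terms follow in full."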
@@ -74,6 +72,7 @@ You must not deliberately use the services for the purpose of:
 - impersonating any person other than yourself or organizations you are
   authorized to represent
 - spamming, unsolicited advertising, or solicitation
+- use of excessive resources, such as for cryptocurrency mining
 
 You may use automated tools to obtain public information from the services for
 the purposes of archival or open-access research. You may not use this data for
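Review bot: "use of excessive resources, such as for cryptocurrency mining" breaks the parallel structure of the list, whose other items are gerund phrases ("impersonating", "spamming"), and "excessive" is left undefined. Suggest "consuming excessive resources, for example by mining cryptocurrency", and if resource limits are documented elsewhere, point to them so the prohibition has a measurable threshold.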
@@ -88,13 +87,46 @@ services. If you make your content public through privacy tools on our services,
 you grant other users of the network the right to view and use your content
 through the tools provided by our services.
 
-You may grant additional rights on your content, for example by providing a
-LICENSE or COPYING file in git repositories hosted on git.sr.ht.
-
 You may request an archive of all of your content on the service by writing an
 email to Drew DeVault <sir@cmpwn.com> and allowing up to 2 weeks for an archive
 to be prepared.
 
+## Permissible licenses for distribution
+
+Public projects utilizing the services are required to use an open source
+license, free software license, or Creative Commons license for the distribution
+of their works. A 90 day grace period is offered to new projects to decide on a
+license, after which they are expected to obey these terms. If you need help
+choosing a suitable license, [advice is available online][choosing a license].
+
+[choosing a license]: https://man.sr.ht/license.md
+
+The use of multiple licenses is permitted, so long as other users of the service
+may use, at their choice, at least one license which qualifies. You may also
+choose to distribute your software under separate license terms by private
+agreement; for example by licensing your work under the GPL and offering
+different license terms to private buyers; assuming you possess the copyright
+for the software being licensed under such terms. You may also choose a
+non-approved license for derivative works if such derivatives do not make use
+of the services.
+
+"Free software license" refers to licenses listed at ["Various Licenses and
+Comments about Them"][gnu license list] which are not listed as "Nonfree
+licenses".
+
+[gnu license list]: https://www.gnu.org/licenses/license-list.en.html
+
+"Open-source license" refers to licenses approved as such by the Open Source
+Initiative. See: [Open Source Licenses by Category][osi license list]
+
+[osi license list]: https://opensource.org/licenses/category
+
+"Creative Commons license" refers to licenses published by Creative Commons,
+such as CC-BY-SA, CC-BY-NC, CC-0, and so on.
+See: [About CC Licenses][cc license list]
+
+[cc license list]: https://creativecommons.org/about/cclicenses/
+
 ## Service availability
 
 We may disable or terminate all or part of our services, permanently or
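Review bot: the removed paragraph "You may grant additional rights on your content, for example by providing a LICENSE or COPYING file in git repositories hosted on git.sr.ht." was the only place the terms said how a license is declared, and the new "Permissible licenses for distribution" section makes a license mandatory for public projects without saying how compliance is determined (a LICENSE or COPYING file, repository metadata, something else). Restore that mechanism in the new section; as written, the 90 day grace period has no observable end condition. Smaller points in the same hunk: "expected to obey these terms" reads better as "expected to comply with these terms"; "open source license" and "Open-source license" should be hyphenated consistently; and Creative Commons writes the public-domain dedication as "CC0", not "CC-0".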