graylist CF NS sites

forge_comparison.md

@@ -12,12 +12,10 @@ The following forges have no significant ethical issues:
 [framagit.org](https://framagit.org)|🟢|Gitlab (CE)|n|n|n|n||
 [git.disroot.org](https://git.disroot.org)|🟢|Gitea 1.13.6|n|n|n|n|SSH over Tor works|
 [git.fuwafuwa.moe](https://git.fuwafuwa.moe)([🧅](http://git.fuwafuwaqtlkkxwc.onion))|🟢|Gitea|n|n|n|n|SSH over Tor broken; HTTPS over Tor works|
-[git.hardenedbsd.org](https://git.hardenedbsd.org)|🟢|Gitlab (EE)|n|n|n|n|possibly restricted to BSD efforts|
 [git.jami.net](https://git.jami.net)|🟢|Gitlab (CE)|n|n|n|n|possibly restricted to Jami efforts; acces to help page blocked to non-members so CE/EE unknown|
 [git.nixnet.services](https://git.nixnet.services)|🔴|Gitea 1.13.1|n|n|n|n|formerly git.nixnet.xyz|
 [git.sdf.org](https://git.sdf.org)|🟢|Gitea 1.13.1|n|n|n|n|SSH over Tor broken but HTTPS over Tor works|
 [git.slashdev.space](https://git.slashdev.space)|🟢|Gitea 1.13.6|n|n|n|n|SSH over Tor broken (try HTTPS over Tor)|
-[git.teknik.io](https://git.teknik.io)|🔴|Gitea 1.9.0|n|n|n|n||
 [gitlab.freedesktop.org](https://gitlab.freedesktop.org)|🟢|Gitlab (CE)|n|n|n|n|possibly restricted to Freedesktop efforts|
 [gitlab.gnome.org](https://gitlab.gnome.org)|🟢|Gitlab (CE)|n|n|n|n|possibly restricted to Gnome efforts|
 [gitlab.torproject.org](https://gitlab.torproject.org)|🟢|Gitlab (CE)|n|n|n|n|open registration; repo creation possibly restricted; Google reCAPTCHA is [allegedley](https://lists.gnu.org/archive/html/repo-criteria-discuss/2021-03/msg00000.html) used, but [not at registration time](https://gitlab.onionize.space)|
@@ -29,6 +27,15 @@ The following forges have no significant ethical issues:
 [sr.ht](https://sr.ht)|🟢|Sourcehut|n|n|n|n|javascript-free|
 [yerbamate.dev](https://yerbamate.dev)|💀|Gitea|n|n|n|n|**dead site**|
 
+## Graylist
+
+These forges are not as seriously flawed as the blacklisted ones, but they should still be avoided if possible.  Non-Cloudflare sites that use a Cloudflare NS server pose a risk for disruptions because they can trivially and spontaneously flip a switch and route all your traffic through Cloudflare, potentially cutting access to some of your contributors.
+
+| *forge* | *registration publicly open* | *software* | *Tor-hostile* | *sensitive info exposed to CloudFlare* | *forced re/hCAPTCHA* | *forced execution of non-free software* | *notes* |
+|---|---|---|---|---|---|---|---|
+[git.hardenedbsd.org](https://git.hardenedbsd.org)|🟢|Gitlab (EE)|n|n|n|n|**Cloudflare NS server (they can route all traffic via CF at the flip of a switch)**; possibly restricted to BSD efforts|
+[git.teknik.io](https://git.teknik.io)|🔴|Gitea 1.9.0|n|n|n|n|**Cloudflare NS server (they can route all traffic via CF at the flip of a switch)**|
+
 ## Blacklist
 
 These forges have severe ethical or trust issues and should be boycotted:

input_data/forges.sql

@@ -7,6 +7,7 @@ create table if not exists forgesTbl
    dead                  boolean not null default 0,
    openpubreg            boolean not null default 1,
    cflogin               boolean not null default 0,
+   cfns                  boolean not null default 0,
    antitor               boolean not null default 0,
    forced_nfsw           boolean not null default 0,
    aws                   boolean not null default 0,
@@ -32,7 +33,7 @@ insert into forgesTbl (url_onion, dead) values ('http://githidep2hynhdmutuv7n2te
 /* Gitea */
 insert into forgesTbl (url_clrnet, software, notes) values ('https://codeberg.org','Gitea', 'functions without any JavaScript and the JavaScript that exists is all 1st-party ([ref](https://github.com/privacytoolsIO/privacytools.io/issues/843#issuecomment-483830547))');
 insert into forgesTbl (url_clrnet, software, openpubreg, notes) values ('https://git.nixnet.services','Gitea 1.13.1', 0, 'formerly git.nixnet.xyz');
-insert into forgesTbl (url_clrnet, software, openpubreg) values ('https://git.teknik.io','Gitea 1.9.0',0);
+insert into forgesTbl (url_clrnet, software, openpubreg, cfns) values ('https://git.teknik.io','Gitea 1.9.0',0,1);
 insert into forgesTbl (url_clrnet, url_onion, software, notes) values ('https://git.fuwafuwa.moe','http://git.fuwafuwaqtlkkxwc.onion','Gitea','SSH over Tor broken; HTTPS over Tor works');
 insert into forgesTbl (url_clrnet, software, notes) values ('https://git.slashdev.space','Gitea 1.13.6','SSH over Tor broken (try HTTPS over Tor)');
 insert into forgesTbl (url_clrnet, software, notes) values ('https://git.disroot.org','Gitea 1.13.6','SSH over Tor works');
@@ -42,7 +43,7 @@ insert into forgesTbl (url_clrnet, software, notes) values ('https://git.sdf.org
 /* Gitlab */
 insert into forgesTbl (url_clrnet, software) values ('https://framagit.org','gitlab_ce');
 insert into forgesTbl (url_clrnet, software, hrecaptcha, notes) values ('https://git.feneas.org','gitlab_ce','unavoidable','reCAPTCHA impedes registration and imposes non-free s/w');
-insert into forgesTbl (url_clrnet, software, notes) values ('https://git.hardenedbsd.org','gitlab_ee','possibly restricted to BSD efforts');
+insert into forgesTbl (url_clrnet, software, cfns, notes) values ('https://git.hardenedbsd.org','gitlab_ee',1,'possibly restricted to BSD efforts');
 insert into forgesTbl (url_clrnet, software, notes) values ('https://git.jami.net','gitlab_ce','possibly restricted to Jami efforts; acces to help page blocked to non-members so CE/EE unknown');
 insert into forgesTbl (url_clrnet, software, cflogin, hrecaptcha, notes) values ('https://gitlab.com','gitlab_ee',1,'unavoidable','flagship instance running the *Enterprise Edition*; uses both hCAPTCHA & reCAPTCHA; heavily restricted with discriminatory policies; [copious ethical issues](gitlab-dot-com.md)');
 insert into forgesTbl (url_clrnet, software, notes) values ('https://gitlab.freedesktop.org','gitlab_ce','possibly restricted to Freedesktop efforts');
@@ -52,8 +53,9 @@ insert into forgesTbl (url_clrnet, software, notes) values ('https://source.puri
 insert into forgesTbl (url_clrnet, software, openpubreg) values ('https://source.small-tech.org','gitlab_ce',0);
 
 update forgesTbl set forced_nfsw = 1 where hrecaptcha = 'unavoidable';
-update forgesTbl set lst_kind = 'gray' where lst_kind = 'white' and (aws or (notes is not null and (notes like '%google_cloud_hosted%')));
+update forgesTbl set lst_kind = 'gray' where lst_kind = 'white' and (aws or cfns or (notes is not null and (notes like '%google_cloud_hosted%')));
 update forgesTbl set lst_kind = 'black' where cflogin or antitor or forced_nfsw;
+update forgesTbl set notes = '**Cloudflare NS server (they can route all traffic via CF at the flip of a switch)**'||case when notes is null then '' else '; '||notes end where cfns;
 update forgesTbl set notes = '**Amazon AWS-hosted**'||case when notes is null then '' else '; '||notes end where aws;
 update forgesTbl set notes = '**dead site**'||case when notes is null then '' else '; '||notes end where dead;
 update forgesTbl set notes = '**forced h/reCAPTCHA**'||case when notes is null then '' else '; '||notes end where hrecaptcha = 'unavoidable' and notes not like '%captcha%';

tools/gen_forge_table.sh

@@ -42,7 +42,7 @@ intro()
             printf %s\\n 'The following forges have no significant ethical issues:'
             ;;
         gray)
-            printf %s\\n 'These forges would normally be blacklisted, but due to the short whitelist they are set aside as a less evil compromise to those blacklisted. They should still be avoided if possible.'
+            printf %s\\n 'These forges are not as seriously flawed as the blacklisted ones, but they should still be avoided if possible.  Non-Cloudflare sites that use a Cloudflare NS server pose a risk for disruptions because they can trivially and spontaneously flip a switch and route all your traffic through Cloudflare, potentially cutting access to some of your contributors.'
             ;;
         black)
             printf %s\\n 'These forges have severe ethical or trust issues and should be boycotted:'
@@ -109,7 +109,7 @@ table_md()
 {
     printf %s\\n "# Directory of forges"
 
-    for lst in white black
+    for lst in white gray black
     do
         if [[ "$lst" == black ]]
         then