The aim of this protocol is to make Bits of Freedom's expectations with regard to software clear to developers.

Free software

Wherever possible, we use free software, and the software we create is free as well. Any software we develop must be published under a GPL-compatible licence. In this way, everyone acquires the right to modify the software and in turn share it with others. So, if you write a piece of software for us, you will need to publish it under a licence that enables us to share it under a GPL-compatible licence.

Privacy

To minimise damage in the event of data leaks, the software must process as little of users' data as possible. In addition, it may never send data to a third party. Should the software process personal data, the data must always be treated in accordance with the General Data Protection Regulation, and, by the same token, we shall ensure transparency in its regard and keep an accurate record of what we collect. We also discard such data as soon as possible.

Analytics

We prefer to collect as little data as possible, but if a project calls for the use of analytics, we employ an in-house installation of the open source analytics package Matomo (the only mature analytics software we know of that is in compliance with our privacy standards).

Elements from third parties

In order to prevent tracking and increase security, the software may not load elements from websites of third parties, e.g., illustrations, scripts, social-media sharing buttons, or entire pages via iframes. Should you, for example, wish to use any fonts, these should be obtained from our own server, which hosts them, rather than being dynamically loaded from, e.g., Google Fonts. The same applies to such libraries as jQuery and Bootstrap. We do not embed videos from external sites, such as YouTube, but instead use our own server.

Specific requirements for source code

It is our aim to build software that we can maintain and easily reuse and which lends itself to sharing with interested parties. This means:

  • We save the code from projects on our GitLab server if the projects are suited for this. In this way, we ensure that developers are able to obtain an overview of the different versions of the code and of any changes to it.
  • We write code preferably in Python and Django, unless it is essential that it be written in PHP. Our website is based on WordPress. If it is necessary for code to be integrated with WordPress, it is convenient for it to be written in PHP.
  • We program in Python in accordance with the PEP-8 standard. For PHP code, we apply the WordPress PHP coding standards.
  • We document code thoroughly. This makes it easy for other developers to build on our software.
  • We program and document in English. By using English-language functions and variables, and by documenting the code in English, we can ensure that organisations in other countries who wish to develop the software further can start working on our project without difficulty.
  • We allow for a front-end and back-end in different languages. To ensure that both the front-end and back-end are easy to translate, we write the code with internationalisation in mind. This means that the standard language for the content of projects is English, which is in turn translated into Dutch (if necessary).
  • We use such package managers as Yarn to install and update JavaScript libraries. This enables us to update rapidly if a weak spot is identified in the library used.
  • We write web applications with a strict content security policy (CSP) in mind. The CSP we use for new projects is default-src 'self', meaning that all assets loaded must be of the same origin, such that the use of insecure inline CSS or JavaScript is not permissible. If necessary, an exception can be made for Matomo (https://stats.bof.nl).
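
The following Python script is an added example and is not code from Bits of Freedom. It builds the header value the last list item describes (default-src 'self', optionally with the Matomo exception) and checks a given Content-Security-Policy header against that rule and against the "Elements from third parties" rule above: any origin other than 'self' or the Matomo instance, any scheme-wide source, and any inline allowance ('unsafe-inline', nonces, hashes) is reported. The set of directives in which the Matomo origin is accepted (script-src, img-src, connect-src) is an assumption about what a Matomo tracker needs; the page itself names only the origin.

```python
"""Build and check a Content-Security-Policy header against the rules described above."""
from typing import Dict, List

# Baseline policy for new projects, as stated on the page.
BASELINE_CSP = "default-src 'self'"
# The one exception the page mentions: the in-house Matomo instance.
MATOMO_ORIGIN = "https://stats.bof.nl"
# Assumption: a Matomo tracker needs its script, its tracking image and its
# XHR/beacon endpoint, so only these directives may name the Matomo origin.
MATOMO_DIRECTIVES = {"script-src", "img-src", "connect-src"}
# Sources that widen the policy to arbitrary or inline content.
FORBIDDEN_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "blob:", "http:", "https:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}.

    Per the CSP specification the first occurrence of a directive wins and
    later duplicates are ignored, so that is what we do here as well.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        parts = raw.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in policy:
            policy[name] = parts[1:]
    return policy


def check_csp(header: str) -> List[str]:
    """Return a list of violations; an empty list means the header complies."""
    policy = parse_csp(header)
    problems: List[str] = []

    # Rule 1: the fallback for every fetch directive must be exactly 'self'.
    default = policy.get("default-src")
    if default != ["'self'"]:
        problems.append(f"default-src must be exactly 'self', got {default}")

    # Rule 2: no directive may open the door to inline or third-party content,
    # except for the Matomo origin in the directives a tracker actually needs.
    for directive, sources in policy.items():
        for src in sources:
            if src in FORBIDDEN_SOURCES:
                problems.append(f"{directive}: insecure source {src}")
            elif src in ("'self'", "'none'"):
                continue
            elif src.startswith("'nonce-") or src.startswith("'sha"):
                problems.append(f"{directive}: {src} permits inline content")
            elif src == MATOMO_ORIGIN:
                if directive not in MATOMO_DIRECTIVES:
                    problems.append(f"{directive}: Matomo origin is not expected here")
            else:
                problems.append(f"{directive}: third-party origin {src} is not allowed")
    return problems


def build_csp(allow_matomo: bool = False) -> str:
    """Header value for a new project, optionally carving out the Matomo exception.

    Each directive that names the Matomo origin repeats 'self', because a
    directive that is present does not inherit from default-src.
    """
    if not allow_matomo:
        return BASELINE_CSP
    extra = "; ".join(f"{d} 'self' {MATOMO_ORIGIN}" for d in sorted(MATOMO_DIRECTIVES))
    return f"{BASELINE_CSP}; {extra}"


if __name__ == "__main__":
    # Constructed sample headers: one compliant, one loading Google Fonts.
    for sample in (build_csp(allow_matomo=True),
                   "default-src 'self'; font-src https://fonts.gstatic.com"):
        print(sample, "->", check_csp(sample) or "OK")
```

In a Django project the value returned by build_csp can be set as the Content-Security-Policy header on every response from a small middleware, and check_csp can run in the test suite against the header the deployed settings actually produce, so that a later "temporary" exception for a CDN or inline script does not slip in unnoticed.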

Security audits

Before placing software in production, we have someone not directly involved with the project carry out a security audit.

This page has been translated from the Dutch original by Nick Lakides.
