These days, most large FLOSS communities have a "Code of Conduct"; a document that outlines the acceptable (and possibly not acceptable) behaviour that contributors to the community should or should not exhibit. By writing such a document, a community can arm itself more strongly in the fight against trolls, harassment, and other forms of antisocial behaviour that is rampant on the anonymous medium that the Internet still is.

Writing a good code of conduct is no easy matter, however. I should know -- I've been involved in such a process twice; once for Debian, and once for FOSDEM. While I was the primary author for the Debian code of conduct, the same is not true for the FOSDEM one; I was involved, and I did comment on a few early drafts, but the core of FOSDEM's current code was written by another author. I had wanted to write a draft myself, but then this one arrived and I didn't feel like I could improve it, so it remained.

While it's not easy to come up with a Code of Conduct, there (luckily) are others who walked this path before you. On the "geek feminism" wiki, there is an interesting overview of existing Open Source community and conference codes of conduct, and reading one or more of them can provide one with some inspiration as to things to put in one's own code of conduct. That wiki page also contains a paragraph "Effective codes of conduct", which says (amongst others) that a good code of conduct should include

Specific descriptions of common but unacceptable behaviour (sexist jokes, etc.)

The attentive reader will notice that such specific descriptions are noticeably absent from both the Debian and the FOSDEM codes of conduct. This is not because I hadn't seen the above recommendation (I had); it is because I disagree with it. I do not believe that adding a list of "don't"s to a code of conduct is a net positive to it.

Why, I hear you ask? Surely having a list of things that are not welcome behaviour is a good thing, which should be encouraged? Surely such a list clarifies the kind of things your does not want to see? Having such a list will discourage that bad behaviour, right?

Well, no, I don't think so. And here's why.

Enumerating badness

A list of things not to do is like a virus scanner. For those not familiar with these: on some operating systems, there is specific piece of software that everyone recommends you run, which checks if particular blobs of data appear in files on the disk. If they do, then these files are assumed to be bad, and are kicked out. If they do not, then these files are assumed to be not bad, and are left alone (for the most part).

This works if we know all the possible types of badness; but as soon as someone invents a new form of badness, suddenly your virus scanner is ineffective. Additionally, it also means you're bound to continually have to update your virus scanner (or, as the case may be, code of conduct) to a continually changing hostile world. For these (and other) reasons, enumerating badness is listed as number 2 in security expert Markus Ranum's "six dumbest ideas in computer security," which was written in 2005.

In short, a list of "things not to do" is bound to be incomplete; if the goal is to clarify the kind of behaviour that is not welcome in your community, it is usually much better to explain the behaviour that is wanted, so that people can infer (by their absense) the kind of behaviour that isn't welcome.

This neatly brings me to my next point...

Black vs White vs Gray.

The world isn't black-and-white. We could define a list of welcome behaviour -- let's call that the whitelist -- or a list of unwelcome behaviour -- the blacklist -- and assume that the work is done after doing so. However, that wouldn't be true. For every item on either the white or black list, there's going to be a number of things that fall somewhere in between. Let's call those things as being on the "gray" list. They're not the kind of outstanding behaviour that we would like to see -- they'd be on the white list if they were -- but they're not really obvious CoC violations, either. You'd prefer it if people don't do those things, but it'd be a stretch to say they're jerks if they do.

Let's clarify that with an example:

Is it a code of conduct violation if you post links to pornography websites on your community's main development mailinglist? What about jokes involving porn stars? Or jokes that denigrate women, or that explicitly involve some gender-specific part of the body? What about an earring joke? Or a remark about a user interacting with your software, where the women are depicted as not understanding things as well as men? Or a remark about users in general, that isn't written in a gender-neutral manner? What about a piece of self-deprecating humor? What about praising someone else for doing something outstanding?

I'm sure most people would agree that the first case in the above paragraph should be a code of conduct violation, whereas the last case should not be. Some of the items in the list in between are clearly on one or the other side of the argument, but for others the jury is out. Let's call those as being in the gray zone. (Note: no, I did not mean to imply that the list is ordered in any way ;-)

If you write a list of things not to do, then by implication (because you didn't mention them), the things in the gray area are okay. This is especially problematic when it comes to things that are borderline blacklisted behaviour (or that should be blacklisted but aren't, because your list is incomplete -- see above). In such a situation, you're dealing with people who are jerks but can argue about it because your definition of jerk didn't cover teir behaviour. Because they're jerks, you can be sure they'll do everything in their power to waste your time about it, rather than improving their behaviour.

In contrast, if you write a list of things that you want people to do, then by implication (because you didn't mention it), the things in the gray area are not okay. If someone slips and does something in that gray area anyway, then that probably means they're doing something borderline not-whitelisted, which would be mildly annoying but doesn't make them jerks. If you point that out to them, they might go "oh, right, didn't think of it that way, sorry, will aspire to be better next time". Additionally, the actual jerks and trolls will have been given less tools to argue about borderline violations (because the border of your code of conduct is far, far away from jerky behaviour), so less time is wasted for those of your community who have to police it (yay!).

In theory, the result of a whitelist is a community of people who aspire to be nice people, rather than a community of people who simply aspire to be "not jerks". I know which kind of community I prefer.

Giving the wrong impression

During one of the BOFs that were held while I was drafting the Debian code of conduct, it was pointed out to me that a list of things not to do may give the impression to people that all these things on this list do actually happen in the code's community. If that is true, then a very long list may produce the impression that the given community is a community with a lot of problems.

Instead, a whitelist-based code of conduct will provide the impression that you're dealing with a healthy community. Whether that is the case obviously depends on more factors than just the code of conduct itself, but it will put people in the right mindset for this to become something of a self-fulfilling prophecy.

Conclusion

Given all of the above, I think a whitelist-based code of conduct is a better idea than a blacklist-based one. Additionally, in the few years since the Debian code of conduct was accepted, it is my impression that the general atmosphere in the Debian project has improved, which would seem to confirm that the method works (but YMMV, of course).

At any rate, I'm not saying that blacklist-based codes of conduct are useless. However, I do think that whitelist-based ones are better; and hopefully, you now agree, too ;-)

That said, its wording is neutral to the point of meaninglessness. I’m queer — is someone using a homophobic slur a “personal attack” or is it merely an “opposing view” that I should be “tolerant” of? If someone makes repeated derogatory comments about my appearance in a thread, would a “reasonable” person consider that harassment, or am I failing to “assume good intentions” if I bring it up?

http://betsyhaibel.com/blog/2016-02-17-ruby-codes-of-conduct-and-integrity/


In short, a list of "things not to do" is bound to be incomplete

Just because something is not perfect, it does not make it a bad idea. And comparing it to virus scanners is not an argument for me.

it is usually much better to explain the behavior that is wanted

To be honest, I have not the slightest idea how this could look like. Let's take your post as an example: Using the terms "Black" and "White" judgmental, resembles racist culture for many people. They don't want to read it and they want people to be aware of this issue. How would you explain this in a list of wanted behavior?


You write about "jerks". You even write about "actual jerks". And if something harmful happens, it can be very important to call people what they were in this situation. However, for me, I am always adding the perspective that it is likely that I also will hurt people unintentionally. Please consider watching the Why Are You So Angry? series to learn more about the problems with dividing people in "good" and "bad". Every person should expect to be called out based on a code of conduct and that this is not an unbearable shame.

I also consider it important to shift the focus on the people affected by unwanted behavior, rather then looking at "the jerk". It is important to ask "what can help the affected person", rather then just asking "am I allowed to call somebody a jerk."

The major weapon of harassers is arguing whether something is actually harassing. It is difficult to enforce a CoC if you have to have a month long nasty argument about whether it was violated. It burns out people like you.

https://adainitiative.org/2014/02/18/howto-design-a-code-of-conduct-for-your-community/

I don't see how a list of wanted behavior would fix this problem. But maybe you have to give an idea how such a list would look like.


Instead, a whitelist-based code of conduct will provide the impression that you're dealing with a healthy community.

This sentence is especially telling. Let me make this very clear: I don't want the impression that a community is healthy. I want a community that is, for example, capable of adjusting to the needs of a person from a minoratized group. If a community is "healthy", it's often because it is so heterogeneous that none of those issues arose before.

I learned to be more reassured by the phrase “we’ve fired people for harassment” than “nothing has happened here”.

https://cate.blog/2017/03/02/the-reaction/

Comment by Sophie Thursday night, March 16th, 2017

After having witnessed the creation of GNOME CoC I can fully agree with this nuanced way of writing down a CoC. At GNOME too the idea was always to make rules that tell you what not to do.

After the CoC was introduced, stupid feminism took over (and with stupid feminism I don't mean that all feminism is stupid, but that the stupid kind of feminism was the one that took over - the evangelical fanatic version). And now GNOME is more about this kind of stuff than about writing actual code. Meanwhile there had never been any observable form of sexism or anything like that in GNOME at all.

You can see very clearly that all open source communities where the extremists take over, it goes downhill. The first step they take is trying to introduce negative code of conducts.

Comment by pvanhoof early Saturday morning, March 18th, 2017