bug-librejs
From: Garreau, Alexandre
Subject: [Bug-librejs] Do you check for compiling/versioning/archiving of free unknown javascript libraries?
Date: Mon, 21 May 2018 09:19:13 +0200
User-agent: Gnus (5.13), GNU Emacs 25.1.1 (x86_64-pc-linux-gnu)

Javascript and the way it’s downloaded and executed in general is
perturbing, not only the licence.

Given a never versioned, never archived, untrusted, unknown, new, maybe
badly written, by a non-trusted source (and that often happens,
concerning javascript), and given all the scary things you can do from
javascript (track mouse and keyboard patterns to uniquely identify
people, transform your browser in websocket client/server, find your IP,
etc.), and given that even native, local and free software have been
known to do privacy-questionable things (unity amazon partnership), I’m
not sure a free licence is a sufficient guard for user freedom.

Because usually, the fact every user isn’t able (or just willing, if
they’re able) to inspect and modify each code they run, is balanced by
the fact they could ask someone else, or could learn and do it later:
with javascript from the browser this often might be impossible as the
website could as well send a different javascript per http request, so
the version of the non-dev and the version of the dev could never be the
same, same thing for different periods of day, week, month, etc.

You could even maybe try to find patterns so that the nasty features of
your non-free javascript are heuristically less likely to be sent to
people or at time more likely for it to be inspected.

So I wonder if librejs has or plans to have any capability of
fingerprinting, randomly deterministically-compiling (including
“minification”), and eventually collaborative archiving of source code
of downloaded javascript, to be sure nobody is exposed to untrusted
source code that might lie about its origin, or be different from the ones
that were inspected.

If not so, including such a thing not only would be reassuring, useful,
and a “selling point” in terms of security for librejs, but it would be
a good experiment to enhance the security on the web and typically of
systems which include as a “feature” automatic and transparent
execution of remote turing-complete code.


