[Bug-librejs] Collaborative rating of freeness/readability: let’s do like GPL and make companies our side (Was: Re: Do you check for compiling/versionning/archiving of free unknown javascript libraries?)

[Garreau\, Alexandre]

I suggested bill-auger to me, I recently did browse the bug-gnuzilla
list to see the discussion about the global problem of automatically
downloaded and executed javascript.  And I did read there about
minifying and hashing javascript as I thought.  Does libreJS currently
do that?  If so it means a big portion of the needed infrastructure is
already there!  What would be needed afterwards would mainly be some
decentralized whitelisting system where you can manually (or
transitivly, think WoT) trust institutions about whitelisting, like
repositories.  Then you may have a system of repositories to archive,
with compression and caching (you may use dictionnaries to store the
identifiers elsewhere and compress all of them together to gain space,
or use zstd and its dictionnary capabilities).  And we could distribute
all this trust information either through copies on several well-known,
possibly either manually or software-configured servers, either through
P2P, using magnet-links for instance (after all librejs already allows
using magnet-links to refers licences).

Also, I thought: what about allowing even more decentralized, complete
and automated reviewing?  Let’s think big, so that if we’re ambitious
enough, and solving enough problem at once, we’ll maybe get more help
for longer times, and paradoxally it may become more realistic: let’s do
so you don’t need to manually join some “review group”, such as you do
when you become a Distro maintainer/packager (like Debian, F-Droid,
Cydia, etc.) but something more fine-grained or “liquid”.

I propose making a general standard for reviewing software, to review it
is *really* free, because that problem will also arise on github, guix,
ctan/cpan, any liberal-enough software automatical repository, and may
really well disturb not only free-software activists, but also
companies, who have a lot of money and maybe would like to spend it to
be able to trust software they use!  Just like GPL force
proprietary-software companies and developers to make their software
free, because the one of the others is, we can convince them to review
the code of each others between them!  Because no company can by default
trust another one, and what we want, is trusting nobody and everything
to be surely free!

So, anybody might review software, identified per pubkey of their author
+ name (or possibly unique id if we want to allow same author to have
several packages of same name) for a “package”, and hash of their
canonically minified version, for each version of it.

Let’s say review is incremental: for something to be reviewed, it is
okay if all its parts has been reviewed by different people.

Let’s say review is unequal: an cryptography expert won’t have an as
valuable review as your random friend.

Let’s say review is multidimensional: something might be obfuscated for
diverse reasons, more or less importants: indentation (might be well
automatically indented), comments and meaningful identifiers, type
system (untyped < dynamically typed < statically typed), algorithmic
complexity, programming paradigm expressivity in current context (my
perspective is for more high-level problems imperative < functional <
logical, but people may disagree, and yet functional with a
little-imperative stays my favorite).

Let’s say review is not binary: you may say this is 5-stars readable,
1-star obfuscated, 5-stars not backdoored, 3-stars good
identifiers/comments, 2-stars complicated algorithm (may strive for
formalized decentralized verifiable competition for which programming
paradigm makes the more readable algorithm: especially useful for
multiparadigm languages like javascript), etc.

Let’s say review is approximative: I trust Debian, I also trust it to
find malware, non-free code and trojans in software it distributes, but
I don’t expect for its developers to read *all* source code included in
Debian, expect in the (really cool) case where the original software
developer/maintainer package its own program: so you can quickly check
what I/O libraries it actually uses, if possible grep (or something more
semantic) for what it does with I/O (filesystem and network is the more
crucial), if possible imagine how it does work and look if all the
majors/crucial algorithms are readable enough.

Then precise *formally*, objectively and unambiguously how deep your
review was, and of which parts of the software.  Don’t let
people/organizations who trust each other review twice, let that be done
by people/organizations who don’t trust each other: I won’t review
anything reviewed by any GNU or Debian maintainer, I will when it comes
from a corporation or an unknown individual, an Apple emloyee won’t
review what other Apple employees did review, maybe not even what BSD
people did if Apple had enough of its employees working for it, but it
will review what comes from google in BSD, Google will look for Apple,
Microsoft will look for both.  Let’s make a global dys^Wutopia where
backdoors, informal obfuscation, hidden proprietary-software delation is
the rule and where each company spies on each other until all the code
is as readable, clean and trustable as possible!
{
Then, you precise what sources you trust.  If you already use lot of
unreviewed Company-X software, you might give a great care to only
accept what Company-X (or the other entities it trust, let’s say BSD and
the GNU Project, since, hey, lot of these will use GNU software anyway)
reviewed.  Then the other way around.  Incrementally each reviewing gain
importance and then network-effect is no problem since things might
exponentially get interesting for all parties.  Because in fact that
process might not be directed toward checking if software is free, it
could be said to be directed to formalize the collaborative process to
check if it’s trustable, if there’s no hidden backdoor and if everything
is understandable.  But in this process it would be damn easy to let
people check if the software really is free, without even noticing or
willing to do so!

Not only that would push for more software review, but that might as
well push for more easily-reviewable software, and even for more people
being able to review things! once that one-day-trash javascript may have
incentive to being better understandable by the lambda person who only
programmed twice in their life, anybody could get the good habit of
trying to review the most easily reviewable stuff, or the most
high-level software, or the best-style more elegant one, etc. 

What do you think of it?  Wouldn’t a such system stay realistic while
being of great usefulness generally or software community and user
freedom?