[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-gnuzilla] GNU LibreJS won't be removed from GNU IceCat

From: Loic Duros
Subject: Re: [Bug-gnuzilla] GNU LibreJS won't be removed from GNU IceCat
Date: Thu, 22 Feb 2018 12:55:27 -0500

It looks for license metadata in the following forms: https://www.gnu.org/software/librejs/free-your-_javascript_.html

On Feb 22, 2018, at 12:50 PM, Narcis Garcia <address@hidden> wrote:

It seems a crazy strategy.
If GNU distributions used this kind of analysis instead of trusting
software from subscribed repositories, all our computers could be a
jungle (either with scripts and compiled files).

How does LibreJS check an script's license?

El 22/02/18 a les 18:43, Ivan Zaigralin ha escrit:
From what I can pick up, LibreJS tries to detect and whitelist "trivial" code
first, meaning, the code which an algorithm can recognize as data-like and
harmless. For all other code, it checks the license. I don't have details on
how these things are done, but both can clearly be programmed in a variety of  

On Thursday, February 22, 2018 10:57:28 Narcis Garcia wrote:
I was asking about the CURRENT principle for LibreJS, not for "good" or
"bad" of theoretically prossibilities.

El 22/02/18 a les 09:35, Ivan Zaigralin ha escrit:
On Thursday, February 22, 2018 08:43:38 Narcis Garcia wrote:
Which is the principle for LibreJS to approve _javascript_ functions
and/or files?
A license mention?

Can be regarded as necessary, but not sufficient.

A signature?

Useful for creating a trust model between users and web parties, but this
is already implemented by https+noscript, and it solves a different
problem, not directly freedom-related.

A well-known functions comparison? A code analysis? It replaces funcions?

A code analysis is pointless. Detecting obfuscated code, in particular, is
an intractable problem. If you could define "obfuscated" formally,
chances are, there would be a formal proof that the detection is
unsolvable by a TM. But generally speaking, a good way to obfuscate is by
writing a virtual assembly interpreter, and then feeding it "binaries"
which appear to be perfectly cromulent, poetic even, _javascript_ sources.
And obfuscated code cannot be considered free.

None of this is purely academic. Dynamic, obfuscated _javascript_ bitcash
miners are all the rage right now. This is where we are today.





reply via email to

[Prev in Thread] Current Thread [Next in Thread]