[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-gnuzilla] GNU LibreJS won't be removed from GNU IceCat

From: Ivan Zaigralin
Subject: Re: [Bug-gnuzilla] GNU LibreJS won't be removed from GNU IceCat
Date: Tue, 27 Feb 2018 10:33 -0800
User-agent: KMail/4.14.10 (Linux/4.4.115-gnu; KDE/4.14.32; x86_64; ; )

On 02/22/2018 02:56 PM, David Hedlund wrote:
> On 2018-02-22 09:22, Ivan Zaigralin wrote:
>> GPL-licensed code is not necessarily free. An obfuscated source is
>> unmaintainable regardless of the license, so two freedoms are taken
>> away: the freedom to study, and the freedom to run modified versions.
>> LibreJS is unable to detect obfuscated code.
> Thank you. This is a bug, can you please file a bug report to
> https://savannah.gnu.org/bugs/?group=librejs ?

If anyone wants to submit this issue/bug via the formal channels, god-speed, 
but I am hardly the right person to do that. The issue being: one of the 
stated design goals of LibreJS is to block non-free JS while allowing free JS, 
but it doesn't look like this goal is attainable even in principle without a 
human or human-grade AI vetting every incoming byte. And even with such 
fantastic vetting in place, there is still the intractable problem of users 
not being able to *afford* to change the behavior of *disposable* software, 
which effectively takes away a core freedom, regardless of how the disposable 
code is licensed. (A detailed explanation is cited at the end of this post.)

So on one hand, it does not feel right to me to create a ticket which will 
basically say that the very concept of LibreJS is misguided, the stated goals 
are unattainable, the users are misled, and the energy would be better spent 
on *unscripting* the web. Not only this would be borderline trolling, but I am 
also taking notice of other people's personal opinions on the matter. RMS, in 
particular, has been reported to believe in the usefulness of LibreJS. Perhaps 
RMS considers the marginal profit stemming from filtering out *some* nonfree 
code as beneficial enough to offset the downsides: the filter is not perfect, 
and users continue to cozy up to a platform which will never be free. Perhaps 
RMS thinks that any amount of attention drawn to this problem is better than 
nothing, even if it's due to a technical non-solution. And perhaps he is 
right, I really cannot build a strong argument against such notions.

On the other hand, I personally have had a single interaction with Savannah 
collective so far, and it was not a very pleasant one, although if I had to 
point a finger to one person most to blame, it would be me :) I basically 
popped a vein and raised hell when they told me my project will not be hosted 
because it's not "generally useful", and I managed to convince them to admit 
the subjective component of the initial review on their web page. It took a 
lot of time and fighting, and the final result looks like "...but is 
ultimately at the discretion of Savannah hackers."


I'd rather see a clear description of this rejection policy, which is in fact 
based on a *subjective* perception of quality and usefulness by a single 
examiner, but just having them to officially *confirm* this policy in a 
mailing list took KiBs of heated exchange. So I am afraid that if I come back 
with another highly contentious issue like the very fate of LibreJS, no matter 
how good my argument is, it will produce more pointless anger and friction.

I have to say, this thread really made me think about the JS trap some more, 
and I really feel that with the help of bill's sharp questions we are making 
some progress here. I realized that in order to make the web useful without 
having to run nonfree software, we must *unscript* it. Fixing individual 
pages/domains will not solve the problem posed by the disposable software; the 
way we interact with the web must change, and this can only be effected via a 
standardization of a protocol. And the other thing I realized, there is a 
clear path forward, and it has to do with web masters. One of the most 
important parts of LibreJS project is its appeal to web masters, who are being 
asked to free the JS code in order to disabuse the users. We need to go after 
the same web masters, and ask them to do more, if not something else entirely. 
If these web masters already believe that a free web is a worthy goal, we 
should be able to convince them to act now by making sure their web pages are 
fully functional without JS. We should also be able to convince them to make 
the non-JS version the default, and create a long-term plan for ditching JS 
completely. And if they also want to annotate the legacy JS code so that its 
license can be checked by a simple AI, that's fine too, as long as they keep 
their eyes on the prize.

On Tuesday, February 27, 2018 00:19:29 bill-auger wrote:
> On 02/26/2018 10:10 AM, David Hedlund wrote:
> > Issues can be reported to https://savannah.gnu.org/bugs/?group=librejs
> > as well since there are not dedicated "issue" link for LibreJS.
> im not sure what is the difference between "issues" and "bugs" but
> libreJS has a separate tracker for general user support questions if
> that is what you meant:
>   https://savannah.gnu.org/support/?func=additem&group=librejs
> and libreJS has multiple mailings lists also:
>   https://savannah.gnu.org/mail/?group=librejs

My previous rant on the issue is cited below for easy reference.

> this is confusing - what exactly is a
> "drive-by-download" and how are they inherently "non-free no matter what
> license is attached to them"?
> also, how could LibreJS "incorrectly mark an obfuscated piece of
> GPL-licensed code as free" - GPL-licensed code IS free

GPL-licensed code is not necessarily free. An obfuscated source is 
unmaintainable regardless of the license, so two freedoms are taken away: the 
freedom to study, and the freedom to run modified versions. LibreJS is unable 
to detect obfuscated code.

What I mean by drive-by-downloading, here we get philosophical. How free is 
the code which is only meant to be executed once? No one audits > 99% of this 
code, and it's all in constant flux. I would even argue, there's no hope it 
can ever be audited. There are already (I am sure) websites that generate 
brand-new code for every visit, making this assertion literal. How do you 
audit all that code? With an automated tool? An algorithm can't even solve a 
halting problem, let alone audit itself out of a paper bag.

Now put yourself in the shoes of an average web user. Average here is the key 
word. Their freedoms to understand and modify the JavaScript code have all but 
completely eroded. In a traditional software distribution market they can hire 
experts to explain and fix the software for them. This is utterly unaffordable 
if every click generates new software.

And now back to drive-by-downloading, which is important because it is perhaps 
the source of the problem. All of this is happening, as we all know very well, 
because average users are willing to run software from any source, as long as 
it doesn't make their computer explode right away. They don't even understand 
the basic difference between downloading data versus downloading and executing 
an arbitrary algorithm. When a blog, or a news site, or a government website 
won't load because you didn't let it run an arbitrary algorithm on your 
computer, that's crazy, just crazy. And the norm. These users who leave all 
JavaScript on, they already buried 2 of their freedoms, and the boilerplate 
license on the disposable code can't change that. They need to be told to 
boycott sites which require JS to function, and to demand legislation which 
would require something like HTML+CSS web fronts from commercial and 
government entities. It is not at all helpful, in my opinion, to differentiate 
between varieties of JavaScript sources, because none of them should be 
downloaded in the first place. Most importantly, web masters who want a free 
web should stop using JavaScript, and they should be transitioning right now, 
and not stop until there's nothing left for LibreJS to mark as free. All 
desired JavaScript functionality can be trivially recreated via a combination 
of free browser plugins and calls to free and standard libraries. The drive-
by-download culture, on the other hand, will plunge us deeper into the sea of 
disposable software.

Attachment: signature.asc
Description: This is a digitally signed message part.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]