How to recognize non-free javascript

39 respostas [Última entrada]
quantumgravity
Desconectado
Joined: 04/22/2013

Hello,
i'm using Icecat with LibreJS installed.
As most of you might know, LibreJS scans the javascript code for a special licence declaration which hardly anyone is using at the moment, so it blocks almost everything by default.
Now my simple idea:
when I click on the librejs button, it shows me all of the blocked code on the site. As far as I know, non-free javascript uses "hazy" code (maybe unappropriate expression in english, but you know what I mean), so it's code with methode names consist only of one letter etc.
Can't we recognize non-free javascript by looking at the code? and, in case the code is readable, simply allow it?

Readable code is not the only criteria for free javascript, I know. But the possibility to make changes has to be provided by the browser I think.
Until this is possible, we have to deal with "open javascript" which is a lesser requirement.

Also useful would be a whitelist feature in librejs; we could collect popular sites which are ok and allow them.

My guess is that many sites get blocked without necessity.

quantumgravity
Desconectado
Joined: 04/22/2013

In case really no one knows about the problem / cares about it, sorry for the push of the thread;
but perhaps it got overlooked;
can anyone tell me if just looking at the code and seeing a well readable text is sufficient for detecting it as free javascript?

Michał Masłowski

I am a member!

I am a translator!

Desconectado
Joined: 05/15/2010

Many sites use unminimized nontrivial JavaScript code that has no
license, so it is nonfree.

onpon4
Desconectado
Joined: 05/30/2012

Many free programs are normally used in "minimized" versions. The purpose of this is to reduce load times. On the other hand, some short proprietary scripts aren't "minimized".

Unfortunately, there's no simple rule.

quantumgravity
Desconectado
Joined: 04/22/2013

Ok, but librejs doesn't recognize perfectly free jquery stuff;
I hope they will add a whitelist feature soon; or the possibility to allow single scripts instead of all scripts on the page.

onpon4
Desconectado
Joined: 05/30/2012

Honestly, I don't understand why LibreJS wasn't built as a fork of NoScript that adds the LibreJS features (namely the automatic allowing of certain scripts, the assistance with reading the Javascript files, and the assistance with finding contact information to complain about proprietary Javascript). NoScript already has a much better whitelist feature than LibreJS and LibreJS has this weird bug where a lot of pages stop being rendered properly under various circumstances (in ways other than scripts being unavailable). I've briefly looked at NoScript and don't really understand the code, but it doesn't look complicated enough to warrant reinventing the wheel.

quantumgravity
Desconectado
Joined: 04/22/2013

I agree and I encountered the rendering problems, too.

lembas
Desconectado
Joined: 05/13/2010

People can't seem to build web pages any more without boat loads of JavaScript these days...

I realize it's tempting to offload to clients but it makes for a horrible user experience. And the "webmasters" just love the idea of the client swallowing any and all JS blobs they and their affiliates like ramming down people's throats. Write angry emails and vote with your feet.

oysterboy

I am a member!

I am a translator!

Desconectado
Joined: 02/01/2011

There's a new version of LibreJS, with some interesting new features. Haven't tried it yet.

"The major improvements include:

Support for magnet links.

Scripts are analyzed individually.

Scripts are evaluated with a hash.

Display info in the add-on panel."

http://www.fsf.org/blogs/community/librejs-reaches-version-5.4

onpon4
Desconectado
Joined: 05/30/2012

I tried LibreJS 5.4 when it was first released and honestly wasn't impressed. It's still basically the same, including breaking web pages in ways that are completely unrelated to Javascript and having a whitelist that only serves to execute ALL Javascript code used on a whitelisted webpage, regardless of what script it is or even where it's from.

I still think they should fork NoScript, make it more powerful (so it can allow and deny individual scripts, rather than having a list of trusted sources for scripts), and add the LibreJS features.

But that still wouldn't be enough. We need something powerful that combines the ideas of script blocking (e.g. NoScript) and user scripts (e.g. Greasemonkey) to allow easy, fine-tuned script execution control. Better and easier than current user scripts.

I don't get why the FSF seems to approach the problem of proprietary Javascript so differently than with other proprietary software. LibreJS is like if, in 1983, RMS had written a shell script that somehow showed approximately how much proprietary software was on a computer and blocked that software (plus some collateral damage on free software), then told people to use the resulting barely-usable or unusable system and complain to the distributor of the system that the script broke it. If you can see how absurd that sounds, you can see how absurd I think the idea of LibreJS is. It's stalling, and the sooner we stop just blocking Javascript and start actually working to replace the non-free Javascript code (the first step of which is making running custom Javascript and otherwise controlling Javascript execution much easier than it is now), the better.

lembas
Desconectado
Joined: 05/13/2010

Join LibreJS development? They might appreciate your ideas and extra pair of hands.

We're at a serious risk of losing the free internet, this time to proprietary JS, much like we were about to lose it to proprietary code thanks to IE6 and flash et al.

axgb
Desconectado
Joined: 09/22/2013

There are many problems with LibreJS, it blocks some scripts on the FSF website.

jxself
Desconectado
Joined: 09/13/2010

"There are many problems with LibreJS, it blocks some scripts on the FSF website."

It's not a LibreJS problem but an adoption problem: Even if the JavaScript is intended to be free, most JavaScript has absolutely no information about this. How is LibreJS (or even a human looking at the JavaScript) supposed to know? Neither a human nor a computer can read the mind of the person that made the website and somehow magically know their intention. People need to add copyright & licensing information to their programs for it to be free. This also extends into writing programs that are run inside a web browser. It's as simple as that.

A common one I see people bring up is jQuery. They say "Oh, it's jQuery, which is free already", to which I disgaree. jQuery is under the MIT license. It's not under a copyleft license like the GPL, so people aren't required to pass on freedom to the people using it. If the website's only offering a minifed version (essentially a compiled version) of jQuery, how is a computer (or even a human) intended to know if the author is in fact passing on the required four freedoms if there is no source code, etc.? (The preferred form for modification, and a minified JavaScript thing is hardly that.)

My understanding is that the FSF is working on making sure that every single piece of JavaScript on their site has the proper stuff so that LibreJS will know that it is free. If you find some that they missed please send them an email.

You should also talk to other websites that have JavaScript with no copyright or licensing information included and encourage them to put it in there so that it can be known to be free.

t3g
t3g
Desconectado
Joined: 05/15/2011

"A common one I see people bring up is jQuery. They say "Oh, it's jQuery, which is free already", to which I disgaree. jQuery is under the MIT license. It's not under a copyleft license like the GPL, so people aren't required to pass on freedom to the people using it. If the website's only offering a minifed version (essentially a compiled version) of jQuery, how is a computer (or even a human) intended to know if the author is in fact passing on the required four freedoms if there is no source code, etc.? (The preferred form for modification, and a minified JavaScript thing is hardly that.)"

You couldn't be more wrong. The MIT is as free software as the GPL and respects the four freedoms. You just want everything to be GPL, which is becoming more and more niche as JavaScript libraries are going for permissive licenses since permissive encources more community and corporate contributions instead of the GPL which benefits the copyright holder only so he can sell a commercial license.

Btw I think that more minified JavaScript libraries should use Source Maps to show where the source code is. When you enable source maps in Chrome (and I believe Firefox) and go into the Developer Tools, it will already load up the source file. I hope that more JavaScript source files in the future take advantage of the Source Maps feature and put the proper license or link to the license at the top.

Heck, the latest jQuery at https://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js and https://ajax.aspnetcdn.com/ajax/jquery/jquery-2.0.3.min.js and of course http://code.jquery.com/jquery-2.0.3.min.js all have the "sourceMappingURL" to link to a .map file that provides not only direct access to the source code, but debugging tools.

If LibreJS wants to be more than antiquated software, it should start checking for Source Maps too: http://www.html5rocks.com/en/tutorials/developertools/sourcemaps/

jxself
Desconectado
Joined: 09/13/2010

"You couldn't be more wrong. The MIT is as free software as the GPL and respects the four freedoms."

I think you've misunderstood. I was not attempting to evaluate the license "freeness."

Rather, we all know that programs under a permissive license can be turned into something proprietary. Therefore, the "it's jQuery and so it must be free" argument doesn't apply because you have to ask the additional question: "Have they forwarded those freedoms on by providing the source code with copyright and license information?" (since they're not required to pass on freedom.) If they have done so, it's free and LibreJS should recognize it as such. Otherwise it's not since, as I explained, programs under a permissive license can be turned into something proprietary and LibreJS is properly blocking it. Yes, the website developer can elect to forward those four freedoms on but are not required to. Another way to ask it might be, "Is it free jQuery or proprietary jQuery?"

Hopefully that makes it clearer what I was talking about - not about how "free" the license is, but that the "it's jQuery and must be free so LibreJS shouldn't be blocking it" doesn't really work since it's a permissive license and so is allowed for there to be websites with a proprietary version that doesn't provide visitors with the needed freedoms. LibreJS should definitely be blocking those cases where the website developers isn't passing on the necessary freedoms.

jxself
Desconectado
Joined: 09/13/2010

I should probably add on that some people may find this a more advanced concept that the same program can be free or non-free depending on the circumstances.

There are two things to consider: a) Is it a free license? (which is yes.) and then b) Do the people using it/interacting with it in their browser have freedom? (That is a site-specific question and answer as some sites will give their users freedom while others won't pass on freedom.)

t3g
t3g
Desconectado
Joined: 05/15/2011

There is a lot of software (some would say the strongest) that benefit from a permissive license and do not have a lot of forks (free or not) that cause the original to be obsolete. Where are all these jQuery forks? Apache? nginx? How about programming languages like Python, Ruby, and Scala?

The reality is that the attacks on permissive licenses are FUD by GPL zealots and the FSF. I mean... the GPL is their license and their baby so they have to protect it. There is this "fear" that software under a permissive license automatically means that someone is going to take it and lock it down.

Sure, that can happen, but I found out that most users and developers of that software (commercial or community) would rather spend the effort in contributing back to the project than spend the resources forking a project like jQuery or nginx and having to maintain that codebase.

I personally don't develop core software, but more of an integrator and do not modify the libraries that I use or bundle with. For example, if I create software in Python and use Qt and have to include the Qt libraries, I want the best way to be able to ship them with the source code for a client. Thankfully, Qt is licensed under the LGPL and not as draconian as the GPL.

t3g
t3g
Desconectado
Joined: 05/15/2011

I also meant to say that the official releases of a library like jQuery (which get served from the Google and code.jquery.com) servers are free software and THOSE don't need to be blocked. The official releases of jQuery ARE free software and the team makes it easy to access the source code through their minified version or their GitHub: https://github.com/jquery

A company adding non-free bits to the jQuery library is where you are probably worried with. Then yes, it is no longer free software as it is not an official jQuery release.

Maybe for certain libraries that are very popular and essential to the web should be checked in a different way in LibreJS. If they are from a trusted server serving the official release (like the Google or jquery.com domains), then they should be passed. If not, maybe an MD5 check should be made against the .js file loaded and the .js from the official release.

ssdclickofdeath
Desconectado
Joined: 05/19/2013

If the GNU project used permissive licenses, we wouldn't have GNUstep or a free C++ compiler.

jxself
Desconectado
Joined: 09/13/2010

You're missing my point, t3g.

t3g
t3g
Desconectado
Joined: 05/15/2011

If you do a diff between the jQuery library offered on the Google, ASPNETCDN, and CDNJS servers, you will find out that they match the official release. Of course there are some naming convention differences (like the name of the sourcemap file to match the filename) but they are the same. That is why it is ok to load these libraries from these trusted free software JavaScript CDNs.

I encourage you to go to http://www.cdnjs.com for example and find me one JavaScript library that is not free software. Also, the latest NoScript allows the Google, ASPNET, and CDNJS servers by default as well.

lembas
Desconectado
Joined: 05/13/2010

Stop with the anti-GPL FUD already. And as jxself said, you're missing his point.

akirashinigami

I am a member!

I am a translator!

Desconectado
Joined: 02/25/2010

You just don't get it, do you? We're pro-GPL here. We like it because it guarantees freedom for users. That's really all there is to it.

Andrew R.
Desconectado
Joined: 09/27/2013

On 26/10/13 03:41, em9002 wrote:
> You just don't get it, do you? We're pro-GPL here. We like it
> because it guarantees freedom for users. That's really all there is
> to it.

Permissive licenses do guarantee freedom for users. But what they don't
do is prevent the creators of derivative works from imposing additional
restrictions on the work.

I do see the merits of both styles of licensing. For some projects the
fact that a proprietary fork would require a lot of work and also
convince users to give up their freedom is enough to make it infeasible.
I think Apache httpd is a good example of this, as it is typically used
by the more tech-savvy people who perhaps care more about their freedom.
But I don't think might be the case for all software. For example, maybe
for smaller less-mainstream software it would take less work to produce
a successful fork of a free program.

Andrew.

jxself
Desconectado
Joined: 09/13/2010

"Permissive licenses do guarantee freedom for users."

Not really.

I might distribute program Foo under a permissive license that merely requires preservation of copyright notices and nothing else. In one case I give a copy of the program to Person A with source code and give them those same permissions to modify, redistribute, etc. In the second case I give Person B a copy of only a binary with nothing else. In each case I have complied with the license but in the first case, Person A has freedom while Person B does not. (Refer to the free software definition for why it's non-free for Person B.) This shows why the same program can be both free and non-free at the same time, depending on the specifics of the circumstances.

This kinda goes to what I was talking about with websites: Some people claim that there is, somehow, something wrong with LibreJS because it blocks jQuery but there isn't. Just like my program Foo, jQuery can be free or non-free depending on its manner of distribution. A website distributing only a minified version of their JavaScript without anything else really isn't passing on freedom to the people running said JavaScript -- it's more like my example with Person B -- and LibreJS is correctly identifying and blocking that. If people find that they run into this a lot on the internet that just goes to show how many websites are more like my Person B example and aren't properly passing on freedom to the people running the JavaScript on their site and how big of a problem this is & needs to be addressed.

ssdclickofdeath
Desconectado
Joined: 05/19/2013

jQuery should be LGPL (or GPL).

t3g
t3g
Desconectado
Joined: 05/15/2011

Speaking of web servers, nginx is under the 2-clause BSD license (http://nginx.org/LICENSE) and due to it being under a permissive license, it can be deployed anywhere. I know that if it was under a GPL license, that the BSD crowd would have a problem with it due to their freedoms being restricted by the GPL.

I totally understand your worries about a permissively licensed piece of software allowing others to make proprietary forks. In the case of nginx again, as long as the standard nginx is free software, who cares if the creator wants to create a custom modified version for a client as long as the original is always free?

Don't also say that "well the creator can always change the license and make it non-free" since that applies to GPL software as well.

Michał Masłowski

I am a member!

I am a translator!

Desconectado
Joined: 05/15/2010

> Don't also say that "well the creator can always change the license
> and make it non-free" since that applies to GPL software as well.

This is solved by having multiple copyright holders to a GPL-licensed
project (or a trusted non-profit required by contracts to not make the
license nonfree and required to distribute the source). This won't
solve the ASP loophole that GNU AGPL partially solves.

Magic Banana

I am a member!

Desconectado
Joined: 07/24/2010

jxself explained it three times and you still do not get it. I am going to give it a try.

If anyone uses a permissively-licensed code in her website, she is effectively redistributing this code. Because the license is permissive, she can choose to redistribute the (modified or not) code under a proprietary license. The web browser (of a visitor) reading this code is executing proprietary software. This is unacceptable.

In conclusion, knowing that the original code is under a permissive license is useless: the website owner, between the developer and the user, can change the licensing terms.

t3g
t3g
Desconectado
Joined: 05/15/2011

I think you are missing the point of my argument Banana. Jason Self as well.

I said MULTIPLE times that if the JavaScript is free software (jQuery) and is being served from a server (like the official one or the Google AJAX one) and matches the official, free release, then there should be no problem serving that JavaScript.

Yes, the original code can be modified and re-released under a proprietary license. That is the whole difference between a permissive and copyleft license like the GPL. But if this JavaScript is being pulled in the web browser from the server and is not modified and matches the original as it is being served into the web browser, then what is the problem?

Its not like the JavaScript on the CDN has read/write access to the web browser and suddenly you can modify the core jQuery code on the code.jquery.com or Google servers at a whim. That is common sense.

Of course a web site owner can try to piggyback additional code to modify the terms of the jQuery license pulled from a server, but the original jQuery library pulled from the server is always pure and anything additonal by the website owner to modify that (through a secondary script or whatever), is the fault of web owner and not the original library.

Magic Banana

I am a member!

Desconectado
Joined: 07/24/2010

Oh, I see! Sorry for the misunderstanding. However, I am pretty sure that, in the case you mention, LibreJS executes JQuery (because the original authors, hosting the executing script, properly set the licensing terms).

t3g
t3g
Desconectado
Joined: 05/15/2011

Yeah, and that's why I said it would be nice if LibreJS had some file integrety check (via MD5 or whatever) against the official version(s) and reject the file if it does not match common MD5 checks. There may be multiple MD5 checks for jQuery for example as sourceMap linking names in the Google version ("jquery.min.map" instead of "jquery-2.0.3.min.map" in the official version) may have a MD5 difference.

Either way, once the sourceMap naming conventions are linking to the proper source files, the source is pretty similar.

http://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.js and http://code.jquery.com/jquery-2.0.3.js are similar if you compare the two and these are the source files referenced in the sourceMaps in the minified versions.

I know that this discussion has gone into a license war, but I feel that jQuery is an excellent free software library that is important to the internet. I use it and develop with it all the time and I ALWAYS use an official version.

jxself
Desconectado
Joined: 09/13/2010

I think LibreJS already does some hashing and, in any event, this doesn't invalidate the issue I raised and that you started replying to about something which we can now see is a different issue.

quantumgravity
Desconectado
Joined: 04/22/2013

It seems to me that the developer of a free program is the only one who has disadvantages due to a permissive licence.
If he doesn't care - what's the problem with this kind of licence?
Someone can take it and make a proprietary version out of it, but the original free one still exists, and no one is forced to use the new one.
I don't see any problem with that.
I can't understand why anyone wants to release something under this licence, but if so - I would use it.

leny2010

I am a member!

I am a translator!

Desconectado
Joined: 09/15/2011

The users of the proprietary version(s) have their freedoms stolen,
so they are also affected. Further any technical benefit that could
be gained from the proprietary modifications is lost to the users of
the free version unless someone is able to code a replacement. In
effect not putting free software under a copyleft license invites a
Tragedy of the Commons[1].

[1] https://en.wikipedia.org/wiki/Tragedy_of_the_commons

jxself
Desconectado
Joined: 09/13/2010

"It seems to me that the developer of a free program is the only one who has disadvantages due to a permissive licence."

Actually, with a permissive license, it's the other way around: The developer still has the source code and so has lost nothing. The users are the ones that have lost out because the developer doesn't pass on the source code and the freedom.

"I can't understand why anyone wants to release something under this licence"

In my experience it's those that actually *like* the idea of their program becoming or proprietary or, at the very least, don't see anything wrong it. They only evaluate "first level effects": How it affects the developer, not any "second level effects" about how it might impact the people using the software. I think of it as short sighted and/or careless, depending on the person and their viewpoints and reasons for using the license.

t3g
t3g
Desconectado
Joined: 05/15/2011

You forget about those people who include a library like Qt with their application and just want it there and have no intention of changing those Qt libraries.

I think some devs like permissive for ease of integration and bundling with the focus being on creating other software and leaving the core alone.

Magic Banana

I am a member!

Desconectado
Joined: 07/24/2010

Terrible example: Qt is not, and has never been, distributed under a permissive license. Today, it is distributed under the GNU LGPL 2.1 (before that, between 2000 and 2009, the GNU GPL was used) and, for evil proprietary software, under the Qt Commercial License. The former is copylefted (any redistribution of the library must be under the same GNU LGPL 2.1 license). The latter is proprietary.

jxself
Desconectado
Joined: 09/13/2010

Even if they never change it, if they're distributing something under a permissive license and not passing on the source code and freedom, it matters not that the users of the program can go get source code elsewhere - the software that that particular developer is distributing is proprietary. Hence, freedom depends the method of distribution as much as it does on license and other factors.

jxself
Desconectado
Joined: 09/13/2010

"If you want freedom, go somewhere else. I'm not giving it to you and not going to cooperate. $*&!@ off."