LibreJS ranting

48 replies [Last post]
Cyberhawk

I am a translator!

Offline
Joined: 07/27/2010

I'm alienated by libreJS. Websites seem to never support it. I don't use google-maps, but go to openstreetmap.org instead. Guess what, libreJS needs to be disabled there, otherwise the site doesn't work.

A huge portion of the web doesn't work or is buggy. I'm basically forced to check all the JavaScript my browser loads manually and whitelist what is free, in the hopes that it will be enough to get the websites I want to visit work.

Why that? Because. LibreJS won't recognize free javascript automatically. The elaborate way of "freeing" your JavaScript the libreJS way is often times quite a pointless exercise for both the webmaster and the users.

The webmaster might have used jquery and several of its plugins. All free software! But the webmaster just put the minified versions in, which is the right thing to do btw. Any user with knowledge of HTML can see which scripts are running there, in which versions and can easily get the full non-minified versions in order to exercise all the freedoms upon his specific implementations of said scripts.

But libreJS won't accept it as free software, unless a very elaborate way of freeing what is already free is implemented. It is a hassle for the webmaster, a hassle for users, and only scripts that are already free software to begin with can be MADE recognizable by libreJS.

The JavaScript trap is real and I don't argue it needs to be avoided, but libreJS seems awful in terms of usability. I can't imagine living with it being enabled all the time.

It's mind-boggling that there are people out there spending time developing a glorified webmaster-pestering tool. It automatically looks for e-mail address of webmasters to send a complaint, that they did not free what is already free???! If some JavaScript is proprietary, it's not like the person administrating the site could do anything about it...

Feel free to move this to troll hole and especially comment your thoughts on the usefulness of libreJS.

Cyberhawk

I am a translator!

Offline
Joined: 07/27/2010

Sometimes the files have a license attached, which is free, but won't get recognized by libreJS because it requires a very elaborate process for each script to be recognized.

Example: I might put the short version of GNU GPL in a comment right at the beginning of a JavaScript file, which states the license, has a link to the full version of said license and even the postal address of FSF.

LibreJS will redflag that.

Only after a separate HTML file with a table, one row per script, is created, stating the links to minified version, full version, and link to a page with rawtext of the license agreement (!!) will LibreJS greenflag it.

Who provides links to rawtext versions of license files? GNU or the FSF, can't remember which off the top of my head.

So not only is LibreJS a mess as is, as soon as the hosting of those rawtext license versions ends, it won't even work as intended.

Try this, download jquery and look inside. Does it state the license? Yes it does. Is it free? Yes it is. Try creating a simple HTML file that includes jquery as external and open it up with anything that has LibreJS active...

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

Here is the documentation on releasing free JavaScript: https://www.gnu.org/software/librejs/free-your-javascript.html

I do not consider that writing down a HTML table is "a very elaborate process" for anybody making websites. If you are afraid that a site hosting the plain text version of the license will cease to be, you can copy it on your own site.

Cyberhawk

I am a translator!

Offline
Joined: 07/27/2010

Thanks, I read that. That's where I got the information about the process in the first place.

Sorry, but I consider it quite elaborate. Adding license information in the file is not enough? A link to both the license AND the full version of the program is needed? A readable version for stuff I wrote myself is understandable, but readily available JavaScript libraries too?

Very fun to complain "please create new tables on your page for my firefox-addon to function properly". "Please put license information in these tables, which IS PRESENT ANYWAY but my add-on can't read it besides this one specific way".

Let's pretend I run a site and get this sort of complaint e-mail. Here's my polite answer:

If you want the sourcecode to the free JavaScript on my page, press ctrl-u, look for the script tags, then go download full versions of said scripts. If you want the code to the other scripts, they are proprietary and I'm not the rights holder. Basically, my boss says these scripts are proprietary and will stay like that. Then there is one last script I wrote, it's simply using the jquery libs. Its code is non-minified on the page, you already have it when loading the page! Unless you have LibreJS enabled and it redflags my script. So disable it, and look at the source code, if you want.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

> Adding license information in the file is not enough?

The objective is to automatically execute free JavaScript. The machine does not understand free text.

> A link to both the license AND the full version of the program is needed?

It is. Software without a license is proprietary and software without an access to the corresponding source code (minified JavaScript does not qualify as source code) is proprietary too.

> A readable version for stuff I wrote myself is understandable, but readily available JavaScript libraries too?

Redistributing permissively-licensed software without (a link to) its license or without (a link to) its source code makes what you redistribute proprietary (the original program is free, but the user may not know it and you may have modified it). Doing the same with copylefted software is a violation of the license.

> "Please put license information in these tables, which IS PRESENT ANYWAY but my add-on can't read it besides this one specific way"

As I wrote above, the machine does not understand free text. Also, there are "other methods" (the name of https://www.gnu.org/software/librejs/free-your-javascript.html 's Section 3.2), including one using magnet links. The magnet links and the links to licenses are on https://www.gnu.org/software/librejs/manual/html_node/Free-Licenses-Detection.html

> Here's my polite answer

Adding "// @license [magnet-link] [human readable name of the license]" and "// @license-end" around your script probably takes less time than writing that answer.
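As an added illustration (not part of any post in this thread, and not LibreJS's own code), the sketch below shows why a free-text license comment is not machine-readable while the `// @license` and `// @license-end` markers quoted above are. The `KNOWN_LICENSES` table holds constructed placeholder magnet links, and `classifyScript` with its acceptance rule is an assumption made for the example; the real links are on the Free-Licenses-Detection page linked above.

```javascript
// Constructed placeholder table (assumption): the real magnet links are
// listed in the LibreJS manual, not reproduced here.
const KNOWN_LICENSES = new Map([
  ['magnet:?xt=urn:btih:PLACEHOLDER-GPL3&dn=gpl-3.0.txt', 'GPL-3.0'],
  ['magnet:?xt=urn:btih:PLACEHOLDER-EXPAT&dn=expat.txt', 'Expat'],
]);

// "// @license <magnet-link> <human readable name>" and "// @license-end".
const OPEN = /^\s*(?:\/\/|\/\*)\s*@license\s+(\S+)\s+(.*?)\s*(?:\*\/)?\s*$/;
const CLOSE = /^\s*(?:\/\/|\/\*)\s*@license-end\b/;

// Hypothetical checker: accept a script only if every line of code sits
// inside a closed @license block whose link is in the known table.
// Simplification: a line that starts with a comment is treated as all comment.
function classifyScript(source) {
  const blocks = [];
  const uncovered = [];
  let open = null;        // block currently being read, if any
  let inComment = false;  // inside an ordinary /* ... */ comment

  source.split(/\r?\n/).forEach((line, i) => {
    const lineNo = i + 1;
    const text = line.trim();
    if (CLOSE.test(line)) {
      if (open) { open.end = lineNo; blocks.push(open); open = null; }
      return;
    }
    const m = OPEN.exec(line);
    if (m && !open) {
      open = { magnet: m[1], name: m[2], start: lineNo, end: null };
      return;
    }
    if (open) return;  // covered by the open block
    if (inComment) { if (text.includes('*/')) inComment = false; return; }
    if (text === '' || text.startsWith('//')) return;
    if (text.startsWith('/*')) { if (!text.includes('*/')) inComment = true; return; }
    uncovered.push(lineNo);  // code with no machine-readable license
  });

  const reasons = [];
  if (open) reasons.push(`@license block opened on line ${open.start} is never closed`);
  if (blocks.length === 0 && !open) reasons.push('no machine-readable @license block');
  for (const b of blocks) {
    if (!KNOWN_LICENSES.has(b.magnet)) reasons.push(`unrecognised license link on line ${b.start}`);
  }
  if (uncovered.length) reasons.push(`code outside any @license block on line(s) ${uncovered.join(', ')}`);
  return { verdict: reasons.length ? 'blocked' : 'accepted', blocks, uncovered, reasons };
}

// Constructed sample inputs.
const FREE_TEXT_HEADER = [
  '/*',
  ' * This program is free software: you can redistribute it and/or modify',
  ' * it under the terms of the GNU General Public License ...',
  ' */',
  "function greet() { return 'hi'; }",
].join('\n');

const MARKED = [
  '// @license magnet:?xt=urn:btih:PLACEHOLDER-GPL3&dn=gpl-3.0.txt GPL-3.0',
  "function greet() { return 'hi'; }",
  '// @license-end',
].join('\n');

const TRAILING = MARKED + '\nextra();';  // unmarked code after the block

const UNKNOWN_LINK = MARKED.replace('PLACEHOLDER-GPL3', 'NOT-IN-TABLE');

for (const [label, src] of Object.entries({ FREE_TEXT_HEADER, MARKED, TRAILING, UNKNOWN_LINK })) {
  const result = classifyScript(src);
  console.log(label, result.verdict, result.reasons);
}
```

The check only establishes that a recognised label is present around the code; it says nothing about whether the labelled code corresponds to the source it claims to come from, which is the objection raised later in the thread.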

Cyberhawk

I am a translator!

Offline
Joined: 07/27/2010

Alright, here is an idea for dealing with some of this constructively.

It boggles my mind that an important site such as openstreetmap.org, a google-maps alternative that works as great as it does, requires the users to manually go through the source-code and look at what licenses are actually in use, so that they might whitelist them.

I found out, that the preferred way of contacting openstreetmap developers is their github. I want to file an issue there and ask them nicely, if they will help the users avoid the JavaScript Trap without having to read the sourcecode of the page and manually whitelisting the scripts.

Since I am biased, thinking libreJS is a bunch of pretentious BS, please help me to articulate the issue in the most precise manner. Maybe the outcome of this will convince me, that there is some hope in the approach of libreJS.

Here is what I came up with. I did not post this issue on their github yet! Please comment if you have any suggestions about the phrasing etc.:

Issue title: avoiding the JavaScript Trap

Users trying to avoid the JavaScript Trap (https://www.gnu.org/philosophy/javascript-trap.html) might be using the libreJS firefox add-on. Currently, libreJS will blacklist the JS on www.openstreetmap.org. The user is then expected to look through the source-code of the webpage manually to find out if the JS is licensed as free software.

If the JavaScript that is loaded by www.openstreetmap.org is in fact free software, would you please consider "setting the JavaScript free" as described in this documentation: https://www.gnu.org/software/librejs/free-your-javascript.html ? Your website contains the following notice: "OpenStreetMap is a map of the world, created by people like you and free to use under an open license." This seems to suggest, that the code is in fact free software and it is only a matter of correctly declaring the licenses!

This way anyone can easily avoid the JavaScript Trap without having to read through the source code of the webpage, manually confirming and whitelisting the scripts.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

That looks great to me.

koszkonutek
Offline
Joined: 03/19/2020

Hoooray, my favorite topic appears on the forum once again. How wonderful!

> A huge portion of the web doesn't work or is buggy.

True. And even if you were able to correctly flag and allow all free js, the above would still hold. It's not a shortcoming of LibreJS' implementation but rather of its concept.

You correctly pointed out the hassle LibreJS requires from webmaster. Indeed, it is a bit as if a new distro appeared and demanded all developers package their software for it.

However, what is probably a more daring issue than the hassle is that the approach of allowing scripts based on just license notices is not sufficient. The current state of technology does not yet allow for "freeness" to be verified automatically. LibreJS' strategy to judge scripts based on a license notice fails for example when someone takes an X11-licensed js library, modifies it and serves a minified version of the modified lib on their site. LibreJS will allow this script to execute, even though the modifications are obviously nonfree.

OK, we could theoretically and with great effort cope with that by always (for minified scripts) checking whether a non-minified version is available and then verifying that it corresponds to the minified version we were served. That would of course require the minification process to be reproducible because verification of programs equivalence is not solvable in general. At that point it would already be more efficient to just execute the non-minified version we found.

So, we already decided we have to reject all minified scripts. But how do we decide whether a script is minified or not? I don't think this can be reliably done by a program yet. And existence of other languages that compile to javascript makes the problem even more complex.

What else? The fact that bypassing LibreJS' countermeasures - if the extension ever gets popular enough for it to be worth doing - would be trivial for a malicious website. The site could just put a GPL license string on an arbitrary piece of malicious js just to get it executed on one's computer. It would be breaking the law - but we can't assume that all our enemies play by the rules.

Additionally, a website could be for example mining crypto in users' browsers using fully free js. Even when that's not illegal, we still want to be able to block the miner. This issue is not as severe as it's only a missing feature in LibreJS and could be solved by installing some adblocker along it. However, I deemed it worth mentioning.

Also, executing all free scripts from unknown sites is still a bad idea. Let's assume we have a GNU/Linux distro that allows everyone who owns a domain to add packages to it. Without any human verification. Would it be a secure, stable and modular distro? Would one like to use it? Would FSF recommend such distro? That's more or less what LibreJS is doing right now, with the exception that browser's sandbox makes it a little more secure... But having in mind Meltdown and Spectre and also the fact most browser vulnerabilities these days rely on js, we shouldn't consider sandbox a solution.

Last but not least, I've never by myself[1] stumbled upon a site that would not work with NoScript but would start working with LibreJS. I did, however, like you, see many sites that use fully free js (mostly public instances of libre platforms like ethercalc or jitsi meet) that is not recognized by LibreJS. In that case I would just whitelist those in uBlock Origin almost as I would in LibreJS.

Some of these examples above, including the distro allegory (which I consider the most convincing) were given by chaosmonk in another thread which has unfortunately been deleted long ago. One could argue that LibreJS is just a temporary solution but I don't consider it good enough even for that.

As you probably see, the problems I am talking about overlap. I admit I might have presented these this way to make it more convincing...

If you're still interested in fighting nonfree js, you might want to look at one of my topics[2] where I thoroughly described the situation and issues we have and called for developing an extension that would allow replacement javascript to be specified for sites. Unfortunately, I received no support on the forum. Since then I made a working prototype (see here,[3] made to work with both Ungoogled Chromium and Firefox 60+ forks) and some people even like the idea but there are still no contributions and no sponsorship (GNU supposedly has no funds, etc.), so things are going as slow as an attempt to compile GCC on a Raspberry PI 2 or even slower.
Eventually, I will get the extension to a usable state by myself but the issue is so important that there really should be more effort put into it.

Despite what I wrote so far, I don't think everything concerning LibreJS is bad. It is still important to call for website operators to release their js as libre software and flag it as such, although not necessarily with tables and hassle like that. Also, LibreJS code responsible for allowing just the trivial js to execute could also be worth re-using. Plus I sometimes happened to enable LibreJS instead of another blocker for a short time just to make sure some site indeed doesn't work before writing a complaint.

If for some reason you are *very* interested in the topic, you might want to look at yet another thread[4] where we've been discussing LibreJS and javascript problems.

Btw, there are other shortcomings in LibreJS. For example, it fails to block scripts from file:/// or ftp:/// which is embarrassing (although fixable).

[1] Someone arguing in favor of LibreJS once gave me a link to some MIT library site that supposedly works due to its scripts being classified as trivial by LibreJS. Perhaps it means others had more success than me in using LibreJS?
[2] https://trisquel.info/en/forum/software-freedom-movement-challenge-javascript-trap
[3] https://git.koszko.org/browser-extension/
[4] https://trisquel.info/en/forum/why-does-it-take-several-whitelisting-and-reloads-whitelist-all-js-librejs

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

> However, what is probably a more daring issue than the hassle is that the approach of allowing scripts based on just license notices is not sufficient. The current state of technology does not yet allow for "freeness" to be verified automatically.

The license determines the "freeness".

> At that point it would already be more efficient to just execute the non-minified version we found.

Indeed. Nevertheless, to take advantage of the minification, checking the correspondence between the minified and the non-minified versions could be only done from time to time. We do not "have to reject all minified scripts", as you conclude.

A hash of the minified JavaScript could be computed and, if new, then the correspondence would be verified. I believe (but may be wrong) that computing such a hash is much faster than interpreting the JavaScript, hence no significant impact on the performance. In fact, there could be a base of hashes of popular libraries, that would be automatically accepted, without the need for webmasters to do anything. Or am I missing something?

koszkonutek
Offline
Joined: 03/19/2020

> The license determines the "freeness".

The license is part of what determines the freeness. There are other bad things that can still happen even with free license: patent issues, trademark issues, absence of proper source code[1]... Plus even when license gives us legal rights to execute freedom (i.e. modify and run a modified version), we don't yet have technological means for that and we still face a kind of vendor lock-in.

In my previous post I gave a few examples of scenarios where LibreJS can be insufficient. Are those examples not enough? I always find it impossible to understand why some people are not convinced through them. Perhaps you can explain this phenomenon to me? Or maybe you agree with my general thought and just wanted to point out the one piece of it that seems wrong?

> A hash of the minified JavaScript could be computed and, if new, then the correspondence would be verified. [...]

Hey, that's a perfectly good solution. I admit I missed it.
Unfortunately, it would require webmasters to strictly follow a standardized procedure to ship reproducible minified scripts. Also, other issues remain (including the mentioned difficulty of judging whether a script is minified or not).

[1] I earlier gave an example with a modified version of a permissively-licensed library. But the problem can occur with GPL'd ones, too! Script's copyright holder could legally distribute a minified version with GPL on it and without providing the full source code.
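The hash-and-verify idea from the two posts above, as an added sketch that is not from the thread or from LibreJS: a served minified script is hashed, the correspondence check against its declared source runs only for hashes not seen before, and a script that does not reproduce from that source is refused. `toyMinify` is a deliberately naive stand-in for the pinned, reproducible minifier the reply says webmasters would have to use, and `CorrespondenceCache` and the sample scripts are hypothetical names and constructed data.

```javascript
const { createHash } = require('crypto');

const sha256 = (text) => createHash('sha256').update(text, 'utf8').digest('hex');

// Toy deterministic "minifier" (assumption): strips // comments, indentation
// and line breaks. A real deployment would pin one reproducible tool and version.
function toyMinify(source) {
  return source
    .split(/\r?\n/)
    .map((line) => line.replace(/\/\/.*$/, '').trim())
    .filter((line) => line !== '')
    .join('');
}

class CorrespondenceCache {
  // preVerifiedDigests models the proposed base of hashes of popular libraries.
  constructor(minify, preVerifiedDigests = []) {
    this.minify = minify;
    this.verified = new Set(preVerifiedDigests);
    this.checksRun = 0;  // number of full correspondence checks performed
  }

  // servedScript: the minified text the site delivered.
  // fetchDeclaredSource: callback returning the non-minified source the site
  // points to, or null when none is offered. Only called on a cache miss.
  check(servedScript, fetchDeclaredSource) {
    const digest = sha256(servedScript);
    if (this.verified.has(digest)) return { allowed: true, via: 'cache', digest };

    const source = fetchDeclaredSource();
    if (typeof source !== 'string') return { allowed: false, via: 'no-source', digest };

    this.checksRun += 1;
    if (this.minify(source) !== servedScript) {
      // The modified-library case: the label is free, but the bytes served
      // are not what the declared source produces.
      return { allowed: false, via: 'mismatch', digest };
    }
    this.verified.add(digest);
    return { allowed: true, via: 'verified', digest };
  }
}

// Constructed sample data.
const SOURCE = [
  '// tiny library (constructed sample)',
  'function add(a, b) {',
  '  return a + b;',
  '}',
  '',
].join('\n');
const SERVED = toyMinify(SOURCE);
const MODIFIED = SERVED.replace('a + b', 'a + b + 1');  // served bytes differ from source

function runDemo() {
  const cache = new CorrespondenceCache(toyMinify);
  const first = cache.check(SERVED, () => SOURCE);
  const second = cache.check(SERVED, () => {
    throw new Error('source must not be fetched on a cache hit');
  });
  const modified = cache.check(MODIFIED, () => SOURCE);
  const noSource = cache.check(MODIFIED, () => null);
  return { first, second, modified, noSource, checksRun: cache.checksRun };
}

console.log(runDemo());
```

The cache removes the repeated cost of verification but not the dependency the reply points out: the comparison is only meaningful when the site and the checker run the same minifier deterministically.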

Cyberhawk

I am a translator!

Offline
Joined: 07/27/2010

Thank you for the very elaborate response! I will try and look into the provided links, but will have to do so tomorrow.

Abhiseck Paira
Offline
Joined: 05/16/2021

> The JavaScript trap is real and I don't argue it needs to be avoided,
> but libreJS seems awful in terms of usability. I can't imagine living
> with it being enabled all the time.

I keep it running all the time. Most of the time the text just looks
weird, but I can still read the text. Sometimes the website doesn't even
load anything and displays just a white page. In those cases I don't visit
the site again.

If you believe that a website is sending you free software but LibreJS
doesn't recognize it, whitelist the whole website.

--
Abhisek Paira
E34E 825B 979E EB9F 8505 F80E E93D 353B 7740 0709
"There is no system but GNU, and Linux is one of its kernels."

Cyberhawk

I am a translator!

Offline
Joined: 07/27/2010

My issue with libreJS is, it expects me to do the webmasters work: check licenses, read the source code of the page, etc. How can that be a recommendable plugin? Who might be the potential user? Is the potential user supposed to keep up with development of all sites he frequents??? It's not useful in the development process of a website, like many other plugins might be. One might only enable it to verify "it works with libreJS".

Coming back to my practical example of osm. Their script is minified and I see no license in the .js file or on the page somewhere. So I'm expected to check their github I guess?? Some user on the osm IRC suggested, the javascript is indeed GPL v2.0.

This kind of activity does not feel like a solution to a problem, but rather like a delusion - you start living in your own little world, where you keep fighting something, but no one from the outside world knows or understands what exactly... Imagine the user looks at the project's github, verifies the script is free, whitelists it, but some time later an update to said script comes out - here we go again!

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

> My issue with libreJS is, it expects me to do the webmasters work: check licenses, read the source code of the page, etc.

It expects the webmasters to do the work https://www.gnu.org/software/librejs/free-your-javascript.html describes, but almost none does.

Avron
Offline
Joined: 08/18/2020

Are there tools to make a website that help towards complying with this? If so, it could be good to recommend them to people willing to consider that question. If not, this may be something to consider. Perhaps the contributors to free software tools that make websites would have sympathy for this, at least some of them.

koszkonutek
Offline
Joined: 03/19/2020

If you mean web developers should switch to web-making tools that comply with LibreJS then it would be very difficult to convince them to drop the other tools they're currently using.

Btw, it seems quite many websites are actually violating permissive free software licenses (e.g. MIT/Expat) by serving the js without full license text as is required, sometimes with just a short license indicator and sometimes without any indicator at all. This is often how authors of these js libraries instruct to use them and probably also how they intend these libraries to be used. For that reason there're probably not going to be any legal cases over that but it's still an interesting issue.

The bigger problem we have is there is absolutely no incentive for website makers to comply with LibreJS. If we had a facility to replace sites' js with our own as I've been suggesting for over 9 months, we could create such incentive - sites that don't cooperate would be in "danger" of being written custom javascript for. But right now we're being viewed as just a bunch of mad people not worth caring about.

Avron
Offline
Joined: 08/18/2020

> If you mean web developers should switch to web-making tools that comply with LibreJS then it would be very difficult to convince them to drop the other tools they're currently using.

If the developers are being paid by someone to develop a website, that it works with LibreJS could be part of the requirements. I believe there are many organisations that could be convinced this is desirable. They would probably not redo their whole website for that single reason but whenever they would feel the need to redo their whole website for another reason, that opportunity should not be missed.

> If we had a facility to replace sites' js with our own as I've been suggesting for over 9 months, we could create such incentive - sites that don't cooperate would be in "danger" of being written custom javascript for.

I wish this would exist but I am not sure why it would be an incentive.

> But right now we're being viewed as just a bunch of mad people not worth caring about

I don't know whether this will be successful but at least yesterday I had a positive reply from a company selling laptops for GNU/Linux, apparently they were already aware of the issue and trying to handle it. My reasoning for spending time to send a nice and precise email was that they might care about that.

This encourages me to try more difficult targets, by that I mean people who might not care about free software, but with whom I have already regular exchanges so that hopefully they don't consider me as a mad person.

koszkonutek
Offline
Joined: 03/19/2020

> I wish this would exist but I am not sure why it would be an incentive.

Owner of a website probably wouldn't want someone else to have even indirect control over it. Through custom js we would be able to provide a different set of features for given site, thus executing some kind of control over it. We can then offer not to add features website's owner doesn't like in exchange for website's original scripts being properly released as free software.
Up until now I assumed we're simply going to provide javascript *fixes* for websites in some repository. We can, however, go further and also provide *enhancements* like translations or custom styling. Actually, it doesn't have to be "us", people running the project - quite likely volunteer-made enhancements would start appearing at some point. This leads us to yet another way of providing incentive. The possibility of getting volunteered enhancements would encourage website owners to become and remain compatible with our platform :)

> I don't know whether this will be successful but at least yesterday I had a positive reply from a company selling laptops for GNU/Linux, apparently they were already aware of the issue and trying to handle it. My reasoning for spending time to send a nice and precise email was that they might care about that.

I've heard similar response from the owners of some other website somehow related to GNU/Linux. It's a good thing they care, yet they are only the "easier targets" :/

Cyberhawk

I am a translator!

Offline
Joined: 07/27/2010

I strongly disagree. Dynamically replacing the javascript on the websites equals to giving up. It equals to stating: webmasters are our enemy. They won't cooperate with our goals.

This is basically the beginning of a ping-pong game where websites get updated (and maybe even for some sane and important reasons), but our community starts complaining because the old javascript we used to circumvent the old version of the site does not work anymore. This kind of situation would easily lead to false accusations and conspiracy theories ("they just updated the site to make us run their nasty non-free code").

Sure some websites intend on providing non-free javascript. This is bad. Non-free software is a problem. Even regardless of how nice it might be at one given moment in time (maybe there is no malicious feature now, but who guarantees there won't be in the future? etc.). But in cases where websites ACTUALLY provide free JS, should it not be easier to make things work?

The solution must be, websites work with free software clients and in case the JS is free, it runs automatically. We don't read the sourcecode to every application that we run, so why should there be a requirement to read the JS beforehand? As it is, one basically has to read the blocked JS to confirm it's fine to run it, or to check which license it is using (sometimes it's in plain text in the beginning of the script)!

Why libreJS is inventing a completely new way of declaring licenses is beyond my understanding. I've heard people saying there are already established ways for doing this.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

What are the "established ways" for declaring the licenses of the distributed JavaScript so that a program can unambiguously understand it (for automatic acceptation/rejection)? Programs do not unambiguously understand plain text.

koszkonutek
Offline
Joined: 03/19/2020

As to just licenses, SPDX is enough to identify them[1]. However, it is insufficient if we assume there can be multiple differently-licensed scripts mangled into a single file or if we want some additional info (e.g. unobfuscated source code link) to be provided.

[1] https://spdx.github.io/spdx-spec/appendix-V-using-SPDX-short-identifiers-in-source-files/

Cyberhawk

I am a translator!

Offline
Joined: 07/27/2010

Fun fact - spdx links to license-texts, similar to how libreJS does, but the host is linuxfoundation.com. Something on there gets redflagged by libreJS btw.

Avron
Offline
Joined: 08/18/2020

> This is basically the beginning of a ping-pong game where websites get updated (and maybe even for some sane and important reasons), but our community starts complaining because the old javascript we used to circumvent the old version of the site does not work anymore.

If the javascript is free, doesn't that mean anyone should be free to run a modified version of it that better suits one's needs or preferences, including when accessing the website?

Also, no software is updated on my computer without me being willing to update it. I am confidently running apt update/upgrade because I know Trisquel is a stable distribution and only includes software versions that were reviewed and tested for years already.

I am also trusting the Parabola maintainers but they made it clear that as it is a rolling release, updating the system may break something and I am supposed to check information on Parabola and Arch websites before running any update and to be autonomous enough to deal on my own with any issue that would occur at update.

For sure, it is a problem that the server might do changes so that the modified javascript version is not suitable anymore, so it would be nice to have webmasters advertise changes. If they are uncooperative, for sure it will be difficult to maintain modified javascript.

This is why I don't think that being able to run modified javascript can put pressure on any webmaster, I am more counting on cooperative webmasters who may realise that the modified javascript may actually increase interest for their website and benefit them.

koszkonutek
Offline
Joined: 03/19/2020

> If they are uncooperative, for sure it will be difficult to maintain modified javascript.
>
> This is why I don't think that being able to run modified javascript can put pressure on any webmaster

There might be many website owners who wouldn't want to be cooperative but wouldn't have the resources or needs to make frequent changes to their websites. For them, pressure could be real.

Also, if we get enough volunteers, adapting scripts to changes might be actually a quick process (especially for popular websites).

I now realized what I mentioned ("We can then offer not to add features website's owner doesn't like in exchange for website's original scripts being properly released as free software.") might not be the best example. Ads one is better. "what if we require that substitute js for a given website blocks all ads, UNLESS the website cooperates, makes its javascript free and uploads it to our service"? We could even make money on that (although we have to consider whether losing a part of community due to allowing of ads at all is worth it)

koszkonutek
Offline
Joined: 03/19/2020

> It equals to stating: webmasters are our enemy.

Some indeed are, some aren't. Some sites would be ridiculously easy to fix but webmasters are just lazy. This is not nice of them but assuming we're already in such situation, being able to do the work for them is actually a good thing.

In the meantime I posted [1] above which mentions possible enhancements to websites that could be appealing to their owners. Also, a lot depends on how we present the platform. We can and should take care to do it in a way so as not to scare webmasters away.

> This is basically the beginning of a ping-pong game

Yes, it is. But if we don't play it, we've already lost. There's nobody doing anything that would give us better chance of making things somewhat better than they are now, with 90% of what "web" has become being unusable.

The most natural way of solving a nonfree program issue is writing a free software replacement for it. In case of sites' javascript this approach might indeed be slightly less practical but this doesn't mean we should not have any facility enabling it. And it doesn't mean there is a better approach, either.

Also, the currently existing fixes (CloudTube, Nitter, Bibliogram, etc., as well as IceCat extensions recommended by the FSF) are also playing this ping-pong game.

Fortunately, there is a chance that if we get prominent enough with our platform, volunteers will come and help with the ping-pong game. I am especially looking at people currently involved with content blockers ecosystem. Our extension could be an appealing alternative for them.

> websites get updated (and maybe even for some sane and important reasons), but our community starts complaining because the old javascript we used to circumvent the old version of the site does not work anymore.

Fortunately, web developers (as we've already noticed) are lazy and so they won't be updating websites very often.

> This kind of situation would easily lead to false accusations and conspiracy theories ("they just updated the site to make us run their nasty non-free code").

But we all like conspiracy theories, don't we? :)

Now, seriously - I don't think the possibility of someone coming up with a conspiracy theory or accusation is a good enough reason to drop an idea that is this important to software freedom in the field of web browsing.

> The solution must be, websites work with free software clients and in case the JS is free, it runs automatically. [...]

I consider Avron's response[2] for this statement satisfactory.

[1] https://trisquel.info/en/forum/librejs-ranting#comment-158432
[2] https://trisquel.info/en/forum/librejs-ranting#comment-158436

Cyberhawk

I am a translator!

Offline
Joined: 07/27/2010

I feel like, if there is a firefox add-on which dynamically replaces javascript on websites, that might be considered a security risk from the original author's point of view. On the other hand, is Greasemonkey not already doing something similar?

So I guess I give up, you convinced me of the idea to dynamically replace non-free JavaScript with some kind of add-on.

In the long run WWW should just work without this weird hack of running half of websites' functionalities on the client and half on the host. Maybe in the future we will come up with some standard set of JavaScript libraries, which are to be included with browsers (and provide all JavaScript functionality the websites might ever need). This would help again to clearly separate the client and server side, instead of this stupid situation we have now.

However, there is one more thing to consider regarding libreJS, that I was not initially aware of. It actually does auto-detect scripts as free, somehow this did not work when I was testing it myself, but here is a list of all the scripts that would be automatically accepted by it.

Instead of trying to convince webmasters to put some new tags and/or tables in their sites to conform to some arbitrary plugin (and who is to say the plugin does not change tomorrow? Or stop existing? It's not right to expect all the webmasters everywhere to be dependent on what GNU decides to do next), we could just add more scripts to the list on bzr.savannah.gnu.org. In case we find a website using a script which is under a free license, just submit an update-request for the script-libraries.json list on /librejs/dev repository! This seems much more sensible, than to complain to people that they don't support some plugin that does nothing but block JavaScript which is working OK.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

> I feel like, if there is a firefox add-on which dynamically replaces javascript on websites, that might be considered a security risk from the original author's point of view.

Since the JavaScript runs in the Web browser, I do not understand why the website administrators might consider that replacing it is a security risk. For the visitor, choosing to run free JavaScript rather than whatever the site serves is safer.

koszkonutek
Offline
Joined: 03/19/2020

A bank with online banking functionality would obviously deem a third-party javascript for its website a shady thing. I consider this a real issue and I admit we need to find ways to deal with it.

What are the possible ways? For example, having an organization like FSF behind the project is going to be better than having the project run by a bunch of strangers nobody knows.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

> A bank with online banking functionality would obviously deem a third-party javascript for its website a shady thing.

In Brazil, the major banks (including public ones) want us to install a US third-party (developed by Diebold Nixdorf) proprietary multi-megabyte service (launched at init time) called warsaw. They call it a "security module". How ironic! Without warsaw, no online access to our accounts. As a consequence, I only use ATMs.

koszkonutek
Offline
Joined: 03/19/2020

> the major banks (including public ones)

So there are smaller ones that do it differently? Also, what is the offer for businesses? I imagine a serious business could have some different requirements.

In Poland all banks I managed to check (and I took effort to email all I could from the Wikipedia list of Polish banks) are simply using proprietary js in the browser, it seems to be a custom interface in each case.

> a US third-party (developed by Diebold Nixdorf) proprietary multi-megabyte service (launched at init time)

Do you mean it runs outside of web browser?

Well, there is a plus to it. We only need to RE this single service to have all those banks covered ;)

> called warsaw

Now I'm even more glad I went to university to Kraków ;)

> As a consequence, I only use ATMs.

Just as I do with withdrawals. As to transfers, I mostly do them at post office. Can't wait for REing of online banking software, though - the current approach is soooo inconvenient :/

Avron
Offline
Joined: 08/18/2020

Did you have a look at https://woob.tech ?

The advertised goal is not to address the Javascript trap and I am not sure whether it is loading the Javascript from the server or not.

koszkonutek
Offline
Joined: 03/19/2020

Wow! Thanks for showing this to us :D

> I am not sure whether it is loading the Javascript from the server or not.

It doesn't seem so. Everything seems to be done from python (not that I verified thoroughly).

This project is certainly worth watching. While this approach seems slightly less convenient for users (who would probably want to have everything "just work" in their web browser), it is no worse freedom-wise than my idea and seems to be pretty mature.

I believe we could utilize a great piece of Woob's site-specific code for our needs ^^

Avron
Offline
Joined: 08/18/2020

The Trisquel package weboob is an old version (1.2-1) of it, so the site-specific things may be too old, so I tried to install woob 3.0 using git. Based on the information on dependencies, I installed the following packages first: python3-lxml python3-cssselect python3-pretty-yaml pythonhtml2text python3-unidecode python3-babel python3-termcolor python3-setuptools (I had a number of Python packages already installed).

I tried to launch the bank app (seems to be focused on French banks, so I can test) but I have an error when trying to install any bank backend: "cannot import name 'etree'". I suspect it is about some python thing not calling the right version of another python thing, possibly related to having both python2 and python3 things installed, but without a bit more verbose log (like which script was calling what), unlikely I can find out. I'll search a bit more later.

There is also an up-to-date woob Parabola x86_64 package but I only have Parabola on armv7 now. One more motivation to install Parabola on x86_64.

Woob is also one more motivation for me to try learning Python (the only code I understand now is C, and a bit of Lisp).

koszkonutek
Offline
Joined: 03/19/2020

> I tried to launch the bank app (seems to be focused on French banks, so I can test) but I have an error when trying to install any bank backend: "cannot import name 'etree'". I suspect it is about some python thing not calling the right version of another python thing, possibly related to having both python2 and python3 things installed, but without a bit more verbose log (like which script was calling what), unlikely I can find out. I'll search a bit more later.

Hmm, what could be the reason? Are you sure you ran it as `python3 path/to/script.py' and not as `python path/to/script.py'?

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

> So there are smaller ones that do it differently? Also, what is the offer for businesses?

I do not know.

> Do you mean it runs outside of web browser?

Yes.

> Can't wait for REing of online banking software, though - the current approach is soooo inconvenient :/

Reverse-engineering a binary that weighs over 1 MB and deals with cryptography does not look easy. Here is what major Brazilian banks want us to install (here the related page of Banco do Brasil): https://seg.bb.com.br/home.html#en

koszkonutek
Offline
Joined: 03/19/2020

> Reverse-engineering a binary that weighs over 1 MB and deals with cryptography does not look easy.

Sure, I was kind of joking. Still, we don't know what's in there. If it's a C++ program written from the ground up, that would be hard. But perhaps 90% of that 1MB binary is some permissively-licensed free software library? Or maybe it is a C# program that can be relatively easily decompiled?

koszkonutek
Offline
Joined: 03/19/2020

> In the long run WWW should just work without this weird hack of running half of websites functionalities on the client and half on the host. [...]

I agree. Actually, a huge part of the problem comes from the facts that
1. js is being overused
2. more and more complex functionalities are being moved into "Web"

As to 1., many things like tabbed viewing, popup windows, hamburger-unhidable menus, etc. can be done using HTML+CSS these days, through checkbox tricks and the like. Yet, many webmasters use js for it. It is partially because support for these came to HTML and CSS quite late and also because webmasters follow fashion, I guess. Still, good-looking well-working sites without js are perfectly possible :)

An example of 2. could be videoconferencing platforms like Jitsi Meet. Things of this kind are more convenient to distribute through web browser (lazy users don't have to install anything, sandbox by default) and so this approach becomes popular, even though it is not good for software freedom. Some people advocate projects like Gemini which aims to be a simple alternative to "Web" and doesn't have all those complex functionalities.

Personally, I would advocate standardizing of a limited subset of CSS and HTML, without javascript, and marketing as a new, secure, lightweight platform. Although a bit more complex than Gemini, it would still allow things like posting of data, fancy styling and compatibility with many existing tools and would hence be more appealing to the general audience.

Actually, the platform I propose could be used to distribute not only fixes for js-encumbered websites but also alternative (possibly more modest) front-ends for existing sites. Possibly front-ends compatible with our hypothetical stripped, standardized subset of HTML+CSS, so as to encourage webmasters to use it. Whether it would be actually practical would need to be verified experimentally.

> However, there is one more thing to consider regarding libreJS, that I was not initially aware of. It actually does auto-detect scripts as free, somehow this did not work when I was testing it myself, but here is a list of all the scripts that would be automatically accepted by it.

You know what? Such a list could also be useful for the extension I propose. That's because sometimes we would want to just:
a) use the same free javascript website normally uses, but have it served locally or from a trusted repo for some reasons
b) allow our fellow hackers to free websites more rapidly in cases where only a subset of libraries used is nonfree.

EDIT: Greasemonkey response

> On the other hand, is Greasemonkey not already doing something similar?

Greasemonkey:
- has been created with something completely different in mind (enhancing websites, not freeing them)
- fails to block sites' own scripts
- executes user scripts in a privileged context of content scripts instead of page's context which is bad for security and perhaps would cause some compatibility problems

Despite all that, it could be theoretically used to fix some website, with some other extension being used to block site's native scripts. It would just not be very convenient on a larger scale.

Cyberhawk

I am a translator!

Offline
Joined: 07/27/2010

> Greasemonkey:
> - has been created with something completely different in mind (enhancing websites, not freeing them)
> - fails to block sites' own scripts
> - executes user scripts in a privileged context of content scripts instead of page's context which is bad for security and perhaps would cause some compatibility problems [...]

I meant, from technological point of view. What Greasemonkey literally says in its description is "Allows users to alter webpages using small pieces of javascript". So it basically replaces the original JavaScript from the website with some scripts that the user can download as an extension for this add-on. Obviously Greasemonkey recommends non-free scripts, but functionality-wise, it does something very similar to what you had in mind.

I can only wish you luck with your project, right now I cannot contribute my time to it, sorry.

koszkonutek
Offline
Joined: 03/19/2020

> I meant, from technological point of view.
> [...]
> Obviously Greasemonkey recommends non-free scripts, but functionality-wise, it does something very similar to what you had in mind.

Yeah, that's correct.

> So it basically replaces the original JavaScript from the website with some scripts that the user can download as an extension for this add-on.

Wouldn't the word "complements" be more accurate than "replaces"?

> I can only wish you luck with your project

Thanks

> right now I cannot contribute my time to it, sorry

It's OK, I've already found 2 hackers willing to contribute ^^

Cyberhawk

I am a translator!

Offline
Joined: 07/27/2010

My issue with libreJS is, it expects me to do the webmaster's work: check licenses, read the source code of the page, etc. How can that be a recommendable plugin? Who might be the potential user? Is the potential user supposed to keep up with development of all sites he frequents??? It's not useful in the development process of a website, like many other plugins might be. One might only enable it to verify "it works with libreJS".

Coming back to my practical example of osm. Their script is minified and I see no license in the .js file or on the page somewhere. So I'm expected to check their github I guess?? Some user on the osm IRC suggested, the javascript is indeed GPL v2.0.

This kind of activity does not feel like a solution to a problem, but rather like a delusion - you start living in your own little world, where you keep fighting something, but no one from the outside world knows or understands what exactly... Imagine the user looks at the project's github, verifies the script is free, whitelists it, but some time later an update to said script comes out - here we go again!

koszkonutek
Offline
Joined: 03/19/2020

Have you considered using some desktop client for OSM? Some are even packaged for popular distros. I use Marble, another popular one seems to be GNOME Maps.

Cyberhawk

I am a translator!

Offline
Joined: 07/27/2010

Thank you very much, I will try desktop clients for OSM!

lanun
Offline
Joined: 04/01/2021

> A huge portion of the web doesn't work or is buggy.

I totally subscribe to this. LibreJS, NoScript and the whole panoply of privacy protection tools are only shedding a crude light on this fact.

> Have you considered using some desktop client for OSM?

Indeed. The web is broken, avoid it as much as possible.

PublicLewdness
Offline
Joined: 03/15/2020

I agree with lanun. LibreJS may make your internet experience a lot harder but it is showing you exactly who to blame: shady and lazy web developers. Don't criticize the test that says you have cancer, blame the cause of the cancer. Not a perfect analogy but you get my drift, don't shoot the messenger.

Cyberhawk

I am a translator!

Offline
Joined: 07/27/2010

OK, so I opened an issue on github. It got instantly closed as duplicate of another one, that for some reason I was unable to find by searching.

If you want to know the OSM developers' stance on libreJS, you can read the comments to this original issue here: https://github.com/openstreetmap/openstreetmap-website/issues/2886

The actual problem of making OSM libreJS compatible is summarized in the following comment:


> There are probably a hundred or more different pieces of javascript and they're changing all the time - we're not going to go round trying to catalogue them with some esoteric labels just because you've chosen to shoot yourself in the foot.

I guess that would make it pretty hard to dynamically replace javascript too.

Avron
Offline
Joined: 08/18/2020

Thanks for the reference.

I am also thinking that the work for this license marking is not negligible and does not actually solve the issue of one being able to control one's own computer.

The missing point is that I'd like to execute something "compiled" (Javascript served by the website is somehow the result of compilation, it is not directly what the website source code shows) either by myself or someone I know and trust, not something that is loaded from a website and doesn't have the signature of people I trust.

So I'd like to fetch all the source files that produce the javascript sent to the web browser, compile that and store the result on my computer (or fetch that result as a Trisquel package), then I can use it when accessing the website.

As openstreetmap even publishes the source of the server, all information necessary to produce the minified JavaScript to be executed by the web browser is available. If someone subscribing to FSDG would package that, I would confidently use it and wouldn't worry about license tags.

I am not sure the same is feasible for websites that don't publish their source.
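
The approach described in the post above (run only script output built by yourself or by someone you trust, and fall back to that local build otherwise), as an added example that is not part of any post in this thread and is not LibreJS code. The URL, script bodies and function names are constructed for illustration; the digest format follows the SRI convention of `sha384-` plus base64.

```javascript
// Added example: constructed names, URLs and script bodies; not LibreJS code.
const crypto = require('crypto');

// SRI-style digest of a script body: "sha384-" + base64(SHA-384(bytes)).
function digest(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body, 'utf8').digest('base64');
}

// Manifest of builds produced locally (or shipped in a distro package)
// from the site's published source: URL -> { integrity, body }.
function buildManifest(trustedBuilds) {
  const manifest = new Map();
  for (const [url, body] of Object.entries(trustedBuilds)) {
    manifest.set(url, { integrity: digest(body), body });
  }
  return manifest;
}

// Decide what to execute for a script the site has just served.
function resolveScript(manifest, url, servedBody) {
  const entry = manifest.get(url);
  if (!entry) {
    // Nobody we trust has built this script: do not run it.
    return { action: 'block', reason: 'no trusted build for this URL', body: null };
  }
  if (digest(servedBody) === entry.integrity) {
    // Byte-identical to the trusted build, so running the served copy is equivalent.
    return { action: 'run-served', reason: 'matches trusted build', body: servedBody };
  }
  // The site changed or was tampered with: run the locally stored build instead.
  return {
    action: 'substitute-local',
    reason: 'served script differs from trusted build',
    body: entry.body,
  };
}

// Constructed sample data (hypothetical site and minified script).
const SAMPLE_URL = 'https://maps.example/assets/map.min.js';
const TRUSTED_BUILD = 'function pan(a,b){return[a+1,b+1]}';
const manifest = buildManifest({ [SAMPLE_URL]: TRUSTED_BUILD });

function demo() {
  return [
    resolveScript(manifest, SAMPLE_URL, TRUSTED_BUILD).action,
    resolveScript(manifest, SAMPLE_URL, TRUSTED_BUILD + ';fetch("/t")').action,
    resolveScript(manifest, 'https://maps.example/assets/other.js', 'x()').action,
  ];
}

console.log(demo());
```

The mismatch branch is also what fires when the site ships a legitimate update: the stored build keeps running until someone rebuilds from the new source and refreshes the manifest.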

Cyberhawk

I am a translator!

Offline
Joined: 07/27/2010

JavaScript isn't served compiled, but minified. This means, whitespaces and newline characters removed, sometimes functions and vars renamed to single letter names.

Makes the script easier to execute and saves some space. But it's still source code, however quite unreadable, unless you at least do a search-and-replace to put newlines back in.

Just a little clarification of terms ;-)

Sometimes, even a minified version includes name of the library and license at the start, not full license agreement or link to it, but just the name, like MIT {version-nr} or something along those lines.

koszkonutek
Offline
Joined: 03/19/2020

In Software Freedom Movement it is widely assumed obfuscated source code does not count as source code:
https://www.gnu.org/philosophy/free-sw.html

While js minification is somewhat analogous to compilation, it could be argued (as you're doing) that technically its result is source code. The only problem is it makes freedoms 1 and 3 unreasonably difficult to execute. That's why it is considered insufficient.

Btw, I know of several cases where people patched binaries without having the source, so in practice it could be sometimes possible to actually execute 1 and 3. Still, distributing something with its original source undisclosed is a bit of an insult to the user.

> Sometimes, even a minified version includes name of the library and license at the start, not full license agreement or link to it, but just the name, like MIT {version-nr} or something along those lines.

And actually, I think this is enough for us to be able to execute all software freedoms. If a script is indeed freely-licensed, it is - as you probably already said somewhere in this thread - very likely going to be possible to find an unobfuscated version of it. And if it is not, then even unobfuscated source code is not useful to us. The only issue is the convenience of being able to verify it automatically, but I think we've already discussed it thoroughly enough.

As to full license texts, I believe we should re-add them in case we ever find ourselves serving substituted scripts. Perhaps keeping common licenses in a separate place (locally on user's computer, for example within the browser extension) and just clearly pointing to them in scripts would also be OK... (I mean something analogous to what distros are doing)

And in case we ever find an obfuscated script with free license and without unobfuscated version, it will simply need to be unobfuscated by humans in order to be FSDG-compliant and distributable without violation of Software Freedom Movement spirit. I think I could do that when need arises.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

> In Software Freedom Movement it is widely assumed obfuscated source code does not count as source code

Indeed. In the GNU GPLv3, source code is defined in this way:

> The “source code” for a work means the preferred form of the work for making modifications to it.
https://www.gnu.org/licenses/gpl-3.0.html#section1