"The Python trap"

39 respostas [Última entrada]
zigote
Desconectado
Joined: 03/04/2019

https://hacks.mozilla.org/2019/04/pyodide-bringing-the-scientific-python-stack-to-the-browser/

Time to start banning and boycotting Mozilla browsers from all distros.

chaosmonk

I am a member!

I am a translator!

Desconectado
Joined: 07/07/2017

I'm no fan of client-side scripts on the web, and certainly don't want to see more of them. However, as far as I can tell the Python interpreter and libraries are downloaded from the websites that use them, not integrated into the browser. The article describes using it in both Firefox and Chrome, and if I understand correctly (I might not) any browser with JS could download and run this software. I don't see how banning Mozilla browsers would stop this.

zigote
Desconectado
Joined: 03/04/2019

> I don't see how banning Mozilla browsers would stop this.

By not allowing this hypocrite company which endorses all these "let's run a whole bunch of stuff in browser" anti-security practices to turn FOSS systems into honeypots for corporate bullshit and pile up vulnerabilities.

Just read their "privacy" notice:

https://www.mozilla.org/en-US/privacy/firefox/

There is absolutely nothing private in it.

chaosmonk

I am a member!

I am a translator!

Desconectado
Joined: 07/07/2017

How do you feel about Firefox-derivatives like Abrowser and Icecat which remove DRM and privacy-hostile defaults and are not subject to Mozilla's privacy policy? Would you advocate more distros using these browsers, or so you think that we should avoid all browsers downstream from Firefox?

zigote
Desconectado
Joined: 03/04/2019

It's like choosing deliberately a dirty room just because of the "freedom" to clean it forever while someone else keeps contaminating it in new ways.

chaosmonk

I am a member!

I am a translator!

Desconectado
Joined: 07/07/2017

> It's like choosing deliberately a dirty room just because of the "freedom" to clean it forever while someone else keeps contaminating it in new ways.

Cleaning up after upstream is certainly not an ideal use of labor, and there's always the risk of something slipping through. There are cases in which it is better than starting from scratch and there is not a better upstream to choose from (Linux-libre cleans Linux; the active FSDG-distros all clean Arch, Debian, and/or Ubuntu), but the more freedom- and privacy-friendly upstream is the better, so if we are to move away from Mozilla, and I agree that this would be good, the question is what to use instead.

Chromium does not seem like an improvement. As a company, Google is just as privacy-hostile as Mozilla, if not more so. ungoogled-chromium is supposed to remove all of the Google tracking from Chromium, but then we're back to the situation of cleaning up after upstream. Moreover, I believe that ungoogled-chromium only addresses privacy issues, not freedom issues. As far as I know, no Chromium forks address the licensing issues that prevent Chromium from inclusion in FSDG distros.

Hyperbola's Iceweasel-UXP might be an option. It is based on Basilisk, which is a hard fork of pre-Quantum Firefox, so although it's based on Mozilla code, it won't be affected by any changes Mozilla makes in the future unless those changes are intentionally backported. Some obstacles to adoption are that it is slower than post-Quantum Firefox, and that it does not support Webextensions, and since XUL addons don't work in Firefox anymore no one is motivated to maintain them anymore except for the Hyperbola devs. That aside, if being a hard-fork of Firefox is enough to qualify Iceweasel-UXP to be a non-Mozilla browser, then I think it's the best option.

As for free browsers that are not Chromium- or Firefox- based, the best one I've tried is Midori. However, it went several years without a new release, so although there were a couple of new releases a few months ago, I'm not confident that it won't go dormant again. The lack of addon support could also be an obstacle to adoption. Still there is something to be said for being an independent browser that approaches being competitive (in quality, not marketshare) to the major browsers.

Do you have any other browsers in mind?

zigote
Desconectado
Joined: 03/04/2019

I use ungoogled-chromium. Unlike many of those "privacy improved" Firefox forks it creates zero unsolicited connections which is more important to me than a privacy abusing browser with whatever license. Additionally overall the Chrome technology seems better from technical viewpoint. It torifies quite well too.

> Moreover, I believe that ungoogled-chromium only addresses privacy issues, not freedom issues.

It removes all binary blobs from upstream chromium. Also AFAIK it is part of Debian, so although I have not researched personally about the licensing part, I suppose Debian guys have.

chaosmonk

I am a member!

I am a translator!

Desconectado
Joined: 07/07/2017

> I use ungoogled-chromium.

Okay, but ungoogled-chromium is still "cleaning a dirty room", and

> Unlike many of those "privacy improved" Firefox forks it creates zero unsolicited connections

neither do Abrowser and Icecat, so by the criteria you have laid out so far, ungoogled-chromium is neither better nor worse than Abrowser and Icecat, so why ban the latter and not the former?

> Also AFAIK it is part of Debian, so although I have not researched personally about the licensing part, I suppose Debian guys have.

Interesting. I wonder if this is an oversight by Debian, or if someone (either Debian or ungoogled-chromium) has indeed patched these problems[1] which remain unresolved upstream. I'll look into it when I have time.

What are your thoughts on Iceweasel-UXP? Unlike Abrowser, Icecat, and ungoogled-chromium, it is a hard fork from upstream, so while it may or may not have cleaned up all current problems, there is no risk of Mozilla or Google introducing *future* problems.

[1] https://bugs.chromium.org/p/chromium/issues/detail_ezt?id=28291

zigote
Desconectado
Joined: 03/04/2019

> so why ban the latter and not the former?

I have not laid out all comparison criteria (and perhaps I couldn't possibly). As far as I have seen some of those FF-fork/tune projects don't have the goal to completely remove background connections and would often argue that some of them are good for security. Even TBB is not quite hardened. The last time I checked IceCat it was making unsolicited connections. I have also observed that disabling things like JIT in Firefox clones makes the whole browser very laggy. Plus, it is still possible to install/update extensions through Mozilla's site and re-enable (inadvertently or deliberately) anti-privacy features which would restore the background connections. With ungoogled-chromium it is impossible to re-enable connectivity to Google through settings or to connect to Google's extension store. There are other things in which chromium is better IMO.

> What are your thoughts on Iceweasel-UXP?

Never heard of it so far.

chaosmonk

I am a member!

I am a translator!

Desconectado
Joined: 07/07/2017

> I have not laid out all comparison criteria (and perhaps I couldn't possibly).

Fair enough. You seem to know more about issues of computer security than I do, so I trust that you have your reasons for preferring ungoogled-chromium.

> The last time I checked IceCat it was making unsolicited connections.

How long ago was that? Icecat used to allow some automatic connections for various reasons some users might consider desirable (captive portal detection, automatic extension updates) but they are now disabled by default and have to be manually enabled from the "new tab" menu. (see screenshot)

> Even TBB is not quite hardened.

Please correct me if I have this wrong, but Tor Browser seems like a somewhat unique case, in that some automatic connections are presumably necessary to check for updates. It is important for anonymity that users are running the same version and configuration. Distros don't package it for that reason, so if updates aren't coming from the package manager it seems that the browser must instead self-update. Are the connections that check for updates what you refer to, or does Tor Browser make other, superfluous automatic connections?

> > What are your thoughts on Iceweasel-UXP?

> Never heard of it so far.

https://wiki.hyperbola.info/doku.php?id=en:project:iceweasel-uxp

If you at some point have the time/interest to look at it I would like to know what you think. The devs seem very committed to security and privacy, and as a hard fork of Firefox the "room" isn't being "redirtied" by upstream.

Screenshot at 2019-04-19 13:28:44.png
zigote
Desconectado
Joined: 03/04/2019

> How long ago was that?

I have just downloaded it to test that. Upon first run I simply opened the extensions page and instantly a connection to a92-123-102-107.deploy.static.akamaitechnologies.com showed up (I tested with a simple watch 'ss -tuapr | grep -i icecat' command).

BTW some (IMO anti-privacy) things which catch my attention:

- DDG is default search engine (Amazon hosted) and Amazon.com, Bing, eBay and Google are in the list of "One-Click search engines"

- "Disabling JavaScript greatly improves privacy" - well, not necessarily. The fact that one has disabled JS is a fingerprintable fact too (and the same applies to DNT header, cookie disabling). So although it has benefits, it is not a privacy heaven. Even the HTTP request headers which browsers send are fingerprintable.

- IceCat account "Take Your Web With You" = upload your info to someone else's computer.

I also don't like a "clean" browser coming with 11 extensions installed.

> Are the connections that check for updates what you refer to, or does Tor Browser make other, superfluous automatic connections?

When I checked they were other connections (one thing I see is that OCSP queries are enabled by default).

Yes, I saw that page you linked but thanks for sharing. I don't know when I will have to time to look into it.

chaosmonk

I am a member!

I am a translator!

Desconectado
Joined: 07/07/2017

> DDG is default search engine (Amazon hosted) and Amazon.com, Bing, eBay and Google are in the list of "One-Click search engines"

Yes, I've long had a problem with this. Abrowser has the same issue. Part of my motivation for this thread[1] was to determine what to recommend as a replacement default search engine. I'm not sure why the other one-click search engines need to be there at all.

[1] https://trisquel.info/en/forum/comparison-search-engines

andyprough
Conectado
Joined: 02/12/2015

> zigote - With ungoogled-chromium it is impossible to re-enable connectivity to Google through settings or to connect to Google's extension store.

Incredibly easy to side-load Chrome extensions, however. First thing I did was add ublock, before browsing at all.

zigote
Desconectado
Joined: 03/04/2019

Yes, I know extensions can be installed manually.

tonlee
Desconectado
Joined: 09/08/2014

> it is part of Debian

Is the name of the package ungoogled-chromium? In debian
9 64bit synaptic package
manager does not find such a package.

zigote
Desconectado
Joined: 03/04/2019

> it is part of Debian

There was an important "AFAIK" before that.

Magic Banana

I am a member!

Desconectado
Joined: 07/24/2010

So, basically, you do not know. Yet you build a supposition on that ignorance:

[ungoogled-chromium] removes all binary blobs from upstream chromium. Also AFAIK it is part of Debian, so although I have not researched personally about the licensing part, I suppose Debian guys have.
https://trisquel.info/fr/forum/python-trap#comment-140515

Given that you have not even typed "ungoogled" in https://www.debian.org/distrib/packages to check your fact, it is natural to be even more wary w.r.t. "the licensing part". It is apparently common among Firefox haters/Chromium lovers to blatantly lie. For instance, one of the developers of Iridium (another Chromium's derivative) claimed on its issue tracker, where no other developer contradicts him:

yes we can confirm Iridium Browser is fully Open-Source! (...) fully Open-Source means 100% including any and all components, plugins, extensions, patches, snippets and everything else it is shipped with by default.
https://github.com/iridium-browser/tracker/issues/93

As I explained in that issue (through davidhedlund, who avoided me the creation of a GitHub account, what requires executing proprietary JavaScript), it is actually very easy to find proprietary software in Iridium, copied from Chromium. My first example is 'unrar' in the "third_party" directory: https://git.iridiumbrowser.de/cgit.cgi/iridium-browser/tree/third_party/unrar/ copied from https://chromium.googlesource.com/chromium/src/+/master/third_party/unrar/

Does ungoogled-chromium do better? According to https://github.com/Eloston/ungoogled-chromium/blob/master/docs/building.md the command "./utils/prune_binaries.py build/src pruning.list" is supposed to "prune binaries" from Chromium's source (downloaded in the first step). None of the 13,080 Chromium file paths in https://raw.githubusercontent.com/Eloston/ungoogled-chromium/master/pruning.list includes "unrar"...

So, there should be more than 13,080 files to prune from Chromium's source tree to get a free browser! Probably much more given the licensing mess that Chromium is: see every issue in the "BlockedOn" list on the left of https://bugs.chromium.org/p/chromium/issues/detail?id=28291 (the issue is ten years old and still active: Chromium's developers just do not care and the last change, this year, was to downgrade the priority).

In contrast, a 200-line script turns Firefox's code (+ two Debian patches) into Abrowser's: https://devel.trisquel.info/trisquel/package-helpers/raw/flidas/helpers/make-firefox

You are entitled to recommend ungoogled-chromium (well, recommending non-free software actually goes against https://trisquel.info/en/wiki/trisquel-community-guidelines) and call Firefox a "dirty room". For those who care about facts, that makes no sense.

As for the original topic, the Python interpreter runs in Chrome (and certainly Chromium) too, as chaosmonk pointed out. https://2r4s9p1yi1fa2jd7j43zph8r-wpengine.netdna-ssl.com/files/2019/04/image1-1.png even compares the performances of Firefox and Chrome: the article does not justify in any way a preference for a Web browser based on Chromium rather than Firefox.

andyprough
Conectado
Joined: 02/12/2015
Magic Banana

I am a member!

Desconectado
Joined: 07/24/2010

Thank you. That said, that patch does not prune third_party/unrar. It removes Google SafeBrowsing's support of RAR. Do you know if Chromium uses 'unrar' elsewhere?

andyprough
Conectado
Joined: 02/12/2015

Chromium does come with third party unrar I believe: https://chromium.googlesource.com/chromium/src/third_party/+/master/unrar/

The ungoogled-chromium guys argue that their Guix sources do not include unrar: https://bit.ly/2W0sagk

Of course, that takes you into the middle of the discussion that jxself was having with them about the ethics of creating Guix sources on the end user's machines, which is a pretty complex and involved discussion. Seems to me both sides were making good arguments and awaiting some type of ruling from the FSF.

Magic Banana

I am a member!

Desconectado
Joined: 07/24/2010

I do not think there is any ungoogled-chromium developer in that discussion. At least I see no intersection with https://github.com/Eloston/ungoogled-chromium/contributors and https://github.com/Eloston/ungoogled-chromium/blob/master/docs/platforms.md does not list Guix as a supported platform.

The discussion is typical. jxself points out obvious FSDG problems (in that case, Google's DRM software, UnRAR, Google Toolbar and some NC images) found in no time and insists that those are the tip of the iceberg:

I have recently submitted upstream's Chromium 73.0.3683.45 into my FOSSology instance for analysis. Actually, less than a third of the total files were classified as "BSD-like". In total it found 162 unique licenses. Of course, automated licenses analysis is never perfect and I have not fully vetted any particular results but it does help to at least indicate that which is very clearly free software and that which needs further investigation.
Even in the short time I was reviewing it I found a number of freedom problems. I don't mean that to be an exhaustive list of everything, merely an indicator of a symptom:
* unrar (license denies freedom 0)
* third_party/blink has some images under CC-BY-NC-SA-2.0
* Google Toolbar is in there, with a non-free EULA

https:name at domain/msg11789.html

A symptom of what disease? Well, it would be better to ask jxself, but I believe he refers to Chromium's derivatives (like Iridium and ungoogled-chromium) pretending to be free software, fooling the free software communities with that speech, including Guix's (the email thread) and this forum (https://trisquel.info/forum/confirmation-iridium-libre), although they have obviously not done anything serious to even detect the problems. The task is certainly huge to clean the "dirty room" that Chromium is, as licensecheck (which I mentioned earlier) and FOSSology (which jxself used) indicate. And it is now pretty clear that Chromium developers will never help.

zigote
Desconectado
Joined: 03/04/2019

> I do not think there is any ungoogled-chromium developer in that discussion.

Neither there is in this forum.

Discussing here who is ignorant, a hater, a blatant lier or "recommends non-free software" is meaningless. If you are serious and really interested in the matter - better go to GitHub and talk to Eloston. He is a nice guy and pays attention to everything said. Only then your words may change something for better.

andyprough
Conectado
Joined: 02/12/2015

> Do you know if Chromium uses 'unrar' elsewhere?

In looking through the files on Chromium's github, I can only find unrar under the third_party folder. The readme there says it is just for checking Safe Browsing reputation of files that have been downloaded by the users. So no, it does not appear initially that unrar is being used in any other way in Chromium. Can't tell for certain, however.

I did find the unrar header files are still showing up in the Guix source code for ungoogled-chromium. So, ideally those would be removed, even if the functionality is stripped out by the ungoogle pruning.list. ungoogled-chromium does appear to prune rar functionality with a patch that should prune unrar functionality as well. Here is the line from the pruning.list: third_party/afl/src/testcases/archives/common/rar/small_archive.rar

As you say, this is all an endless investigation of an extremely complex browser. One that is also changing by the day. As much admiration as I have for the ungoogled-chromium devs for the work they are doing, this looks like a project with a goal that looks nearly impossible to fully attain. Google is just throwing proprietary code and questionable material into Chromium so quickly that it may simply be impossible for any project to keep pace to pull it all back out.

Magic Banana

I am a member!

Desconectado
Joined: 07/24/2010

I grepped "unrar" in Chromium (huge) source code and only found includes in the Safe Browsing module. I actually forgot to write about it in my last reply: sorry.

zigote
Desconectado
Joined: 03/04/2019

ungoogled-chromium is listed in Guix packages, not Debian:

https://www.gnu.org/software/guix/packages/U/

which is also publicly visible on:

https://github.com/Eloston/ungoogled-chromium

I never used iridium, neither I am "recommending non-free software" by answering chaosmonk's question. OTOH FSF recommends Guix.

As for ungoogled-chromium's potential imperfections - you can simply open a GitHub issue and explain what may need to be fixed.

GNUser
Desconectado
Joined: 07/17/2013

Hello,

Just want to let you know of a very good browser for Android, called Privacy Browser [1].
I have been using it and it's lightweight, very easy to customize per-domain, very privacy-friendly as the name suggests, and the best part, the developer actually has a long term roadmap that involves the creation of a new engine (based on Android WebView but better than either that or Gecko). It will eventually be available in Desktop version too.

[1].: https://www.stoutner.com/privacy-browser/

onpon4
Desconectado
Joined: 05/30/2012

I find the idea of "boycotting" software to be silly. Even proprietary software. Realistically, you're not doing anything meaningful. Mozilla doesn't care if you use Firefox, and your "boycott" isn't going to cause a massive shift to some unpopular browser like Midori. It's just going to make you look unrealistic.

If we were to boycott Web browsers on this sort of basis, though, we would have to boycott all browsers that support JavaScript in my opinion, which would pretty much rule out any browser that isn't entirely text-based. Far more productive, though, would be to develop a JavaScript-free browser that attracts users on its own merit. Such a browser should even advertise its lack of support for JavaScript as a feature. zigote, would you like to start such an effort?

zigote
Desconectado
Joined: 03/04/2019

Boycotting is wasted effort if it is done by one person or a small group. It needs to be a combined massive activity, not an individualistic one.

Just like replacing modern closed hardware with open one: Removing widely adopted technology like JS without which people would not be able to do their work is very difficult without a decent replacement. And it surely can't happen instantly.

Perhaps the right protest should be against W3C standards. Unfortunately big tech companies have a huge influence on those.

That's why I think distros are the entities which can give a big slap and change things. Not the individual person or a tiny community. So - no, I wouldn't be able to start such an effort.

onpon4
Desconectado
Joined: 05/30/2012

That "combined massive activity" isn't going to happen for something as obscure as this that so few people care about. Besides, if Mozilla sees use of Firefox in decline, how exactly are they going to know that working on a JavaScript implementation of Python is why? There's no connection between these two things at all. It would be like "boycotting" Linux because of some proprietary program that Linus Torvalds developed.

Use whatever browser you want, but I think this "boycott" won't help your cause.

zigote
Desconectado
Joined: 03/04/2019

> That "combined massive activity" isn't going to happen for something as obscure as this that so few people care about.

Even less people care about "The JavaScript trap" article (even those who know about it). A lot of the advanced linux users and sysadmins actually laugh at it.

> Besides, if Mozilla sees use of Firefox in decline, how exactly are they going to know that working on a JavaScript implementation of Python is why?

When you protest against something, you don't keep silent about your reasons and demands. The same applies to any boycott.

> Use whatever browser you want

Thank you.

onpon4
Desconectado
Joined: 05/30/2012

"Even less" people care about JavaScript than this obscure Python implementation that works alongside JavaScript? Surely you must be joking. Opposition to JavaScript is not exactly mainstream, but there are several articles you can find in favor of JavaScript-free support. As for "The JavaScript Trap" specifically, there's a whole community putting silly license tags into JavaScript code for the sake of LibreJS, which is developed because of that article. On the other hand, you're the first person I've ever seen express any disdain whatsoever for Python being used in JavaScript software.

> you don't keep silent about your reasons and demands.

And what is your demand, exactly? After all, what you're upset about has nothing to do with Firefox, as has been pointed out. Need I remind you that you are reacting to nothing more than a way to use Python with JavaScript? It's not even a novel thing, the article you linked to clearly explains that this is just a further extension of work that was already being done.

zigote
Desconectado
Joined: 03/04/2019

> "Even less" people care about JavaScript than this obscure Python implementation that works alongside JavaScript?

What I meant to say was that most people don't care about "The JavaScript trap" article (or about any other gnu.org article). This was a second reply to your comments focused on mocking at how silly boycotting is based on a crooked assumption that a boycott would be a single person's silent activity and all the rest of it. Due to the aggressive and scornful way you attack this discussion, I am not going to reply to you further.

onpon4
Desconectado
Joined: 05/30/2012

> What I meant to say was that most people don't care about "The JavaScript trap" article

Perhaps you need an English lesson, then.

I said, and you quoted:

"That "combined massive activity" isn't going to happen for something as obscure as this that so few people care about."

You replied:

"Even less people care about "The JavaScript trap" article[.]"

That is a very specific statement: that fewer people care about "The JavaScript Trap" than those who care about this supposed issue that, so far as anyone here can tell, only you have ever raised any concern about.

If you didn't want to compare the number of people who care about the JavaScript issue to the number of people who care about this supposed issue, "even less" was the wrong expression to use.

> based on a crooked assumption that a boycott would be a single person's silent activity

You're literally the only person I've ever seen express even a modicum of concern about this. You don't even explain what your objections are, other than claiming that Mozilla is a "hypocrite" (which you also haven't explained). So how is this assumption "crooked"?

Do you understand that Pyodide is just an extension to the JavaScript API to allow JavaScript programmers to use Python as well? People have been writing JavaScript extensions for years. Why should anyone be particularly outraged over this one? Or outraged at all, for that matter?

GNUser
Desconectado
Joined: 07/17/2013

I agree that there is no point in banning a particular browser. Though we could (should?) make our concerns known to Mozilla.
Apart from that, what we really need is "templates" of Javascript-free websites, that also have the "modern" and "enterprise" looking and behavior everyone expects from websites these days. If we say "you shouldn't use Javascript, do your website like an 90's website" people won't listen. If we give them the option of having a modern looking website without JS they will accept and eventually it could become the norm. I think onpon has a great website where he publishes his games and articles, and that website is made without JS I think. For companies I still think they would require more than that though.

chaosmonk

I am a member!

I am a translator!

Desconectado
Joined: 07/07/2017

I've started a new thread in which I'd like to focus on the freedom status of ungoogled-chromium.

https://trisquel.info/en/forum/freeing-ungoogled-chromium-was-python-trap

Masaru Suzuqi -under review-
Desconectado
Joined: 06/06/2018

As an average user, I have a simple question, though.
I think a browser is the application which is used most among all the applications.

Why is not there still the perfect browser from the view point of computer freedom?

Dozens years have passed since 1980s.
It still seems that there are arguments about which one is better or that one violates something or this one includes something etc etc in the community. Of course it would confuse so-called average users very much.
It is not just about browsers.
"I don't understand well." then going back to Chrome OS is a perfectly natural reaction. It is stable, fast, maybe secure.
How did this chaotic situation happen?

andyprough
Conectado
Joined: 02/12/2015

abrowser is pretty much perfect. Excellent computer freedom.

Masaru Suzuqi -under review-
Desconectado
Joined: 06/06/2018

Why "pretty much"? Why is it not perfect?

zigote
Desconectado
Joined: 03/04/2019

> Why is not there still the perfect browser from the view point of computer freedom?

Because neither web standards nor legislation are made to serve that purpose.

> How did this chaotic situation happen?

https://en.wikipedia.org/wiki/Commercialism

Masaru Suzuqi -under review-
Desconectado
Joined: 06/06/2018

I cannot say I understand well, though. I maybe understand if web standards and legislation were surved mainly privacy and security, it would be better situations. Then since those complicated current standards, making a perfect browser is impossible, that means?
I have heared some good story about world wide web so I don't think everything is going with commercialism or bad things, though.
Redrawing the line seems very troublesome. This is written in Wikipedia too though, where is the line between acceptable commerce and unacceptable one is obscure. From the beggining, the word commercialism (and maybe capitalism too) has contrary or obscure ideas. Anyhow if we have to redraw the line, not to accept gathering any information would be ideal.
I think that the only effective way is that people demanding privacy (and security) seriously.
We would not be able to proceed things without that but... how to prove a public consensus.