GNU LibreJS
gnu.orgWhile the comments here are almost universally negative, this actually isn't that bad of an idea. Not just because of the freedom aspect, though I'm generally fairly principled about that--I'm more concerned about security and tracking. I've been increasingly paranoid in the post-Snowden era about this kind of stuff, using NoScript, RequestPolicy, and other plugins. And guess what... it's a huge pain in the ass. So many sites are broken, and I have to whitelist sites/external frameworks/CDNs quite often just to read simple articles. And even after all this effort, I know that I could still be running malicious code. I probably shouldn't care so much, but it's an irritating possibility. The implementation here isn't necessarily the best solution, but the idea of limiting javascript to trivial functionality could make things for the paranoid/security-conscious a lot easier.
I, for one, am growing tired of the entire "Libre + something" nomenclature.
Great. But why are you saying this in thread about something completely unrelated?
It's hardly "redoing an existing project". It's about giving user control on what he/she executes on his/her machine. It's just NoScript with automatic whitelisting of free software, nothing more.
Their definition of "non-trivial" includes using computed member expressions, so the following program is not supported:
var greetings = {world: "Hello World"};
var subject = 'world';
console.log(greetings[subject]);
I'm one of the maintainers for LibreJS, and we are discussing the issue of triviality right now. If you have any input, don't hesitate to send a message to the mailing list (help-librejs@gnu.org) -- https://lists.gnu.org/mailman/listinfo/help-librejs
Its not possible for humans to determine if a work qualify under copyright, so getting a computer to do it is about as impossible task as one can make it.
You can put in arbitrary heuristics and argue how many expressions, lines, or words should be required for copyright status, but then there will always be up to a judge if you guessed right.
The options here seems to either not include any detection for the copyright scope, or try invent something and hope that people will send in patches when it hit a false positive.
If you think such plugin should detect something as trivial code which it currently classify as not, send in a patch.
That's only if there is no license block. If there's a license block, it takes it at face value. So if the code really is free, putting a license statement to that effect should be enough.
I know people are going to say "what about minification", but c'mon, it's the 21st century, web servers know how to compress data streams when they send them and web browsers know how to decompress them. Minification for the purpose of saving bandwidth is a bugbear.
Minification improves the effectiveness of algorithms like Gzip by a large margin. It is generally a great idea to minify then Gzip.
https://developers.google.com/web/fundamentals/performance/o...
People who care more about freedom than comfort?
It's strange how age and the passage of time can change you. When I was in my 20's, I used to say things exactly like this. The further along I get into my 30's, the more I read things like this and experience the same feeling I get when reading "9/11 Truth" material.
But how is the above sample 'unfree'?
There is no license notice in the sample. LibreJS looks for a license notice as a comment in the script: http://www.gnu.org/software/librejs/manual/librejs.html#Free...
The main goal of the GPL is to allow that programs can be understood and modified by user. A "trivial" javascript program accomplishes that, regardless of license.
The sample above is "non-trivial" according to the set of heuristics they are using, so they are just saying "if the program is not trivial, then you need to explicitly state that it is GPL for us to consider it free"
Not GPL, but any free software license.
Without a license, the assumption is that it is proprietary.
So, all that in-line javascript on my website suddenly is "proprietary" even though it's usually just a few lines?
(as a consequence, my entire site won't work for users with this enabled)
Please contact your local politician and make the copyright scope more sane. That way, a few lines won't be copyright-able and we don't need licenses for it.
Seriously guy -- why even bother surfing the internet?
I mean -- the websites you are visiting are bound to be using non-free proprietary software. At least a few of them.
Actually -- the routers your packets travel through are using proprietary non-free software!
The BIOS that boots your PC is non-free and proprietary!
Just throw your computer out -- that is the only sure way to stop using non-free software. (actually, don't throw it out -- just mail it to me ;)
That's why triviality heuristics are there.
People who care more about the delusional ranting of Stallman than actually using any web service today?
Oh yeah, using jquery is "non-trivial".
What a load of crap.
jQuery, even in its compressed form makes a license known.
/! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license /
It's not ideal, but I'll take it.
See this: http://www.gnu.org/software/librejs/manual/librejs.html#Java...
The $.doSomething(); example
Stallman talking about the web is like a Catholic priest talking about sexual intercourse: he has no practical experience with it and has no idea what he's talking about.
> Stallman talking about the web is like a Catholic priest talking about sexual intercourse: he has no practical experience with it
Completely tangentially, its quite possible to be a Catholic priest [1], have never violated any Catholic teaching or discipline, and have practical experience with sexual intercourse. Catholic priests can't get married, and men usually can't become priests in the Latin Rite if they are currently married [2], but widowers can be ordained priests in the Latin Rite, and married men can become priests in the Eastern Rites.
And, in any case, even in theory, becoming a priest doesn't require one to never have violated teaching on this (or any other) point before so doing.
[1] in the usual sense of a "priest in a church in union with Rome", not extending that to breakaway or never-in-union churches that might have "Catholic" in their name.
[2] But there are exceptions to this rule.
Maybe so, that's why he asked people like John Resig (creator of jQuery) and myself to assist him.
For the curious, this is what is considered "non-trivial":
.it makes an AJAX request or is loaded along with scripts that make an AJAX request,
.it loads external scripts dynamically or is loaded along with scripts that do,
.it defines functions or methods and either loads an external script (from html) or is loaded as one,
.it uses dynamic JavaScript constructs that are difficult to analyze without interpreting the program, or is loaded along with scripts that use such constructs. These constructs are:
..using the eval function,
..calling methods with the square bracket notation,
..using any other construct than a string literal with certain methods (Obj.write, Obj.createElement, ...).
I generally support Richard Stallman (or, as I've taken to referring to him lately, GNU/Stallman or GNU plus Stallman), but this is a set of directives so wildly out of step with common engineering practice that I have to question how seriously others will take it.
Or, perhaps, there's a deeper question here--can programs consumed from others on a network (such as embedded scripts) ever truly be considered free?
> I generally support Richard Stallman (or, as I've taken to referring to him lately, GNU/Stallman or GNU plus Stallman), but this is a set of directives so wildly out of step with common engineering practice that I have to question how seriously others will take it.
Its not about engineering practice, its about ideology -- these are only blocked if they aren't attached to an appropriate license notice. This is a tool to maintain an ideologically pure experience, engineering has nothing to do with the purpose.
The point is to know that you are running free software. If it's free and has a free license, then yes, it's easy to be considered free. Free. If it's trivial, you need not apply a license. Trivial. (You may disagree with their standard of trivial vs non-trivial, but if your objection is they set the bar too low, then you missed the point.)
Non-trivial and non-free? Not good for you young one, tread carefully. That is the point and it's obviously not clear, from reading this comment thread (I also didn't get it at first) but, that is clearly a gray area where free software activists/advocates could draw a line and shield themselves by saying "won't execute."
Find a program you would objectively call non-trivial in JS that does none of the things listed in the philosophy doc. If you can, the heuristic algorithm needs a patch to make sure it gets its license checked by LibreJS prior to runtime.
> this is a set of directives so wildly out of step with common engineering practice
how so? It's just a set of guidelines for how program such as LibreJS might interpret what trivial JavaScript code looks like. If you think it's wrong, write to RMS and tell him, or tell me and I'll pass it along.
But something like:
it uses dynamic JavaScript constructs that are difficult to analyze without interpreting the program
calling methods with the square bracket notation
feels like a totally arbitrary restriction. That has nothing to do with free software and everything to do with the difficulty of analysis. Stupid.
They're reasonable signs that the JavaScript is non-trivial, not restrictions. You can write a program that uses them and release it under a free software license and LibreJS will run it.
Here's a good example of a trivial JavaScript program.
<a href="#" onclick="javascript:alert('hello world')">click me</a>
For any non-trivial JavaScript programs, a free software license is required if you want it to be run by LibreJS -- a program designed to block any nonfree software from running on your computer inside a web browser.
I don't understand this view point. If this is about Free Software, then triviality should be irrelevant, either the code is Free or it isn't. I can write an arbitrarily complicated program within their constraints, license it under a non-free license and this thing will run it.
Those forms are not (supposed to be) blocked if they are attached to a free license.
It might be useful to automatically cross reference to a source like GitHub or NPM. Code could very well have licensing information at the source, but not serve it to web clients. Just the name of the library would be enough to get a lot of these.
The name is not nearly enough. I could serve a jquery-1.11.1.js file that has my own proprietary modifications. A checksum could fix this. However, what about when minified JavaScript is served, as is often the case? What source code corresponds exactly to the "binary" (minified source)? People use different minifiers/uglifiers with different settings. And then there's the issue of minifying all of your source files and then concatenating them into a single file. It's a tough problem.
And how would you define the "non-triviality" of JS code?
Actually, you can omit that completely. This extension does not need any triviality heuristics to do what it is meant to do. If it does it - it does it only to make life of its users a bit easier.
It's not about blocking non-trivial scripts. It's about allowing trivial scripts even if they're not explicitly marked as free.
It's funny how clueless comments here are focused almost entirely on the matter of non-triviality, which is completely unrelated to the point of this project. Triviality heuristics are in fact only an implementation detail, something made to make the usage of this extension a bit more bearable. It could be completely missing and the gist of this extension would still be preserved - that is, ensuring that no proprietary code gets executed in the browser.
This is self-imposed, owner-initiated DRM: it's software specifically to make your computer run fewer programs and be less useful, because it might hurt the owner to come to rely upon powerful non-free programs.
> self-imposed, owner-initiated DRM
That's like saying that choosing not to go out for drinks is self-imposed house arrest. Nonsense.
Right, just like Debian. Nobody uses that.
...there are a lot of developers in the Microsoft ecosystem with Silverlight and whatnot that probably have a deep appreciation for the sort of problems reliance on non-free platforms brings.
Which is an argument against using Silverlight, not for removing essentially all JS (breaking) from all websites.
This doesn't do that, this is just a way to ensure any code you're running on your machine is free software. If you don't care about such things, then you wouldn't install this.
Right now, virtually all JavaScript is unlicensed.
NB: I saw LibreJS in use months ago, in person at the FSF offices. I also got in an argument about it in which I brought up points that are echoed in comments on this page.
But, I was missing the point then. (Maybe I still am.)
I think the point of this thing is show web users a truth that they might not have thought about: that most javascript in the wild isn't licensed at all && they depend heavily on it.
To see this point clearly, try an experiment: install and activate the add-in. Now, try to do something on the web. Find a restaurant, buy airline tickets, comment on a post, author a post on your blog. Most likely, you can't do any of those things. That's the point. Even ardent free software supporters are depending on [large number] lines of non-free software every day.
If you don't want to run nonfree software on your computer, you can install this and it'll only allow JavaScript to run if its freely licensed or if its very basic and passes the rules of trivial code.
That's the point of it.
What's the point of that? You can hardly use the web with LibreJS active.
Today, users have a choice: accept non-free javascript, or don't use the web.
Which brings us to a goal: we must change the web so that the majority of javascript is Free Software.
Right?
this is great for its audience(true gnu believers) and idk why every other comment is defensive like you feel personally slighted by some peoples' decision to avoid unsigned/licensed js code running on their machine without explicitly feeding it to a runtime(don't tell me they should curl down 'source' and dependencies and check licenses before viewing a page, this actually does it for them!).
If you don't care about GPL/"as in speech"/etc then it's not for you, don't install it.
RMS is a zealot but he backs it up with his crazy ass longsoon unlocked bootloader laptop from china(and other unusual practices, look up his speech rider sometime)
I love the speech rider. Thank god somebody brought it up!
I really enjoyed the part about not buying a parrot. Something along the lines of "If we haven't explored other options, then please don't book a hotel for me. I would rather stay at someone's house if someone will have me at their house. If there is someone with a parrot, I will generally prefer to stay with that person. Please also nobody should go out and buy a parrot, if you're not completely sure what you're getting into; having a parrot is a big commitment especially since they are very emotional creatures, and you can scar a parrot for life if you don't know how to take care of it. Also chances are the parrot will probably outlive you, so just don't go out and buy a parrot. It's a big decision and should not be taken lightly."
You know that's got to be in there I'm sure because someone actually did go out and buy a parrot for him once.
>crazy ass longsoon unlocked bootloader laptop from china
He's upgrading to a Thinkpad X60 with Trisquel GNU/Linux and Libreboot.
I don't want to be negative about this, but TBH I can't think of a webpage -besides Wikipedia- that will work fine restricting non-free JS.
At this point I can't put my faith in web authors, since they could not even take care of prefixing the CSS for non-webkit browsers (not trying to fault the web authors, but trying to point out that prefixes were a less-from-ideal solution that ended up in the -webkit-disaster)... How can I expect from them to license their code with a free license?
On the other side, the awful practices (like using JS for animation, or tightly coupling the site code with the Tracking code) exists in most websites (including mainstream ones).
> How can I expect from them to license their code with a free license?
Some examples of JavaScript code under a free software license:
* jQuery
* extJS
* Handlebars
* Backbone
* Angular
* Ember
In fact, pretty much any JavaScript library that people are using. Then you have stuff like node, which is being used extensively on the server -- also free software.
I was not talking about frameworks, but about website-specific code.
Lots of websites I use work fine with LibreJS:
- Craigslist - Hacker News - Duck Duck Go
... Please help us make this list longer :`p
I think this involves a big misunderstanding of the web as a medium. You may produce non-free content using Open Software as a tool. E.g., I may write a book using LibreOffice and sell it (with copyrights). I may also embed this book into HTML code and provide it for free to my readers, even when not granting rights to copy or change the text. But, if I would use JS for the means of embedding the same text, I'm off. And I haven't even mentioned of all the use cases, where a web project is the final product, aka the text, in its own end ...
If your JavaScript were just a bunch of document.write lines, then it'd run just fine, but if you require my browser to run something more complex, it should be a free software licensed program as it's running on my computer and I installed LibreJS to ensure only freely licensed code runs on my computer.
Similarly, you can use Emacs and GCC to write nonfree software, but if you ask me to run it on my own computer, I can refuse.
So you will block all algorithmically produced content (think of web art)? This is, what I would consider an inconsistency.
Even the greatest original text services, think of "In the Beginning was the Command Line", which is served for free, are still copyrighted texts, and this is ok. If you think of a medial form that is genuine to the web, you probably wouldn't go without any algorithmic aspects, and JS is of all solutions for this still the most open one. (The source code is open and free for any one to inspect, even if it is not open sourced.) But JS, especially on the client-side, is more than just a tool, it's also a mean for expressing creativity, with all the potential of being/producing a text in its own rights.
This boils essentially down to, if you need algorithms, let go of any content.
Edit: I may note that I've done some (even awarded) web art myself, and I'm not making a cent from it. But I would be disgusted to see this copied from the very first minute something goes viral and see it served with ads plastered all over in some crude, barely functional fashion (since the copyist would be only interested in making some quick cents and not in the quality and preserving its aspects as a work. And I'm speaking of real cases here.)
Would this be a good choice for Tor? Although I think Tor is even more restrictive since it blocks all scripts and even Mozilla's JIT.
It doesn't even make sense philosophically to say client side should be treated differently from server side. If you want to block this then you'd surely also what to block servers that can't prove they're running free software. You're still using the non free software either way; the only distinctions are technical not practical.
What's next, GNU LibreCSS?
(I read somewhere that html5+css3 can be turing complete)
Maybe LibreJS will just become LibreWWW, or LibreHTML5 for the cool kids?
"It blocks..."
ah yes, freedom
Are you forced to install this extension?
If I'm an abstainer and I refuse to go drinking to a friend, does it mean I'm infringing his freedom to take me drinking, or would he infringe my freedom if he would keep bothering me about that against my will?
It's my freedom to say no. I won't use this extension, as I don't really mind non-free JS code being executed by my browser (aka I don't mind some beer from time to time), but I fully support and understand people who develop and use it. There's simply no other way to use the web and not use non-free software, aside of disabling JS completely.
Yes, you care about avoiding the JavaScript trap, that is running nonfree software on your computer, via the web browser.
So, you exercise freedom 0 (the freedom to run the program) and install GNU LibreJS as an extension into your free web browser.
Now your browser blocks programs from running in your browser unless they are free software or trivial in their nature.
Classic GNU/Stallman. Putting ideology ahead of actually accomplishing anything. Thankfully, less than 1000 people will ever use this.
It is not evil to make proprietary software.
Blocking "nontrivial JavaScript"?! You have got to be kidding me. Let's block Linux kernel for "nontrivial C" while we at it. It sure as hell looks far more nontrivial than an average js script.
I see what they did now. They're not blocking any nontrivial JavaScript altogether. They're blocking nontrivial JavaScript insofar as it's unlicensed, or not licensed with a free license.
So your trivial, unlicensed javascript can be allowed to run, but once you cross the heuristic threshold of non-triviality they've applied, you need to have a license so the user is sure they're not using some complex, non-free thing.
At first I thought it was blocking all "non-trivial" JavaScript, like you. That would be boneheaded of them.
If you were working at the EFF (on the Linux kernel), or on a Free Software project, I'm sure you wouldn't want to find out that you depend on some non-free binary-only modules that you've been running without knowing about it this whole time. The Linux kernel has a whole framework of "taint" for doing the exact same thing as this LibreJS. You are meant to know when you are running non-free kernel modules, if you are paying attention to the signals the kernel is sending.
Ok, let's assume for a moment that we want to stick to the idea that programs ought to be readable/comprehensible by the user, thus "trivial" in a sense. But who decides on "nontriviality"? How did they come up with those heuristics? I can hardly find any nontrivial js code with my years of experience in it (except some jsfuck perhaps), yet at the same time I see every other day someone coming from .NET/Java land crying about all the wtf's of js. So how do we decide what is trivial and what's not?
http://www.gnu.org/philosophy/javascript-trap.html
Our tentative policy is to consider a JavaScript program nontrivial if:
* it makes an AJAX request or is loaded along with scripts that make an AJAX request,
* it loads external scripts dynamically or is loaded along with scripts that do,
* it defines functions or methods and either loads an external script (from html) or is loaded as one,
* it uses dynamic JavaScript constructs that are difficult to analyze without interpreting the program, or is loaded along with scripts that use such constructs. These constructs are:
- using the eval function,
- calling methods with the square bracket notation,
- using any other construct than a string literal with certain methods (Obj.write, Obj.createElement, ...).
How do we tell whether the JavaScript code is free? At the end of this article we propose a convention by which a nontrivial JavaScript program in a web page can state the URL where its source code is located, and can state its license too, using stylized comments.
The kernel is under the GPL, generally. This code has no license.