Of all the things in the world to be concerned about, running non-GPL'd JavaScript in my browser is far enough down my list that writing this comment bumps me well over my lifetime quota for the issue.
> it defines functions or methods and either loads an external script (from html) or is loaded as one,
Under this particular term, I can't think of a single web site that I have written which would be considered to be "trivial".
That said, I appreciate the underlying concern - that without significant changes to the browser, you have little to no fine-grained control over what is run by that browser. While there are add-ons which block scripts from running entirely, there are no add-ons that I know of [0] which would allow you to run a user-provided alternative to a script specified by the web page.
[0] I can, actually, think of a way to potentially work around this with a combination of greasemonkey and NoScript - block certain scripts and provide your own functions which mirror those provided by the blocked scripts. Would make for an interesting project.
I would upvote your comment, but I think the javascript HN uses for that might qualify as nontrivial, and I don't want to taint my computer with nonfree software.
> While there are add-ons which block scripts from running entirely, there are no add-ons that I know of which would allow you to run a user-provided alternative to a script specified by the web page.
It's a decidedly non-trivial problem — how are we identifying a script? Some sites (FB used to, at least) often serve the same scripts from different hostnames (based on what CDN you're connected to, I believe). What happens if the same script (say, jQuery!) is downloaded from two entirely different sites? What if I change some comment, is that still the same script? What if I minify it and variable names change? What if we allow some small semantically equivalent changes? What if the script is non-cacheable and changes on every load (some are!), how do we replace that?
Presto-based desktop releases of Opera would allow you to modify code (and HTML and CSS) on a page identifying it by URL, but I don't know of anything else comparable.
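The identification problem raised in the comment above, as an added example that is not part of the original thread: it compares two scripts by URL, by SHA-256 of the raw bytes, and by SHA-256 after stripping comments and collapsing whitespace. The hostnames, script bodies and the `normalize`/`compare` helpers are constructed for illustration.

```javascript
// Added example: three candidate notions of "the same script".
const { createHash } = require("crypto");

const sha256 = (text) => createHash("sha256").update(text, "utf8").digest("hex");

// Drop comments and collapse whitespace runs, leaving string literals untouched.
// Simplification: regex literals containing quotes or "//" are not recognised.
function normalize(source) {
  let out = "";
  let pendingSpace = false;
  let i = 0;
  const emit = (text) => {
    if (pendingSpace && out.length > 0) out += " ";
    pendingSpace = false;
    out += text;
  };
  while (i < source.length) {
    const ch = source[i];
    const next = source[i + 1];
    if (ch === "/" && next === "/") {
      // Line comment: skip to end of line.
      const end = source.indexOf("\n", i);
      i = end === -1 ? source.length : end;
      pendingSpace = true;
    } else if (ch === "/" && next === "*") {
      // Block comment: skip to the closing marker (or end of input).
      const end = source.indexOf("*/", i + 2);
      i = end === -1 ? source.length : end + 2;
      pendingSpace = true;
    } else if (ch === '"' || ch === "'" || ch === "`") {
      // String literal: copy verbatim so "//" inside a URL is not cut.
      let j = i + 1;
      while (j < source.length && source[j] !== ch) {
        j += source[j] === "\\" ? 2 : 1;
      }
      emit(source.slice(i, j + 1));
      i = j + 1;
    } else if (/\s/.test(ch)) {
      pendingSpace = true;
      i += 1;
    } else {
      emit(ch);
      i += 1;
    }
  }
  return out;
}

function compare(a, b) {
  return {
    sameUrl: a.url === b.url,
    sameBytes: sha256(a.body) === sha256(b.body),
    sameNormalized: sha256(normalize(a.body)) === sha256(normalize(b.body)),
  };
}

// Constructed sample scripts; hostnames and bodies are made up.
const original = {
  url: "https://cdn-a.example/lib.js",
  body: "/* v1 */\nfunction add(first, second) {\n  return first + second; // sum\n}\n",
};
// Same bytes served from a different CDN hostname.
const mirrored = { url: "https://cdn-b.example/lib.js", body: original.body };
// Same code with a changed comment and different indentation.
const recommented = {
  url: original.url,
  body: "/* build 2 */\nfunction add(first, second) {\n    return first + second;\n}\n",
};
// Minified: identifiers renamed, whitespace removed.
const minified = { url: original.url, body: "function add(a,b){return a+b}" };

for (const [label, other] of [["mirror", mirrored], ["recommented", recommented], ["minified", minified]]) {
  console.log(label, compare(original, other));
}
```

None of the three keys survives identifier renaming, which is the minification case the comment asks about.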
I don't really understand this article. JavaScript is less of a trap than regular software: the code is running in a much less capable sandbox. This means that unlike unfree software which behaves against the users' rights, or against the users' will, a browser app asks you permissions for many obtrusive things (webcam/mic access, location, etc).
But the software is still proprietary. It's not just about the software doing nefarious things, but about giving the user freedom to modify and share the software.
JavaScript code is more of a trap because it runs without the user having to do anything! Just by visiting a website, an application is transparently downloaded and run on your computer. Most people don't even think of what is going on when they visit a web page in a modern web browser. System software needs to be explicitly installed by the user.
Try disabling JavaScript or using the Mozilla browser extension LibreJS and notice how much of the web breaks. That's the state of free software on the web. It's terrible.
I am just trying to understand the difference. But why not consider Javascript an extension of server-side code? I don't think anybody is stopping use of websites just because their back-end is not open source.
Is it because we own our desktop and we don't allow non-free code to execute on our machines? If not then it is just an issue of proximity, your laptop vs distant data center. If it is a more philosophical point that we should not use non-free software then using a website running on a closed source back-end is as much a problem as obfuscated Javascript.
I actually asked Stallman about this once at a talk. It is precisely because we own our desktop. The analog he used was a food truck. It's fine to eat something from a food truck that somebody else prepares, even if there's a secret sauce you don't know about. The issue is being given the food truck and then being told that you must still use the sauce whose contents are opaque to you.
That being said, I don't really care much about using non-GPL programs. But that's the rationale.
There are plenty of people choosing not to use certain services because of the politics of their companies, business models, and yes software.
The calculus changes when you go from client to server software, but licensing is intimately tied to data ownership and portability.
I often don't subscribe to FSF's philosophy, but the issues they're generally concerned with do enter into my decisions about what services I use and/or trust.
The code that generated the resource you're viewing, regardless of script content, may not be Free. The code running the server may not be Free, and that might not be part of the details of the transmission. There is probably plenty of nonFree code in the hardware that got your packets there and back.
Open source/free/libre software is a great idea, but a lot of JS code out there is nontrivial, useful and incredibly narrow in scope. Compare it to a build script: it may be relatively complex, yet so specific to its particular use case that it is not really useful to anyone to open source it. I think this is much the case with Javascript on the web. Some websites may have genuinely useful nontrivial code full of their own domains and site-specific classes and IDs, and it's not worth anything to anyone else, but it qualifies as nontrivial nonfree and now deserves to be blocked!
Defining "nontrivial" is probably impossible, and the attempt looks a bit clumsy: making a network request apparently instantly qualifies you as non-trivial, even though your browser probably made a bunch of network requests for static content just to load the page. Want to load a sound to play with the Web Audio API? You now need to open source your Javascript code and provide a correct license to avoid blocking. The given description also means use of obj[prop] (often used to mimic a hashmap, thereby arbitrarily disqualifying certain data structures) or loading an external script via <script src="..."></script> (thereby disqualifying certain kinds of optimisation or organisation) count you as "nontrivial".
How can this ever be objectively determined? And if the punishment is blocking then how is it ever going to be fair?
In addition to the "too-tailored" issue, another problem with code reuse is that Javascript doesn't have any (good && standard) ways to handle packages, dependencies, or (partly the browsers' fault) load order.
RMS's line of thinking here is an example of coming up with a rule (i.e. use Free/Libre software on your computer) that approximates the right thing to do to achieve a certain outcome (maintain control of your computing and avoid anti-features / being exploited by other people), and then applying that rule beyond where the original approximation was valid, to the extent that you are actually doing worse in terms of your original outcome.
I think the rational ordering will normally be:
FLOSS code, your server > Non-free code, your server > Unknown code, someone else's server
RMS seems to prefer:
FLOSS code, your server > Unknown code, someone else's server > Non-free code, your server
But unknown code on someone else's server can generally do far more in terms of anti-features than non-free code on your server. You can at least see how much data is being exfiltrated; they still have to worry about people reverse engineering the code and ruining their reputation if they do something too bad; you at least have the option to reverse engineer the data format or network protocol and replace their code with something you completely understand and control. If the data is on their server, you give up a tremendous amount of control.
I think some of the stuff RMS writes can serve as a cautionary tale about not letting rational heuristics that start with good intentions become dogma (as can the development of many religions which also probably started with good intentions) - hyperbolic thinking and using words like evil and wrong to describe something you think should be avoided always seems to lead to things getting taken too far.
Unless you've written, or at least read the code yourself, and know there are no vulnerabilities, you can never really prevent "anti-features" or being exploited by other people. FLOSS doesn't magically prevent that from happening. It is less likely, but not impossible.
This is the most ridiculous thing I've read today. If you are this adamant about it you might as well not use the internet at all. The vast, vast majority of the content of the web is not under a free license - javascript or otherwise.
And how is it any different than the server doing the exact same thing server side?
Stallman's commitment to..."open source"? Sir you better hide fast. He is coming for you!
On a serious note Stallman continuously points out that he does not support the open source movement and that free/libre software and open source software are two different concepts.
JavaScript is really easily "openable." It's actually really easy to run most of it through a beautifier. Take even something as insane as the contents of http://jsbin.com/OhisIQAW/1/source (uses nothing but symbols to run `alert("I love you.")`) and the magic becomes a lot more visible.
Running the first statement will give you an object filled with numbers 0-9 and letters a-f. The second statement, when run, outputs the string "constructor" by messing with references to the first object.
With a little bit of dedicated work, you can easily learn how anything is done in JS (well, besides Asm.js but that's beside the point) because it is, at its highest level, a language made to bridge between APIs. The only good thing about it is its widespread support and debuggability.
Oh, and the reasoning behind the "one character method names" mentioned: It's for minification of code, because we don't live in a world with infinite resources. If the FSF donated to me to keep my code "open" then I'd gladly keep it un-minified. Even when "obfuscated", though, it's pretty trivial to undo. [1]
Even asm.js is openable, it's pretty much just C with weird syntax - despite the name. Although almost all your type info's gone, which makes interpreting it a wee bit hard.
Heh, a lot of it is a generational thing. Back in the 90's, many if not most programmers would have passionately agreed with every word of this. Today, for younger programmers who take open-source for granted... it just seems like the incoherent ramblings of that old uncle who rants about Obama at every family gathering.
At any rate, where this is coming from would make a lot more sense if you'd come up in the 80's and 90's, and remembered what it was like before open-source gained a serious foothold.
Richard Stallman had a frustrating experience thirty years ago when he couldn't debug a software issue for lack of access to the source code. Since then he has used "evil" to mean anything that impedes programmers' ability to read source code with the original debugging symbols, regardless of whether those programmers are working on evil products.
I fail to understand the conflation of "nonfree" with "nontrivial."
If they are implying that the complexity of a snippet of code has some bearing on whether copyright protection applies, that is simply untrue. Forgive me for that strawman, but if they had told us we wouldn't have to guess.
I also sense a bit of fear mongering here. Half a megabyte of Javascript for a web page? Goodness, what could they be putting in there? And just a reminder, eval is evil. But why does that automatically qualify code as nontrivial? And how does that have anything to do with free software in the first place?
It's a legal distinction. Code which is 'trivial' or 'functional' cannot be copyrighted, so therefore the GPL doesn't apply.[1] The example given there is a Hello World dialog, but certainly I have written tons of DOM manipulation JS which is purely 'functional'. The contents of underlying HTML elements might have more copyright protection than the code.
(As to what it actually means, the case law is complex and the FSF would probably tell you to go ask a lawyer if you really want to know. Otherwise they will just offer you some arbitrary guideline, somewhat like their prohibition on linking to GPL C programs.)
RMS has said he doesn't mind using ATMs that use non-free software because he can't be responsible for what other people run on their devices. If we consider the website a service, where the javascript runtime is isolated to the web, then it is a similar situation - while it is evaluated on your device, the code itself is not installed on your computer, and it is sandboxed to have very limited access.
This only really applies to JS served from the website. Offline apps are a little more iffy, and browser extensions certainly qualify as installed software that you are running. Possibly less so in Chrome, where the extension API has some pretty hard limits on what extension code can access, but in Firefox you have the ability to do almost anything on the user's machine, which is why Mozilla reviews add-ons before approving them and has stricter guidelines for how they should behave.
The problem of comparing ATMs with web services is that banks are liable for the machine to work correctly. For software, users are commonly the ones liable if something goes wrong and thus in need of liberty to balance responsibility with freedom.
If a bank website's JS software goes wrong and causes damages, whose fault is it? Is it the customer's fault, maybe because his machine had broken hardware? Is it the bank, because it's their service and they are responsible that all transactions are done correctly? Is it the JS developers who maybe introduced a bug?
When we can define whose responsibility it is, we can define if the user of the software/service needs access to change, modify and distribute the code.
Considering that just about all JS code running out there is likely non-free (except pure library demos usually), one could just run NoScript if they really wanted to block such code without losing out on much. It also seems like replacing non-free applications with free counterparts is quite a bit more complex in such an environment because it'd still have to interact with the (typically) non-free server infrastructure. Not to mention that doing so might actually be (sadly) illegal.
The fallacy here is the assumption that there is value in JavaScript in any form. As a long time web programmer, I can tell you I could care less about the freeness of your Javascript. I don't want to see it, read it, or spend one second trying to understand your smelly bowl of web code.
> a JavaScript program nontrivial if:
> ...
> - calling methods with the square bracket notation
-something[key](x);
+var f = something[key];
+f.call(something, x);
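Review bot: on the two added lines, `key` still selects the method at run time, so `var f = something[key]` keeps the dynamic dispatch of the removed `something[key](x)` and only the call syntax changes. Neither form checks that the looked-up value is a function before invoking it; a `typeof f === "function"` guard ahead of `f.call(something, x)` would make the failure case explicit when `key` is not a fixed, known name.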
Some of the websites you access also run on non-free closed source code, too! This means the HTML they send to you is made by the smut that is closed-source software. The horror!
I'm all for open source as much as possible and whenever it's practical, but this blog post is akin to saying you shouldn't use C code on your system because there's non-free software written in C.
This isn't advocating that users avoid using javascript (although it suggests that users who avoid non-free software avoid non-free javascript as well, which should go without saying). It's just advocating that client-side javascript code be released as free software and gives guidelines for doing so.
[+] [-] smithkl42|11 years ago|reply
[+] [-] jumpwah|11 years ago|reply
[+] [-] falcolas|11 years ago|reply
[+] [-] tedunangst|11 years ago|reply
[+] [-] gsnedders|11 years ago|reply
[+] [-] sktrdie|11 years ago|reply
[+] [-] davexunit|11 years ago|reply
[+] [-] Jare|11 years ago|reply
[+] [-] amitamb|11 years ago|reply
[+] [-] norseboar|11 years ago|reply
[+] [-] AshleysBrain|11 years ago|reply
Because it's entirely possible to write purely client-side web apps using Javascript that involve no server at all.
[+] [-] LamaOfRuin|11 years ago|reply
[+] [-] keville|11 years ago|reply
How the Hell does Stallman even use the Internet?
[+] [-] AshleysBrain|11 years ago|reply
[+] [-] Terr_|11 years ago|reply
[+] [-] drdaeman|11 years ago|reply
[+] [-] A1kmm|11 years ago|reply
[+] [-] chrismcb|11 years ago|reply
[+] [-] Houshalter|11 years ago|reply
[+] [-] tylermauthe|11 years ago|reply
[+] [-] mardurhack|11 years ago|reply
[+] [-] forsaken|11 years ago|reply
[+] [-] striking|11 years ago|reply
[1]: http://features.jsomers.net/how-i-reverse-engineered-google-...
[+] [-] streptomycin|11 years ago|reply
[+] [-] TazeTSchnitzel|11 years ago|reply
[+] [-] BlewisJS|11 years ago|reply
[+] [-] StevePerkins|11 years ago|reply
[+] [-] dragonwriter|11 years ago|reply
[+] [-] myhf|11 years ago|reply
[+] [-] valar_m|11 years ago|reply
[+] [-] flomo|11 years ago|reply
[1] http://www.iusmentis.com/copyright/software/protection/
[+] [-] mcovey|11 years ago|reply
[+] [-] belorn|11 years ago|reply
[+] [-] joesmo|11 years ago|reply
[+] [-] indutny|11 years ago|reply
[+] [-] ownedthx|11 years ago|reply
Fight some other battle, gnu!
[+] [-] dyadic|11 years ago|reply
We most certainly are, there's very little may be about it.
It's nice that we can see Javascript (albeit, often minimized) but we should never assume that visibility === free.
[+] [-] guest1206|11 years ago|reply
[+] [-] codezero|11 years ago|reply
[+] [-] xg15|11 years ago|reply
But you still have to include those two paragraphs in all minified files...
[+] [-] cenhyperion|11 years ago|reply
[+] [-] adrusi|11 years ago|reply
[+] [-] markuz|11 years ago|reply