
GNU LibreJS - willfarrell
http://www.gnu.org/software/librejs/
======
zwegner
While the comments here are almost universally negative, this actually isn't
that bad of an idea. Not just because of the freedom aspect, though I'm
generally fairly principled about that--I'm more concerned about security and
tracking. I've been increasingly paranoid in the post-Snowden era about this
kind of stuff, using NoScript, RequestPolicy, and other plugins. And guess
what... it's a huge pain in the ass. So many sites are broken, and I have to
whitelist sites/external frameworks/CDNs quite often just to read simple
articles. And even after all this effort, I know that I could still be running
malicious code. I probably shouldn't care so much, but it's an irritating
possibility. The implementation here isn't necessarily the best solution, but
the idea of limiting javascript to trivial functionality could make things for
the paranoid/security-conscious a lot easier.

~~~
Alupis
I, for one, am growing tired of the entire "Libre + something" nomenclature.

~~~
seba_dos1
Great. But why are you saying this in thread about something completely
unrelated?

It's hardly "redoing an existing project". It's about giving user control on
what he/she executes on his/her machine. It's just NoScript with automatic
whitelisting of free software, nothing more.

------
phpnode
Their definition of "non-trivial" includes using computed member expressions,
so the following program is not supported:

    
    
        var greetings = {world: "Hello World"};
        var subject = 'world';
        console.log(greetings[subject]);
    
    

This is zealotry in action, who do they think is going to use this?

~~~
mapleoin
People who care more about freedom than comfort?

~~~
petepete
But how is the above sample 'unfree'?

~~~
rglullis
The main goal of the GPL is to allow that programs can be understood and
modified by user. A "trivial" javascript program accomplishes that, regardless
of license.

The sample above is "non-trivial" according to the set of heuristics they are
using, so they are just saying "if the program is not trivial, then you need
to explicitly state that it is GPL for us to consider it free"

~~~
mattl
Not GPL, but any free software license.

------
angersock
For the curious, this is what is considered "non-trivial":

    
    
      .it makes an AJAX request or is loaded along with scripts that make an AJAX request,
      .it loads external scripts dynamically or is loaded along with scripts that do,
      .it defines functions or methods and either loads an external script (from html) or is loaded as one,
      .it uses dynamic JavaScript constructs that are difficult to analyze without interpreting the program, or is loaded along with scripts that use such constructs. These constructs are:
        ..using the eval function,
        ..calling methods with the square bracket notation,
        ..using any other construct than a string literal with certain methods (Obj.write, Obj.createElement, ...).
    

( [http://www.gnu.org/philosophy/javascript-
trap.html](http://www.gnu.org/philosophy/javascript-trap.html) )

I generally support Richard Stallman (or, as I've taken to referring to him
lately, GNU/Stallman or GNU plus Stallman), but this is a set of directives so
wildly out of step with _common engineering practice_ that I have to question
how seriously others will take it.

Or, perhaps, there's a deeper question here--can programs consumed from others
on a network (such as embedded scripts) ever truly be considered free?

~~~
mattl
> this is a set of directives so wildly out of step with common engineering
> practice

how so? It's just a set of guidelines for how program such as LibreJS might
interpret what trivial JavaScript code looks like. If you think it's wrong,
write to RMS and tell him, or tell me and I'll pass it along.

~~~
untog
But something like:

 _it uses dynamic JavaScript constructs that are difficult to analyze without
interpreting the program_

 _calling methods with the square bracket notation_

feels like a totally arbitrary restriction. That has nothing to do with free
software and everything to do with the difficulty of analysis. Stupid.

~~~
mattl
They're reasonable signs that the JavaScript is non-trivial, not restrictions.
You can write a program that uses them and release it under a free software
license and LibreJS will run it.

Here's a good example of a trivial JavaScript program.

<a href="#" onclick="javascript:alert('hello world')">click me</a>

For any non-trivial JavaScript programs, a free software license is required
if you want it to be run by LibreJS -- a program designed to block any nonfree
software from running on your computer inside a web browser.

~~~
phpnode
I don't understand this view point. If this is about Free Software, then
triviality should be irrelevant, either the code is Free or it isn't. I can
write an arbitrarily complicated program within their constraints, license it
under a non-free license and this thing will run it.

------
seba_dos1
It's funny how clueless comments here are focused almost entirely on the
matter of non-triviality, which is completely unrelated to the point of this
project. Triviality heuristics are in fact only an implementation detail,
something made to make the usage of this extension a bit more bearable. It
could be completely missing and the gist of this extension would still be
preserved - that is, ensuring that no proprietary code gets executed in the
browser.

------
brians
This is self-imposed, owner-initiated DRM: it's software specifically to make
your computer run fewer programs and be less useful, because it might hurt the
owner to come to rely upon powerful non-free programs.

~~~
angersock
...there are a lot of developers in the Microsoft ecosystem with Silverlight
and whatnot that probably have a deep appreciation for the sort of problems
reliance on non-free platforms brings.

~~~
kansface
Which is an argument against using Silverlight, not for removing essentially
all JS (breaking) from all websites.

~~~
mattl
This doesn't do that, this is just a way to ensure any code you're running on
your machine is free software. If you don't care about such things, then you
wouldn't install this.

Right now, virtually all JavaScript is unlicensed.

------
daveloyall
NB: I saw LibreJS in use months ago, in person at the FSF offices. I also got
in an argument about it in which I brought up points that are echoed in
comments on this page.

But, I was missing the point then. (Maybe I still am.)

I think the point of this thing is show web users a truth that they might not
have thought about: that most javascript in the wild isn't licensed at all &&
they depend heavily on it.

To see this point clearly, try an experiment: install and activate the add-in.
Now, try to do something on the web. Find a restaurant, buy airline tickets,
comment on a post, author a post on your blog. Most likely, you can't do any
of those things. That's the point. Even ardent free software supporters are
depending on [large number] lines of non-free software every day.

~~~
mattl
If you don't want to run nonfree software on your computer, you can install
this and it'll only allow JavaScript to run if its freely licensed or if its
very basic and passes the rules of trivial code.

That's the point of it.

~~~
daveloyall
What's the point of that? You can hardly use the web with LibreJS active.

Today, users have a choice: accept non-free javascript, or don't use the web.

Which brings us to a goal: we must change the web so that the majority of
javascript is Free Software.

Right?

------
waterfowl
this is great for its audience(true gnu believers) and idk why every other
comment is defensive like you feel personally slighted by some peoples'
decision to avoid unsigned/licensed js code running on their machine without
explicitly feeding it to a runtime(don't tell me they should curl down
'source' and dependencies and check licenses before viewing a page, this
actually does it for them!).

If you don't care about GPL/"as in speech"/etc then it's not for you, don't
install it.

RMS is a zealot but he backs it up with his crazy ass longsoon unlocked
bootloader laptop from china(and other unusual practices, look up his speech
rider sometime)

~~~
yebyen
I love the speech rider. Thank god somebody brought it up!

I really enjoyed the part about not buying a parrot. Something along the lines
of "If we haven't explored other options, then please don't book a hotel for
me. I would rather stay at someone's house if someone will have me at their
house. If there is someone with a parrot, I will generally prefer to stay with
that person. Please also nobody should go out and buy a parrot, if you're not
completely sure what you're getting into; having a parrot is a big commitment
especially since they are very emotional creatures, and you can scar a parrot
for life if you don't know how to take care of it. Also chances are the parrot
will probably outlive you, so just don't go out and buy a parrot. It's a big
decision and should not be taken lightly."

You know that's got to be in there I'm sure because someone actually did go
out and buy a parrot for him once.

------
Aldo_MX
I don't want to be negative about this, but TBH I can't think of a webpage
-besides Wikipedia- that will work fine restricting non-free JS.

At this point I can't put my faith in web authors, since they could not even
take care of prefixing the CSS for non-webkit browsers (not trying to fault
the web authors, but trying to point out that prefixes were a less-from-ideal
solution that ended up in the -webkit-disaster)... How can I expect from them
to license their code with a free license?

On the other side, the awful practices (like using JS for animation, or
tightly coupling the site code with the Tracking code) exists in most websites
(including mainstream ones).

~~~
mattl
> How can I expect from them to license their code with a free license?

Some examples of JavaScript code under a free software license:

* jQuery

* extJS

* Handlebars

* Backbone

* Angular

* Ember

In fact, pretty much any JavaScript library that people are using. Then you
have stuff like node, which is being used extensively on the server -- also
free software.

~~~
Aldo_MX
I was not talking about frameworks, but about website-specific code.

~~~
of
Lots of websites I use work fine with LibreJS:

\- Craigslist \- Hacker News \- Duck Duck Go

... Please help us make this list longer :`p

------
masswerk
I think this involves a big misunderstanding of the web as a medium. You may
produce non-free content using Open Software as a tool. E.g., I may write a
book using LibreOffice and sell it (with copyrights). I may also embed this
book into HTML code and provide it for free to my readers, even when not
granting rights to copy or change the text. But, if I would use JS for the
means of embedding the same text, I'm off. And I haven't even mentioned of all
the use cases, where a web project is the final product, aka the text, in its
own end ...

~~~
mattl
If your JavaScript were just a bunch of document.write lines, then it'd run
just fine, but if you require my browser to run something more complex, it
should be a free software licensed program as it's running on my computer and
I installed LibreJS to ensure only freely licensed code runs on my computer.

Similarly, you can use Emacs and GCC to write nonfree software, but if you ask
me to run it on my own computer, I can refuse.

~~~
masswerk
So you will block all algorithmically produced content (think of web art)?
This is, what I would consider an inconsistency.

Even the greatest original text services, think of "In the Beginning was the
Command Line", which is served for free, are still copyrighted texts, and this
is ok. If you think of a medial form that is genuine to the web, you probably
wouldn't go without any algorithmic aspects, and JS is of all solutions for
this still the most open one. (The source code is open and free for any one to
inspect, even if it is not open sourced.) But JS, especially on the client-
side, is more than just a tool, it's also a mean for expressing creativity,
with all the potential of being/producing a text in its own rights.

This boils essentially down to, if you need algorithms, let go of any content.

Edit: I may note that I've done some (even awarded) web art myself, and I'm
not making a cent from it. But I would be disgusted to see this copied from
the very first minute something goes viral and see it served with ads
plastered all over in some crude, barely functional fashion (since the copyist
would be only interested in making some quick cents and not in the quality and
preserving its aspects as a work. And I'm speaking of real cases here.)

------
higherpurpose
Would this be a good choice for Tor? Although I think Tor is even more
restrictive since it blocks all scripts and even Mozilla's JIT.

------
supereggbert
It doesn't even make sense philosophically to say client side should be
treated differently from server side. If you want to block this then you'd
surely also what to block servers that can't prove they're running free
software. You're still using the non free software either way; the only
distinctions are technical not practical.

------
0x0
What's next, GNU LibreCSS?

(I read somewhere that html5+css3 can be turing complete)

~~~
mattl
Maybe LibreJS will just become LibreWWW, or LibreHTML5 for the cool kids?

------
2emoore4
"It blocks..."

ah yes, freedom

~~~
seba_dos1
Are you forced to install this extension?

If I'm an abstainer and I refuse to go drinking to a friend, does it mean I'm
infringing his freedom to take me drinking, or would he infringe my freedom if
he would keep bothering me about that against my will?

It's my freedom to say no. I won't use this extension, as I don't really mind
non-free JS code being executed by my browser (aka I don't mind some beer from
time to time), but I fully support and understand people who develop and use
it. There's simply no other way to use the web and not use non-free software,
aside of disabling JS completely.

------
morgante
Classic GNU/Stallman. Putting ideology ahead of actually accomplishing
anything. Thankfully, less than 1000 people will ever use this.

It is not evil to make proprietary software.

------
maga
Blocking "nontrivial JavaScript"?! You have got to be kidding me. Let's block
Linux kernel for "nontrivial C" while we at it. It sure as hell looks far more
nontrivial than an average js script.

~~~
yebyen
I see what they did now. They're not blocking any nontrivial JavaScript
altogether. They're blocking nontrivial JavaScript insofar as it's unlicensed,
or not licensed with a free license.

So your trivial, unlicensed javascript can be allowed to run, but once you
cross the heuristic threshold of non-triviality they've applied, you need to
have a license so the user is sure they're not using some complex, non-free
thing.

At first I thought it was blocking all "non-trivial" JavaScript, like you.
That would be boneheaded of them.

If you were working at the EFF (on the Linux kernel), or on a Free Software
project, I'm sure you wouldn't want to find out that you depend on some non-
free binary-only modules that you've been running without knowing about it
this whole time. The Linux kernel has a whole framework of "taint" for doing
the exact same thing as this LibreJS. You are meant to know when you are
running non-free kernel modules, if you are paying attention to the signals
the kernel is sending.

~~~
maga
Ok, let's assume for a moment that we want to stick to the idea that programs
ought to be readable/comprehensible by the user, thus "trivial" in a sense.
But who decides on "nontriviality"? How did they come up with those
heuristics? I can hardly find any nontrivial js code with my years of
experience in it (except some jsfuck perhaps), yet at the same time I see
every other day someone coming from .NET/Java land crying about all the wtf's
of js. So how do we decide what is trivial and what's not?

~~~
mattl
[http://www.gnu.org/philosophy/javascript-
trap.html](http://www.gnu.org/philosophy/javascript-trap.html)

Our tentative policy is to consider a JavaScript program nontrivial if:

* it makes an AJAX request or is loaded along with scripts that make an AJAX request,

* it loads external scripts dynamically or is loaded along with scripts that do,

* it defines functions or methods and either loads an external script (from html) or is loaded as one,

* it uses dynamic JavaScript constructs that are difficult to analyze without interpreting the program, or is loaded along with scripts that use such constructs. These constructs are:

\- using the eval function,

\- calling methods with the square bracket notation,

\- using any other construct than a string literal with certain methods
(Obj.write, Obj.createElement, ...).

How do we tell whether the JavaScript code is free? At the end of this article
we propose a convention by which a nontrivial JavaScript program in a web page
can state the URL where its source code is located, and can state its license
too, using stylized comments.

