"Further, we've recently seen companies such as Research In Motion (makers of the Blackberry) advising customers to entirely disable JavaScript in the WebKit browser on its devices because of a security problem that was discovered. While free software JavaScript can have security problems too, this example illustrates that we have a real need to be able to see what the code we're running on our computers is actually doing, and change it."
I think the author doesn't understand how client side javascript works. If on the other hand they're referring to server side Javascript, that has nothing to do with the web browser over say, PHP. You don't necessarily get the source to a PHP-based web app when you use it. Why so much Javascript hate?
I think the rub here is not that they want to be able to see the script files, it's that they want the javascript behind GMail and other big apps to be released under a Free Software License.
I can understand the point, but is it really necessary to express it in a way that evokes the works of L Ron Hubbard?
You may not be aware of the dangers of JavaScript — a problem we've deemed The JavaScript Trap — proprietary software running on your computer, inside your web browser.
Silently loading and running nonfree programs is one among several issues raised by "web applications". The term "web application" was designed to disregard the fundamental distinction between software delivered to users and software running on the server.
Beware, dear reader. They may be starting with this fundamental distinction... but your children will be next!
I agree, it is rather unsettling how they frame their argument--there really isn't an argument at all as to why these things should be released under such a license, besides a vague allusion to security concerns. I love open source stuff, but the Free Software Foundation always seemed to me like that annoying vegan friend who never leaves you alone about the evils of animal products
the tagline in the link reads like a scary movie trailer:
>You may be running nonfree programs on your computer every day without realizing it--through your web browser.
Not to mention that should it be licensed under a free model, those security concerns don't just magically vanish. I agree with you summation their stance can be radical and preachy at times much like the Vegan community.
Security concerns was not the only argument.
"It's clear that JavaScript is a very powerful and useful technology in the right hands. Many free software developers have written add-ons and enhancements to popular websites thanks to tools like Greasemonkey. There's a slew of fantastic free software Greasemonkey scripts for Gmail. The existence of scripts like these shows both that Gmail's JavaScript is not trivial, and that there are users who could make useful, interesting contributions if the JavaScript were released as free software for them to modify."
They argue that we should be able to change GMail's javascript code just like we do other applications we use.
I think they do understand that. It is, however, nontrivial to edit compiled JavaScript. There might also be legal complications to editing the scripts...
I'm extremely relieved to see so many posts mirroring my exact impression from this article. Here we have a splendid reference as to the power of words to illicit an emotion, with no real effort to craft an argument of any substance.
They should instead be advocating users to move on to services which use the GPL. Good luck getting all these corporations to open up their source code just like that.
I think it can be split into the issues of license-free JavaScript (those with no license attached), obfuscated JavaScript, and the lack of tools to modify JavaScript on the client side.
Javascript on Gmail predates GWT. It may be possible that they've moved it to GWT but I don't think so, it loads too fast for starters.
For GWT normally you have to import the libraries, and then you get a lot of gibberish that looks like its been run through an obfuscator. Then in the body you have a section where you basically say 'insert stuff here', and that is where all your controls get inserted (by the magic javascript). Gmail doesn't have either of those that I can see.
I had a look at the source of gmail, and it looks like a normal page (lots of standard html controls (which you wouldn't expect to see in GWT) plus some weird ass timezone javascript at the end of it. Which does look kind of obfuscated, but probably was just run through a variable-name-shortener.
What I don't see, is any other script or onclick= stuff. And that is kind of suspicious. There's a blank script tag in the header, maybe they have a javascript that runs (to add all that junk dynamically) and then somehow erases itself (a neat trick?) or they have some other way of hiding the javascript?
The corollary to Poe's law[1] is appropriate here: Even the most sincere fundamentalism will be confused with with parody by a cynical enough audience.
The benefit to Google of the current mode is the ability to rapidly change the code pushed to your browser.
If there was a open source release of the gmail client code, it would force google into maintaining an API for that code for the foreseeable future, which would require additional effort.
The closest to this request that seems remotely likely is a client side API for gmail, so that browser plugins or third party services could extend it. I see a lot of cost to Google to actually release the code, and not a ton of benefit.
How weird. Their position here seems to be that proprietary software running on Google's servers generating html is ok, but proprietary javascript embedded in those pages is not ok. (because it runs in your browser?)
Server side code is what they have the affero GPL for:
“The GNU Affero General Public License is a modified version of the ordinary GNU GPL version 3. It has one added requirement: if you run the program on a server and let other users communicate with it there, your server must also allow them to download the source code corresponding to the program that it's running. If what's running there is your modified version of the program, the server's users must get the source code as you modified it.…” — http://www.gnu.org/licenses/why-affero-gpl.html
presumably they dont want the back end of gmail being proprietary either but its not the point of the article?
I have a problem with this article, which is that treats JavaScript "programs" as different from other resources on the web. Must the HTML and CSS which make up a webpage be free? What about pictures, audio, and video?
JavaScript may be the most flexible language which web browsers natively understand, but HTML has long included forms (now with support for validation) and CSS lets authors program complex, interactive rules for presentation.
Even without JavaScript, websites like Gmail are undeniably applications (in this case, a mail reader, manager, and composer), some part of which are downloaded to and rendered by your own computer.
This article is ridiculous and pointless JavaScript hate article.
JavaScript is not different from HTML and CSS, all of these are generated by a sometimes proprietary service and executed in the browser.
This article is completely stupid because it not only misses the point of JavaScript, it even contradicts itself:
- if the UI is plain HTML/CSS and is generated server side and then fed to your browser, you will never even have a clue how it works
- if the UI is done with JavaScript on the client you can always de-obfuscate it
> Further, we've recently seen companies such as Research In Motion (makers of the Blackberry) advising customers to entirely disable JavaScript in the WebKit browser on its devices because of a security problem that was discovered.
It seems the FSF wants to build a reputation by taking things out of context and leaving out important bits. The security was probably found in the browser and not in JavaScript, this is the same as advising someone to unplug the computer because of a computer virus.
I am really disappointed by this short sighted article, the FSF should be better than this.
29 comments
[ 3.8 ms ] story [ 50.4 ms ] thread"Further, we've recently seen companies such as Research In Motion (makers of the Blackberry) advising customers to entirely disable JavaScript in the WebKit browser on its devices because of a security problem that was discovered. While free software JavaScript can have security problems too, this example illustrates that we have a real need to be able to see what the code we're running on our computers is actually doing, and change it."
I think the author doesn't understand how client side javascript works. If on the other hand they're referring to server side Javascript, that has nothing to do with the web browser over say, PHP. You don't necessarily get the source to a PHP-based web app when you use it. Why so much Javascript hate?
You may not be aware of the dangers of JavaScript — a problem we've deemed The JavaScript Trap — proprietary software running on your computer, inside your web browser.
Danger! Your very soul is at risk!
This page is even worse: http://www.gnu.org/philosophy/javascript-trap.html
Silently loading and running nonfree programs is one among several issues raised by "web applications". The term "web application" was designed to disregard the fundamental distinction between software delivered to users and software running on the server.
Beware, dear reader. They may be starting with this fundamental distinction... but your children will be next!
the tagline in the link reads like a scary movie trailer: >You may be running nonfree programs on your computer every day without realizing it--through your web browser.
Not to mention that should it be licensed under a free model, those security concerns don't just magically vanish. I agree with you summation their stance can be radical and preachy at times much like the Vegan community.
What the FSF doesn't get is that its actually much easier to change proprietary JavaScript than it is to modify a binary running on your system.
http://code.google.com/closure/
You can look at the (compiled version) of the code by looking at the scripts tab of the chrome web inspecter. They're there :)
For GWT normally you have to import the libraries, and then you get a lot of gibberish that looks like its been run through an obfuscator. Then in the body you have a section where you basically say 'insert stuff here', and that is where all your controls get inserted (by the magic javascript). Gmail doesn't have either of those that I can see.
I had a look at the source of gmail, and it looks like a normal page (lots of standard html controls (which you wouldn't expect to see in GWT) plus some weird ass timezone javascript at the end of it. Which does look kind of obfuscated, but probably was just run through a variable-name-shortener.
What I don't see, is any other script or onclick= stuff. And that is kind of suspicious. There's a blank script tag in the header, maybe they have a javascript that runs (to add all that junk dynamically) and then somehow erases itself (a neat trick?) or they have some other way of hiding the javascript?
We released this all some time ago under apache 2.
[1] http://en.wikipedia.org/wiki/Poes_law
If there was a open source release of the gmail client code, it would force google into maintaining an API for that code for the foreseeable future, which would require additional effort.
The closest to this request that seems remotely likely is a client side API for gmail, so that browser plugins or third party services could extend it. I see a lot of cost to Google to actually release the code, and not a ton of benefit.
Yea, exactly.
“The GNU Affero General Public License is a modified version of the ordinary GNU GPL version 3. It has one added requirement: if you run the program on a server and let other users communicate with it there, your server must also allow them to download the source code corresponding to the program that it's running. If what's running there is your modified version of the program, the server's users must get the source code as you modified it.…” — http://www.gnu.org/licenses/why-affero-gpl.html
presumably they dont want the back end of gmail being proprietary either but its not the point of the article?
JavaScript may be the most flexible language which web browsers natively understand, but HTML has long included forms (now with support for validation) and CSS lets authors program complex, interactive rules for presentation.
Even without JavaScript, websites like Gmail are undeniably applications (in this case, a mail reader, manager, and composer), some part of which are downloaded to and rendered by your own computer.
(P.S. I believe I've heard about more security vulnerabilities in browsers' handling of images than in their JavaScript engines. Also, CSS is turning complete: https://github.com/elitheeli/oddities/blob/master/rule110-gr...)
JavaScript is not different from HTML and CSS, all of these are generated by a sometimes proprietary service and executed in the browser.
This article is completely stupid because it not only misses the point of JavaScript, it even contradicts itself:
- if the UI is plain HTML/CSS and is generated server side and then fed to your browser, you will never even have a clue how it works
- if the UI is done with JavaScript on the client you can always de-obfuscate it
> Further, we've recently seen companies such as Research In Motion (makers of the Blackberry) advising customers to entirely disable JavaScript in the WebKit browser on its devices because of a security problem that was discovered.
It seems the FSF wants to build a reputation by taking things out of context and leaving out important bits. The security was probably found in the browser and not in JavaScript, this is the same as advising someone to unplug the computer because of a computer virus.
I am really disappointed by this short sighted article, the FSF should be better than this.