This blocks JavaScript that isn't explicitly licensed exactly the way they want, right? In terms of the format of the license, the @licstart and @licend comments (with no comment afterwards), etc.? That's what this does?
It also doesn't block well-known libraries. Using this addon sounds like a really good way to have a bad time on the Internet. By the logic of this, why bot block websites which have non-free content or other supporting files?
The whole premise of a website is that the owner gives you a licese of some kind to view it. Blocking only a technical part of it makes no logical sense. It's not like you are going to take the JS code under a free license that is likely dependent on the HTML structure under a non-free license and do stuff with it.
Your argument about non-free content does not apply to the gnu purposes with this plugin. Free Software is concerned with the problem of "what does my computer compute, what does it do, can i modify it". The content (images, text, video, html structure) on any website is not software
You can do a lot of dark magic with CSS or SVG too. Specifically, CSS has calc too. Website haven't just been documents for a long long time and basically nobody is going to bother keeping any computation in the JS space only.
It’s not mental illness, it’s the logical extension of principle. If you think non-free software is unjustifiable and should be avoided, you’re probably going to try to avoid using it (or, at least, promoting it).
There are three exceptions people sometimes make in their avoidance: Using non-free drivers, using non-free software for work/school, and using non-free software in the browser. It’s rational that someone would want to limit these exceptions as best they can, and LibreJS is useful for that.
I use LibreJS not to help me completely avoid non-free JS, but to make me more concious of my software use. If a site has non-free code and LibreJS pings me about it, I’ll consider if there’s a better site I should be supporting instead.
> If a site has non-free code and LibreJS pings me about it, I’ll consider if there’s a better site I should be supporting instead.
I wonder how viable this is in the age of the network effect, where most people and content can be found on like 10 big sites.
If I need an answer for something but it's on StackOverflow, YouTube, Reddit or even a Discord server, then that's just where I'll go, principles be damned. For many it's probably the same way with X vs Mastodon, the latter of which does feel more wholesome but can get lonely, or at the very least limits your reach. Same with social media or professional sites like LinkedIn. Same with using one of the more popular browsers, OSes, drivers or a lot of other proprietary software.
Not to dismiss anyone who cares deeply about free software, but honestly I wonder what % of people are actually committed to those ideals and how many are just cruising through life with whatever is the most popular option with least troubles for everything.
This is a very common occurrence: convenience or perceived necessity trumping principles.
> I wonder what % of people are actually committed
Almost 0%, if by “actually committed” you mean consistently applying these principles in practice, in the face of inconvenience.
I nevertheless believe that having principles, however vague and sometimes inconsistently applied, is a good thing, in that it structures thought and informs action. It gives a way to discuss how things “should” be.
I don't think many developers would even consider "properly licensed" javascript to be subjectively "better" in any way simply because they don't care.
Not saying that you don't or shouldn't care yourself, but IMO it is seen as a total non-issue for the vast majority of people. And I'm not sure LibreJS is doing much in the way of trying to convince people otherwise (besides breaking half the internet), but maybe I'm wrong.
For me, including firmware as software is where the movement loses me. Do we then move on to microcode? Why don’t we need to know the VHDL or Verilog used for the chips?
If I buy a computer designed using non-free software, isn’t that just as bad as buying shoes made in a sweatshop?
My problem with applying principles to an artificially low level is that it lays bare the inherent dishonesty in the principle.
In sending this message, an unknown but certainly non-zero number of proprietary systems will be invoked. Can RMS ethically post on Lemmy from any platform? Why is this ok? And if it is, why can we not use web pages that rely on transient but nevertheless client-side JavaScript?
It's not mental illness, just capture by a figurehead they won't remove who's so detached from how modern computing works that he doesn't even know how to update his own website.
In addition to the documented+recommended format, it also supports a few others. But yeah, it's pretty picky about how the license statement is formatted.
> This blocks JavaScript that isn't explicitly licensed exactly the way they want, right?
The way you want. Nobody forces you to run this plugin. You can run this plugin, or not, or even change the plugin source code to better fit your needs (something that you cannot do with the javascript programs this add-on is designed to protect you from).
Wow it's really cool that Stallman and others created a definition of Free Software for the modern web. Sadly it seems this is old news. There hasn't been any commits to this project's git in the last two years. There's also no date on the article, so I can't easily tell how old this is. https://www.gnu.org/software/librejs/ I wish there was more respect for the devotion and principles that go into making something like this. You'd think at least the hacker community would understand, of all people.
OTOH, there hasn't been a test release since 2016, so keeping that section does contribute to the idea that it's no longer active.
It's clear the page is pretty old, with both "http" and "ftp" download links. FWIW, the http link redirects to https, and (warming the heart of this old Unix developer) the ftp link still works.
This seems to work very well. So far no UI issues with browsing my top 20 websites. Observed benefits: prevents adds, some toxic material, and even bypasses some paywalled news sites I visit.
Wouldn't you get the same benefits by turning off JavaScript altogether? I'd expect there to be very little trivial JS (by that extension's definition) on the vast majority of sites that use JS.
for me this works better than blanket turning off js and there seems to be alot of trivial js on cnn, reuters, and bbc wesbites. you can investigate the js which the addon regards as trivial
Client-side JavaScript is always distributed[1] source[2] code - because your web page is distributing it to the user's browser. So AFAIK you shouldn't use GPL nor LGPL code in your pages unless all your client-side JavaScript in the page is appropriately licenced. Minified or obfuscated is still source code (you must provide original source as per license).
Client-side LGPL JavaScript is neither statically linked nor dynamically linked but potentially could be a "mere aggregation" i.e. it is hard to use LGPL legally. Perhaps you could meet the legal definition of calling a library by using web assembly or web workers (see your IP lawyer!).
Unfortunately the FSF appear to be intentionally vague when documenting this issue.
It is possible to write Javascript code which is strongly bound to a particular HTML document. The Javascript code in this case would have hard-coded references to parts of the HTML document and would rely on that document's particular structure to work. This would be a strong indication that the Javascript and the document should be considered a single work.
All code ran by users is distributed source code. Not sure what is the distinction you are mentioning
> Unfortunately the FSF appear to be intentionally vague when documenting this issue.
This is only unfortunate when you don't allign with their purpose, in which case there is no reason to talk of using GPL at all. For people who allign with these purposes, this "vagueness" is fortunate
That is object code (I wrote source code incorrectly).
But if the object code is part of a work then you may need to provide your "Corresponding Source" TypeScript code plus build files plus sometimes compiler tools. See my other comment https://news.ycombinator.com/item?id=40340774
The GPL and FSF are difficult to comply with depending on your situation. Also depends on your jurisdiction and the jurisdiction of the client using the browser (amongst other complexities).
> Client-side JavaScript is always distributed source code - because your web page is distributing it to the user's browser. […] Minified or obfuscated is still source code (you must provide original source as per license).
Yes. Transformed/minified/obfuscated is object code.
And when you convey object code then you need to provide the "corresponding source" as per section 6.
But my comment is more about: how much of a web page is a "work based on the Program" or "modified version" when you distribute/convey GPL licensed JavaScript as part of your page?
“The Program” refers to any copyrightable work licensed under this License.
A “covered work” means either the unmodified Program or a work based on the Program.
Propagation includes copying, distribution (with or without modification), making available to the public
To “convey” a work means any kind of propagation that enables other parties to make or receive copies
The “Corresponding Source” for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work.
6. Conveying Non-Source Forms. You may convey a covered work in object code form [snip] provided that you also convey the machine-readable Corresponding Source under the terms of this License ...
This is not legal advice.
The FSF appears to be deliberately unclear about how GPL and JavaScript interact. And LibreJS is fairly useless to help you legally decide if your web page is a derived/modified work or not.
This is like the meme with a guy riding a bike sticking it in the front wheel, getting hurt and in this case blaming javascript.
I don't get the hate against javascript tbh. With this, web components won't work I assume unless the license is known before hand? Or is that considered trivial?
What about wasm? Does it block that? Javascript is at least better than wasm since you can inspect javascript. So people that hate javascript should really hate wasm.
You clearly aren’t familiar with GNU or the Free Software Foundation. There’s nothing wrong with that: everybody starts out without being familiar with anything.
In a nutshell, Richard Stallman worked in MIT’s AI lab in the 1970s. The lab had a certain ethos that he loved ( https://www.gnu.org/gnu/rms-lisp.html , https://www.gnu.org/philosophy/stallman-kth.en.html ), but when it became common for software to be sold without the source code, he actually decided to start a foundation to recreate that lab ethos ( https://www.gnu.org/gnu/manifesto.en.html ). A lot of programmers agree with his view that refusing to give users source code, and legal permission to use that source code without restriction, is a terrible afront to freedom.
However, people have spent decades telling Stallman that if they adopted his principles, they couldn’t use their computers in the modern world. Every so often, he makes a declaration about various distinctions (it’s okay to use a computer even though the firmware isn’t free; it’s okay to read documents on the web, but any JavaScript should be treated as a program and you should insist on an acceptable license; he, personally doesn’t own a cell phone, but sees no problem with using somebody else’s non-free phone in a case-by-case basis; etc.). This is simply an extension to enforce one of his rules. Some programmers will feel bad about themselves if they don’t live up to Stallman’s expectations.
I’m honestly surprised I didn’t get any “how dare you say it’s all about feeling bad if we don’t do what Stallman says?” comments. I was trying to play it as straight as I could, without sounding like a crank. I’m not always successful.
GNU licenses don't mandate for the source code to be sent all te time. It only says that it must be available upon request, and the author must give pointers to get it (an url to download content or inspect it, an email to ask, ...)
Couple of issues with that, how does this plugin know that this wasm-blob is together with a certain source? Since wasm is often the compile target and don't have comments afaik how do you really tell the plugin what license it is?
I guess what I am really asking is how would it say so? Because even if it is free software I assume this plugin would block it anyway since it don't know.
You could write an html comment just above it but how will I as a website owner know that this plugin:
1. Exists.
2. How to respect it.
There are plenty of plugins but this seems just like a plugin if you like to suffer when you really don't have to. I can kind of understand the goal of the FSF and I do hate some modern software today and companies trying to remove ownership but I have never thought the way FSF is doing stuff is a good way to reach their goal.
* If an identifier is ever followed by the square bracket indexing operator, it's non-trivial. (Looking at Stallman's requirement, it looks like this should only apply to accessing properties on an object, but the authors don't seem to have found a way to differentiate using [] on an object's identifier and [] on an array's identifier)
* If there are more than three loops, it's non-trivial.
* If it uses fetch(), chrome, browser, XMLHttpRequest, or eval(), it's non-trivial.
Oddly, referencing "document" is commented out, even though Stallman explicitly said any DOM modification makes a script non-trivial. I wonder what broke (outside of what they expected to break).
<script id="harmlessNullScript" type="text/javascript"></script>
<skript id="derp" style="display:none;">
/**
* @license Proprietary
* @copyright Copyright 2018 Ryan Castellucci, All Rights Reserved
*/
// WARNING: Code here needs to avoid the "less than" symbol.
(function(){
// LibreJS modifies the text of script tags onced they've been
// checked, which offers a very convienant way to detect it.
if (harmlessNullScript.textContent.indexOf("LibreJS: ") > 0) {
eval("alert('LibreJS detected, but non-free eval works');");
}
})();
</skript>
<script type="text/javascript">
/**
* @license Proprietary
* @copyright Copyright 2018 Ryan Castellucci, All Rights Reserved
*/
// An eval that works in the WebExtension port of LibreJS.
// Untested on the original XPI version.
Function(derp.textContent)();
</script>
In any event, there are a lot of ways to eval code...
This is one of those things that I agree with the ideas behind it. Free Libre software and all of that BUT in trying to deal with this via a web addon considering the scale of, the internet, It feels like there is no way this could ever achieve its goals. I mean how much JS out there doesn't even have a license explicitly defined on run time?
And when you run it that is exactly what happens. It assumes the worst and the vast majority of things do not work. All it really does is slow your browser down to an absolute crawl as it tries to do its thing. I just ended up with Noscript and making a few exceptions where needed. It is a much better middle ground than this.
I would consider myself a Stallmanite, I guess. I use a fully 100% Libre software stack/OS/Firmware where possible - but Libre JS was just a little too unusable too me. When you are running a 2.4Ghz Core 2 Duo - it runs SLOW!
Trying this out, it seemed ok right up until trying iDRAC7 on my homelab servers. :(
Even after whitelisting the domain for the iDRAC interface on the servers, just having it installed is completely breaking the remote console (something I need to use multiple times a day).
60 comments
[ 3.1 ms ] story [ 131 ms ] threadThe whole premise of a website is that the owner gives you a licese of some kind to view it. Blocking only a technical part of it makes no logical sense. It's not like you are going to take the JS code under a free license that is likely dependent on the HTML structure under a non-free license and do stuff with it.
What about things like htmx that put logic directly into html attributes?
There are three exceptions people sometimes make in their avoidance: Using non-free drivers, using non-free software for work/school, and using non-free software in the browser. It’s rational that someone would want to limit these exceptions as best they can, and LibreJS is useful for that.
I use LibreJS not to help me completely avoid non-free JS, but to make me more concious of my software use. If a site has non-free code and LibreJS pings me about it, I’ll consider if there’s a better site I should be supporting instead.
I wonder how viable this is in the age of the network effect, where most people and content can be found on like 10 big sites.
If I need an answer for something but it's on StackOverflow, YouTube, Reddit or even a Discord server, then that's just where I'll go, principles be damned. For many it's probably the same way with X vs Mastodon, the latter of which does feel more wholesome but can get lonely, or at the very least limits your reach. Same with social media or professional sites like LinkedIn. Same with using one of the more popular browsers, OSes, drivers or a lot of other proprietary software.
Not to dismiss anyone who cares deeply about free software, but honestly I wonder what % of people are actually committed to those ideals and how many are just cruising through life with whatever is the most popular option with least troubles for everything.
This is a very common occurrence: convenience or perceived necessity trumping principles.
> I wonder what % of people are actually committed
Almost 0%, if by “actually committed” you mean consistently applying these principles in practice, in the face of inconvenience.
I nevertheless believe that having principles, however vague and sometimes inconsistently applied, is a good thing, in that it structures thought and informs action. It gives a way to discuss how things “should” be.
Not saying that you don't or shouldn't care yourself, but IMO it is seen as a total non-issue for the vast majority of people. And I'm not sure LibreJS is doing much in the way of trying to convince people otherwise (besides breaking half the internet), but maybe I'm wrong.
If I buy a computer designed using non-free software, isn’t that just as bad as buying shoes made in a sweatshop?
My problem with applying principles to an artificially low level is that it lays bare the inherent dishonesty in the principle.
In sending this message, an unknown but certainly non-zero number of proprietary systems will be invoked. Can RMS ethically post on Lemmy from any platform? Why is this ok? And if it is, why can we not use web pages that rely on transient but nevertheless client-side JavaScript?
The way you want. Nobody forces you to run this plugin. You can run this plugin, or not, or even change the plugin source code to better fit your needs (something that you cannot do with the javascript programs this add-on is designed to protect you from).
I am honestly not sure were you got the 2 year commit gap, the latest commit is 3 months ago on master
https://git.savannah.gnu.org/cgit/librejs.git
> There's also no date on the article, so I can't easily tell how old this is
The article is many many years old, archive.org has a snapshot of it from 2012
OTOH, there hasn't been a test release since 2016, so keeping that section does contribute to the idea that it's no longer active.
It's clear the page is pretty old, with both "http" and "ftp" download links. FWIW, the http link redirects to https, and (warming the heart of this old Unix developer) the ftp link still works.
Probably from https://pagure.io/librejs/commits/master which is also mentioned on the page and supposed to be a mirror.
Client-side LGPL JavaScript is neither statically linked nor dynamically linked but potentially could be a "mere aggregation" i.e. it is hard to use LGPL legally. Perhaps you could meet the legal definition of calling a library by using web assembly or web workers (see your IP lawyer!).
Unfortunately the FSF appear to be intentionally vague when documenting this issue.
For more details see:
https://greendrake.info/publications/js-gpl
https://opensource.stackexchange.com/questions/4360/what-are... (be careful reading it because part of that answer is about what circumstances client-side GPL mean that the server-side should be GPLed).
This issue can affect the HTML and CSS too:
Edit: [1] Well conveyed: https://www.gnu.org/licenses/gpl-faq.html#ConveyVsDistributeEdit: [2] or object code (transpiled/minified) but distributing/conveying object code usually requires you to provde source.
> Unfortunately the FSF appear to be intentionally vague when documenting this issue.
This is only unfortunate when you don't allign with their purpose, in which case there is no reason to talk of using GPL at all. For people who allign with these purposes, this "vagueness" is fortunate
For interpreted (or JIT-compiled) code, then yes, by definition, the source needs to be distributed to end users in order to be executed.
For compiled code, only the resultant binary needs to be shared after compiling the source.
What about if my source code is in TypeScript and gets transpiled + bundled + minified into JS? Is that still source code?
That is object code (I wrote source code incorrectly).
But if the object code is part of a work then you may need to provide your "Corresponding Source" TypeScript code plus build files plus sometimes compiler tools. See my other comment https://news.ycombinator.com/item?id=40340774
The GPL and FSF are difficult to comply with depending on your situation. Also depends on your jurisdiction and the jurisdiction of the client using the browser (amongst other complexities).
Minified or obfuscated is certainly not source code under GPLv3’s definition <https://www.gnu.org/licenses/gpl-3.0.html#section1>:
> The “source code” for a work means the preferred form of the work for making modifications to it. “Object code” means any non-source form of a work.
The transformation very obviously makes it be considered object code.
And when you convey object code then you need to provide the "corresponding source" as per section 6.
But my comment is more about: how much of a web page is a "work based on the Program" or "modified version" when you distribute/convey GPL licensed JavaScript as part of your page?
Abridged excerpts from: https://www.gnu.org/licenses/gpl-3.0.html#license-text
This is not legal advice.The FSF appears to be deliberately unclear about how GPL and JavaScript interact. And LibreJS is fairly useless to help you legally decide if your web page is a derived/modified work or not.
Congratulations, you've been shipping the built objects and need to provide the source now too for license compliance. ;)
I don't get the hate against javascript tbh. With this, web components won't work I assume unless the license is known before hand? Or is that considered trivial?
What about wasm? Does it block that? Javascript is at least better than wasm since you can inspect javascript. So people that hate javascript should really hate wasm.
Also, how can the plugin know if the provided source code is correct without compiling it and comparing the outputs?
In a nutshell, Richard Stallman worked in MIT’s AI lab in the 1970s. The lab had a certain ethos that he loved ( https://www.gnu.org/gnu/rms-lisp.html , https://www.gnu.org/philosophy/stallman-kth.en.html ), but when it became common for software to be sold without the source code, he actually decided to start a foundation to recreate that lab ethos ( https://www.gnu.org/gnu/manifesto.en.html ). A lot of programmers agree with his view that refusing to give users source code, and legal permission to use that source code without restriction, is a terrible afront to freedom.
However, people have spent decades telling Stallman that if they adopted his principles, they couldn’t use their computers in the modern world. Every so often, he makes a declaration about various distinctions (it’s okay to use a computer even though the firmware isn’t free; it’s okay to read documents on the web, but any JavaScript should be treated as a program and you should insist on an acceptable license; he, personally doesn’t own a cell phone, but sees no problem with using somebody else’s non-free phone in a case-by-case basis; etc.). This is simply an extension to enforce one of his rules. Some programmers will feel bad about themselves if they don’t live up to Stallman’s expectations.
How can it know when to block a website? Does an human curate a white/black list of valid websites?
I guess what I am really asking is how would it say so? Because even if it is free software I assume this plugin would block it anyway since it don't know.
You could write an html comment just above it but how will I as a website owner know that this plugin:
1. Exists.
2. How to respect it.
There are plenty of plugins but this seems just like a plugin if you like to suffer when you really don't have to. I can kind of understand the goal of the FSF and I do hate some modern software today and companies trying to remove ownership but I have never thought the way FSF is doing stuff is a good way to reach their goal.
* If an identifier on the banned list exists, it is non-trivial. The list is here: https://git.savannah.gnu.org/cgit/librejs.git/tree/common/fn...
* If an identifier is ever followed by the square bracket indexing operator, it's non-trivial. (Looking at Stallman's requirement, it looks like this should only apply to accessing properties on an object, but the authors don't seem to have found a way to differentiate using [] on an object's identifier and [] on an array's identifier)
* If there are more than three loops, it's non-trivial.
* If it uses fetch(), chrome, browser, XMLHttpRequest, or eval(), it's non-trivial.
Oddly, referencing "document" is commented out, even though Stallman explicitly said any DOM modification makes a script non-trivial. I wonder what broke (outside of what they expected to break).
https://rya.nc/files/librejs-poc.html
In any event, there are a lot of ways to eval code...And when you run it that is exactly what happens. It assumes the worst and the vast majority of things do not work. All it really does is slow your browser down to an absolute crawl as it tries to do its thing. I just ended up with Noscript and making a few exceptions where needed. It is a much better middle ground than this.
Even after whitelisting the domain for the iDRAC interface on the servers, just having it installed is completely breaking the remote console (something I need to use multiple times a day).
Damn, I wanted this to be ok too.