JavaScript
Formal Metadata
Number of Parts | 199
License | CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/32555 (DOI)
FOSDEM 2014, 176 / 199
Transcript: English (auto-generated)
00:03
Are there any other MDCs? There's one? Okay, so one of you guys can take that MDC back there. Is there one in the middle to use? Nope.
00:22
Stand in the far wall. Four more on this wall. You want in?
00:40
Two more. You go ahead. You want to stand over here? Okay, two more is okay. You're the last one. All right. It was never open.
01:06
Hello everybody. I'm John Sullivan. I'm the executive director at the Free Software Foundation. This is such an awesome conference but it's so much fun to speak to so many people and talk about free software so thank you for having me here.
01:26
Our goal at the Free Software Foundation is not just to promote free software or to tell people that it's a good thing. Our goal is actually to create a world where everything that anybody wants to do on their computer can be done with exclusively free software. So in the FSF utopia there actually is no proprietary software and yet
01:44
everything still works. So that's ultimately what we're aiming for and I have to emphasize that at the beginning of every presentation because I think it's something that really distinguishes the way that we approach things. Right now we have a problem. We for many years have been working to create a laptop or to bring about a laptop that could be a fully free system
02:04
not just the operating system, GNU/Linux running on it, but also things like the boot firmware, you know, what used to be the BIOS, what now is a different kind of boot system. And it was that last part that was always the huge obstacle because that type of programming is very difficult and manufacturers are very uncooperative.
02:20
So just recently we were finally able to endorse a laptop under our Respect Your Freedom hardware program which not only runs a fully free operating system but also has a free boot system and runs the boot system without loading any binary blobs to power any of the drivers on board. Does the fact that it's a ThinkPad mean that other ThinkPad
02:40
models are within reach for this? I think so. So you might think that the problem that I was talking about is that this machine is several years old. That's not actually that big of a problem because it is still a workable machine for everything that I do and everything that a lot of people that I know do. You're not going to be able to play 3D games on it but you are able to at a fine speed do your email, web browsing, and everyday
03:03
computing. So this is a huge win for us and we're excited about it and we're hoping that the momentum coming from this and the work being done especially by Coreboot which is an amazing project to free the boot firmware on servers and laptops and systems will be able to get more of the ThinkPad models running. The current obstacle is that more ThinkPad models
03:23
are running but they don't all, some of them still require some proprietary bits for example to start the video before the kernel starts the video and things like that. But we have a lot of hope now which we haven't had for this level of hope for quite a while. So that's great. So what's the problem? Well the problem is that we have a fully free system
03:43
and yet users that make some sacrifices to commit to this kind of system are still being asked to run proprietary software every day when they use their computer. And that proprietary software is JavaScript. When you visit just about any website now you're served programs in the background just like any other program that you're running on your computer. Those programs
04:04
execute locally on your machine and they are very often non-free software. So Richard Stallman back in 2009 called this the JavaScript trap and he was referring to an earlier trap called the Java trap. And the way he explained it is your program though in itself free may be restricted by non-free software
04:23
that it depends on. Since the problem is most prominent today for Java programs we call it the Java trap. Well now we have a similar kind of trap where even though you are using a free operating system and everything in front of you is free you are ending up still running non-free programs and your computing life is depending still on non-free programs. So why
04:43
is it a trap any more than any other programming language that can be used to produce non-free software? Well it's because JavaScript is assumed. It's a fact of using the web now and just to highlight an example of how much of an assumption and necessary part of the web it is today Mozilla recently kind of hid the option to disable
05:04
JavaScript in Firefox. And they did it understandably because users including me embarrassingly enough would turn off JavaScript forget that they'd done it and then wonder why Firefox wasn't working properly. So to eliminate user confusion they've moved it into a more advanced configuration area and that to me is just an example of how
05:23
necessary JavaScript has become and how hard it is to avoid it. But we don't want to avoid all JavaScripts. We just want to avoid proprietary JavaScript. We have no particular aversion to one programming language. It's what's done with that programming language.
05:40
JavaScript programs are almost always non-free. And I'm going to explain why because there are some very popular free software JavaScript programs, but I'll talk more about the ways in which it's actually distributed to you make it non-free. This is also enabled by the fact that at least anecdotally
06:00
the license count numbers that you might see comparing the GPL to other licenses and permissive vs. copyleft licenses, those numbers are almost always based on horrible data. So if you see any of those you should take them with a pound of salt. But anecdotally I think it's not too much of a stretch to say that in the world of JavaScript, permissive licenses
06:20
are a very common choice. So this kind of trap hurts. And like any other non-free software, we shouldn't wait for proprietary software to burn us before we start working to get away from it. We have a very nice, in a terrible way, list of proprietary software abuses
06:40
being accumulated on GNU.org. Just to make some specific points, we can highlight some of the ways that JavaScript is used to harm users, and specifically proprietary JavaScript. So harms are done to users, which could have been avoided if the JavaScript were free. A very relatively popular one is the implementation of the copy and paste buffer when you try to copy something out of your browser
07:04
and paste it somewhere else. This site you can visit has a nice little demonstration of that, and it's harmless. But you can imagine a very harmful version where you copy something and you're reading a page of technical instructions, let's say, about how to configure a piece of software, and it tells you to type this into your shell. So you copy that command,
07:24
you go to your shell, you paste it, hit return, and oh wait. What just pasted into my shell was not what I copied off of the webpage. What I just pasted was a deletion command. What I was trying to copy was a git checkout command. So JavaScript has the capability to modify what's in your copy buffer. You also see less sinister
07:44
uses of this these days when you are, for example, copying a link to a news site article like the New York Times or some other place, and you paste it. They have suddenly decided to start attaching little attribution notices to the end of the links. So when you go to write a blog article about it, a news article you read, and you paste
08:04
the link in, you'll get an additional advertisement for whatever site you copied it from. So that's pretty dangerous. And annoying. JavaScript can be used to block browser functions. You don't see this quite as much anymore, but it's still out there. If you're visiting a site that has
08:20
somebody's photos, and you try to right-click to save that image to your hard drive, and this box pops up that says you cannot violate my copyright. That's sort of this JavaScript-enabled DRM, which is easy to defeat when you just disable JavaScript. Since you don't want to run around the web without JavaScript, it does become a little bit
08:40
more annoying. JavaScript can record your keystrokes when you're typing in a text box or filling out a form, and that obviously has a lot of useful applications, but you can imagine the many sinister things that could be done by a program whose source code you can't read and nobody else can read the source code and it has the power to record your keystrokes and do things with them.
09:02
That's not nice. Oh, and it can be used to deliver actually very powerful malware. There was a compromise in the Tor network. Well, a compromise directed at Tor users, I should say, which involved use of JavaScript.
09:22
So these things are true of any programming language. Any programming language can do bad things to you. If the source code is out there, then we have the ability to take a program and make a new version of it that doesn't do those bad things. It's not that you couldn't implement free software to do this. You could, but someone else could come along and change it and take out the negative feature or the
09:44
anti-feature. And of course there's also lots of benefits to having free JavaScript, just like there's benefits to having free programs in any other language. Userscripts.org is a site that has Greasemonkey scripts that you can run in your browser to customize the behavior of various sites, do things like enable you to
10:03
download videos from video streaming sites and that sort of thing. And this was a big inspiration or a big reason for us to take a serious look at this problem because you can just get a taste of the types of things that you could do on a regular basis if your browser was set up to allow you to run your own
10:23
JavaScript, your own modified JavaScript program in place of a JavaScript program that a server would normally ask you to run. Browse the site and you get some idea of the different types of things we could do if we had more freedom in this area. Now this site and Greasemonkey alone don't solve the problem because these scripts don't necessarily replace, they don't
10:43
have the capability to replace scripts that are being delivered to you as much as they can modify them afterward and change their behavior. So if you are living in a free world you want the ability to actually stop a non-free thing from running entirely and replace it with your own free program or even to stop a particular version of a free program from running and replace it with your own free version or
11:03
another person created for you. So the question is what's needed to solve this problem? How do we make JavaScript free? How do we avoid those dangers that I highlighted and also get some of these benefits that are out there? So there's just a two point basic checklist for freedom here. It's very simple for people that have
11:22
gone over and are familiar with licensing but you just need to provide a license notice because if you don't do that in most parts of the world you are default copyright applies to the work, and a copy of the free license. Now, not every license requires you to distribute a copy of it along with the software, but in order to build an effective
11:42
free community and encourage people to value their freedom you kind of have to let them know that they have it. So that's an important element of distributing software that you want to be free whether you're using GPL or not. And then of course you have to provide the complete and corresponding source code and this gets back to
12:02
the permissive licensing question. A program may be licensed under permissively to enable you to distribute it in binary only form or in source code form as you choose but if you're distributing it as a binary and not giving the person the source code you are giving them a piece of proprietary software. You're just giving them a binary
12:22
just because that software is available somewhere else as free software that's not what you're giving them. So it's important when you're distributing the software if you want it to be free you need to convey the source code to the user. And the failure to do these two things is the reason why most JavaScript in use today is not free
12:42
and it doesn't have to be that way. A lot of JavaScript could very easily be made free. So we have some obstacles to doing that. One is my bandwidth is bigger than your freedom. JavaScript is, you know, the files are served as you load a page so the page needs to load quickly. You don't want to sit there and wait a long time.
13:03
People have to pay for their bandwidth when they're serving the site to you so there's a big incentive to compress the JavaScript to make it smaller. The process called minification is essentially a kind of compilation. It also means of course they don't want to give you a copy of the license every time they give you a file. That would be ridiculous to have to receive
13:21
a copy of the GPL with each individual JavaScript file that was loaded on a page. That would actually add up to a significant amount of bytes. So we're not asking people to do that. But we do need to look at this minify question. So minified JavaScript is not source code. Now it's not text. It's not object code. It's not a binary
13:41
in the same sense that a compiled C program is. But the definition of source code is the preferred form for modification. What does the programmer use when they are working on the program? They do not work on the program in a minified fashion. Just a taste for why. And that's cut off because
14:01
there's no line breaks. It just keeps going. And you can see what's been done. The variable names and function names have been reduced to letters. Sort of things that were in other languages are considered classic obfuscation techniques are used in order to save bandwidth and speed things up.
14:21
So this is not source code. There are JavaScript files that are frequently served as source code. JavaScript being a scripting language. It's a very common format. But especially for larger sites, that's not the way you usually receive it. So the first step to fixing this problem is to provide the source code. Now there's
14:41
two ways to do it. You could just serve the source code. Honestly, all of our lives would be a lot easier if that happened in some ways. But failing that you can add a comment to the minified file which links people to the source code. And we have just a simple stylized comment format
15:01
for that that people can follow. And then you also need to, and an important part of this, I'm talking about this in general free software terms, but we did come to this problem to come to thinking about this problem also because we were trying to think through what does it mean to comply with the GPL when you're using JavaScript?
15:21
Like I said, we wouldn't ask people to send a full copy of the source code with every minified JavaScript file. We wouldn't ask people to send a full copy of the GPL with every JavaScript file that's served. So adding a comment like this which directs people to the source code in a manner
15:41
as described in the license itself, you have to make sure that that URL continues to exist as available for as long as you distribute the minified version, etc. is a legitimate way to satisfy the source requirement. Why does the GPL not require that you send a full copy of the GPL with every piece of minified JavaScript source code?
16:02
We're getting to that. It's a good question because it's not entirely clear. You have to think about things like what is the program? Are all of the scripts that are being delivered and run all part of the same program? Or package? So if you ship a package in a distribution that's licensed under the GPL
16:21
you don't have to include a copy of the GPL for every file that's in there. Part of this just comes back to the question of what's the work. We also have another proposal to link up the copy of the license to the code itself. So you also need to provide a free license notice even when it's minified.
16:41
One way to convey the license information even with a minified file is just to tack a comment on to the top of the minified file which has the license notice that you would normally use in a program to say it's licensed under the GPL or it's licensed under another free license.
17:02
So is this suggestion that would have in the case of GPL the suggested notice? So I'd imagine, and I'm not a developer, that if you're already doing this minified file, the number of
17:24
character, that's a very long notice. Do you think that for GPL compliance purposes a shorter version of that would be? So I have another version to show you which is a different approach and one that we actually like better for similar reasons.
17:44
There is a note that one sort of easy way to deal with all of this if you are the copyright holder for the JavaScript program you can actually add an exception or an additional permission which GPL version 3 allows you to do. It's described in section 7 and that permission can say you may distribute minimized or compacted forms of this code without
18:04
the copy of the GPL normally required, provided you include this notice and a URL which links to the corresponding source code. So if you're the copyright holder you can essentially say this is a JavaScript program, I'm not expecting you to provide a copy of the GPL with every time you serve it as long as you include this notice and as long as you are actually distributing
18:24
the source code when it's minified. But you're probably not the copyright holder, so we need to talk about other solutions. So we have a format called JavaScript Web Labels. It's a structured format to consistently conveniently convey
18:43
both the copy of the license and the corresponding source code at the same time without some of the drawbacks that we've highlighted here. The description is online at gnu.org of the format and the announcement was actually made back in 2012.
19:01
So the goal of this format is to be machine readable to provide machine readable information about the licensing of JavaScript served by a site, but it is also really intended to be human readable because it's the human in the end who needs to know what the license is and needs to know where to get the source code from.
19:21
So we think we can accomplish both goals, but if it comes down to it sending somebody a copy of the GPL is not just a perfunctory act of compliance, it has a purpose which is to communicate to users what their rights are when they use the software. So it's important to us that it has that human element and not just be a machine
19:41
driven thing. So the way this format starts out, I'm just going to walk through it. In the footer of your website, you have a link which says, say, JavaScript licenses. Just like you might have a link for other copyright information on the bottom of your site, and this is the footer at FSF.org. Under the hood
20:02
that could look something like this. The important part is that it has this REL element to it because that's part of what enables it to be a machine readable format. And then that link goes to a page that looks something like this
20:21
but it could be prettier if you so desired. This is the human readable version of it. So we have three columns here. The first column is the name of the script as it's being served to the user. So these are all of the scripts that are served to a user of FSF.org in different cases. So this
20:41
would usually be your minified version on the left here, if you have a minified script. In the middle, you have the licensing information so a link to the license. You can have multiple licenses, so jQuery is licensed under both the expat license and the GPL.
21:01
So you can list dual license items. And then the right hand column is the source code. So that's the unminified version. So you can see, if you're a user looking for the source code, you just find the minified file name in the left column, you see what the license is, and then you find the source code. And
21:21
this is just an HTML table. A row of it, or a very simple version of the table, can look like this. The important part is the ID of the table in order to be a machine readable way. And then the rest of it is just the HTML for what I explained.
21:42
The licensing link in the middle here can also be a magnet link, which I'll explain in a minute, but a magnet link being a URI that identifies a resource on the web by its metadata rather than a specific URL. So that's a little bit more resilient
22:02
than pointing to a copy of a license on a specific server. There are some, I've been showing you the FSF's web labels, but there are some cases of this in the wild. EFF has been experimenting with it, so this is their version of the web label. Looks a little nicer.
22:22
I mentioned, been talking about how we want this to be automated, and I highlighted some of the particular things about the format that are there for that purpose. So where does the automation come in? Right now we have a piece of software called LibreJS. You said that it was supposed to be machine readable. So the EFF on the right has "see below",
22:41
which presumably is not a machine readable way. The format is very, everything in the right hand column is going to be interpreted as the source link by the machine. If the machine actually followed that "see below" link they probably wouldn't find the source for the thing on the left. Well it would, because the screwed up part here is the human readable
23:04
portion, the "see below". The HTML underneath this does point to the right place. So I don't really understand. I think maybe you can see by these file names I suspect they're doing this in some kind of automated fashion to catalog their scripts. But if you also go lower, they do have non "see below" entries down there.
23:22
So my other question is, if a machine is trying to decide whether or not to run some JavaScript based on this information, how do they, it seems to me like they would have to be able to interpret the URLs in the middle license column and know whether those URLs led to free licenses or not. So if you're hosting your own copy of the GPLv3 you would have to download it and see if it figured out
23:44
it was the GPLv3 and that kind of thing. Yeah that's a strength of the magnet link I think as a way to partially solve that problem. So LibreJS is a browser extension that you can use for Mozilla based browser
24:03
and it's like a new project and it actually looks, checks when you turn it on, it looks at every site that you visit and it checks the JavaScript and it looks for any of those methods that I've described so far. So it checks for a license notice in the JavaScript files themselves. It checks for
24:22
a web label page and then it tries to evaluate and see which scripts are free, which scripts are not and it gives you a report. By default right now it will also actually block all of the non-free scripts and allow the free ones. They're actually adding a mode to it now so that you can just have a warning
24:42
as opposed to outright blocking all of the non-free scripts because what we found very quickly is that this is, you know, in the end it ends up right now it's essentially a way to turn off JavaScript on the web. Which is not what we want it to be. We want it to be a way to selectively enable JavaScript on the web. So
25:02
but I think it's important for people to try it out, to start using it to do the usual thing of reporting bugs with it and seeing how the experience works for you but also just to kind of, you know, open eyes a bit to what the problem is here. There is another aspect to this which is, like I said, the reason a lot of JavaScript is non-free
25:22
currently isn't because it has to be that way, it's because it's just not clearly flagged as being free but in fact if you were to go to this Git repository over here you could get the very same software as free software. So when you visit a site with LibreJS it's not really, and there are a lot of scripts blocked, it's not really appropriate to go burn down the
25:42
webmaster's house because they're distributing non-free software. What's appropriate is to have a conversation about, it looks like you're trying to distribute it looks like you understand free software and you're trying to use jQuery and other free software, JavaScript libraries it would be really helpful if you would explicitly say that in those files so that people
26:02
were aware that you were using free software. It's that conversation that needs to be had more than the super critical approach right now. Of course as soon as you start talking to people about this there's lots of ideas for how this could be done so we're often asked why did you do it some other way than the way LibreJS
26:22
does it, why this particular web label format and we're not actually committed to doing it only this way. What we care about at the FSF is actually the problem itself. We need a way to be able to get free JavaScript and not free JavaScript and we need a way to be able to distribute copyleft JavaScript. So anything that
26:42
satisfies those conditions we're interested in talking about and there have been other conversations, people have suggested using HTTP headers to convey JavaScript licensing information, people have suggested using RDF some people aren't a huge fan of the kind of structured HTML table approach, it's a little bit arbitrary.
27:02
All these things can happen and what's more there doesn't necessarily have to be just one way of doing it. LibreJS is written so that it can actually add other methods of verification so if there was another one that got some traction like HTTP headers then that could be rolled into the plugin as well. So
27:21
we're interested in hearing feedback and criticism and suggestions about this format but it's also not from the standpoint of wanting this to be the only way. So beyond that, how do we get this trap actually closed? So the Java trap was in the end solved by a combination of really hard work by free software hackers
27:41
to write free versions of the Java platform and then partly because of that Sun did the right thing and re-licensed the platform under a free software license. So the analogy, in this case we're closing the JavaScript trap we need to convince our browser makers that
28:02
this is an important thing that as part of their general mission to protect their users' privacy, security, and freedom that this is something that they should try to enable, whether it's incorporating LibreJS or that exact method is a different question but incorporating some way for users to deal with this would be a huge help toward closing
28:21
the trap. And we need people to help, for one thing, just fix the JavaScript that is already free and just not labeled that way. We need people to write free software JavaScript and we need to convince people to use the free software JavaScript. Some specific next steps that we have in
28:41
software terms, there's many improvements that can be made to LibreJS. It can get faster, it can have a nicer interface, it can enable different kinds of whitelisting, there's lots of things that can happen with it. It's a very new project and so there's a lot of opportunities to get involved with it. We need it for mobile devices. I've just been talking generically but
29:01
JavaScript on a mobile device is the same thing as JavaScript on the computer but the programming for the extension and manner of dealing with it might need to be a bit different. We really want a command line and automated version of LibreJS, so you can imagine if you're a webmaster a big difficulty in dealing
29:21
with all this is the way that certain web publication systems deliver JavaScript. They can grab scripts from all over the place and stick them all in one file and then serve that to you and as a webmaster it can get pretty maddening to try to make sure you are doing the right thing all of the time. So we really need an
29:41
automated version. LibreJS is a browser extension that you have to manually run. It's meant to work for a live, breathing user. So something that can be run as part of a regular system check job, alert system that would monitor and do essentially the same function as LibreJS. We could modify
30:02
minifiers that are used commonly in the JavaScript community to output the right kinds of copyright notices by default and take some of the legwork out of it for people. People have done this historically with the GPL notices and anything that you can do that makes this type of
30:21
it's not bureaucratic in the end but it feels like that when you're a programmer. To make that easier for people I think would be a big help. And then there are many patches to be submitted to upstream free software projects that have JavaScript as a part of them. We had a conversation at dinner last night about how a good starter bug
30:41
for new people getting involved in kernel development and other kinds of projects is to correct the FSF's address in the license notices. If any of you think we're still at Temple Place, don't try to visit us because we're not there anymore. Not for a while. So fixing a little bug like that is actually
31:01
a nice way for someone just to learn how to check out their repository, make the changes, commit them back and just learn the whole procedures of participating in the project and do something that's a little bit useful at the same time. So to me this is a very parallel kind of thing. There are all these projects out there that are free software, MediaWiki, Etherpad that you can
31:21
go and they want to be free software, they're intending to be free software and you can just submit some patches to help make that more explicit. From a public awareness standpoint, I already touched on this, but we have an ongoing campaign to raise this issue with webmasters to get them a particular site.
31:44
It's not a winning approach in the long term to try to pick one site at a time to talk to to fix. But as you do that, you build awareness about the problem and you get some more allies on board and you just start to make this world an actual reality.
32:03
On FSF.org we've been highlighting one site a month since mid last year for people to talk to and try to convince and we're currently working with Greenpeace.org, one of the sites that was picked by people participating in the action, and Greenpeace is currently going through their
32:23
main sites and updating the JavaScript licensing information making sure it's all free and they're also discussing possible new internal standards for all the satellite related organizations to make sure that those do the right thing. It's always nice to have a success like that and I hope it gives everybody encouragement
32:42
that you're not just going to get shooed away. People out there, actually if you approach them in a friendly way, do want to have their site be accessible to as many of their supporters as possible and are willing to do some work to get that done. We're also currently trying to work with Reddit.com
33:00
that's the latest one so they haven't responded yet but you can help by sending them a comment and trying to bring it to their attention to the Reddit admins. Reddit is an example of a project that does publish its source code to a large extent under a free license so they probably do want to support fully free JavaScript.
33:24
If you are a JavaScript developer we could really use your help right now. We have a task force which is a small group of people that know a lot about JavaScript development. You can just email our campaign address and we'll get you hooked up with that. So essentially we have a list that the task force members are on and that's some place
33:41
that the Greenpeace folks can write to to get help trying to figure out where exactly the problems are and we want to offer that as a service essentially to anybody that we're also trying to get to distribute free JavaScript. It's also a place where some LibreJS improvements can be discussed so there's officially a separate mailing list for LibreJS specifically when it gets to that level
34:02
but this task force list is a good place to bridge the gap from user freedom concerns to what might be implemented in software. And of course submit some patches yourself if you can spend a little time learning how it works. If you run a site then try to fix up the JavaScript. And to be clear
34:21
what we're trying to do here is to get sites to work without requiring non-free JavaScript. That's one of our main goals. So we want free software users to be able to effectively live on the internet and not have to run non-free software. So that means we're not in this campaign really taking on things like Google Analytics head on
34:40
we probably will in a different way, but because Google Analytics is not a required piece of software to use a site it's just a piece of proprietary JavaScript that gives the site owner some information about you. So LibreJS will just block that because it's not free and you don't have to worry about it, but it's not a victory condition or a success condition
35:00
for us in this campaign to convince everybody to stop using that. We want to make sure that core functions, that the things you actually need to do to use your bank account to collaboratively draft text with people, whatever you can do with all free software for the same reasons that you've always wanted to do it on the computer that you have in front of you. I'm happy
35:21
to take some questions and hear people's ideas about this. And anything else related to the FSF actually, but I'd like to focus on this. Tom? No, but that's
35:44
I guess that kind of reproducible builds idea sort of connecting the minified JavaScript officially to the source would be a good idea. I have a feeling it's probably a lot simpler in that case to do that since minification is done by a set of standard tools. But yeah, that's a very good idea.
36:19
I got it here. Dennis, could you repeat that?
36:40
Yeah, that's a good point. If we really have a free JavaScript world then you can run the JavaScripts from your own machine and you don't have to worry about them being served to you by somebody else. Have you contacted or done any work with the W3C to try to get additional attributes added to script text?
37:02
That's really where this belongs anyway. I don't know if we've asked about that specifically. We did ask about the rel attribute because that's currently not a valid one. But that's a good idea also. Yeah, I wasn't clear about that.
37:21
So for inline scripts what we're asking people to do is to put the license notice in the HTML to cover all the scripts on this page. That could be better because you can have scripts with different licenses on the same page. There may technically be an official way of providing rel and ref
37:40
values, but in practice people just make them up and document them on the Microsoft wiki. So I wouldn't worry about that. If you wanted an additional thing with a script you can now use data-anything. That's in HTML5 and validators will ignore attributes called data-anything
38:01
so that allows you to add arbitrary data to those in HTML to make it more semantic so you could adopt a convention for that if you wanted to add stuff to script tags. I think that the way that you're going to succeed here is by making it easier for webmasters and every way you can make it easier is going to make it more likely. So I was wondering, is there also scope for a different method
38:23
in the notification which is essentially convention-based. So it's just a meta-tag in the page says, I subscribe to the convention. Where the convention is that if you take any of my JavaScript URLs and remove min. from near the end, you will find the unminified form of JavaScript which will have within it the licensing information for that JavaScript.
38:43
So when you're on my site, all you have to do is make that edit to all the JavaScript URLs and the site will run a little bit slower, but every time you get a JavaScript file you'll get licensing information with it and you will decide whether to run it. So that would mean that they would just have to tweak their build process slightly to make sure those files work with their app. And sometimes they are anyway because that's how the files work.
39:04
And then just add one meta-tag to their page. They wouldn't have to keep and maintain that whole table. So that's another way you can do that. I think that makes a lot of sense. And you know, like we're generating our web labels table is generated by a script. And that's what I expect in order for that
39:20
to be feasible. That's kind of what has to happen. You can't really expect someone to manually maintaining a table at a large site of that size is pretty overwhelming. So I think that kind of pattern just makes that job a lot easier because just take out the minification extension and you're good. Have you come across SPDX? Yes. So they do machine readable license information. Some of their standards may be useful
39:44
in defining your standards, but how do you define the license for the JavaScript file? Yeah, it would be nice if we could make these multiple efforts at machine readable license information all kind of converge. But you know, I could see adding a layer to LibreJS for example that I would check for that if someone developed a system based on that. I don't know
40:05
if we would... So we want our list of licenses to be all free licenses. And I know that SPDX has some that are not free licenses by either OSI or FSF standards. So there's some issues like that to sort out, but the...
40:23
You can use the short identifiers from the SPDX license list and there's also the URLs for that as well. But we really like the magnet links idea too, so it would be nice if maybe those two things could maybe come together. One more I think.
40:40
You've got ten minutes. I have ten minutes. Oh yeah, this was my presentation clock where I was stopping time for questions. Good. ... ...
41:04
... Well, yes and no. This is true. For one thing, this is a piece that needs to be written. So we need software which will actually enable you similar to
41:22
Greasemonkey but at a lower level to replace one particular script with another script. That's the first step. And then after that, there's the world as it is right now and there's the world as it could be. So the world as it is right now, yes, people play pretty fast and loose with their JavaScript files because nobody else
41:42
it's a private API essentially. So they don't have to worry about anybody else talking to it. But it doesn't have to be that way. You can actually imagine if this were to become a thing online where people could run their own JavaScript files then that would change site behavior back in the other way. But I also think that there is more standard JavaScript out there
42:02
than a lot of people think. I think that even something which could just recognize very commonly used scripts and substitute them with something else could accomplish some pretty cool things. People have Greasemonkey scripts to do things with Gmail and Google Docs. For example, there's other problems with using some of those things but
42:22
I think they still provide proof of concept that you can the APIs and things don't change so often that it's useless. It's just breakage that you have to deal with sometimes until people come around and start actually supporting that behavior.
42:52
Yeah, that can happen in any kind of free software. Ultimately,
43:01
you have to decide if you trust the person that's telling you what the license is and whether there's an incentive for them to try to deceive you. And there's a lot of things that you can do. That's not something I don't think that's unique to the JavaScript problem. That's just a problem with licensing of things in general.
43:21
It would be nice if everything were free software, we wouldn't have to worry about such problems. Repeat that please. With a very old screensaver. Well, as a sponsor for our projects, we handle it by having people
43:43
in a lot of cases sign an agreement to us that what they're contributing to our projects, they have the right to contribute and that they can legally give it to us as free software and we can legally redistribute it as free software. Otherwise, this is a part, at least in the United States, of the DMCA which is
44:03
not necessarily a bad thing unlike the circumvention provisions which is that if you are hosting material and you believe that you have the right to host that material and then the copyright holder comes along and says you don't, then there's just a set of standards you comply with to remove it or to contest it and as long as you do that, then there's
44:22
not a penalty. So that's one way that you could deal with people lying about licensing information or getting it wrong. So the LibreJS itself,
44:41
for the human readable part, no, there's not a standard but the machine readable part, LibreJS looks for particular links right now.
45:11
Right, so the question is how do you deal with the fact that people call the same license by different names is what it boils down to and I think that's a problem in free software licensing and that's things like SPDX
45:23
or other projects are trying to standardize those names. We're not going to try to do that within the web labels format itself. Well that's a problem to be solved elsewhere but it is an issue. People can get legitimately confused by names being used loosely.
45:50
Yeah, right. I think we could definitely use it if one exists. I think the right place to define that and come to agreement on that is not within the web labels specification
46:03
in particular but I think it is something that's needed, yeah. Why is JavaScript HTML and CSS? Why is JavaScript? Why just the JavaScript part of a webpage? Because the application also includes HTML and CSS. Right. The primary reason
46:23
is because JavaScript is, HTML and CSS aren't functional software in the same way as a JavaScript program in terms of what they can do on your machine and in terms of the implications that has for your freedom. We do always campaign to have documentation and functional educational
46:43
information be under a fully free license that permits people to modify it and improve it just like software. So that is an issue we could make a bigger campaign out of. It's a separate issue I think because it's more about a different kind of work than an actual program running on your machine.
47:04
My question to you is almost the same. Where is the line between data and code? If it's not part of the goal for the FSF to have every bit of HTML you download be free, although it might be something else, then you get to CSS which has some programming-language-like constructs in it and has acquired more capabilities over time and then you get to
47:24
much more but is yet still sandboxed if you like. It doesn't have full control over your machine, modular bugs and engine bugs. So at what point do you say, okay this is sufficiently code-like that I want to only execute free of it? Free stuff a lot?
47:44
There is actually a definition in the article of what constitutes for example trivial JavaScript versus non-trivial JavaScript. It's the non-trivial JavaScript that we want to make sure is freely licensed and that rule of thumb right now is whether it defines a function.
48:03
That's kind of a way that you can usefully identify it but part of this is also a judgment call about how particular things are playing out in the life of a typical computer user and people's freedoms are being pretty seriously threatened by proprietary JavaScript on the web in a way that's not true yet in our judgment in these other ways, which is not to say that we won't
48:23
care about them or don't care about them but for focus purposes I'm not sure there's like a bright line that would, I think what you're saying is the standard that as it gets closer to being a program that you need to be able to modify and that you need to be able to dictate how it runs then that's the closer it gets to being an issue.
48:44
So I'm kind of looking into this and is there, beyond the article that was linked I guess in your presentation, a new licensing guideline, like for the GPL there's a nice document on the FSF website about if your
49:04
code is less than this size then please don't bother with the GPL but do this and there's a fairly sort of easy way of figuring out what to do. Yeah, we the little snippets that I showed are from a larger article
49:23
so the JavaScript article itself has an appendix, JavaScript trap article itself has an appendix at the end it has similar how-to information and then the web labels article is pretty step-by-step for doing it and then for the reasoning there's a third article, the rationale to explain some of the deeper reasoning behind it. Yeah, I would say the closest thing
49:43
to the GPL instructions is what's at the bottom of the JavaScript trap article, pretty similar. Okay, I think that's all we have time for. Thank you, John.
50:37
Thank you.
50:46
Hi, John. I'm Jim Blair. It's been like 10 years or something. It's good to see you. So I work for the OpenStack Foundation running the infrastructure for the OpenStack project.
51:03
Wow. Are you still in Berkeley? Yeah, so I work from home there.