Re: [Bug-gnuzilla] IceCat 38.3.0 release

[Julian Marchant]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> No it does not. It cannot possibly detect either non-free or free
> code. If a program is to make a substantiated claim that some code
> is free, there is only one way:
> 
> (1) check the crypto signature on the code or the domain it came
> from (2) match the signature against the white list of benevolent
> code distributors
> 
> As long as LibreJS is not doing that, it doesn't really do
> anything. How can I make my point clearer? Tags don't make software
> free. Presence of a license does not make the software free. For
> javascript, being properly licensed AND in fact readable AND in
> fact maintainable is what makes it free. But a computer cannot
> check that, can it? So authenticating the script distributor is the
> only way, since it creates a real assurance (a very high
> probability) that the script is free. Automatic checking of tags
> does nothing. It checks that the tags are there, I guess.
> 
> Here's why LibreJS is ineffective in principle: suppose everyone is
> on the same page, and everyone is aware of tagging, and let's
> suppose all web users, 100% of them, refuse to run untagged or
> non-free javascript, so we know webmasters are tuning in. And
> NOTHING will change. The trustworthy webmasters like FSF will
> continue to serve all free code, because anything else would make
> them untrustworthy. And untrustworthy webmasters will simply slap
> your tags onto the 300 KiB of spaghetti code that rapes your
> computer. While properly licensed, that code will remain unreadable
> and unmaintainable, and therefore non-free, just as it is now.
> 
> Here's why LibreJS is ineffective in practice: webmasters and web 
> designers could not care less about standards. They relish
> breaking them. The only thing they care about is ratings. So the
> only practical way to modify their behavior (short of legislation)
> is to convince users to start boycotting anyone and anything having
> to do with non-free software. Any direct appeal to web designers is
> doomed to fail.
> 
> And so while this is definitely just my private opinion, I believe
> I argued it pretty well: LibreJS in its present form is not
> essential for anything.

I completely agree with this. Actually, I've argued this same point
before. The methodology of LibreJS is misguided.

There's another problem: JavaScript code embedded in Web pages can't
be replaced with other JavaScript code properly, unless you can get
the entire Web page downloaded to your local hard drive (which is
often impossible because of dependence on server-side code). There
needs to be a browser feature that makes such replacements possible.
I've suggested in the past that all scripts accepted by the user
should be stored permanently; that way, the script could be modified,
and it could even provide a nice bonus of telling you any time
JavaScript code on a website is modified.

That should be a goal of IceCat. Until then, I think it should just be
shipped with JavaScript disabled by default.

- -- 
Julian Marchant
https://onpon4.github.io

Protect your privacy with GnuPG:
https://emailselfdefense.fsf.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBAgAGBQJWIEVIAAoJELP1a+89AVMClKsIAJY24XuyanyMgH1VnuI/q3Y0
rMazTvT3BRmzHNLb0aWgFBOFTqskBdq3truIOm1Hq0uzGegmWcac/Ts9DsCIZUPt
HdclMsejdL1OR6m+sGDyx0004Drg+N9NGJolu8FIjcJ+rFb1yCjbGL5YALNrALFk
0tvl+m7dbYsjCRHYiNgbeNTa2KdgE9O7KjlegmfAQ2RxgSwuxWIWeUiDGoqv/rkP
tzD2/b2VEZeYsKf/uwYFAyfCqxnQLFSX0I6CS4Fg3lBFK8SS64L3Frb/kJTY/zHD
GcO8ydUfs39zk4WDyRzPP+2uGRwacGKSNtpPBkVWq0R/KA7iLSZttj3fyb1XpI0=
=IhvU
-----END PGP SIGNATURE-----