Richard Stallman Warns About Non-Free Web Apps

An anonymous reader writes "Richard Stallman has published an article which warns about the 'Javascript trap' posed by non-free AJAX-based applications. The article calls for a mechanism which would enable browsers to identify freely-licensed Javascript applications and run modified version thereof. 'It is possible to release a Javascript program as free software,' Stallman writes. 'But even if the program's source is available, there is no easy way to run your modified version instead of the original ... The effect is comparable to tivoization, although not quite so hard to overcome.'"

Re:OK, dumb question after reading the article

[paroneayea]

Why do you care if non-free python, C, or whatever apps run on your computer? Code is code, and websites aren't what they used to be. The web has become a platform for client/server applications. So if you do care about free software on the desktop, it's reasonable that you should care about free software in your browser.

Slippery slope to non-free

[dazedNconfuzed]

Because you are reliant on something which must be paid for (somehow) and/or you can't own. Stallman's view, nutty or not, is that you should be able to function ENTIRELY on free software - which a non-free JavaScript "app" by definition isn't. From his perspective, it's an insidious "slippery slope" undercutting of the free (speech AND beer) software paradigm: it's so easy to get caught in the "[shrug] so what? I didn't have to pay, and I don't have to keep a copy because I just go to the site to run it again" trap, risking reliance on something controlled by someone else.

Re:Slippery slope to non-free

[swillden]

Well, there's a simple response to Stallman: you're wrong.

If you want to use my service and my resources, then you don't get to dictate your terms to me.

Stallman is perfectly happy avoid using your service and resources. His issue is that he doesn't have an easy way to tell whether or not he *should* avoid you.

Hence his recommendation that Javascript that is Free Software be tagged with something that indicates the license, so that appropriately-configured browsers can avoid executing non-Free code.

On a more general note, why is it that everyone assumes that when Stallman explains how he thinks things should be, or the way he thinks people should act, that he's somehow "dictating" to them. He is extremely clear on the fact that he neither has nor wants the power to dictate, because that would be anti-freedom. Instead, he explains, exhorts and encourages, pushing the growth of Free Software and pointing out non-Free software that may go unnoticed.

Re:Slippery slope to non-free

[Azureflare]

I can't dictate the terms for your services nd your resources, that's true. However, your client side code is running in MY BROWSER consuming MY RESOURCES.

That is the point Stallman is making. I really think he should have provided more examples.

He doesn't care what you do on the server side. Just provide us with messages to the client (us) that enables us to provide whatever interface to the data that we want.

Re:OK, dumb question after reading the article

[Timothy+Brownawell]

Why do you care if non-free python, C, or whatever apps run on your computer?

Because it's generally harder to upgrade/maintain (not in the standard apt repositories), I can't fix it myself, and whoever controls it can just randomly disappear or EOL it.

So if you do care about free software on the desktop, it's reasonable that you should care about free software in your browser.

Except that all of those thing either don't apply to web apps at all, or apply to all web apps. There's nothing to install, upgrade, or fix locally, and you're dependent on some service provider regardless of the status of the code.

I thought I did.

[Samschnooks]

So if you do care about free software on the desktop, it's reasonable that you should care about free software in your browser.

I was having trouble with a F/OSS app several months ago and I thought "Great! It's F/OSS! I can just get the software source and have a gander and solve my own problems!"

So, I downloaded the code, unzipped it, spent a couple of days getting the development environment right, and brought up the editor. A few days go by, and I'm trudging through uncommented PHP code, digging into class after class calling other classes that called other classes that just set global constants or read environment variables, and so on and so on...

I deleted the code because instead of "solving my problem" I was getting lost and not accomplishing the activity that the software was supposed to accomplish.

I went and got a package that did what I wanted.

In short, I have no desire to look at source code. I don't give a rat's ass. I have better things to do than to dig through other people's mess - thank-you-very-much.

F/OSS only appeals to people who LIKE to trudge through others code to see how it works or make it "better". To me, software is an end to a means and I don't really give a rat's ass how it works as long as it's not doing shit behind may back that I don't want; which I can find out by other means than looking at source code.

Re:Every time he speaks I just want to shoot him

[Improv]

Given what he's already given us, I think you greatly understate the credit he's due. Without Stallman, we would have compilers, operating systems, editors, etc, but it's quite likely we would not enjoy the freedoms we have with them today. Right now, I can install Linux on any number of systems I have as well as systems at work, including all sorts of software, without any legal worries about licensing - Stallman did not write most of it, but he made it possible and drew people's attention to its desirability. It is because he constantly screams "freedom" and enough people listen (or are bound by the GPL's viral nature to listen) that we have a viable way to run computers without people who would significantly restrict our usage of this software getting in the way.

Stallman isn't perfect - he is known for being hard to work with, he let GCC stagnate for several years because of an inappropriate development model, and the "GNU/Linux" terminology thing wasn't necessary. However, taken as a whole he's a very important and positive figure.

Re:OK, dumb question after reading the article

[lwsimon]

This, of course, can be done now. The first think you learn when dealing with webapp security is that you can never trust the client.

Nothing is stopping me now from loading my own Javascript (or Java, or anything else that runs in the browser) on a bank's webpage.

Re:What about the server side?

[ShieldW0lf]

That's RMS' fault.

http://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf

You're right, it is. If he hadn't taken action to solve the problem he was yelling about, people would have suffered enough to show some respect. He should have just gone into the forest to be a hermit and left you to get screwed so you would learn. Now you can just pretend there wasn't a problem that he didn't mitigate on your behalf and talk like an idiot, and most people won't realize or catch you at it.

Re:OK, dumb question after reading the article

[CySurflex]

The problem with that logic is that Stallman missed a huge point. If, from his example you're using Google Docs, even if the JavaScript is "freed" using his new standard with stylized comments and the @source directive - you are still accessing non-free server software (the Google web servers) that responds to the AJAX requests. Not only that, but your browser is also making a call to the Google Ad server, which also has non-free software. You might also argue that its being served by a modified version of MySQL thats non-free, and perhaps even the firewall and the proxy that its passing through is a custom version written by Google Engineers (likely.)

Re:OK, dumb question after reading the article

[Estanislao+Mart�nez]

The problem with that logic is that Stallman missed a huge point. If, from his example you're using Google Docs, even if the JavaScript is "freed" using his new standard with stylized comments and the @source directive - you are still accessing non-free server software (the Google web servers) that responds to the AJAX requests. Not only that, but your browser is also making a call to the Google Ad server, which also has non-free software. You might also argue that its being served by a modified version of MySQL thats non-free, and perhaps even the firewall and the proxy that its passing through is a custom version written by Google Engineers (likely.)

There are two problems I can perceive with your argument, though:

1. It is still potentially very useful to you to be able to modify the software that runs on your computer, and to share these modifications with other people. This is one of the major points of the GPL.
2. You're describing here a system with three kinds of compoments: (a) client software, (b) server software, (c) server data. It's much harder to argue that (b) should be free software, especially if it's in-house Google software that we're talking about, not distributed outside the company. And (c) is not software at all, so the argument doesn't apply. Should the GPL have clauses that forbid, say, a GPL-licensed web browser from being able to connect to a web server running a non-free http server? What if it's a free http server connected to a non-free database? What if the http server and database are free software, but the people who operate the server don't allow you to download all of their data in bulk and serve it yourself?

You have to draw a line somewhere here, and drawing the line between (a) and (b) seems reasonable.