Richard Stallman Warns About Non-Free Web Apps

An anonymous reader writes "Richard Stallman has published an article which warns about the 'Javascript trap' posed by non-free AJAX-based applications. The article calls for a mechanism which would enable browsers to identify freely-licensed Javascript applications and run modified version thereof. 'It is possible to release a Javascript program as free software,' Stallman writes. 'But even if the program's source is available, there is no easy way to run your modified version instead of the original ... The effect is comparable to tivoization, although not quite so hard to overcome.'"

Beware the hidden dollarsign?

[paroneayea]

"from the beware-hidden-dollarsign dept"

I would think slashdot would know better what Stallman means by when he says free or non-free software. Generally these webapps area available at no cost anyway, and obviously that's not what he's talking about. He's talking about the classic ideas of free software, not whether or not it is okay to sell software. I just think that should be clear here.

Anyway, if we do argue that applications are moving into the web sphere, (which most web 2.0 advocates of course do,) then this is indeed something important to think about within the domain of free software.

Re:Beware the hidden dollarsign?

[SirGarlon]

I thought the hidden dollarsign referred to malware possibly embedded in non-free Javascript. As Stallman points out in TFA,

the idea that non-free programs mistreat their users is familiar

This mistreatment can take many forms, including collecting user data without informed consent, for example, a user profile which can then be used for marketing (and/or sold). That's what I thought the "hidden dollarsign" was referring to.

Nice to see it worked

[rumith]

Actually, it was me who alerted him on this issue (using GMail as an example). However, that was almost a year (!) ago. Took him a long time, but I couldn't expect any less, since the man almost never uses a browser at all...

P.S. For those interested, here is the transcript of our email conversation.

Web Apps

[LaminatorX]

RMS may be a cranky extremist, but he's still right far more often than he's wrong. Web apps are in some ways a huge step backwards in terms of openness. If you're lucky there's a wsdl you can analyze but even then that's really just a client-facing API. What's less free/open than a binary-only distribution? One that's never even distributed in the first place. May I please continue to access this application, sir?

Re:What about the server side?

[ShieldW0lf]

He's concerned about vendor lock-in. He's concerned about a small group of people being able to hold the rest of the world hostage by threatening to cut them off from the infrastructure they depend on, and he's concerned about a vast group of people being abandoned by those they trusted to handle their essential infrastructure.

It's a valid concern, it's not hard to understand, and it's not easy to dismiss either. The fingers-in-the-ears-going-la-la-la tactic seems to be the standard approach for a lot of people.

Re:Every time he speaks I just want to shoot him

[MbM]

Take it with a grain of salt.

RMS intentionally confuses the terms free and open, because in his mind it isn't free until it's open; to him, free means freedom. The classic example is always "free" as in "free beer" vs "free" as in "free speech"; same word, different meaning.

Re:OK, dumb question after reading the article

[mr_mischief]

The client-side code could just as easily be saved to your local drive and loaded from your local drive into your browser as downloaded (or loaded unchanged from cache) every time you visit a page. You local copy could then be altered to better suit your needs, so long as it's still compatible with what the server is doing or is independent of the server. This can be done now, but browsers don't support doing it easily.

What Stallman wants in this case boils down to two things as I read it. First, he wants a standard way to mark the license of the program that's easy to discern both visually and in software so you'll know what license you have to the software and the browser can inform you of that automatically. He also wants an easy way for every piece of client-side code a web page uses to be easily replaceable with your own local version from your own local disk. Right now, you can grab the JavaScript from a page and alter it, but without some work you're still going to be running the publisher's version when you're on their site. He wants some way to specify that the JavaScript that was loaded from, for example 'http://www.foo.com/js/some-script.js', instead gets loaded from your customized local version so you can interact with the web app with your changes in place.

Personally, I think he's got a good idea there. I'm no RMS fanatic, but I do like to be able to alter the software I run to suit me, and I like the GPL (and BSD, CC-SA, and some other licenses) for that reason.

He just wants a couple of technical features built into the OSS browsers to support loading custom client-side code and for you to more easily know which license the code is under. I think this is much easier to accept than some of the more drastic position statements out of the FSF. It really can benefit anyone who prefers any of the Open Source licenses, and not just what the FSF calls Free Software under the GPL.

How does Stallman use the web?

[louzerr]

So, I assume Stallman can't use any typical search engine ... maybe he built his own from Lucene. He also must not do any credit transactions online.

He must also be careful that any packets his computer sends turn right around should they encounter a Cisco router (or any other proprietary router).

I suppose in his daily life, using a phone, or a car, or Television would be right out.

I sure hope Mr. Stallman never needs any medical attention.

I DO admire much of what Mr. Stallman stands for, and I'm glad there is a champion for free software ... but I live in the real world, where to buy goods, you need some government's currency, and to do anything electronically, you have to use SOME commercial software somewhere.

I wonder, too ... does Mr. Stallman's PC have a proprietary BIOS, or did he write that code, too?

I feel the need to come to rms' defense, here

[jra]

Not that he would necssarily give a crap that I do.

My personal conviction is that Linux came to be what it has come to be *precisely* because it was released as GPLv2 code; I don't think it would have grown to nearly the size and penetration </beavis> that it has were it under some other license.

Therefore, the state of much of the world today -- not just the computing world, but Real Life -- descends almost entirely from the fact that rms is a extremist about the principles of Free Software.

We often look on extremists with amusement or scorn, but I personally tend to try to remember Tom Peters' observation from one of the Excellence books:

When anything useful is accomplished in this world, it is done, I have found, by a monomaniac with a mission.

We don't all have to be as hardcore as rms is -- Linus isn't -- but if *he* *weren't*, then I don't think we'd be where we are today.

So yeah, comparing him to a vegan is probably pretty accurate -- they have similar types of motivation.

But *dissing* him for it?

No, I don't think that's really the best outlook to have.

Re:OK, dumb question after reading the article

[hairyfeet]

I'll probably get flamed all to hell for daring to say this on a website frequented by website designers, but what the hell, my karma is good. I think we are missing the forest for the trees. A much bigger problem is too damned many websites are using JavaScript that have no reason to. I don't know how many times I have come across websites where basic functions that should have been straight HTML/CSS were coded in JavaScript.

And with all the malware using JavaScript and what seems like a new vulnerability coming out every day it is feeling more and more like JavaScript is going to be the next ActiveX. In fact with all the JavScript exploits I'm shocked we even use it at all. Let us be honest here: If this was a MSFT technology instead of cross platform would we still use it? Or would we be calling for its ban because of all the security holes?

So IMHO the question isn't whether the JavaScript code is free or not, but it is whether we should be running it in its current implementation at all. I mean when you have to use Noscript, which is basically a condom for JavaScript, just to surf the web something is seriously fucked up with the JavaScript security model. Maybe instead of looking at whether the code is free or not let us look at how to keep it from being a malware paradise first. And all this talk of sandboxing is frankly just a band aid for a bad security model. If your code is so damned dangerous that the ONLY way to run it safely is to use a VM, I don't want it, thank you very much.

I think if the underlying security model of JavaScript isn't fixed we won't have to worry about whether the code is free or not, because it will end up going the way of ActiveX. There is nothing being done in JavaScript today that couldn't be done in other languages or using other tools like Java and flash. And ATM it is simply too dangerous to allow myself or my clients to use JavaScript without whitelisting. And that is pretty sad.

Re:OK, dumb question after reading the article

[registrar]

Richard Stallman may or may not be talking about something important here-but we have some extraordinary pay-offs from his insight 25 or so years ago. People legitimately disagree with him (including me) but only a fool would ignore him.

Just because the man is an uncompromising idealist in no way justifies your cowardly and stupid ridicule. And the moderators who thought you were insightful should the meaning of the word "insight" and moderate accordingly.