Richard Stallman Warns About Non-Free Web Apps

An anonymous reader writes "Richard Stallman has published an article which warns about the 'Javascript trap' posed by non-free AJAX-based applications. The article calls for a mechanism which would enable browsers to identify freely-licensed Javascript applications and run modified version thereof. 'It is possible to release a Javascript program as free software,' Stallman writes. 'But even if the program's source is available, there is no easy way to run your modified version instead of the original ... The effect is comparable to tivoization, although not quite so hard to overcome.'"

OK, dumb question after reading the article

[MillionthMonkey]

Why do I care if I visit a web site and "non-free" JavaScript runs in my browser?

Re:OK, dumb question after reading the article

[Arainach]

You only really care if, like Stallman, you're a "software vegan" and are terrified about touching anything to do with non-GPL code.

Re:OK, dumb question after reading the article

I'm pretty sure only Richard Stallman cares. Not sure why anyone cares what he cares about though, he seems like a real barrel of laughs.

Re:OK, dumb question after reading the article

[paroneayea]

Why do you care if non-free python, C, or whatever apps run on your computer? Code is code, and websites aren't what they used to be. The web has become a platform for client/server applications. So if you do care about free software on the desktop, it's reasonable that you should care about free software in your browser.

Re:OK, dumb question after reading the article

[jkrise]

Programmability is an important aspect of free software. The javascript trap effectively converts web applications into proprietary client-server type applications, Google's apps included. Which reduces the scope for innovation, standards and progress. Hence Stallman's warning.

Re:OK, dumb question after reading the article

[Timothy+Brownawell]

Why do you care if non-free python, C, or whatever apps run on your computer?

Because it's generally harder to upgrade/maintain (not in the standard apt repositories), I can't fix it myself, and whoever controls it can just randomly disappear or EOL it.

So if you do care about free software on the desktop, it's reasonable that you should care about free software in your browser.

Except that all of those thing either don't apply to web apps at all, or apply to all web apps. There's nothing to install, upgrade, or fix locally, and you're dependent on some service provider regardless of the status of the code.

Re:OK, dumb question after reading the article

[mr_mischief]

The client-side code could just as easily be saved to your local drive and loaded from your local drive into your browser as downloaded (or loaded unchanged from cache) every time you visit a page. You local copy could then be altered to better suit your needs, so long as it's still compatible with what the server is doing or is independent of the server. This can be done now, but browsers don't support doing it easily.

What Stallman wants in this case boils down to two things as I read it. First, he wants a standard way to mark the license of the program that's easy to discern both visually and in software so you'll know what license you have to the software and the browser can inform you of that automatically. He also wants an easy way for every piece of client-side code a web page uses to be easily replaceable with your own local version from your own local disk. Right now, you can grab the JavaScript from a page and alter it, but without some work you're still going to be running the publisher's version when you're on their site. He wants some way to specify that the JavaScript that was loaded from, for example 'http://www.foo.com/js/some-script.js', instead gets loaded from your customized local version so you can interact with the web app with your changes in place.

Personally, I think he's got a good idea there. I'm no RMS fanatic, but I do like to be able to alter the software I run to suit me, and I like the GPL (and BSD, CC-SA, and some other licenses) for that reason.

He just wants a couple of technical features built into the OSS browsers to support loading custom client-side code and for you to more easily know which license the code is under. I think this is much easier to accept than some of the more drastic position statements out of the FSF. It really can benefit anyone who prefers any of the Open Source licenses, and not just what the FSF calls Free Software under the GPL.

Re:OK, dumb question after reading the article

[hummassa]

Why should I care what code OTHERS decide to present to the world?

I dunno, because it's executing on your computer?

Re:OK, dumb question after reading the article

[LaughingCoder]

He also wants an easy way for every piece of client-side code a web page uses to be easily replaceable with your own local version from your own local disk.

That sounds to me like a massive security hole just waiting to be exploited. People navigate to their brokerage page or their online banking page thinking they are running the brokerage/bank software, not knowing some malware made illicit and modified copies of the Java on their hard drive which is run instead. Scary stuff.

Re:OK, dumb question after reading the article

[lwsimon]

This, of course, can be done now. The first think you learn when dealing with webapp security is that you can never trust the client.

Nothing is stopping me now from loading my own Javascript (or Java, or anything else that runs in the browser) on a bank's webpage.

Re:OK, dumb question after reading the article

[mea37]

True. But my browser makes it hard for your malware to cause me to run your version of the bank's client on their website; GP's point is that under RMS's proposal it wouldn't be as difficult to do that.

It's not about you attacking the bank; it's about you attacking me when I try to use the bank's services.

Re:OK, dumb question after reading the article

[bentcd]

True. But my browser makes it hard for your malware to cause me to run your version of the bank's client on their website; GP's point is that under RMS's proposal it wouldn't be as difficult to do that.

It's not about you attacking the bank; it's about you attacking me when I try to use the bank's services.

The two are the same problem though. Malicious code could attack the local javascript-repository in an RMS-compliant browser in order to hijack your bank accounts etc. In current browsers, malicious code can achieve the same by attacking your browser directly. The problem only becomes more severe if the RMS-compliant browser has worse security management of its local javascript-repository than it does of its own executable code.

Re:OK, dumb question after reading the article

[DrgnDancer]

I can see it now:

ATS: Amazon.com Tech Support, can I help you?
Cust: Yeah. I can't seem to buy books from your website.
ATS: I see. Lets' see what we can do to help you.... ...
an hour later ...
ATS: Well sir, everything seems fine. We've looked at all of you settings, verified your account, even successfully completed a transaction on antother computer, I'm at a loss...
Cust: Hang on a sec ... ::what's that? Huh? Umm.. OK:: ... Uh, my son says he modified the javascript for your site for our local browser and it might have done something to... ::click:: ... Hello? Hello?

Re:OK, dumb question after reading the article

[mea37]

The technical implciations are a bit more involved than "modify how the browser loads code".

Right now, a web develoepr can rely on the fact that every visitor to his site is getting an up-to-date copy of the client software. We can have an interesting philosophical debate about whether they should rely on this assumption, or a much more practical one about how many do rely on it.

So I make non-backward-compatible changes to my website, and you run your cached/modified version of the client. Some features don't work. Your browser behaves in ways my server no longer expects. Depending on whether I forsaw this occurance, maybe the effect is harmless (except you're out of luck until you revert to a new download, and then start making your chnages again); or maybe if I was particularly clumsy or just have lousy luck, you corrupt some resource on the server.

We can mitigate the worst problems "merely" by re-educating every web developer everywhere; but realistically we're calling for a client-server handshake so that the server can let the modified client know that it's out of sync (and/or revert to a backward-compatible mode if possible).

Personally I don't see customization of web apps as a pressing need (prior to this article I've never thought about trying it, so clearly it isn't that important to my daily life). So to me, it isn't worth the trouble. YMMV.

Re:OK, dumb question after reading the article

[mr_mischief]

You are using software which uses Berkeley sockets, from the BSD project, to communicate with others over the Internet. Either the code is from BSD or it has been written to be compatible with BSD sockets. Very little software in the world speaks TCP/IP that doesn't use Berkeley sockets to do so.

If you are using a closed-source browser other than Opera, you're using one based on the open-source Mosaic or Mozilla browsers, or on the open-source KHTML or WebKit (which itself is based on KHTML). The very first web browser and the very first graphical web browser were both open source. The very first browser was called WorldWideWeb (and later Nexus to avoid confusion with "The Web" as a whole), and Tim Berners-Lee released it into the public domain in 1993. All web browsers are knockoffs of an open source project, some more directly than others.

You are using a site which is written in a language which has always been open with language tools that have always been open (that language is Perl, by the way, and any commercial Perl distribution you've seen is a copy of the open one).

The code for the Slashdot site itself is open. Although some changes may be different between the version control system and the exact code this site runs at any given moment, an open-source version of the codebase exists over at Slashcode.com for your enjoyment or use.

The site is served by use of an open-source web server called Apache. Perhaps you've heard of it. The original web server was also open-source software, and was called CERN HTTPd. CERN HTTPd was adopted by the W3C as W3C HTTPd and has sicne been supplanted by the open-source web server Jigsaw. All web servers are clones of an open-source project.

Any version of Emacs you might use, including any of the commercial Emacs clones that are proprietary and closed-source, are based on the open-source Emacs written by none other than RMS.

Most of the first games for computers had freely available source, and some of them are still available. That's a whole market in which the closed-source people were not the first movers.

Re:OK, dumb question after reading the article

[CySurflex]

The problem with that logic is that Stallman missed a huge point. If, from his example you're using Google Docs, even if the JavaScript is "freed" using his new standard with stylized comments and the @source directive - you are still accessing non-free server software (the Google web servers) that responds to the AJAX requests. Not only that, but your browser is also making a call to the Google Ad server, which also has non-free software. You might also argue that its being served by a modified version of MySQL thats non-free, and perhaps even the firewall and the proxy that its passing through is a custom version written by Google Engineers (likely.)

Re:OK, dumb question after reading the article

[Estanislao+Mart�nez]

The problem with that logic is that Stallman missed a huge point. If, from his example you're using Google Docs, even if the JavaScript is "freed" using his new standard with stylized comments and the @source directive - you are still accessing non-free server software (the Google web servers) that responds to the AJAX requests. Not only that, but your browser is also making a call to the Google Ad server, which also has non-free software. You might also argue that its being served by a modified version of MySQL thats non-free, and perhaps even the firewall and the proxy that its passing through is a custom version written by Google Engineers (likely.)

There are two problems I can perceive with your argument, though:

1. It is still potentially very useful to you to be able to modify the software that runs on your computer, and to share these modifications with other people. This is one of the major points of the GPL.
2. You're describing here a system with three kinds of compoments: (a) client software, (b) server software, (c) server data. It's much harder to argue that (b) should be free software, especially if it's in-house Google software that we're talking about, not distributed outside the company. And (c) is not software at all, so the argument doesn't apply. Should the GPL have clauses that forbid, say, a GPL-licensed web browser from being able to connect to a web server running a non-free http server? What if it's a free http server connected to a non-free database? What if the http server and database are free software, but the people who operate the server don't allow you to download all of their data in bulk and serve it yourself?

You have to draw a line somewhere here, and drawing the line between (a) and (b) seems reasonable.

Re:OK, dumb question after reading the article

[mea37]

That's one approach to letting the browser know that its version is out of sync. It's not trivial, though.

First of all, you don't see all of the code for a web app when you first load it; you see one page at a time. Consider this sequence of events:

1) I write an app made up of Page A and Page B.

2) Page A has some behavior that doesn't seem to matter, so you modify it.

3) I upgrade the app, making changes to Page B that take advantage of that behavior on Page A. (Apparently that behavior you replaced was groundwork for the feature I've just finished implementing.)

4) You visit the site, and see that the hash of Page A still matches. You run your version. Then you go to Page B, and you see a changed hash so you download the new version... but your session is in a bad state.

Also, even on a page-by-page basis, what do you hash? The entire page, so that even a cosmetic change invalidates your modified client? Or do you have to parse out all of the script code, concatenate it in some way, and hash that (which could still break if I moved elements around in the code)?

Re:OK, dumb question after reading the article

[hairyfeet]

I'll probably get flamed all to hell for daring to say this on a website frequented by website designers, but what the hell, my karma is good. I think we are missing the forest for the trees. A much bigger problem is too damned many websites are using JavaScript that have no reason to. I don't know how many times I have come across websites where basic functions that should have been straight HTML/CSS were coded in JavaScript.

And with all the malware using JavaScript and what seems like a new vulnerability coming out every day it is feeling more and more like JavaScript is going to be the next ActiveX. In fact with all the JavScript exploits I'm shocked we even use it at all. Let us be honest here: If this was a MSFT technology instead of cross platform would we still use it? Or would we be calling for its ban because of all the security holes?

So IMHO the question isn't whether the JavaScript code is free or not, but it is whether we should be running it in its current implementation at all. I mean when you have to use Noscript, which is basically a condom for JavaScript, just to surf the web something is seriously fucked up with the JavaScript security model. Maybe instead of looking at whether the code is free or not let us look at how to keep it from being a malware paradise first. And all this talk of sandboxing is frankly just a band aid for a bad security model. If your code is so damned dangerous that the ONLY way to run it safely is to use a VM, I don't want it, thank you very much.

I think if the underlying security model of JavaScript isn't fixed we won't have to worry about whether the code is free or not, because it will end up going the way of ActiveX. There is nothing being done in JavaScript today that couldn't be done in other languages or using other tools like Java and flash. And ATM it is simply too dangerous to allow myself or my clients to use JavaScript without whitelisting. And that is pretty sad.

Re:OK, dumb question after reading the article

[Belial6]

Wow. Just wow.

First, if sending bad data back to your server can bork your web server, then either you are ok with that, or your web app is broken. Your scenario of sending bad data is already trivial to accomplish by malicious people, or those who think they know better than you. If the user can send data back to you server and bork it, you have NOT mad sure the data is clean on the server side so there is no chance of an exploit.

Second, my computer is MY computer. The web browser is NOT sandboxed to make a safe known environment on the client side for the web site developer. It in no way does that. It IS sandboxed to prevent clueless and malicious web developers from screwing up the rest of MY computer.

You are exactly why RMS is correct in his concerns.

Re:OK, dumb question after reading the article

[Ifni]

Right now, a web develoepr can rely on the fact that every visitor to his site is getting an up-to-date copy of the client software. We can have an interesting philosophical debate about whether they should rely on this assumption, or a much more practical one about how many do rely on it.

So I make non-backward-compatible changes to my website, and you run your cached/modified version of the client. Some features don't work. Your browser behaves in ways my server no longer expects. Depending on whether I forsaw this occurance, maybe the effect is harmless (except you're out of luck until you revert to a new download, and then start making your chnages again); or maybe if I was particularly clumsy or just have lousy luck, you corrupt some resource on the server.

Personally I don't see customization of web apps as a pressing need (prior to this article I've never thought about trying it, so clearly it isn't that important to my daily life). So to me, it isn't worth the trouble. YMMV.

Greasemonkey begs to differ - there is a very real and very popular desire to customize many aspects of popular websites, including the Javascript code in them. Greasemonkey also provides a solution to RMS's issue to an extent. It is not as accessible as he might like, and it doesn't solve the problem of programmatically determining whether you have the developer's permission to modify his code, but people are currently using it to make changes - maliciously or otherwise.

So you have two camps under RMS's plan - those that tag their client as free, in which case one would hope that they anticipate client side alteration, and those that do not, in which case they are still naive to expect that there will be no alteration of the client and such a change (bringing the possibility of that type of change into the public limelight) might achieve your "re-educating [of] every web developer". Just because it isn't common doesn't mean it isn't done, and whether browser developers embrace RMS's ideas or not doesn't change the fact that proper security should be a part of the design for every public facing resource.

So the argument, as you mentioned, is not that developers should know what they are doing, but simply that there already exists a desire to customize Javascript (even beyond just AJAX) applications and it needs to be made more accessible to the masses. Right now, people are modifying proprietary apps, which is likely a violation of TOU, because typically no license is included in the script portions of the page. He wants licensing to be made clear to the user so that they can easily detect what they are allowed to change and what they shouldn't (or should only at their own legal risk). More importantly for RMS, he could direct his browser to refuse to run any Javascript that is not free. That is the first step. Once it is clear what you can modify, then he wants the browser to have a simple method for activating your changes. Greasemonkey does this, I believe, but it is not built into the browser (and I don't think it should be, so I disagree with RMS on this point).

In TFA he extends the argument to Java applets, Flash, and Silverlight, which Greasemonkey does not cover as well (though by changing the calling pages you could force the page to load your local copy of the applet, etc), which adds a little more weight to his claim of inadequate current tools, even including third party add-ons.

The important part to remember, however, is that those that do not wish to play are free to not tag their programs as free, in which case they are free to continue on in the blissful belief that they can trust the client.

Re:OK, dumb question after reading the article

[grumbel]

I disagree with putting the blame on Javascript, the whole problem starts already with HTML/CSS. Webpages these days are something that is generated, not something that is written, meaning what the user gets to see isn't the real data, but just some more or less usable rendering of it and thats pretty much where the trouble starts. The whole notion that its the browsers job to render a webpage in a style chosen by a user, has pretty much completly fade away, today you are basically left with the choice between pixel-perfect representation of what the webdesigner had in mind and absolutely no style at all, there is no in between, no clean separation between actual content and user interface. Even something simply as changing the font size will break close to 100% of all non-trivial webpages out there, on some its just a little glitch (like "Reply to this" button falling appart on Slashdot) while other get completly unusable because elements end up being hidden below others. This whole mess has to stop. I don't mean that webpages should go back to HTML2 or whatever, but simply that they should allow raw access to their content, I don't want a news article flooded with navigation bar and crap, I want the raw news article and nothing else. I doubt that this will happen on a large scale anytime soon, since it would make it to easy to filter away all advertisment, but then even webpages without any advertisment suffers from this very same problem.

Re:OK, dumb question after reading the article

[CarpetShark]

Yes, I understood what he was saying, I just don't agree that it follows. Saying that people CAN eat meat and vegetables, therefore they MUST eat both is the most basic fallacy out there. It's a redundant system, not a mutually requisitive system. Regardless of that system, our brains are ALSO part of our human nature, so any way we decide to live (using our human brains) is certainly within the set of human nature. Next he'll be claiming that it's not "natural" for humans to cook their meat.

Now, if he'd made his argument based on some interesting philosophy that can't be easily disproven, such as that the average man is simply happier when he has a good thick steak between his teeth, then the post might have had something to say about "human nature".

Re:OK, dumb question after reading the article

[registrar]

Richard Stallman may or may not be talking about something important here-but we have some extraordinary pay-offs from his insight 25 or so years ago. People legitimately disagree with him (including me) but only a fool would ignore him.

Just because the man is an uncompromising idealist in no way justifies your cowardly and stupid ridicule. And the moderators who thought you were insightful should the meaning of the word "insight" and moderate accordingly.

Re:OK, dumb question after reading the article

[lennier]

"... vegans are rabbit food people."

Fixed that for you.

copyright enforcement?

Has "borrowing" some Javascript (or HTML for that matter) ever resulted in litigation? There's been sort of an understanding since the inception of the Web that people will borrow from each other, because they can, and that's more or less fine.

I like Stallman's idea, it just doesn't seem particularly urgent.

Beware the hidden dollarsign?

[paroneayea]

"from the beware-hidden-dollarsign dept"

I would think slashdot would know better what Stallman means by when he says free or non-free software. Generally these webapps area available at no cost anyway, and obviously that's not what he's talking about. He's talking about the classic ideas of free software, not whether or not it is okay to sell software. I just think that should be clear here.

Anyway, if we do argue that applications are moving into the web sphere, (which most web 2.0 advocates of course do,) then this is indeed something important to think about within the domain of free software.

Re:Beware the hidden dollarsign?

[u38cg]

I think /. is more than aware what they mean. Just because you aren't forking out to use these web applications, doesn't mean that there isn't a cost. Software as a service costs real money to host, and you should be asking where the money is, and why.

Re:Beware the hidden dollarsign?

[SirGarlon]

I thought the hidden dollarsign referred to malware possibly embedded in non-free Javascript. As Stallman points out in TFA,

the idea that non-free programs mistreat their users is familiar

This mistreatment can take many forms, including collecting user data without informed consent, for example, a user profile which can then be used for marketing (and/or sold). That's what I thought the "hidden dollarsign" was referring to.

What's in a name?

[sbalneav]

From TFA:

"Javascript (officially called ECMAscript, but few use that name)..."

Linux (officially called GNU/Linux, but few use that name)..."

Practice what we preach, Hmmmmm?

Re:What's in a name?

"Richard Stallman (officially called Dick, but few use that name)..."

data

[Lord+Ender]

The license for the javascript software you are running might be important, but the far more important factor, in my mind, is the IP rights and responsibilities attached to your data.

Who has access to your data? How can you verify that? Who is responsible for keeping it secure? Who is responsible for making backups? How can you verify that?

Stallman has finally lost it.

According to this, a Javascript program that talks to a closed source AJAX backend is Not Free, even if the Javascript code itself is Free.

This is the craziest thing Stallman has come up with yet. Is a web browser that talks to a None Free web server Not Free? What about a program that uses SQL to talk to a database server that is Not Free?

Re:Stallman has finally lost it.

[illegalcortex]

While I frequently think RMS takes good philosophy and generates stupid conclusion, I actually think your example proves him right. Imagine MS SQL ships you SQL server with all the source code Query Analyzer and the DB access libraries open sourced and GPL. But they continue to distribute the SQL server engine as closed source and with the current license. Does that make SQL server free or not free?

Your browser example just doesn't work because the browser can access a whole host of other information and isn't built only for talking to that one server. Your other example program could be used to talk to any number of database servers instead of MSSQL. As long as it was a free, open source app and didn't use some incredibly henious MS-specific SQL, you could point it at another DB.

Now imagine something even more symbiotic than Query Analyzer and MSSQL. Something where there really is no practical use for the client except to talk to that server. For AJAX apps, it's more of a parallel to say the Javascript is just the top layer GUI on the behind-the-scenes application. That's what we're talking about here. The client is only half of the application, the server is the other half. An application can't be "half-free."

Re:Stallman has finally lost it.

[assassinator42]

Well, lets take the OSCAR plugin in Pidgin/libpurple. It's only (or at least by far the primary) use is to talk to AOL's server(s), which are not free. Does that make the plugin or even libpurple or Pidgin non-free?

Slippery slope to non-free

[dazedNconfuzed]

Because you are reliant on something which must be paid for (somehow) and/or you can't own. Stallman's view, nutty or not, is that you should be able to function ENTIRELY on free software - which a non-free JavaScript "app" by definition isn't. From his perspective, it's an insidious "slippery slope" undercutting of the free (speech AND beer) software paradigm: it's so easy to get caught in the "[shrug] so what? I didn't have to pay, and I don't have to keep a copy because I just go to the site to run it again" trap, risking reliance on something controlled by someone else.

Re:Slippery slope to non-free

[Greg_D]

Well, there's a simple response to Stallman: you're wrong.

If you want to use my service and my resources, then you don't get to dictate your terms to me.

Re:Slippery slope to non-free

[swillden]

Well, there's a simple response to Stallman: you're wrong.

If you want to use my service and my resources, then you don't get to dictate your terms to me.

Stallman is perfectly happy avoid using your service and resources. His issue is that he doesn't have an easy way to tell whether or not he *should* avoid you.

Hence his recommendation that Javascript that is Free Software be tagged with something that indicates the license, so that appropriately-configured browsers can avoid executing non-Free code.

On a more general note, why is it that everyone assumes that when Stallman explains how he thinks things should be, or the way he thinks people should act, that he's somehow "dictating" to them. He is extremely clear on the fact that he neither has nor wants the power to dictate, because that would be anti-freedom. Instead, he explains, exhorts and encourages, pushing the growth of Free Software and pointing out non-Free software that may go unnoticed.

Re:Slippery slope to non-free

[Azureflare]

I can't dictate the terms for your services nd your resources, that's true. However, your client side code is running in MY BROWSER consuming MY RESOURCES.

That is the point Stallman is making. I really think he should have provided more examples.

He doesn't care what you do on the server side. Just provide us with messages to the client (us) that enables us to provide whatever interface to the data that we want.

Re:Slippery slope to non-free

[Greg_D]

And who decided to venture over to my page and use my services? YOU DID. The javascript source doesn't do anything without the server communicating with it.

Stallman's argument has been that one should distribute the source if one distributes the binary.

There's no binary. There's only source with Javascript, and it is cached in the browser so that you can read it. Whether or not it is beneficial to allow people to license that code and use the API to interface with the server is strictly up to the person who controls the server. As it should be.

Stallman has never been so worried about free software as he has been about promoting business models which suit his political philosophy. He never anticipated the web service as a business model, and he really doesn't know how to attack it because it neuters his mantra.

Nice to see it worked

[rumith]

Actually, it was me who alerted him on this issue (using GMail as an example). However, that was almost a year (!) ago. Took him a long time, but I couldn't expect any less, since the man almost never uses a browser at all...

P.S. For those interested, here is the transcript of our email conversation.

FFS

[LizardKing]

This is from the man who by his own admission doesn't use a web browser. He's becoming more and more like the Ayatollah - issuing edicts about things that he barely comprehends and has never actually tried himself.

I thought I did.

[Samschnooks]

So if you do care about free software on the desktop, it's reasonable that you should care about free software in your browser.

I was having trouble with a F/OSS app several months ago and I thought "Great! It's F/OSS! I can just get the software source and have a gander and solve my own problems!"

So, I downloaded the code, unzipped it, spent a couple of days getting the development environment right, and brought up the editor. A few days go by, and I'm trudging through uncommented PHP code, digging into class after class calling other classes that called other classes that just set global constants or read environment variables, and so on and so on...

I deleted the code because instead of "solving my problem" I was getting lost and not accomplishing the activity that the software was supposed to accomplish.

I went and got a package that did what I wanted.

In short, I have no desire to look at source code. I don't give a rat's ass. I have better things to do than to dig through other people's mess - thank-you-very-much.

F/OSS only appeals to people who LIKE to trudge through others code to see how it works or make it "better". To me, software is an end to a means and I don't really give a rat's ass how it works as long as it's not doing shit behind may back that I don't want; which I can find out by other means than looking at source code.

Re:I thought I did.

[commodore64_love]

Insert key.
Push the pedal.
Go.

I share the same philosophy about computers. I don't want to waste hours of my life on coding software. I'd rather just work 1 hour of overtime, and then go out and buy the program I need.

Re:I thought I did.

[Giloo]

If you don't want to look at code, however bad it is, it doesn't mean you should necessarily turn to proprietary software (or even "not fight for F/OSS).. Which is somehow his point. If locked on proprietary software, his only option was to ask the editor to correct the bug. Which may or may not be willing to do so.

With opensource software, he could have hired someone to waste his time on it, even if the original developper wouldn't have been willing to do so.. Plus it could have been a nice contribution, so probably for a lower price, he could have had his software up&running, and made the software better..

And anyway, just by reading that: "which I can find out by other means than looking at source code", we can probably assume the technical details aren't exactly relevant to him.

Re:I thought I did.

[Austerity+Empowers]

No one is asking you to. But what if you ran a business and the software vendor for some mission critical app decided he wasn't going to support your desired OS, or some trivially simple feature that a competing system has that makes a lot of financial sense to you? But your cost to switch over outweigh the cost of that feature. Your vendor was either going to hold you hostage for some obscene amount of money required to switch (but enough that he thinks you'd pay, since he knows your costs too), or let you stay on your existing platform which will bleed you dry slowly. What if your software vendor decided that you can run 8 documents at once, but to run each additional document at once would cost $100/document. Not because of any technical limitations, but simply because they want to charge you that way?

If you made a point to never use F/OSS you could simply pay someone else to fix the software, perhaps someone you already have on staff. You could have it your way. You wouldn't get stuck with idiotic licensing scams and other extortion.

This kind of thing happens all the time, at all levels of business. While he sounds like a raving lunatic at times, his zealotry can produce a better world. It works not only for people who like to code, but for those who'd rather pay others to do it for them. We really ought to be looking for ways to use open source as much as possible, in place of proprietary alternatives. He's pointing out ways to help you identify closed source apps you may not know exist.

As usual it sounds ridiculous and paranoid, but it does make sense. You may not wish to put your life on hold for lack of F/OSS alternatives, that's not a reasonable expectation, but it makes sense to favor F/OSS solutions and be looking for a way to remove proprietary as much as possible. The economics of the world won't really change much, people will still get paid to write software... but they won't be able to extort you for it either, or pimp it for decades because you have been locked-in.

Re:I thought I did.

[betterunixthanunix]

"F/OSS only appeals to people who LIKE to trudge through others code to see how it works or make it "better". To me, software is an end to a means and I don't really give a rat's ass how it works as long as it's not doing shit behind may back that I don't want; which I can find out by other means than looking at source code."

Free-libre software is about more than just looking through source code. The availability of source code is a means to an end; there are non-free licenses that provide access to source code, and even the right to modify that source code. Free-libre licensing grants you freedoms that you really do not have with proprietary systems, including those that make code available to you:

• The freedom to install the software on as many systems, and for as many users, as you wish. For a web apps, some vendors limit how many simultaneous users (or how many users in total) may use the system; a free-libre system cannot impose such a limit.
• The freedom to use the software perpetually.
• The freedom to use the software for whatever purpose you see fit (compare this with the AAC codec license, which forbids "client software" for being used for "professional" purposes).
• The freedom to use modifications to the software that other people have developed.
• The freedom to give the software to someone else.
• The freedom to discuss the software with someone else (there are proprietary systems that forbid or limit this as "trade secrets").

Maybe these are not things that really matter to you. I have encountered restrictions on every one of the above items from different software packages, and it has caused me and the other users/administrators of the software serious headaches. In cases where free-libre software was introduced, people just got their work done -- no worries about breaking the law, no worries about the software suddenly becoming inoperable, no restrictions on who we may discuss the software with.

Re:I thought I did.

[cozziewozzie]

I share the same philosophy about computers. I don't want to waste hours of my life on coding software. I'd rather just work 1 hour of overtime, and then go out and buy the program I need.

You don't get the whole point of Free Software in the first place.

But the beauty of it is that even you can profit from its fruits. Every time you surf on the internet, or listen to music or watch a movie. Most of those are running on or were created with Free Software.

Re:I thought I did.

[ClosedSource]

If a software vendor wants to lock you in, he isn't going to cooperate by making his web app easier to work around. There is also the server side that you know nothing about, so if he ever goes out of business you'd have some nice javascript that interacts with a phantom server.

Even if you're a die-hard F/OSS fan, you should spend your energy on initiatives that really make sense.

Re:I thought I did.

[billcopc]

I try to use open-source solutions where possible, for a whole slew of reasons that need not be repeated here. The biggest issue I encounter is a total lack of motivation in the F/OSS community to actually fix what's broken, and let's be honest here: a ghetto mailing list or forum usually does not lead to solutions, it only leads to a bunch of people with unanswered questions, or long flame wars between rival developers.

A commercial outfit wants your money, so they will take the 2 seconds to read your trouble ticket after you've plowed through the first-level support drones. Free software developers seem too bitter to care anymore, you ask a valid question and they get all pissy. It doesn't matter that the thing doesn't do what it says on the tin, the user is always wrong regardless.

Those of you who clamor "Fix it yourself, fool!", you're missing the point. Not everyone is a developer, and while I can tweak my way through just about any C/C++ or PHP project, the same is not true of the other 99.8% of the world's computer users. Free software needs to be made accessible and friendly to the common user, not just us ninja hackers.

Re:I thought I did.

[Tom]

Yes, most of the times I don't care for the source, either.

However, several times already I came across a piece of Free Software that did almost exactly what I needed, or that did what I needed but hadn't been updated for quite a while. I could take it and add the feature I wanted, or take it over and continue developing it, or simply fix a few bugs that prevented it from running/compiling in the current compiler/webserver/whatever environment.

Just because you don't use a freedom 99% of your time doesn't mean it isn't valuable. I very rarely make use of my freedom to assemble, and elections are only every few years - but still these are important freedoms to have.

Re:I thought I did.

[Ifni]

Thank you. That's right.

He wasn't defending you, by the way. He was pointing out how ludicrous your argument was. Basically, you were saying that since you, personally, will never use this freedom, it has no value for anyone, anywhere, ever, and therefore should not be defended. Not only is that shortsighted and egocentric, it is - well, actually, I think shortsighted and egocentric pretty much covers it.

I'm like you, I don't like digging through other people's messy code. However, I like having the option to so that I can see how something was done so that I can use it to learn new techniques so that when or if I decide to build my own program I have another valuable tool in my toolbox. Also, though I am sorry that the tool you decided to dissect was a mess, a lot of open source code is clean and well documented. That may not be the norm (I haven't looked through much), but from what I have seen, it has improved dramatically over time.

Lastly, even though you may not see the value in being able to view and change code, as you mentioned in the last paragraph of your article, there are those that do. Because of them, FOSS improves and gives you the ability to dump one FOSS app for another that meets your needs better because someone that was willing to improve someone else's code had similar needs to yours. It allows those that like to tinker the ability to make changes to any FOSS app that you use to make it better by adding features that you will use. The point is, if you simply write off the FOSS ideals as useless because you don't take advantage of them directly, then fail to defend them because of that belief, you are missing the bigger picture and risk losing a resource that whether you know it or not you do benefit from.

FOSS appeals to more than just the people who maintain and improve the code, it appeals to anyone that uses it. In fact, I'd even argue that it benefits those that choose to use non-free alternatives as it provides competition - and when competing with free, proprietary has to be that much better in order to succeed with a price tag (and though the extent of this success is debatable, there is certainly increased pressure to improve for many, or FUD/lock-in for some few).

Every time he speaks I just want to shoot him

[BitZtream]

Let me give you guys a hint. Its a good time to start distancing yourself from Stallman, he's definitely wondering off to the tree-hugging-nutjob-hippie commune.

He's lost grasp of the point of software. The point of software is not 'to run free software', its to get something done.

His entire life has turned into 'omg you must use free software or you are doing the wrong thing'. He has no logic for this other than 'its bad for you not to use free software' or 'its bad for you if you cant modify it even though you have no useful reason to do so!!!'

He goes so far in the article to try to confuse the meaning of 'free' versus 'open', implying they are essentially the same thing. They aren't, and never will be. He has gotten himself so deep into his own bullshit that it would appear that it is now impossible for him to understand that his 'way' isn't the only one. Once you've got yourself to the point where you think 'free' or OSS software is 'the only way' you are no better than those people who refuse to use OSS software, you're just a moronic twit at that point.

Stallman has reduced himself to a religious leader rather than a promoter of openness for the common good. He's simply gone too far.

So again, I encourage you to distance yourself from Stallman, he is not someone you should associate with any more than the Church of Scientology as they are both just spreading propaganda for their own personal gain at this point. Now that OSS has become even slightly accepted his usefulness as a supporter of OSS is diminished, so he's taking it to the next level and trying to say all non-free software is bad. Read that carefully, 'non-free'. Not open. In this article he in a round about way attacks 'open' standards that are not 'free' by his definition.

You need to watch out for the guy who screams 'freedom' while at the exact same time adding new restrictions to the very license he claims is all about 'freedom'. I'm not saying not to use GPL or GPLv3, if the fit your needs/goals, thats entirely fine and should be used if they fit. I license my software under many different licenses based on what I'm trying to accomplish. My applications are generally closed source, I have some libraries that I've released LGPL, and many that are BSD licensed. I have not used GPL proper as it doesn't really fit my Each has their place in MY agenda. I'm just saying that what he does is hypocritical to an extreme only shared by politicians and lawyers, and because of that he should be treated as such.

I am in no way saying you should abandon OSS or the quest for open standards. I just feel that what Stallman is doing is not the quest for openness, but more like gathering a cult to be lead off to a mass suicide.

Re:Every time he speaks I just want to shoot him

[Improv]

Given what he's already given us, I think you greatly understate the credit he's due. Without Stallman, we would have compilers, operating systems, editors, etc, but it's quite likely we would not enjoy the freedoms we have with them today. Right now, I can install Linux on any number of systems I have as well as systems at work, including all sorts of software, without any legal worries about licensing - Stallman did not write most of it, but he made it possible and drew people's attention to its desirability. It is because he constantly screams "freedom" and enough people listen (or are bound by the GPL's viral nature to listen) that we have a viable way to run computers without people who would significantly restrict our usage of this software getting in the way.

Stallman isn't perfect - he is known for being hard to work with, he let GCC stagnate for several years because of an inappropriate development model, and the "GNU/Linux" terminology thing wasn't necessary. However, taken as a whole he's a very important and positive figure.

Re:Every time he speaks I just want to shoot him

[MbM]

Take it with a grain of salt.

RMS intentionally confuses the terms free and open, because in his mind it isn't free until it's open; to him, free means freedom. The classic example is always "free" as in "free beer" vs "free" as in "free speech"; same word, different meaning.

Web Apps

[LaminatorX]

RMS may be a cranky extremist, but he's still right far more often than he's wrong. Web apps are in some ways a huge step backwards in terms of openness. If you're lucky there's a wsdl you can analyze but even then that's really just a client-facing API. What's less free/open than a binary-only distribution? One that's never even distributed in the first place. May I please continue to access this application, sir?

What about the server side?

[patro]

So if you do care about free software on the desktop, it's reasonable that you should care about free software in your browser.

Okay, but Javascript is only one part of this problem. What about the code running on the server? I wonder if RMS visits any websites at all besides fsf.org

He can't be sure after all if other sites use only free software on the server side, so he can't visit them to avoid accidentally supporting non-free software.

Re:What about the server side?

[ShieldW0lf]

He's concerned about vendor lock-in. He's concerned about a small group of people being able to hold the rest of the world hostage by threatening to cut them off from the infrastructure they depend on, and he's concerned about a vast group of people being abandoned by those they trusted to handle their essential infrastructure.

It's a valid concern, it's not hard to understand, and it's not easy to dismiss either. The fingers-in-the-ears-going-la-la-la tactic seems to be the standard approach for a lot of people.

Re:What about the server side?

[ShieldW0lf]

That's RMS' fault.

http://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf

You're right, it is. If he hadn't taken action to solve the problem he was yelling about, people would have suffered enough to show some respect. He should have just gone into the forest to be a hermit and left you to get screwed so you would learn. Now you can just pretend there wasn't a problem that he didn't mitigate on your behalf and talk like an idiot, and most people won't realize or catch you at it.

Re:What about the server side?

[Zero__Kelvin]

"That's RMS' fault.

http://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf"

It turns out that if a boy cries wolf, and one is really there, it will run in fear and not be there when the villagers arrive. The villagers have only the boy to thank, but instead they ostracize him and call him a nut. Hey, come to think of it, there is a striking parallel here ...

Re:What about the server side?

[Jamie's+Nightmare]

I wonder if RMS visits any websites at all besides fsf.org

I'm glad you asked. Let's get a direct quote from the man himself:

"For personal reasons, I do not browse the web from my computer."

At the risk of obvious ridicule he doesn't give the reasons behind this choice, but that's not really important here. Stallman is truly out of touch with the real needs of people who actually use computers on a daily basis. He is out of touch by his own choice. What really burns my taters is that so few properly chastise Stallman for this foolishness. Even worse, some actually defend it.

Re:he is right.

[radarsat1]

I think it's pretty clear, if you just keep the fundamental principles of free software in mind. If you use software, you should have the freedom to modify it and run a modified version. Just remember that, and this article will make a lot more sense to you.

I think he enunciates quite clearly the "danger": that we are becoming more and more dependent on software that is temporarily downloaded to our computers in a semi-obfuscated manner and executed to perform non-trivial tasks. This is not quite breaking the "freedom to modify" principle, since technically the source code is available, but he's calling it a trap because in practice it's extremely difficult to get in there and modify a web application since current browsers don't provide an easy way to do it, and the "source code" is almost impossible to read.

Look -- people are calling him crazy for this but I don't know why. (Possibly because they'll jump on any opportunity to call him crazy.) But frankly he's right. If you value the ability to modify software that you use, web applications don't make it easy to do. Not only that, but they can change on you while you're in the middle of using them, making it difficult for any local modifications (based on GreaseMonkey e.g), to "stick".

I don't think he comes off as crazy at all in this article, nor is he even suggesting we don't use JavaScript or anything silly like that. He's merely pointing out some potential problems with web applications vis-a-vis the freedom to modify, and providing a possible solution in the form of metadata.

In fact I'd say this is one of the more practical and shorter things I've seen him write, so I can't understand why people are jumping all over this.

Implementation

[MillionthMonkey]

But what's the solution? This is the real question.

Just put a checkbox in the Firefox preferences window somewhere. I suggest this wording:

(x) Warn me before running JavaScript written by capitalist pigs

How does Stallman use the web?

[louzerr]

So, I assume Stallman can't use any typical search engine ... maybe he built his own from Lucene. He also must not do any credit transactions online.

He must also be careful that any packets his computer sends turn right around should they encounter a Cisco router (or any other proprietary router).

I suppose in his daily life, using a phone, or a car, or Television would be right out.

I sure hope Mr. Stallman never needs any medical attention.

I DO admire much of what Mr. Stallman stands for, and I'm glad there is a champion for free software ... but I live in the real world, where to buy goods, you need some government's currency, and to do anything electronically, you have to use SOME commercial software somewhere.

I wonder, too ... does Mr. Stallman's PC have a proprietary BIOS, or did he write that code, too?

Re:How does Stallman use the web?

[shutdown+-p+now]

How does Stallman use the web?

Here's how.

I feel the need to come to rms' defense, here

[jra]

Not that he would necssarily give a crap that I do.

My personal conviction is that Linux came to be what it has come to be *precisely* because it was released as GPLv2 code; I don't think it would have grown to nearly the size and penetration </beavis> that it has were it under some other license.

Therefore, the state of much of the world today -- not just the computing world, but Real Life -- descends almost entirely from the fact that rms is a extremist about the principles of Free Software.

We often look on extremists with amusement or scorn, but I personally tend to try to remember Tom Peters' observation from one of the Excellence books:

When anything useful is accomplished in this world, it is done, I have found, by a monomaniac with a mission.

We don't all have to be as hardcore as rms is -- Linus isn't -- but if *he* *weren't*, then I don't think we'd be where we are today.

So yeah, comparing him to a vegan is probably pretty accurate -- they have similar types of motivation.

But *dissing* him for it?

No, I don't think that's really the best outlook to have.

Stallman's not wandering anywhere

[roystgnr]

He's been crazy for years. My first exposure to his loony ideas was in that old story of his, "The Right To Read". He wrote that when I'd just entered college and just started using this "GNU" stuff, and I remember being being stunned by his paranoia. Grade schools wasting time preaching about intellectual property? Software being outlawed for being able to edit RAM that someone else's program allocated? People who didn't have the root passwords for their own computers? And then there's the central point of the story, that eventually people would be stuck with books they couldn't lend or resell! That Stallman guy was clearly a nutjob.

Re:whoosh

[mrsteveman1]

His beard looks non-free to me, it's obfuscating his face

simplistic thinking considered harmful

[Onymous+Coward]

... vegans are rabid food people.

It seems my original post failed to be clear. Allow me try again:

I'm vegan and I like pork.

True, I try to minimize buying pork. And, yes, I think that buying pork promotes suffering. But this issue of reducing pork consumption isn't a matter of terror or rabidness.

When we get some quality vat meat produced, you can come to my luau. I'm also a big fan of skirt steak.

The overarching point is that it's easy to be a fuzzy thinker and to have comfortingly simple, black-and-white ideas of what a vegan is. That overly simple kind of thinking is comforting, but really it's unhelpful. Do I resemble your mental picture of a vegan? Do I seem rabid or terrorized? I hope not (or we've got additional problems). Sure there are people out there who are rabid vegans, but they probably also have an overly simple idea of what it means to be a vegan, causing them to condemn non-vegan behavior with severe, fuzzy-headed religious zeal.

Maybe we can agree that unrealistically simple thinking is harmful?

At this point, after having a little more light shined on the really-not-black-and-white concept of veganism, and after some discussion of the harm of simplistic thinking, does it make sense to respond with "yeah, but vegans are rabid food people"?

Re:Stallman has to go

[lennier]

"Richard Stallman has done more damage to the open source movement than anyone else. He is pompous, arrogant, rude, inflexible, and intolerant of diversity of opinion."

But he's also *right*. History has proved this, time and again. He seems like a hardass because reality is unforgiving. Too bad. He's still right.

What does 'tolerance of diversity of opinion' have to do with anything? Maths doesn't tolerate 1+1 not equalling 2. There are some places you *can't* tolerate wrong answers. Computer science and law are two of them.

You can disagree with his conclusions as much as you like, but that doesn't invalidate them.