Richard Stallman Warns About Non-Free Web Apps

An anonymous reader writes "Richard Stallman has published an article which warns about the 'Javascript trap' posed by non-free AJAX-based applications. The article calls for a mechanism which would enable browsers to identify freely-licensed Javascript applications and run modified version thereof. 'It is possible to release a Javascript program as free software,' Stallman writes. 'But even if the program's source is available, there is no easy way to run your modified version instead of the original ... The effect is comparable to tivoization, although not quite so hard to overcome.'"

What's in a name?

[sbalneav]

From TFA:

"Javascript (officially called ECMAscript, but few use that name)..."

Linux (officially called GNU/Linux, but few use that name)..."

Practice what we preach, Hmmmmm?

Re:OK, dumb question after reading the article

[paroneayea]

Why do you care if non-free python, C, or whatever apps run on your computer? Code is code, and websites aren't what they used to be. The web has become a platform for client/server applications. So if you do care about free software on the desktop, it's reasonable that you should care about free software in your browser.

Slippery slope to non-free

[dazedNconfuzed]

Because you are reliant on something which must be paid for (somehow) and/or you can't own. Stallman's view, nutty or not, is that you should be able to function ENTIRELY on free software - which a non-free JavaScript "app" by definition isn't. From his perspective, it's an insidious "slippery slope" undercutting of the free (speech AND beer) software paradigm: it's so easy to get caught in the "[shrug] so what? I didn't have to pay, and I don't have to keep a copy because I just go to the site to run it again" trap, risking reliance on something controlled by someone else.

Re:Slippery slope to non-free

[swillden]

Well, there's a simple response to Stallman: you're wrong.

If you want to use my service and my resources, then you don't get to dictate your terms to me.

Stallman is perfectly happy avoid using your service and resources. His issue is that he doesn't have an easy way to tell whether or not he *should* avoid you.

Hence his recommendation that Javascript that is Free Software be tagged with something that indicates the license, so that appropriately-configured browsers can avoid executing non-Free code.

On a more general note, why is it that everyone assumes that when Stallman explains how he thinks things should be, or the way he thinks people should act, that he's somehow "dictating" to them. He is extremely clear on the fact that he neither has nor wants the power to dictate, because that would be anti-freedom. Instead, he explains, exhorts and encourages, pushing the growth of Free Software and pointing out non-Free software that may go unnoticed.

Re:Slippery slope to non-free

[Azureflare]

I can't dictate the terms for your services nd your resources, that's true. However, your client side code is running in MY BROWSER consuming MY RESOURCES.

That is the point Stallman is making. I really think he should have provided more examples.

He doesn't care what you do on the server side. Just provide us with messages to the client (us) that enables us to provide whatever interface to the data that we want.

Nice to see it worked

[rumith]

Actually, it was me who alerted him on this issue (using GMail as an example). However, that was almost a year (!) ago. Took him a long time, but I couldn't expect any less, since the man almost never uses a browser at all...

P.S. For those interested, here is the transcript of our email conversation.

Re:OK, dumb question after reading the article

[Timothy+Brownawell]

Why do you care if non-free python, C, or whatever apps run on your computer?

Because it's generally harder to upgrade/maintain (not in the standard apt repositories), I can't fix it myself, and whoever controls it can just randomly disappear or EOL it.

So if you do care about free software on the desktop, it's reasonable that you should care about free software in your browser.

Except that all of those thing either don't apply to web apps at all, or apply to all web apps. There's nothing to install, upgrade, or fix locally, and you're dependent on some service provider regardless of the status of the code.

I thought I did.

[Samschnooks]

So if you do care about free software on the desktop, it's reasonable that you should care about free software in your browser.

I was having trouble with a F/OSS app several months ago and I thought "Great! It's F/OSS! I can just get the software source and have a gander and solve my own problems!"

So, I downloaded the code, unzipped it, spent a couple of days getting the development environment right, and brought up the editor. A few days go by, and I'm trudging through uncommented PHP code, digging into class after class calling other classes that called other classes that just set global constants or read environment variables, and so on and so on...

I deleted the code because instead of "solving my problem" I was getting lost and not accomplishing the activity that the software was supposed to accomplish.

I went and got a package that did what I wanted.

In short, I have no desire to look at source code. I don't give a rat's ass. I have better things to do than to dig through other people's mess - thank-you-very-much.

F/OSS only appeals to people who LIKE to trudge through others code to see how it works or make it "better". To me, software is an end to a means and I don't really give a rat's ass how it works as long as it's not doing shit behind may back that I don't want; which I can find out by other means than looking at source code.

Re:I thought I did.

[betterunixthanunix]

"F/OSS only appeals to people who LIKE to trudge through others code to see how it works or make it "better". To me, software is an end to a means and I don't really give a rat's ass how it works as long as it's not doing shit behind may back that I don't want; which I can find out by other means than looking at source code."

Free-libre software is about more than just looking through source code. The availability of source code is a means to an end; there are non-free licenses that provide access to source code, and even the right to modify that source code. Free-libre licensing grants you freedoms that you really do not have with proprietary systems, including those that make code available to you:

• The freedom to install the software on as many systems, and for as many users, as you wish. For a web apps, some vendors limit how many simultaneous users (or how many users in total) may use the system; a free-libre system cannot impose such a limit.
• The freedom to use the software perpetually.
• The freedom to use the software for whatever purpose you see fit (compare this with the AAC codec license, which forbids "client software" for being used for "professional" purposes).
• The freedom to use modifications to the software that other people have developed.
• The freedom to give the software to someone else.
• The freedom to discuss the software with someone else (there are proprietary systems that forbid or limit this as "trade secrets").

Maybe these are not things that really matter to you. I have encountered restrictions on every one of the above items from different software packages, and it has caused me and the other users/administrators of the software serious headaches. In cases where free-libre software was introduced, people just got their work done -- no worries about breaking the law, no worries about the software suddenly becoming inoperable, no restrictions on who we may discuss the software with.

Web Apps

[LaminatorX]

RMS may be a cranky extremist, but he's still right far more often than he's wrong. Web apps are in some ways a huge step backwards in terms of openness. If you're lucky there's a wsdl you can analyze but even then that's really just a client-facing API. What's less free/open than a binary-only distribution? One that's never even distributed in the first place. May I please continue to access this application, sir?

Re:he is right.

[radarsat1]

I think it's pretty clear, if you just keep the fundamental principles of free software in mind. If you use software, you should have the freedom to modify it and run a modified version. Just remember that, and this article will make a lot more sense to you.

I think he enunciates quite clearly the "danger": that we are becoming more and more dependent on software that is temporarily downloaded to our computers in a semi-obfuscated manner and executed to perform non-trivial tasks. This is not quite breaking the "freedom to modify" principle, since technically the source code is available, but he's calling it a trap because in practice it's extremely difficult to get in there and modify a web application since current browsers don't provide an easy way to do it, and the "source code" is almost impossible to read.

Look -- people are calling him crazy for this but I don't know why. (Possibly because they'll jump on any opportunity to call him crazy.) But frankly he's right. If you value the ability to modify software that you use, web applications don't make it easy to do. Not only that, but they can change on you while you're in the middle of using them, making it difficult for any local modifications (based on GreaseMonkey e.g), to "stick".

I don't think he comes off as crazy at all in this article, nor is he even suggesting we don't use JavaScript or anything silly like that. He's merely pointing out some potential problems with web applications vis-a-vis the freedom to modify, and providing a possible solution in the form of metadata.

In fact I'd say this is one of the more practical and shorter things I've seen him write, so I can't understand why people are jumping all over this.

Re:Every time he speaks I just want to shoot him

[Improv]

Given what he's already given us, I think you greatly understate the credit he's due. Without Stallman, we would have compilers, operating systems, editors, etc, but it's quite likely we would not enjoy the freedoms we have with them today. Right now, I can install Linux on any number of systems I have as well as systems at work, including all sorts of software, without any legal worries about licensing - Stallman did not write most of it, but he made it possible and drew people's attention to its desirability. It is because he constantly screams "freedom" and enough people listen (or are bound by the GPL's viral nature to listen) that we have a viable way to run computers without people who would significantly restrict our usage of this software getting in the way.

Stallman isn't perfect - he is known for being hard to work with, he let GCC stagnate for several years because of an inappropriate development model, and the "GNU/Linux" terminology thing wasn't necessary. However, taken as a whole he's a very important and positive figure.

Re:OK, dumb question after reading the article

[lwsimon]

This, of course, can be done now. The first think you learn when dealing with webapp security is that you can never trust the client.

Nothing is stopping me now from loading my own Javascript (or Java, or anything else that runs in the browser) on a bank's webpage.

Re:What about the server side?

[ShieldW0lf]

That's RMS' fault.

http://en.wikipedia.org/wiki/The_Boy_Who_Cried_Wolf

You're right, it is. If he hadn't taken action to solve the problem he was yelling about, people would have suffered enough to show some respect. He should have just gone into the forest to be a hermit and left you to get screwed so you would learn. Now you can just pretend there wasn't a problem that he didn't mitigate on your behalf and talk like an idiot, and most people won't realize or catch you at it.

Re:OK, dumb question after reading the article

[CySurflex]

The problem with that logic is that Stallman missed a huge point. If, from his example you're using Google Docs, even if the JavaScript is "freed" using his new standard with stylized comments and the @source directive - you are still accessing non-free server software (the Google web servers) that responds to the AJAX requests. Not only that, but your browser is also making a call to the Google Ad server, which also has non-free software. You might also argue that its being served by a modified version of MySQL thats non-free, and perhaps even the firewall and the proxy that its passing through is a custom version written by Google Engineers (likely.)

Re:OK, dumb question after reading the article

[Estanislao+Mart�nez]

The problem with that logic is that Stallman missed a huge point. If, from his example you're using Google Docs, even if the JavaScript is "freed" using his new standard with stylized comments and the @source directive - you are still accessing non-free server software (the Google web servers) that responds to the AJAX requests. Not only that, but your browser is also making a call to the Google Ad server, which also has non-free software. You might also argue that its being served by a modified version of MySQL thats non-free, and perhaps even the firewall and the proxy that its passing through is a custom version written by Google Engineers (likely.)

There are two problems I can perceive with your argument, though:

1. It is still potentially very useful to you to be able to modify the software that runs on your computer, and to share these modifications with other people. This is one of the major points of the GPL.
2. You're describing here a system with three kinds of compoments: (a) client software, (b) server software, (c) server data. It's much harder to argue that (b) should be free software, especially if it's in-house Google software that we're talking about, not distributed outside the company. And (c) is not software at all, so the argument doesn't apply. Should the GPL have clauses that forbid, say, a GPL-licensed web browser from being able to connect to a web server running a non-free http server? What if it's a free http server connected to a non-free database? What if the http server and database are free software, but the people who operate the server don't allow you to download all of their data in bulk and serve it yourself?

You have to draw a line somewhere here, and drawing the line between (a) and (b) seems reasonable.

Re:What about the server side?

[Jamie's+Nightmare]

I wonder if RMS visits any websites at all besides fsf.org

I'm glad you asked. Let's get a direct quote from the man himself:

"For personal reasons, I do not browse the web from my computer."

At the risk of obvious ridicule he doesn't give the reasons behind this choice, but that's not really important here. Stallman is truly out of touch with the real needs of people who actually use computers on a daily basis. He is out of touch by his own choice. What really burns my taters is that so few properly chastise Stallman for this foolishness. Even worse, some actually defend it.

Re:whoosh

[mrsteveman1]

His beard looks non-free to me, it's obfuscating his face