this post was submitted on 18 Oct 2023
33 points (100.0% liked)

libre

9836 readers
2 users here now

Welcome to libre

A comm dedicated to the fight for free software with an anti-capitalist perspective.

The struggle for libre computing cannot be disentangled from other forms of socialist reform. One must be willing to reject proprietary software as fiercely as they would reject capitalism. Luckily, we are not alone.

libretion

Resources

  1. Free Software, Free Society provides an excellent primer in the origins and theory around free software and the GNU Project, the pioneers of the Free Software Movement.
  2. Switch to GNU/Linux! If you're still using Windows in $CURRENT_YEAR, flock to Linux Mint!; Apple Silicon users will want to check out Asahi Linux.

Rules

  1. Be on topic: Posts should be about free software and other hacktivst struggles. Topics about general tech news should be in the technology comm or programming comm. That doesn't mean all posts have to be serious though, memes are welcome!
  2. Avoid using misleading terms/speading misinformation: Here's a great article about what those words are. In short, try to avoid parroting common Techbro lingo and topics.
  3. Avoid being confrontational: People are in different stages of liberating their computing, focus on informing rather than accusing. Debatebro nonsense is not tolerated.
  4. All site-wide rules still apply

Artwork

founded 3 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
33
The JavaScript Trap - How Does Hexbear Fare? (www.gnu.org)
submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]
13 comments fedilink hide all child comments
 

Context

The JavaScript Trap is the idea that webpages have the ability to transmit programs to the user in the form of uncompressed or compressed JavaScript ("ECMAscript") code. Nearly all web browsers with the exception of GNU Icecat will silently evaluate all of this code by default. Not all JavaScript code is malicious or noteworthy to the user, but much of a JavaScript code run today on the client side is nonfree and therefore creates an uneven relationship between the user and the program. Even if the JS code is intended to be Free, only a proof of license and documentation can ensure it will be Free for its users.

LibreJS

Therefore, the LibreJS extension was created for Firefox derived browsers to be able to dynamically block nonfree JavaScript while also permitting free or otherwise trivial JavaScript to be run.

LibreJS can be obtained directly from the GNU Project here, it can also be installed automatically from the Mozilla Addons page here as well as several workaround scripts for some websites here

LibreJS should not be confused with extensions like NoScript which is used to block any and all JavaScript for security purposes (mostly used when browsing the Tor network). LibreJS is concerned with blocking JavaScript on the basis of software freedom, not security (though many security benefits can be achieved by blocking nonfree JS).

LibreJS should also not be confused with something like Greasemonkey which allows users to create and run their own JavaScript or modify existing ones. Greasemonkey is an example of how users can control their own computing in their web browsers by being able to create their own scripts. Websites that block Greasemonkey (websites which will also include proprietary JS) are therefore unjust.

Hexbear

Lemmy itself is released on the AGPLv3 license, therefore all the JavaScript code from the project is Free. However, that doesn't mean that the code sent by hexbear.net to its users is Free. In fact, this code is unique to hexbear.net specifically.

In fact, LibreJS blocks two scripts from Hexbear that gets run when users connect and render the site in their web browser.

  • The hexbear.net script is uncompressed JavaScript code that sets meta tags, styles, themes, and a custom script to presumably do something important (I am not a web engineer evidently).

  • When it's done, it defers to the client.js script. This script is compacted JavaScript code which is unreadable to humans. It starts with this however:

/*! For license information please see client.js.LICENSE.txt */

LibreJS does not recognize this as free JS code, therefore it is blocked as well. This renders the site unusable as users cannot login nor see posts. They can see the site tagline so at least that code is trivial/free. The only solution is to whitelist the site completely.

Request

I ask the web admins of hexbear.net to liberate their JavaScript code so that it passes the LibreJS check. The resources on how to do that can be found below. LibreJS compliance will demonstrate that hexbear.net stands with creating a freer and more inclusive web for all and with the goals of libre software.

¡Viva software libre!

Errata

  • the client.js code is autogenerated by lemmy and has a free license. It has to do more with Lemmy itself rather than being an instance issue. Perhaps a feature request is in order?
  • you can view the client.js license through LibreJS as well, so there's no issue with whitelisting.
top 13 comments
sorted by: hot top controversial new old
[–] [email protected] 9 points 1 year ago (6 children)

I’ll go a step further:

Remove all javascript all together.

This place should look like the wsws.

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago)

This place should look like the wsws.

without the Weinstein apologia (CW: sa apologia) hopefully

[–] [email protected] 5 points 1 year ago

How do you expect the upvote button to work? Reload the page and lose your position on every upvote?

[–] [email protected] 4 points 1 year ago

If you hate javascript may I interest you in NoScript perhaps hehe.

[–] [email protected] 4 points 1 year ago

The lemmy backend stuff is all in Rust. CSS (always) and HTML do not pose any meaningful freedom concerns.

Client side javascript is responsible for the webpage reactivity and interacting with the backend (the server database). JavaScript is not the enemy here, proprietary JS loaded without the users knowledge is.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

BASED

Although actually maybe it would be better to host a separate frontend without any JS alongside the current fancy, slow, wildly overcomplicated, and unportable one for people who like the usual sleek UI

My dream is Hexbear over 9P one day....

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

A phpbb frontend exists for Lemmy. This is very doable if someone wants to host it and federate with Hexbear

[–] [email protected] 8 points 1 year ago (1 children)

This would be better off as a feature request on the lemmy project. It's likely something hexbear admins can't change without significant work which would have to be repeated on every site update.

In fact, this code is unique to hexbear.net specifically.

This is almost certainly just the generic lemmy JS code with some hexbear specific constants (like the site URL) compiled in during deployment. The header script is data-only so the initial render isn't empty.

/*! For license information please see client.js.LICENSE.txt */

FYI you can add ".LICENSE.txt" to the javascript URL and read the licenses for all the compiled-in code. It doesn't appear to all be free, but again, likely nothing hexbear admins specifically can do about that.

[–] [email protected] 5 points 1 year ago (1 children)

Yeah, I noticed this on every lemmy instance I went to so it's not specific to hexbear. Thanks for pointing that out.

The code is licensed under the MIT expat license so its free. LibreJS does not detect the license file unfortunately.

It's all free javascript no doubt but it's not created in a way that can get picked up by LibreJS. I'll look into having a feature request for that in Lemmy.

[–] [email protected] 3 points 1 year ago (1 children)

It’s all free javascript no doubt

Sorry if you already know all this, but just to be clear, the client.js.LICENSE.txt file is generated by the build system by collecting code comments related to licenses from every JavaScript dependency that ends up in bundled into client.js. I noticed this partway down:

/*!
  Copyright (c) 2015 Jed Watson.
  Based on code that is Copyright 2013-2015, Facebook, Inc.
  All rights reserved.
*/

So I'm not sure if the code in client.js is all free. Although I suspect that comment comes from exenv, which is actually BSD licensed per the LICENSE file.

[–] [email protected] 2 points 1 year ago

Oh! Good find, it seems like this rabbit hole goes deeper than I thought.

[–] [email protected] 6 points 1 year ago (1 children)

So it's just that you don't have a legal license to use the code? JavaScript has to be source available by design, there's no compilation with js.

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago)

Good question.

JavaScript can be compacted and compressed into human unreadable code. Freedom 1 states that the user must be able to study the source code, "ObfuScript" violates this freedom and therefore makes the JS nonfree. Hexbear's client.js is Obfuscript for example if you examine it using LibreJS.

Remember that this is nontrivial JavaScript being run on your machine which thus makes it your computing. Server side computing is not relevant here (the distinction between hexbear.net and its lemmy backend)

The lack of a Free software license (which disregards freedom 2 and 3 of editing and redistribution) and the inability to meaningfully study the source code (freedom 1) plus the fact that many web browsers do this by default without your control (freedom 0) is what makes this a pressing issue.

there's no compilation with js.

JavaScript is not compiled directly into machine code, but it can still be compiled into bytecode to be run by an JS runtime (think google V8 engine). Web browsers have become so adept at doing this that the user hardly notices.

Languages like Python can be obfuscated if they are pre-compiled into byte code.