I think it's a great idea: managing scripts as software packages that the user authorises to install and/or update. This could open the door to JS FLOSS repositories existing in the future.

On 27/10/14 at 02:37, Julian Marchant wrote:
> I highly appreciate what LibreJS is trying to do, and it's better than
> nothing. But I seriously think that LibreJS is entirely the wrong
> approach to the problem of non-free JavaScript.
>
> Right now, LibreJS is failing because it requires a format that isn't
> recognized anywhere, but theoretically, this could be solved in the
> future, so let's suppose that it does. Let's suppose even further that
> LibreJS succeeds so much that it causes a large portion of the Web to
> release scripts under libre licenses and document the licenses in a
> format LibreJS can understand.
>
> So LibreJS is popular, and people are labeling their scripts and
> linking to source code. But people are still behaving the same as
> before, blindly trusting several JavaScript programs that are silently
> being installed into their browsers every day. The only difference is
> that LibreJS thinks the scripts are libre. These are still scripts
> that are updated automatically, basically completely unaudited, and
> never edited by anyone.
>
> I get that LibreJS is supposed to be only a first step, but I think
> it's the *wrong* first step. I think we need an entire paradigm shift
> in how we deal with the problem of JavaScript code, one which involves
> not automatic script analysis, but direct user intervention.
>
> This is what I propose: the first time a website requests use of a
> particular JavaScript file, the web browser should tell the user, show
> the JavaScript code requested, and offer three choices:
>
> 1. Install the requested script
>
> 2. Install a different script for this purpose
>
> 3. Don't install any script
>
> If the user chooses to install a script, it should be installed
> *permanently*, i.e. saved to a local directory.
>
> On repeat visits to the same website, the scripts requested should be
> compared to your installed scripts. If you have the same script
> installed, it should just run the script you have installed. If you
> don't, it should ask you if you want to update your copy of the script
> or continue to use the locally installed script, showing you either
> the two scripts side-by-side, or perhaps a diff. Here, it can offer
> you the option to reject the suggested script permanently.
>
> This kind of system would take away the often undeserved trust that
> JavaScript use gives to website maintainers. It would encourage
> everyone to actually think about what JavaScript code they run, the
> same way they think about any other program they might run.
>
> Another great thing about this system: it would be useful for more
> people than just us. People interested in security would find it
> useful for every script to be accepted or rejected on a case-by-case
> basis, too.
>
> Please discuss.
>
> --
> Julian Marchant
> Email: [email protected], [email protected]
> GnuPG keys: 0x3D015302, 0xD0AF3FA4
> XMPP: onpon4 @ riseup.net
> Diaspora: onpon4 @ nerdpol.ch
> Website: https://onpon4.github.io
>
> Protect your privacy with GnuPG:
> https://emailselfdefense.fsf.org
>
> --
> http://gnuzilla.gnu.org
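
The install / update / reject flow proposed in the quoted message, modelled as an added example; it is not part of either message and is not LibreJS code. Keying the store by script URL, comparing copies by SHA-256 digest, and the names `ScriptStore`, `decide`, `lineDiff`, `V1` and `V2` are assumptions made for illustration.

```javascript
// Added example: models the install / update / reject flow proposed in the message.
const { createHash } = require("crypto");

const sha256 = (src) => createHash("sha256").update(src, "utf8").digest("hex");

// Line diff shown at the update prompt: "+" lines are new, "-" lines were removed.
function lineDiff(oldSrc, newSrc) {
  const a = oldSrc.split("\n"), b = newSrc.split("\n");
  // lcs[i][j] = longest common subsequence length of a[i..] and b[j..]
  const lcs = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = a.length - 1; i >= 0; i--)
    for (let j = b.length - 1; j >= 0; j--)
      lcs[i][j] = a[i] === b[j] ? lcs[i + 1][j + 1] + 1 : Math.max(lcs[i + 1][j], lcs[i][j + 1]);
  const out = [];
  let i = 0, j = 0;
  while (i < a.length || j < b.length) {
    if (i < a.length && j < b.length && a[i] === b[j]) { i++; j++; }
    else if (j < b.length && (i === a.length || lcs[i][j + 1] >= lcs[i + 1][j])) out.push("+" + b[j++]);
    else out.push("-" + a[i++]);
  }
  return out;
}

class ScriptStore {
  constructor() {
    this.installed = new Map(); // url -> source the user approved (the "local directory")
    this.rejected = new Map();  // url -> Set of digests the user refused permanently
  }
  install(url, source) { this.installed.set(url, source); }
  reject(url, served) {
    if (!this.rejected.has(url)) this.rejected.set(url, new Set());
    this.rejected.get(url).add(sha256(served));
  }
  // What the browser should do when a page requests `url` and the server sends `served`.
  decide(url, served) {
    const local = this.installed.get(url);
    const digest = sha256(served);
    if (this.rejected.get(url)?.has(digest))   // refused before: no prompt, never run it
      return local === undefined ? { action: "block" } : { action: "run-installed", run: local };
    if (local === undefined) return { action: "prompt-install", show: served };
    if (sha256(local) === digest) return { action: "run-installed", run: local };
    return { action: "prompt-update", diff: lineDiff(local, served) };
  }
}

// Constructed sample: the site later adds a tracking call to an approved script.
const V1 = "var a = 1;\nsend(a);";
const V2 = "var a = 1;\ntrack(user);\nsend(a);";
```

In every branch the code that runs is the locally approved copy, so a change on the server only takes effect after the user has seen the diff and accepted it.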
