On 02/23/2018 02:40 AM, Narcis Garcia wrote:
> If a web developer publishes with scripts, those scripts should include
> at least Name+Version and md5/hash. First time IceCat visits that
> website, it should download script from trusted repository
you're getting close, but who puts all these untrusted scripts into said
trusted repository? the developer? - so by which trusted authority and
by which process should they be evaluated, verified, and otherwise
deemed trustworthy? should it be trusted merely because it exists in a
user-curated central repository?

how is that any different than getting the script directly from their
server, hashing it, and checking against your local cache? (I think that
is how LibreJS operates) - in either case, the most that could be said
about any script is that it is versioned and hashed and so your browser
can indicate if it has seen it before and you can be sure that you will
get the same script each time you request it, and that others will get
that same script - but it is an unreasonable leap from "my browser has
seen it before" to "it has a valid license" or "it is respecting my privacy"

in practice, I would expect such a repository to be nothing different
than what you find today in the package managers for Node.js, Ruby,
Python, etc.; namely: a heap of un-vetted miscellanea pushed there by
*whoever* and reviewed by no one; most of which has no declared license
at all - and keep in mind, that is what you get when developers have the
mind to *want* their software in repositories - before you could get
even that far, you first would need to convince JavaScript developers
that they should publish to central repositories (not the norm) - *then*
you need to convince them that JavaScript should be licensed (not the
norm) - then perhaps in addition you might try to convince them that a
copyleft license is the best choice for their JavaScript and so they
should be sure to publish their sources along with the obfuscated
versions so that others can actually read the code (not the norm)


--
http://gnuzilla.gnu.org
