On 02/23/2018 02:40 AM, Narcis Garcia wrote:
> If a web developer publishes with scripts, those scripts should include
> at least Name+Version and md5/hash. First time IceCat visits that
> website, it should download script from trusted repository

you're getting close, but who puts all these untrusted scripts into said trusted repository? the developer? - so by which trusted authority and by which process should they be evaluated, verified, and otherwise deemed trustworthy? should it be trusted merely because it exists in a user-curated central repository?

how is that any different than getting the script directly from their server, hashing it, and checking against your local cache? (i think that is how LibreJS operates) - in either case, the most that could be said about any script is that it is versioned and hashed, and so your browser can indicate if it has seen it before, and you can be sure that you will get the same script each time you request it, and that others will get that same script - but it is an unreasonable leap from "my browser has seen it before" to "it has a valid license" or "it is respecting my privacy"

in practice, i would expect such a repository to be nothing different than what you find today in the package managers for nodejs, ruby, python, etc.; namely: a heap of un-vetted miscellania pushed there by *whoever* and reviewed by no one; most of which has no declared license at all - and keep in mind, that is what you get when developers have the mind to *want* their software in repositories - before you could get even that far, you first would need to convince javascript developers that they should publish to central repositories (not the norm) - *then* you need to convince them that javascript should be licensed (not the norm) - then perhaps in addition you might try to convince them that a copy-left license is the best choice for their javascript, and so they should be sure to publish their sources along with the obfuscated versions so that others can actually read the code (not the norm)
-- http://gnuzilla.gnu.org
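A minimal version of the hash-and-cache check the reply above describes (fetch the script, hash it, compare against what the browser saw before), added here as an example; it is not code from the original message or from LibreJS. The cache layout, the script names and the script bytes are constructed assumptions, and SHA-256 is used in place of the md5 the thread mentions.

```python
import hashlib
from typing import Dict, Tuple

# Local cache keyed by (script name, version) -> hex digest of the script
# bytes seen the first time. In-memory here; an extension would persist it.
# This layout is an assumption for the example, not LibreJS's real storage.
ScriptCache = Dict[Tuple[str, str], str]


def script_digest(script_bytes: bytes) -> str:
    # SHA-256 rather than MD5: MD5 collisions are practical, so an MD5
    # "same hash" result no longer proves "same bytes".
    return hashlib.sha256(script_bytes).hexdigest()


def check_script(cache: ScriptCache, name: str, version: str, script_bytes: bytes) -> str:
    """Return 'first-seen', 'same' or 'changed' for a fetched script.

    'first-seen': nothing cached for this name+version; the digest is recorded.
    'same':       the bytes match what was cached for this name+version.
    'changed':    same declared name+version but different bytes. This is the
                  case worth surfacing: the label stayed, the code did not.
    None of these outcomes says anything about license or behaviour, only
    whether this browser has seen these exact bytes under this label before.
    """
    digest = script_digest(script_bytes)
    key = (name, version)
    cached = cache.get(key)
    if cached is None:
        cache[key] = digest
        return "first-seen"
    return "same" if cached == digest else "changed"


def demo() -> list:
    # Constructed sample scripts; not real files from any site.
    cache: ScriptCache = {}
    original = b"function track(){ return 1; }"
    tampered = b"function track(){ return 2; }"
    return [
        check_script(cache, "tracker.js", "1.0.0", original),   # first-seen
        check_script(cache, "tracker.js", "1.0.0", original),   # same
        check_script(cache, "tracker.js", "1.0.0", tampered),   # changed
        check_script(cache, "tracker.js", "1.0.1", tampered),   # first-seen
    ]


if __name__ == "__main__":
    print(demo())  # ['first-seen', 'same', 'changed', 'first-seen']
```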
