* Alfred M. Szmidt <a...@gnu.org> [2021-03-17 12:04]: > What we can do in GNU in regards to new technologies considered trap, > as users will be lured to launch non-free software without possibility > to verify it is to expand or extend the LibreJS to verify Webassembly > programs for their licenses. > > It is easier, and far more practical to recommend to solve the problem > in a different manner than try and verify all running code in the > world.
How? I have proposed how I think it should be implemented. > RMS has to get involved on this, as to devise a method how to make > sure that Webassembly programs are free software. > > Why don't you take it up and try to devise this method? It would not > only be useful for web browsers, but programs in general. I did not think of technical method, rather strategic, something similar to LibreJS. I have already made proposal in that same email that you are referencing now. For me personally I will have to clean some lists of Webassembly sites to keep it safe. > A white list of websites offering Webassembly as free software could > be compiled as well. > > It is easier to simply deal with the problem by avoiding running > random code automagically. But if you think such a list is possible, > would you like to start working on it? I do not program in Javascript. It is for me natural that such a script or plugin should NOT allow the execution of Webassembly program unless the program is in the white list. A plugin could also keep hashes of reproducible Webassembly programs. Thus I am and already did mention that Webassembly should be default be disabled, unless plugin similar to LibreJS tells: this binary here is safe, it is free software, or maybe that plugin verifies its hash being reproducible as free software. Users should be able to allow websites to run Webassembly as they wish, as I may download SSH as Webassambly and wish to run it from the USB stick for example. > Firefox is already warning users of abusive websites reported by > users, which run Webassembly. > > If you can convince the firefox developers to do it, it sounds like it > would be useful. We can open up ticket and see reactions. But I do not believe so. Mozilla as foundation does not give me impression to be keen not to allow non-free software execution, as that is the fundamental reason why they included Webassembly in the first place. They want to be in the group of "vendors": https://developer.mozilla.org/en-US/docs/WebAssembly just as Google, Apple and Microsoft: https://research.mozilla.org/webassembly/ Convincing an organization to change their fundamental reason why they included into Firefox is not likely. The fundamental reason is like you said, to quickly run programs without consent. Now to convince them to run programs with consent would impede their position as one of "vendors" in the browser competition. No matter that Mozilla is a non-profit, they obviously act as profit, not really looking for users' freedom. There is option in Firefox to exclude Webassembly, thus that opens up option to have a plugin but there are no plugins yet. I wonder why in so many years there is no plugin for users to be warned and to consent. I did not see that this plugin works, it did not detect Webassembly in my Firefox: https://addons.mozilla.org/en-US/firefox/addon/webassembly-detector/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search Thus there is so far none workable plugin that would tell to user, that Webassembly wants to be executed, and ask for consent. Jean
