Exactly. With Trisquel's repos, the average user is trusting the developers of Trisquel. With JavaScript code on the Web, they're trusting anyone who has a Web page and has decided to use JavaScript (so, that's basically anyone who has a Web page). And we're talking sometimes dozens of scripts for each one.

With Trisquel, a very small number of people will look, because all new software installation and updates require manual intervention. If an intentional malicious feature is found, they will make a fuss about it, completely destroying the credibility of the Trisquel developers responsible, or perhaps the Trisquel project itself.

But with JavaScript on the Web, you download a program, install it, use it once, and then discard it, over and over again. In effect, this means you get automatic updates, and you have no easy way to tell when an update occurs; it could be that the script changes every day or even every minute. Add to that the sheer number of scripts you install each day, which can add up to the hundreds, and you have a gigantic increase in the amount of auditing needed, while at the same time the capacity for a minority of people to audit is almost completely diminished.

jxself said:
> [LibreJS] could also be enhanced with an option to not
> run even free JavaScript without some sort of indication
> from the person using the browser. Why not make that
> suggestion to the LibreJS developers?

I did make that suggestion on the bug-gnuzilla post. I didn't suggest it as an extension to LibreJS, but as a replacement for it, and I suggested it as the regular behavior, not an "option". If the user has to explicitly permit any script before it is installed, it would solve the problem.

But thinking about it, we already have a mechanism to manually install JavaScript: user scripts. Why go through all the work necessary to convert automatically loaded JavaScript into manually loaded JavaScript, when we already have a mechanism for the latter? It's a waste of effort, and our time would be better spent campaigning for websites to stop requiring JavaScript extensions to work.

Reply via email to