The Free Software Foundation takes aim at Gmail

that's a pretty naive viewpoint; for exactly the reasons you mention, "security by obscurity" has been repeatedly shown to be a far worse strategy than open transparency where everyone who cares about the security can see for themselves if it truly is secure. One need only follow the security alert services to see how often exploits are reported AFTER being exploited in the hidden codebase vs how very very often exploits are reported BEFORE they are exploited in the opensource codebase.

The issue of whether or not to use GMail is also a bit of a naive approach, but perhaps your employer is more flexible than most. Mine regularly releases important documents only as Google Docs, and many orgs now depend on the Google Apps for Your Domain service; if someone sets themselves up to be core infrastructure, it just seems to me they have a social responsibility to be responsible about it, and that means being transparent about it. Most don't, probably the vast majority, but still ...

Patenting software is almost ridiculous, seeing as how:

1) Software coding practices are largely standardized, as are the languages themselves.

2) Anyone would want to optimize their code.

3) Optimized code for the same basic algorithm on the same language will be identical, with the exception of variation in variable names and commenting.

4) Optimized code for optimized algorithms compiled on identical compilers will have identical output.

If a patent clerk can reject an energy machine or the use of catalysts in said machine based on the claim that, "Anyone skilled in the art would think to do so...," then patenting software should be impossible based on the fact that, "eventually, anyone skilled in the art would come up with the same optimized code."

Patenting software is basically as absurd as patenting the quadratic formula or Pythagorean Theorem

[g]The Free Software Foundation is at it again, promoting their laudable, if potentially unrealistic, goal to have all software released under a free software license.[/g]

Dear Katie Gatto, If you are planning on being a journalist, you should drop out now and go work at McDonalds. Either that, or work for Fox News.

I don't know how much MORE biased you could have written this. If you're NOT a lawyer then you should not be so smug as to the assumption of legal contracts that are accepted by the use of a licensed piece of software - REGARDLESS of the license.

My company spents millions of dollars of software and lots of time (and the use of special software) to manage and track software licenses. You better believe its big time and a serious situation. It will be worked out based on contract law - NOT your "childish feelings" of what should and should not be free.

Sorry, wrong place, I thought this was a scientific news site, I do agree with the article but opinions are meant to be included as comments.

@QuantumConundrum,

Patenting software is basically as absurd as patenting the quadratic formula or Pythagorean Theorem

Depends on what kind of software. Frequently, patents cover not so much software per se, but a particular algorithm, UI paradigm, or architectural principle. For instance, there are numerous ways to compress a movie. If I invent a new way that's more efficient by some metric, I should be able to patent the algorithm if I so choose.

Keep in mind that patents have a limited shelf life (e.g. in US, they expire after 20 years), so if I somehow manage to discover the absolute best most efficient possible algorithm, it will still be free to use by anyone within just a couple of decades.

Providing a no-JS version seems like a worthy goal, asking them to release their code as open-source not so much, but then it's the FSF's right to ask Google if they want to (Google doesn't need to comply).

I'm also not a fan of opinions on news articles, or I'd be reading a blog. However, there was some separation between the "news" part and the "opinion" part. If the opinion was in a box or linked to, as opposed to being part of the main news body, I think it would be ok. As long as it's clearly labeled.

About software patents: patenting new algorithms has been done for decades; patenting the exact sequence of holes in a punch card to do it (source-code) seems highly suspicious.

patenting the exact sequence of holes in a punch card to do it (source-code) seems highly suspicious.

Nobody does that, AFAIK. It would defeat the whole point of the patent, as it would be relatively trivial to alter the sequence of holes (source code) to do the same thing but in a slightly different way, thereby escaping patent restrictions and evading licensing fee demands. When people file for patents, they always try to make their claims as broad as possible, to prevent competitors from playing fast and loose in precisely such ways.

Oops! Doesn't PhysOrg have a chief editor who checks articles on news value and quality before they get published? In case there is a chief editor I think he or she must have had an off day.

"Katie Gatto is an experienced technology blogger, and technophile, who uses both the Mac and Windows systems to manage her online life. She has a M.S. in Information Systems and a B.A. in English.

She has written for several technology sites and writes for a wide range of technology users. From showing Mac users helpful freeware on MacApper, to helping people be more productive through web-ware on AppMag, talking about open source technology on the Alternate Systems blog, she has covered all of the major operating systems."

Shee appears to be a shill

Let's not get crazy James! :P

I just don't see how anyone has the time to care so much about this subject.

JS is always available as source code to any web user (right-click page, view source). Maybe they're wanting the legal /right/ to reuse it in -addition- to having access to the source too?

I use JS on pretty much 100% of the web apps I write... You pretty much have to. It's usually pretty simple stuff like setting the focus to an edit field, responding to a button click to display an alert box before posting back, etc... sometimes some calculations and rendering new UI controls, client side, or calling a web service. If anyone wants to snip my JavaScript code, there's nothing stopping them. There's never anything worthy of licensing out, nor even reusing, for that matter... It's little snippets that are super-specific to that page to provide a wee bit of UI enhancement on the client side.

No way am I wasting time to write TWO of everything!

Things worthy of reuse are full js libs and Google DOES give away (some?) their js libs.

code.google.com/webtoolkit
code.google.com/p/js-cor

Maybe they're wanting the legal /right/ to reuse it in -addition- to having access to the source too?

Here's a more detailed exposition on what the GNU/FSF people view as the "JavaScript Trap":

http://www.gnu.or...rap.html

Maybe they're wanting the legal /right/ to reuse it in -addition- to having access to the source too?

Here's a more detailed exposition on what the GNU/FSF people view as the "JavaScript Trap":

http://www.gnu.or...rap.html

Thanks!

Errrr, GMail DOES offer an HTML view for those browsers who do not support Javascript. What's the problem. Haven't they gotten in the news enough?

The public release of the code for these websites and creation of HTML-only versions of these sites could lead to serious security issues.

You do not seem to be clear on how open source works, as well as the benefits to security it provides.

If you don't like the Javascript interface, and want pure standards from GMail, use the IMAP interface with Thunderbird or SeaMonkey.

i might be wrong but being as JavaScript is run in your browser cant you just do a View Source and read it?

I have to say that anyone referencing Stallman loses lots of credibility. FOSS has been here a while, I'll admit, but the fact that we have had proprietary software on our personal computers since the 80s (earlier for some) proves that the world hasn't exploded due to proprietary software. As someone else said, if you want a FOSS interface to GMail use IMAP and the client of your choice. Oddly enough it also means you don't see all those pesky ads which support the service you aren't paying for at all.

Katie, previous commenters were right when they said that it isn't for security by obscurity, since you can see any javascript you want. It is just the fact that Stallman is a "purist" and he should keep using lynx which wouldn't let him get onto GMail or Facebook.

it isn't for security by obscurity, since you can see any javascript you want

Not quite. One of Stallman's main problems with gmail is that apparently Google obfuscates its javascript (removing whitespace and reducing function/variable names to single-letters, and so on) to the point that reading it (much less comprehending it) becomes a reverse-engineering challenge. This may not be intentional obfuscation to prevent other parties from using the code, so much as an optimization tactic designed to reduce bandwidth demands for page loads. Still, the effect is the same.

Stallman's other big problem with Javascript in general is that Javascript embedded into apps like gmail can't be customized by any third party (including the user); FOSS principles aspire to give any user the flexibility to modify any software or app they're using (or in fact, explicitly reject any software that isn't FOSS.) Javascript has a way of "sneaking in" under the radar along with the HTML content.

i might be wrong but being as JavaScript is run in your browser cant you just do a View Source and read it?

Yes. But I think part of what they're objecting to is the /optimized/ javascript that's trimmed down to reduce download time, makes it unreadable. But, most, if not all, of Google's js libraries are publicly available in their un-optimized (debug) form.

obfuscates its javascript (removing whitespace and reducing function/variable names to single-letters, and so on) to the point that reading it (much less comprehending it) becomes a reverse-engineering challenge.

That is a joke of an excuse. People writing in c have obfuscated their code by using cute tricks for years making it impossible to read it and I've seen quite a bit of that released as FOSS. If limited white space and single-letter variable names is what he is whining about, then don't let him near any of the ancient legacy F77 or F66 code that somehow still gets used in physics and engineering. He will have to cry himself to sleep after seeing that.

i might be wrong but being as JavaScript is run in your browser cant you just do a View Source and read it?

Yes. But I think part of what they're objecting to is the /optimized/ javascript that's trimmed down to reduce download time, makes it unreadable. But, most, if not all, of Google's js libraries are publicly available in their un-optimized (debug/human readable) form.

If limited white space and single-letter variable names is what he is whining about, then don't let him near any of the ancient legacy F77 or F66 code that somehow still gets used in physics and engineering.

Although Fortran code certainly has its drawbacks, readability is no problem - if you are a real programmer. But aligning F66 with F77 in the same statement is a sure sign you are no real programmer.

And IF you wonder why "somehow" fortran "still" gets used THEN begin to wonder why "somewhere" they are "still" using supercomputers instead of Windows-decorated PCs.

@nada,

[g]Dear Katie Gatto, If you are planning on being a journalist, you should drop out now and go work at McDonalds. Either that, or work for Fox News.

I don't know how much MORE biased you could have written this. If you're NOT a lawyer then you should not be so smug as to the assumption of legal contracts that are accepted by the use of a licensed piece of software - REGARDLESS of the license.[/g]

Really?! Is that necessary? It's one thing to disagree with someone's opinion, but to demonize them for sharing that opinion is uncalled for. If you can't provide a reasoned response for why thier position is incorrect, please don't respond...

Gmail is free, and client side JavaScript is open source by definition.

It is possible to de-obfuscate optimised js, and it is possible to extend it.

Nothing to see here.

HTML "Standard View" says hi.

@nada,
Really?! Is that necessary? It's one thing to disagree with someone's opinion, but to demonize them for sharing that opinion is uncalled for. If you can't provide a reasoned response for why thier position is incorrect, please don't respond...

I don't provide reasoned response to an article that is so clearly yellow journalism.

I also would flame Glenn Beck - as oppose to wasting my time trying to "reason" with him.

Holy crap gMail is awesome... get over it... move on from the dinosaur era of email apps and open your mind to a new and better way of working with email.

Security by public auditing in Open Source is a double edged sword.

Because most people who look at the code are amateurs who couldn't find a hole from their own behinds. In the worst case, nobody is being paid to do a proper audit, so most of the more obscure problems are never discovered.

Meanwhile, all criminals can look at the code, and they don't have to tell anybody about what they find. They have much more motivation to gain expertise and find the security problems than the unpaid amateur coder that puts his trust on the software because "someone's probably looked at it".

In fact, a rational person would estimate that since the source is available to all, there will be both good and bad people who know about the security holes, and the bad guys aren't telling, so there will be exploits in the software known only to the criminals and thus Open Source won't be secure.

As a sometime application and web-application developer (and now Manager) it seems to me that there are some merits to both sides of this argument.

On the one hand, it can be difficult to make money from totally free software, depending on what the software does and how it does it, and as a general rule I've found that even software developers and their families like to eat.

On the other hand, there appear to be some serious flaws with Stallman's approach and suggestions to the use of JavaScript (or, if you read the linked article on "The JavaScript Trap", other languages that work similarly). The suggestion that, "...a JavaScript program [be considered] nontrivial if it makes an AJAX request, and ... if it defines methods and either loads an external script or is loaded as one" looks fraught with problems.

To start with, even Stallman's suggestion that the source be provided through an '// @source:' link in a header would invoke this rule. (The link downloads an external script.)

Secondly, it is difficult to NOT define a method of some description in any JS event handler or larger piece of code.

Thirdly, the JS programming is itself (by definition) loaded as an external "application" (yes, I know, it's arguable what constitutes an "application", hence I've quoted it).

Much more serious though, IMHO is the suggestion that a browser be able to run some modified version (up to a complete replacement set of scripts) of the downloaded JavaScript programming. This seems to offer an open invitation to anybody to hack the code for malicious intent at the server (and if you've never had to deal with a JS-invoked SQL injection attack, go find out about it; and that's an almost trivial attack vector).

Yes, good server-side coding will stop most attacks but it's difficult to be able to guarantee to stop every possible thing. Can any coder claim to know all possible hack modes? Including those yet to be invented?

It's easy enough for anyone to provide a link to a source code copy of any JavaScript code already, without the need to invent yet another "tag" (the @source: idea). In fact, since Stallman is so hot on openness, free-ness and Standards, why not suggest this as part of the RDF Standard? Or as a Meta tag? (Oh, wait! You can already do that...)

A major criticism seems to be that browsers "silently load and run..." such programs. Well, quite frankly most users wouldn't want to "ok" every script to run but it's already possible to set the browser to do so if you want (and personally, my FF4 browser includes the "NoScript" add-on which prevents scripts from running silently - including itself at installation - and asks what I want to do with them). So what's the big deal?

And as many others here have noted, the JS is easy enough to grab (view source). Even if it's obfuscated by the minimisation process, this won't stop savvy-enough users looking at it.

A criticism of this is that the compacted code (and hence obfuscated through removal of whitespace, reduction of variables to single characters, etc) is not the source code. Well, that too is arguable IMHO. What constitutes source code? Stallman doesn't say but he does argue it's the preferred code to modify (this seems tautological to me).

The source code in this downloaded-app context is what gets compiled, whether it's obfuscated/compacted code or not is irrelevant. (Not considering the vexed issue of pcode or bytecode-style downloads.)

What he's arguing is (human) readability. That's not germane to his argument - free software doesn't imply that it also must be human-readable. (Open source does imply this but open source isn't his argument in that article - it is clearly & specifically about free vs not-free and humanly-readable.)

I'm not against either free or open source software - I use and like a lot of it. But this is a bad and unnecessary idea he's promoting.

Security by public auditing in Open Source is a double edged sword.

Security by trust in the proprietary source vendor is a sword with how many edges?

Because most people who look at the code are amateurs

That's irrelevant as long as some knowledgeable person looks at it.

In the worst case, nobody is being paid to do a proper audit, so most of the more obscure problems are never discovered.

This worst case doesn't seem to happen in real life as there are always very ambitious unpaid people to detect and remedy zero day exploits. Pragmatism rules, not theory.

In fact, a rational person would estimate that since the source is available to all, there will be both good and bad people who know about the security holes, and the bad guys aren't telling, so there will be exploits in the software known only to the criminals and thus Open Source won't be secure.

A rational person knows that one good guy is enough to tell the truth for all to know.