The Free Software Foundation takes aim at Gmail

Apr 04, 2011 by Katie Gatto weblog

(PhysOrg.com) -- The Free Software Foundation is at it again, promoting their laudable, if potentially unrealistic, goal to have all software released under a free software license. Their latest target for information freebies is Gmail. For those of you not familiar with this service, Gmail is the free web mail that is provided by Google.

Why does the Free Software Foundation take issue with Gmail? One word: JavaScript. This isn't the organizations first exploration into the world of JavaScript. They commonly post tutorial and articles that explain how to use popular websites without having to run JavaScript, which often runs within your browser. Currently if you disable JavaScript you cannot use Gmail. The Free Software Foundation refers to this at the JavaScript Trap, since users may or may not be aware that the JavaScript is being run by the browser.

This is not a specific issue, it is the general stance of the Free Software Foundation that some of the most popular sites on the web, such as Gmail, and Facebook, rely on JavaScript more than they need to. They also believe that when JavaScript is used, the company providing the product should release it as free software. They also take the position, that when JavaScript is used to provide an optional enhancement to a website, the company should also release a version of a site that does not use JavaScript.

Pardon my editorializing at this point, while free software licenses are a good thing, and this reporter enjoys the wide world of , the idea that companies owe these modifications is a little presumptive. There has to be some consideration, not for the companies, but for their users. The public release of the code for these websites and creation of HTML-only versions of these sites could lead to serious security issues. Not everyone is ethical, and once data is released for the public it is impossible to control how it will be used. I for one, would be more than a little angry if my got out, because of your pressure to release everything into the open.

The bottom line is this. If bothers you that much, then don't use these sites. No one is forcing you Tweet. isn't the only game in town. Many people live full and rich lives without a Facebook account.

Explore further: Upgrade to iOS 8 now or wait?

Related Stories

Firefox 4 Beta 1: Overview of Changes and Performance

Jul 08, 2010

(PhysOrg.com) -- In the latest version of Firefox's free, open-source Web browser, you will notice some visual changes like tabs on top similar to Google Chrome and single button menu similar to Office 2007. ...

Apple Announces Safari 4 Browser

Feb 24, 2009

Apple today announced the public beta of Safari 4 web browser for Mac and Windows PCs. The Nitro engine in Safari 4 runs JavaScript 4.2 times faster than Safari 3.

Google Chrome 5 beta released

May 06, 2010

(PhysOrg.com) -- Internet search engine giant Google has released a new beta version of its Chrome browser, and it is visibly much faster than the previous version, and faster than most other browsers.

Recommended for you

Hit 'Just Dance' game goes mobile Sept. 25

14 hours ago

Smartphone lovers will get to show off moves almost anywhere with the Sept. 25 release of a free "Just Dance Now" game tuned for mobile Internet lifestyles.

Indie game developers sprouting at Tokyo Game Show

16 hours ago

Nestled among the industry giants at the Tokyo Game Show Thursday are a growing number of small and independent games developers from Asia and Europe, all hoping they are sitting on the next Minecraft.

Review: Ambitious 'Destiny' lacks imagination

17 hours ago

Midway through "Destiny," the new science fiction epic from "Halo" creators Bungie, a smug prince is musing on the hero's desire to visit a mysterious site on Mars.

User comments : 35

Adjust slider to filter visible comments by rank

Display comments: newest first

teledyn
3 / 5 (4) Apr 04, 2011
that's a pretty naive viewpoint; for exactly the reasons you mention, "security by obscurity" has been repeatedly shown to be a far worse strategy than open transparency where everyone who cares about the security can see for themselves if it truly is secure. One need only follow the security alert services to see how often exploits are reported AFTER being exploited in the hidden codebase vs how very very often exploits are reported BEFORE they are exploited in the opensource codebase.

The issue of whether or not to use GMail is also a bit of a naive approach, but perhaps your employer is more flexible than most. Mine regularly releases important documents only as Google Docs, and many orgs now depend on the Google Apps for Your Domain service; if someone sets themselves up to be core infrastructure, it just seems to me they have a social responsibility to be responsible about it, and that means being transparent about it. Most don't, probably the vast majority, but still ...
Quantum_Conundrum
4.8 / 5 (5) Apr 04, 2011
Patenting software is almost ridiculous, seeing as how:

1) Software coding practices are largely standardized, as are the languages themselves.

2) Anyone would want to optimize their code.

3) Optimized code for the same basic algorithm on the same language will be identical, with the exception of variation in variable names and commenting.

4) Optimized code for optimized algorithms compiled on identical compilers will have identical output.

If a patent clerk can reject an energy machine or the use of catalysts in said machine based on the claim that, "Anyone skilled in the art would think to do so...," then patenting software should be impossible based on the fact that, "eventually, anyone skilled in the art would come up with the same optimized code."

Patenting software is basically as absurd as patenting the quadratic formula or Pythagorean Theorem
nada
3.7 / 5 (6) Apr 04, 2011
[g]The Free Software Foundation is at it again, promoting their laudable, if potentially unrealistic, goal to have all software released under a free software license.[/g]

Dear Katie Gatto, If you are planning on being a journalist, you should drop out now and go work at McDonalds. Either that, or work for Fox News.

I don't know how much MORE biased you could have written this. If you're NOT a lawyer then you should not be so smug as to the assumption of legal contracts that are accepted by the use of a licensed piece of software - REGARDLESS of the license.

My company spents millions of dollars of software and lots of time (and the use of special software) to manage and track software licenses. You better believe its big time and a serious situation. It will be worked out based on contract law - NOT your "childish feelings" of what should and should not be free.
prometeomail
5 / 5 (2) Apr 04, 2011
Sorry, wrong place, I thought this was a scientific news site, I do agree with the article but opinions are meant to be included as comments.
PinkElephant
3 / 5 (3) Apr 04, 2011
@QuantumConundrum,
Patenting software is basically as absurd as patenting the quadratic formula or Pythagorean Theorem
Depends on what kind of software. Frequently, patents cover not so much software per se, but a particular algorithm, UI paradigm, or architectural principle. For instance, there are numerous ways to compress a movie. If I invent a new way that's more efficient by some metric, I should be able to patent the algorithm if I so choose.

Keep in mind that patents have a limited shelf life (e.g. in US, they expire after 20 years), so if I somehow manage to discover the absolute best most efficient possible algorithm, it will still be free to use by anyone within just a couple of decades.
Jotaf
5 / 5 (1) Apr 04, 2011
Providing a no-JS version seems like a worthy goal, asking them to release their code as open-source not so much, but then it's the FSF's right to ask Google if they want to (Google doesn't need to comply).

I'm also not a fan of opinions on news articles, or I'd be reading a blog. However, there was some separation between the "news" part and the "opinion" part. If the opinion was in a box or linked to, as opposed to being part of the main news body, I think it would be ok. As long as it's clearly labeled.

About software patents: patenting new algorithms has been done for decades; patenting the exact sequence of holes in a punch card to do it (source-code) seems highly suspicious.
PinkElephant
5 / 5 (1) Apr 04, 2011
patenting the exact sequence of holes in a punch card to do it (source-code) seems highly suspicious.
Nobody does that, AFAIK. It would defeat the whole point of the patent, as it would be relatively trivial to alter the sequence of holes (source code) to do the same thing but in a slightly different way, thereby escaping patent restrictions and evading licensing fee demands. When people file for patents, they always try to make their claims as broad as possible, to prevent competitors from playing fast and loose in precisely such ways.
Piet
5 / 5 (2) Apr 05, 2011
Oops! Doesn't PhysOrg have a chief editor who checks articles on news value and quality before they get published? In case there is a chief editor I think he or she must have had an off day.
jamesrm
3.3 / 5 (4) Apr 05, 2011
"Katie Gatto is an experienced technology blogger, and technophile, who uses both the Mac and Windows systems to manage her online life. She has a M.S. in Information Systems and a B.A. in English.

She has written for several technology sites and writes for a wide range of technology users. From showing Mac users helpful freeware on MacApper, to helping people be more productive through web-ware on AppMag, talking about open source technology on the Alternate Systems blog, she has covered all of the major operating systems."

Shee appears to be a shill
Jotaf
not rated yet Apr 05, 2011
Let's not get crazy James! :P
Kingsix
not rated yet Apr 05, 2011
I just don't see how anyone has the time to care so much about this subject.
CSharpner
5 / 5 (1) Apr 05, 2011
JS is always available as source code to any web user (right-click page, view source). Maybe they're wanting the legal /right/ to reuse it in -addition- to having access to the source too?

I use JS on pretty much 100% of the web apps I write... You pretty much have to. It's usually pretty simple stuff like setting the focus to an edit field, responding to a button click to display an alert box before posting back, etc... sometimes some calculations and rendering new UI controls, client side, or calling a web service. If anyone wants to snip my JavaScript code, there's nothing stopping them. There's never anything worthy of licensing out, nor even reusing, for that matter... It's little snippets that are super-specific to that page to provide a wee bit of UI enhancement on the client side.

No way am I wasting time to write TWO of everything!

Things worthy of reuse are full js libs and Google DOES give away (some?) their js libs.

code.google.com/webtoolkit
code.google.com/p/js-cor
PinkElephant
4.3 / 5 (4) Apr 05, 2011
Maybe they're wanting the legal /right/ to reuse it in -addition- to having access to the source too?
Here's a more detailed exposition on what the GNU/FSF people view as the "JavaScript Trap":

http://www.gnu.or...rap.html
CSharpner
not rated yet Apr 06, 2011
Maybe they're wanting the legal /right/ to reuse it in -addition- to having access to the source too?
Here's a more detailed exposition on what the GNU/FSF people view as the "JavaScript Trap":

http://www.gnu.or...rap.html

Thanks!
Snakiej
5 / 5 (2) Apr 06, 2011
Errrr, GMail DOES offer an HTML view for those browsers who do not support Javascript. What's the problem. Haven't they gotten in the news enough?
TheMojoHand
5 / 5 (2) Apr 06, 2011
The public release of the code for these websites and creation of HTML-only versions of these sites could lead to serious security issues.


You do not seem to be clear on how open source works, as well as the benefits to security it provides.
David_Brower
5 / 5 (4) Apr 06, 2011
If you don't like the Javascript interface, and want pure standards from GMail, use the IMAP interface with Thunderbird or SeaMonkey.

srainsdon
5 / 5 (3) Apr 06, 2011
i might be wrong but being as JavaScript is run in your browser cant you just do a View Source and read it?
firegryphon
3.7 / 5 (3) Apr 06, 2011
I have to say that anyone referencing Stallman loses lots of credibility. FOSS has been here a while, I'll admit, but the fact that we have had proprietary software on our personal computers since the 80s (earlier for some) proves that the world hasn't exploded due to proprietary software. As someone else said, if you want a FOSS interface to GMail use IMAP and the client of your choice. Oddly enough it also means you don't see all those pesky ads which support the service you aren't paying for at all.

Katie, previous commenters were right when they said that it isn't for security by obscurity, since you can see any javascript you want. It is just the fact that Stallman is a "purist" and he should keep using lynx which wouldn't let him get onto GMail or Facebook.
PinkElephant
2.7 / 5 (3) Apr 06, 2011
it isn't for security by obscurity, since you can see any javascript you want
Not quite. One of Stallman's main problems with gmail is that apparently Google obfuscates its javascript (removing whitespace and reducing function/variable names to single-letters, and so on) to the point that reading it (much less comprehending it) becomes a reverse-engineering challenge. This may not be intentional obfuscation to prevent other parties from using the code, so much as an optimization tactic designed to reduce bandwidth demands for page loads. Still, the effect is the same.

Stallman's other big problem with Javascript in general is that Javascript embedded into apps like gmail can't be customized by any third party (including the user); FOSS principles aspire to give any user the flexibility to modify any software or app they're using (or in fact, explicitly reject any software that isn't FOSS.) Javascript has a way of "sneaking in" under the radar along with the HTML content.
CSharpner
4 / 5 (1) Apr 06, 2011
i might be wrong but being as JavaScript is run in your browser cant you just do a View Source and read it?

Yes. But I think part of what they're objecting to is the /optimized/ javascript that's trimmed down to reduce download time, makes it unreadable. But, most, if not all, of Google's js libraries are publicly available in their un-optimized (debug) form.
firegryphon
3.3 / 5 (3) Apr 06, 2011
obfuscates its javascript (removing whitespace and reducing function/variable names to single-letters, and so on) to the point that reading it (much less comprehending it) becomes a reverse-engineering challenge.


That is a joke of an excuse. People writing in c have obfuscated their code by using cute tricks for years making it impossible to read it and I've seen quite a bit of that released as FOSS. If limited white space and single-letter variable names is what he is whining about, then don't let him near any of the ancient legacy F77 or F66 code that somehow still gets used in physics and engineering. He will have to cry himself to sleep after seeing that.
CSharpner
4 / 5 (1) Apr 06, 2011
i might be wrong but being as JavaScript is run in your browser cant you just do a View Source and read it?

Yes. But I think part of what they're objecting to is the /optimized/ javascript that's trimmed down to reduce download time, makes it unreadable. But, most, if not all, of Google's js libraries are publicly available in their un-optimized (debug/human readable) form.
frajo
not rated yet Apr 07, 2011
If limited white space and single-letter variable names is what he is whining about, then don't let him near any of the ancient legacy F77 or F66 code that somehow still gets used in physics and engineering.
Although Fortran code certainly has its drawbacks, readability is no problem - if you are a real programmer. But aligning F66 with F77 in the same statement is a sure sign you are no real programmer.

And IF you wonder why "somehow" fortran "still" gets used THEN begin to wonder why "somewhere" they are "still" using supercomputers instead of Windows-decorated PCs.
smackzippy
5 / 5 (1) Apr 07, 2011
@nada,
[g]Dear Katie Gatto, If you are planning on being a journalist, you should drop out now and go work at McDonalds. Either that, or work for Fox News.

I don't know how much MORE biased you could have written this. If you're NOT a lawyer then you should not be so smug as to the assumption of legal contracts that are accepted by the use of a licensed piece of software - REGARDLESS of the license.[/g]


Really?! Is that necessary? It's one thing to disagree with someone's opinion, but to demonize them for sharing that opinion is uncalled for. If you can't provide a reasoned response for why thier position is incorrect, please don't respond...
Daniel_De_Zwaan
5 / 5 (1) Apr 08, 2011
Gmail is free, and client side JavaScript is open source by definition.

It is possible to de-obfuscate optimised js, and it is possible to extend it.

Nothing to see here.
Norezar
5 / 5 (1) Apr 09, 2011
HTML "Standard View" says hi.
nada
1 / 5 (1) Apr 09, 2011
@nada,
Really?! Is that necessary? It's one thing to disagree with someone's opinion, but to demonize them for sharing that opinion is uncalled for. If you can't provide a reasoned response for why thier position is incorrect, please don't respond...


I don't provide reasoned response to an article that is so clearly yellow journalism.

I also would flame Glenn Beck - as oppose to wasting my time trying to "reason" with him.
tigger
2 / 5 (1) Apr 10, 2011
Holy crap gMail is awesome... get over it... move on from the dinosaur era of email apps and open your mind to a new and better way of working with email.
Eikka
3.5 / 5 (2) Apr 10, 2011
Security by public auditing in Open Source is a double edged sword.

Because most people who look at the code are amateurs who couldn't find a hole from their own behinds. In the worst case, nobody is being paid to do a proper audit, so most of the more obscure problems are never discovered.

Meanwhile, all criminals can look at the code, and they don't have to tell anybody about what they find. They have much more motivation to gain expertise and find the security problems than the unpaid amateur coder that puts his trust on the software because "someone's probably looked at it".

In fact, a rational person would estimate that since the source is available to all, there will be both good and bad people who know about the security holes, and the bad guys aren't telling, so there will be exploits in the software known only to the criminals and thus Open Source won't be secure.
malapropism
4 / 5 (1) Apr 10, 2011
As a sometime application and web-application developer (and now Manager) it seems to me that there are some merits to both sides of this argument.

On the one hand, it can be difficult to make money from totally free software, depending on what the software does and how it does it, and as a general rule I've found that even software developers and their families like to eat.

On the other hand, there appear to be some serious flaws with Stallman's approach and suggestions to the use of JavaScript (or, if you read the linked article on "The JavaScript Trap", other languages that work similarly). The suggestion that, "...a JavaScript program [be considered] nontrivial if it makes an AJAX request, and ... if it defines methods and either loads an external script or is loaded as one" looks fraught with problems.

To start with, even Stallman's suggestion that the source be provided through an '// @source:' link in a header would invoke this rule. (The link downloads an external script.)
malapropism
not rated yet Apr 10, 2011
Secondly, it is difficult to NOT define a method of some description in any JS event handler or larger piece of code.

Thirdly, the JS programming is itself (by definition) loaded as an external "application" (yes, I know, it's arguable what constitutes an "application", hence I've quoted it).

Much more serious though, IMHO is the suggestion that a browser be able to run some modified version (up to a complete replacement set of scripts) of the downloaded JavaScript programming. This seems to offer an open invitation to anybody to hack the code for malicious intent at the server (and if you've never had to deal with a JS-invoked SQL injection attack, go find out about it; and that's an almost trivial attack vector).

Yes, good server-side coding will stop most attacks but it's difficult to be able to guarantee to stop every possible thing. Can any coder claim to know all possible hack modes? Including those yet to be invented?
malapropism
not rated yet Apr 10, 2011
It's easy enough for anyone to provide a link to a source code copy of any JavaScript code already, without the need to invent yet another "tag" (the @source: idea). In fact, since Stallman is so hot on openness, free-ness and Standards, why not suggest this as part of the RDF Standard? Or as a Meta tag? (Oh, wait! You can already do that...)

A major criticism seems to be that browsers "silently load and run..." such programs. Well, quite frankly most users wouldn't want to "ok" every script to run but it's already possible to set the browser to do so if you want (and personally, my FF4 browser includes the "NoScript" add-on which prevents scripts from running silently - including itself at installation - and asks what I want to do with them). So what's the big deal?

And as many others here have noted, the JS is easy enough to grab (view source). Even if it's obfuscated by the minimisation process, this won't stop savvy-enough users looking at it.
malapropism
not rated yet Apr 10, 2011
A criticism of this is that the compacted code (and hence obfuscated through removal of whitespace, reduction of variables to single characters, etc) is not the source code. Well, that too is arguable IMHO. What constitutes source code? Stallman doesn't say but he does argue it's the preferred code to modify (this seems tautological to me).

The source code in this downloaded-app context is what gets compiled, whether it's obfuscated/compacted code or not is irrelevant. (Not considering the vexed issue of pcode or bytecode-style downloads.)

What he's arguing is (human) readability. That's not germane to his argument - free software doesn't imply that it also must be human-readable. (Open source does imply this but open source isn't his argument in that article - it is clearly & specifically about free vs not-free and humanly-readable.)

I'm not against either free or open source software - I use and like a lot of it. But this is a bad and unnecessary idea he's promoting.
frajo
not rated yet Apr 11, 2011
Security by public auditing in Open Source is a double edged sword.
Security by trust in the proprietary source vendor is a sword with how many edges?

Because most people who look at the code are amateurs
That's irrelevant as long as some knowledgeable person looks at it.
In the worst case, nobody is being paid to do a proper audit, so most of the more obscure problems are never discovered.
This worst case doesn't seem to happen in real life as there are always very ambitious unpaid people to detect and remedy zero day exploits. Pragmatism rules, not theory.
In fact, a rational person would estimate that since the source is available to all, there will be both good and bad people who know about the security holes, and the bad guys aren't telling, so there will be exploits in the software known only to the criminals and thus Open Source won't be secure.
A rational person knows that one good guy is enough to tell the truth for all to know.