Opened 4 years ago

Last modified 8 months ago

#17393 needs_review enhancement

Make the various javascript on Tor sites be LibreJS-compatible?

Reported by: arma
Owned by: traumschule
Priority: Low
Milestone: WebsiteV3
Component: Webpages/Website
Version:
Severity: Minor
Keywords: defer-new-website, website-bug
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

On reading https://www.gnu.org/software/repo-criteria.html (as pointed out on tor-talk), I came across "B0": "All code sent to the user's browser must be free software and labeled for LibreJS or other suitable free automatic license analyzer".

I don't know anything about the politics behind libre JS or the like, but I know some of the Tor sites use JavaScript, and I also know we're not meaning to keep any of it non-free.

Is there some enthusiastic free software zealot out there who wants to inventory the javascript used on various Tor sites, and move us closer to labeling it all as free?

Child Tickets

Attachments (1)

librejs7.18.2.png (249.1 KB) - added by traumschule 8 months ago.
Right: Default red LibreJS symbol on tpo's onion service Left: The license of debian-os-selector.js is recognized because of the JavaScript Web Labels Table on the [librejs branch](https://github.com/torproject/webwml/pull/45)


Change History (20)

comment:1 Changed 4 years ago by anon

https://www.torproject.org/

  • no script sources

https://blog.torproject.org/blog/

  • no script sources

https://trac.torproject.org/projects/tor

  • no script sources

https://gitweb.torproject.org/

  • no script sources

https://globe.torproject.org/

https://atlas.torproject.org/

Additional inventory as exhibited by Tor Browser on tp.o sites to follow... [ Join in! The more the merrier :) ]


comment:2 Changed 4 years ago by anon

Note that if/when Tor'ed builds of GNU's IceCat browser happen, LibreJS is enabled by default.

If/when Onion services for Tor websites and services are available, per https://trac.torproject.org/projects/tor/ticket/14026, the use of JavaScript on these domains will need to be evaluated.

comment:3 Changed 3 years ago by Sebastian

Keywords: defer-new-website added
Severity: Normal → Minor

comment:4 Changed 2 years ago by Sebastian

Owner: changed from Sebastian to cypherpunks
Status: new → assigned

comment:5 Changed 2 years ago by hiro

Milestone: WebsiteV3

comment:6 Changed 2 years ago by hiro

Keywords: website-bug added

comment:7 Changed 10 months ago by traumschule

Owner: changed from cypherpunks to traumschule

I installed the LibreJS 7.15 .xpi in TB 8.0a10 and had to wait much longer to load previews in trac.

Then I went to http://expyuzz4wqqyqhjn.onion/download/download-easy.html.en and clicked on the LibreJS button.
Result: External script with no known license.
Screenshot: https://share.riseup.net/#gCNX17L2E2ykuz_bprZhug

Compared to the list above, torproject.org degraded during the last three years:

./docs/debian-selector.js
./js
./js/animate.min.js
./js/jquery-migrate-1.0.0.min.js
./js/jquery.infieldlabel.min.js
./js/jquery.min.js
./js/jquery.accordion.min.js
./js/functions.js
./js/jquery.client.min.js
./js/dlpage01.js
./js/jquery-migrate-1.0.0.js
./js/animate.js
./js/functions.min.js
./js/jquery.ba-bbq.min.js

Which license shall we use?

Bookmark: https://www.gnu.org/software/librejs/manual/librejs.html#Free-Licenses-Detection

comment:8 Changed 10 months ago by traumschule

LibreJS 7.16 was just released.

To: help-librejs@gnu.org
Subject: Is LibreJS compatible with onion addresses?
Date: Wed, 5 Sep 2018 23:47:47 +0200

Hi,

the Torproject is about to license all used JavaScript under
LibreJS[1]. I tested a script with two methods specified on your
manual[2]. However the installed LibreJS 7.15 addon used in Tor Browser
8[3] was not able to recognize the source specification of the tested
onion address[4].

The license is defined in the script itself and the Web Labels table.

Did we make a mistake?

Best,
Traumschule

[1] https://torproject.org/projects/tor/ticket/17393

[2] https://www.gnu.org/software/librejs/free-your-javascript.html

[3] https://torproject.org/download/download-easy.html

[4]
http://yslc6nb5fftewvbmxlkdm3h3b42feesug7qebc2a42xsgeesp4llkayd.onion/docs/debian.html

comment:9 Changed 10 months ago by traumschule

LibreJS 7.16 recognizes the link to a JavaScript Web Labels table. It can be placed anywhere in the site, but not in comments:

<a href="<page about/javascript>" data-jslicense="1">JavaScript license information</a>

The result is that all JavaScript on the page is qualified with Free licenses (GPL-2.0):
https://share.riseup.net/#B7FX1hAfLjz9Y2VGam3w4Q (screenshot)

It seems that the content of the linked page does not change the result as it was tested with an empty page and with a table listing the scripts by name.

A license definition only at the head of the loaded script, as described in 3.2.4 Stylized comment, however is not recognized, or I made a mistake:
http://yslc6nb5fftewvbmxlkdm3h3b42feesug7qebc2a42xsgeesp4llkayd.onion/docs/debian-selector.js

Based on this, I propose to place the link to the Web Labels table in the footer to appear on all pages of our site.

It is good to know that it works well with onion addresses.

comment:10 Changed 10 months ago by traumschule

Status: assigned → needs_review

https://github.com/torproject/webwml/pull/45

While creating the table, it was not quite possible to find the exact origin of all our jQuery libraries. I used EFF's jslicense list as a reference. This page describes the issues creating an inventory of used js in mediawiki quite well. For example, searching for jQuery Client libraries leads to no exact result, so it is hard to decide which version we are using, from which origin, and how much it was modified. git blame helped to find editors of our specific files; if in doubt, we can interview Andrew Lewman, who added most of the jQuery libraries. If you find any wrong links in the table, please let me know.

comment:11 Changed 10 months ago by arma

Are all of these javascript things actually free software? I want to make sure we aren't just taking the random javascript we got from somewhere on the internet and slapping a free software license on it (because that's not how software licensing works).

comment:12 Changed 10 months ago by traumschule

Priority: Medium → Low
Reviewer: hiro
Status: needs_review → needs_information

I trust the committers below that the source is properly stated and, if none, that the script has been written by themselves. To confirm, we should ask Hiro and Andrew.

./docs/debian-selector.js
3e230b9e6 (Peter Palfrader 2017-03-19 18:23:54 +0100   1) // This code is based on the http://mozilla.debian.net sources.list
3e230b9e6 (Peter Palfrader 2017-03-19 18:23:54 +0100   2) // generator as originally written by Mike Hommey. It is licensed under
3e230b9e6 (Peter Palfrader 2017-03-19 18:23:54 +0100   3) // the terms of the GNU GPLv2, http://www.gnu.org/licenses/gpl-2.0.html.

./js/functions.js
17643b019 (hiromipaw 2017-06-16 11:16:38

./js/animate.js
17643b019 (hiromipaw 2017-06-16 11:16:38

./js/dlpage01.js
18489e4b4 (Andrew Lewman        2011-08-29 02:37:19

./js/jquery.client.min.js
18489e4b4 (Andrew Lewman        2011-08-29 02:37:19

./js/jquery.min.js
baa9466e3 (Nima Fatemi 2015-12-08 19:10:09 +0000 1) /*! jQuery v1.11.3 | (c) 2005, 2015 jQuery Foundation, Inc. | jquery.org/license */

./js/jquery.accordion.min.js
8bd8f2803 (Andrew Lewman 2011-09-28 12:48:57

./js/jquery-migrate-1.0.0.js
86c5276a1 (hiromipaw 2017-06-16 11:57:59 +0200   2)  * jQuery Migrate - v1.0.0 - 2013-01-14
86c5276a1 (hiromipaw 2017-06-16 11:57:59 +0200   3)  * https://github.com/jquery/jquery-migrate
86c5276a1 (hiromipaw 2017-06-16 11:57:59 +0200   4)  * Copyright 2005, 2013 jQuery Foundation, Inc. and other contributors; Licensed MIT

./js/jquery.infieldlabel.min.js
4981006d4 (Andrew Lewman 2011-09-13 19:28:18 +0000  2)  * In-Field Label jQuery Plugin
4981006d4 (Andrew Lewman 2011-09-13 19:28:18 +0000  3)  * http://fuelyourcoding.com/scripts/infield.html
4981006d4 (Andrew Lewman 2011-09-13 19:28:18 +0000  4)  *
4981006d4 (Andrew Lewman 2011-09-13 19:28:18 +0000  5)  * Copyright (c) 2009 Doug Neiner
4981006d4 (Andrew Lewman 2011-09-13 19:28:18 +0000  6)  * Dual licensed under the MIT and GPL licenses.
4981006d4 (Andrew Lewman 2011-09-13 19:28:18 +0000  7)  * Uses the same license as jQuery, see:
4981006d4 (Andrew Lewman 2011-09-13 19:28:18 +0000  8)  * http://docs.jquery.com/License
4981006d4 (Andrew Lewman 2011-09-13 19:28:18 +0000  9)  *
4981006d4 (Andrew Lewman 2011-09-13 19:28:18 +0000 10)  * @version 0.1

./js/jquery.ba-bbq.min.js
87c425b7a (Andrew Lewman 2012-04-25 04:41:44 +0000  2)  * jQuery BBQ: Back Button & Query Library - v1.2.1 - 2/17/2010
87c425b7a (Andrew Lewman 2012-04-25 04:41:44 +0000  3)  * http://benalman.com/projects/jquery-bbq-plugin/
86c5276a1 (hiromipaw     2017-06-16 11:57:59 +0200  4)  *
87c425b7a (Andrew Lewman 2012-04-25 04:41:44 +0000  5)  * Copyright (c) 2010 "Cowboy" Ben Alman
87c425b7a (Andrew Lewman 2012-04-25 04:41:44 +0000  6)  * Dual licensed under the MIT and GPL licenses.
87c425b7a (Andrew Lewman 2012-04-25 04:41:44 +0000  7)  * http://benalman.com/about/license/

Above website states:

All of the original JavaScript, PHP, and other code samples, plugins, and snippets offered on this site are Copyright © 2010 “Cowboy” Ben Alman and dual licensed under the MIT and GPL licenses (except where the transition is not yet complete, and the code is still just MIT licensed).

comment:13 Changed 9 months ago by traumschule

I wonder if we should add js for metrics and blog to the list.

comment:14 Changed 9 months ago by traumschule

Came across these comments in dlhead.wmi:

# /* jQuery */
  </script>
  <script type="text/javascript" src="../js/jquery.client.min.js">
/* "jQuery Browser And OS Detection Plugin" by Stoimen
   Source: http://www.stoimen.com/blog/2009/07/16/jquery-browser-and-os-detection-plugin/
   License: Public Domain (http://www.stoimen.com/blog/2009/07/16/jquery-browser-and-os-detection-plugin/#comment-12498) */
  </script>
  <script type="text/javascript" src="../js/jquery-migrate-1.0.0.min.js"></script>
  <script type="text/javascript" src="../js/jquery.ba-bbq.min.js">
/*  Source: https://raw.github.com/cowboy/jquery-bbq/v1.2.1/jquery.ba-bbq.js */
  </script>
  <script type="text/javascript" src="../js/dlpage01.js">
# /* Displays detected section */
  </script>
  <script async type="text/javascript" src="../js/jquery.accordion.min.js">
/* Modified version of "Stupid Simple jQuery Accordian Menu" originally developed by Ryan Stemkoski
   Source: http://www.stemkoski.com/stupid-simple-jquery-accordion-menu/
   License: Public Domain (http://www.stemkoski.com/stupid-simple-jquery-accordion-menu/#comment-32882) */
  </script>

This find deserves a new commit.

comment:15 Changed 9 months ago by traumschule

Status: needs_information → needs_review

comment:16 Changed 9 months ago by traumschule

Time for another test round: LibreJS 7.17

This release introduces a new interface for management of the whitelist/blacklist, along with several bug fixes:

  • Temporary hiding complain to owner feature until ready for prime time.
  • Adjust directory layout and packaging to allow Storage.js to be shared with the settings page in the xpi release.
  • Refactored panel visual styles to be reused by the settings page.
  • Support for batch async list operations.
  • Fix navigating the same url with # erases activity report information.

comment:17 Changed 8 months ago by traumschule

Status: needs_review → needs_revision

comment:18 Changed 8 months ago by traumschule

Testing LibreJS 7.18 (2 Nov 2018) now:

This is a bugfix release containing:

* Corrections to the checks for trivial scripts
* Correctly handle scripts that are embedded as attributes (onclick,
onload, etc) or as links (href="javascript:...")
* Updated manual
* More generalized license matching, accounts for some common mistakes
in license tags, and allow to match by either license tag, canonical url
or magnet link.

https://lists.gnu.org/archive/html/info-gnu/2018-11/msg00001.html

Changed 8 months ago by traumschule

Attachment: librejs7.18.2.png added


comment:19 in reply to:  9 Changed 8 months ago by traumschule

Reviewer: hiro
Status: needs_revision → needs_review

Retested the functionality of LibreJS 7.18:

Replying to comment:9:

> LibreJS 7.16 recognizes the link to a JavaScript Web Labels table. It can be placed anywhere in the site, but not in comments
> The result is that all JavaScript on the page is qualified
> It seems that the content of the linked page does not change the result as it was tested with an empty page and with a table listing the scripts by name.

This has been fixed with 7.18. Now it also correctly parses the table and recognizes when scripts are missing.

> A license definition only at the head of the loaded script as described in 3.2.4 Stylized comment however is not recognized

Also fixed.

> Based on this, I propose to place the link to the Web Labels table in the footer to appear on all pages of our site.

Seconding myself.

I suggest we are done here.
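
The check discussed in comment:9 and comment:19 (find the `data-jslicense="1"` link outside comments, read the Web Labels table, and report scripts the table does not cover) can be sketched as follows; this is an added example, not code from webwml or LibreJS. Assumptions: the example.org URLs, the placeholder license link, the table id `jslicense-labels1` and the three-link row layout (script, license, source) are not taken from this ticket, the regex parsing is only adequate for this constructed markup, and license identifiers are not validated.

```javascript
// Added example, not webwml or LibreJS code. All HTML is constructed sample input.
const PAGE_URL = "https://www.example.org/download/download-easy.html.en";
const PAGE = `<head>
<script type="text/javascript" src="../js/jquery.min.js"></script>
<script type="text/javascript" src="../js/jquery.client.min.js"></script>
<script async type="text/javascript" src="../js/dlpage01.js"></script>
</head><body>
<a href="/about/javascript.html" data-jslicense="1">JavaScript license information</a>
</body>`;
// Constructed labels table: each row links the script, its license and its source.
const row = (f) => `<tr><td><a href="/js/${f}">${f}</a></td>
  <td><a href="https://example.org/license-placeholder">license</a></td>
  <td><a href="/js/src/${f}">source</a></td></tr>`;
const LABELS = `<table id="jslicense-labels1">
${row("jquery.min.js")}${row("jquery.client.min.js")}</table>`;

// Links and scripts inside HTML comments must not count.
const stripComments = (html) => html.replace(/<!--[\s\S]*?-->/g, "");

// Absolute URL of the first <a data-jslicense="1"> outside comments, or null.
function findLabelsLink(html, pageUrl) {
  for (const [tag] of stripComments(html).matchAll(/<a\b[^>]*>/gi)) {
    const href = /\bhref="([^"]*)"/i.exec(tag);
    if (/\bdata-jslicense="1"/i.test(tag) && href) return new URL(href[1], pageUrl).href;
  }
  return null;
}

// Paths of all external scripts the page loads, resolved against the page URL.
function scriptPaths(html, pageUrl) {
  const tags = stripComments(html).matchAll(/<script\b[^>]*\bsrc="([^"]*)"/gi);
  return [...tags].map((m) => new URL(m[1], pageUrl).pathname);
}

// Script paths that have a complete row (three links) in the labels table.
function labelledPaths(tableHtml, tableUrl) {
  const covered = new Set();
  for (const [tr] of stripComments(tableHtml).matchAll(/<tr\b[\s\S]*?<\/tr>/gi)) {
    const links = [...tr.matchAll(/<a\b[^>]*\bhref="([^"]*)"/gi)].map((m) => m[1]);
    if (links.length >= 3) covered.add(new URL(links[0], tableUrl).pathname);
  }
  return covered;
}

// Report the labels URL and every loaded script the table does not cover.
function auditPage(pageHtml, pageUrl, labelsHtml) {
  const labelsUrl = findLabelsLink(pageHtml, pageUrl);
  const covered = labelsUrl ? labelledPaths(labelsHtml, labelsUrl) : new Set();
  return { labelsUrl, missing: scriptPaths(pageHtml, pageUrl).filter((p) => !covered.has(p)) };
}

console.log(auditPage(PAGE, PAGE_URL, LABELS));
```

Passing an empty string as the labels page reports all three scripts as missing, which is the case comment:9 found LibreJS 7.16 did not catch.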
