[GNU-linux-libre] youtube-dl might be running non-free software from web


From: Adonay Felipe Nogueira
Subject: [GNU-linux-libre] youtube-dl might be running non-free software from webpages
Date: Wed, 19 Apr 2017 11:55:23 -0300
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

To clarify: I'm a LibreJS proponent, not a NoScript proponent.

This issue seems to affect at least: Trisquel, Guix (and GuixSD),
Parabola.

Backstory paragraph: Earlier on the trisquel-users mailing list, people
questioned how to watch YouTube videos with free/libre software, and so
I jumped in suggesting to them that, while this is possible, society should
publish videos in places that use, for example, GNU MediaGoblin and
GNUnet. Some people asked about Vimeo and Internet Archive. However, I
told them that these hold the exact same problems against the *average
site visitor* (i.e.: non-free video formats being provided by default,
non-free JS being forced by default). By "average" I mean those who
don't have JS disabled and those who have no non-free JS blocker.

Sometime later, the discussion changed slightly after reports from some
people saying that youtube-dl can run arbitrary code through
[[https://listas.trisquel.info/pipermail/trisquel-users/2017-April/076773.html]["jsinterp.py";
JavaScript interpreter script]].

At first,
[[https://listas.trisquel.info/pipermail/trisquel-users/2017-April/076787.html][evaluators
thought the capability of such script to be limited]]; however,
[[https://listas.trisquel.info/pipermail/trisquel-users/2017-April/076820.html][lcerf
argues]] that this script has things that make it Turing-complete, and
argues that, with this, the problem is not the interpreter script
itself, but the code that it interprets. lcerf also questions if this
interpreter script is taking arbitrary code from the web.

[[https://listas.trisquel.info/pipermail/trisquel-users/2017-April/076844.html][Another
user answered]] lcerf's question saying that it might be, because it's
set up to do so --- but he doesn't know if this is the actual case. And
also says that the module containing the JavaScript interpreter is
imported by another script at "extractor/youtube.py", and the same user
points to parts of the code that make use of such JavaScript
interpreter.

Later on,
[[https://listas.trisquel.info/pipermail/trisquel-users/2017-April/076931.html][people
summarized what is happening and where to go from here]],
[[https://listas.trisquel.info/pipermail/trisquel-users/2017-April/076935.html][lcerf
took a look at ViewTube GreaseMonkey userscript]], and
[[https://listas.trisquel.info/pipermail/trisquel-users/2017-April/076940.html][I
made some suggestions to recommend for average users]].


Respectfully, Adonay.
-- 
- [[https://libreplanet.org/wiki/User:Adfeno]]
- Speaker and consultant on free /software/ (not to be confused with
  gratis).
- "WhatsApp"? It isn't free, so I don't use it. Among similar programs
  I prefer GNU Ring, or Tox. Want other ways to contact me? Add the
  vCard at the address above to your contacts.
- Planning to send me .doc, .ppt, .cdr, or .mp3 files? OK, I accept
  them, but I don't pass them on. I deliver only in formats favorable
  to free /software/. Please get in touch if in doubt.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]