repo-criteria-discuss

Re: On Gitlab's Javascript code


From: bill-auger
Subject: Re: On Gitlab's Javascript code
Date: Thu, 29 Oct 2020 23:28:11 -0400

On Fri, 30 Oct 2020 02:13:32 +0000 Thomas wrote:
> It is rather straightforward to check any program's license; check
> for licenses in the source code distribution

for the most part, these criteria are not related to the forge
software - they are primarily concerned with the service offered
by individual hosts

the question was WRT the javascript which users of the service
execute - unfortunately, the only way to verify that
conclusively, is to visit the instance with a web browser, and
compare the javascripts which were received, to the
corresponding files in source code; and that must be done, not
once, but every time _any_ page is loaded or reloaded into the
web browser - short of that perpetual tedious exercise, librejs
is the only user-friendly tool which can give any confidence
regarding the licensing of the javascripts

it is an unfortunate property of the web, that the executable
code which one receives, is often unstable and unreproducible -
many of the scripts which the user executes, are not even in the
source code of the server software, nor originate from that same
server where the website is running, but fetched directly by
the user from third-parties - the browser does not verify, in
the way that a package manager would, that the received files
are exactly the ones intended by the developer or the service
operator, and they may contain different code each time the page
is loaded

i don't know if the particular website in question, behaves in
that way; but it is very common, if not the norm - there is no
criteria which states that all javascripts, should be served by
the same host as the forge; and there is no criteria which
states that the javascripts which the user executes, should be
included in the source code of the forge

web software simply can not be audited in the same way as
conventional software - the only way to have software freedom
regarding network services, is to host them yourself; but again,
these criteria are grading specific public hosts, not the
underlying forge software itself



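The check the message describes (visit the instance, collect the scripts the browser would execute, and compare each one against the corresponding file in the forge's source distribution) can be scripted for a single page load. The following is an added example written for this archive page; it is not code from the thread, from GitLab, or from the repo-criteria project. It assumes the page HTML and the script bodies have already been captured (for instance from a browser's save-page or network export) and that the source distribution has been unpacked to a directory; all inputs below are constructed inline so the check runs offline. Scripts are classified as matching a source file byte-for-byte, not found in the source tree, fetched from a third-party host, or inline (no file to compare against). The same function would have to be run on every page load to obtain the per-load assurance the message asks for.

```python
"""Compare the JavaScript a page delivers with a forge's source distribution.

Added example, not part of the mailing-list thread or of any forge project.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attributes, as written in the page
        self.inline = []        # bodies of inline <script> elements
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_page(page_url, html, fetched, source_tree):
    """Classify every script the page would make the browser execute.

    page_url    : URL the page was loaded from (resolves relative src values)
    html        : the HTML exactly as received
    fetched     : dict absolute URL -> bytes of each script body received
    source_tree : dict relative path -> bytes of files in the source distribution
    Returns dict label -> 'matches-source' | 'not-in-source' | 'third-party'
                          | 'not-fetched' | 'inline'
    """
    collector = ScriptCollector()
    collector.feed(html)
    by_hash = {sha256(body): path for path, body in source_tree.items()}
    page_host = urlsplit(page_url).netloc
    report = {}
    for src in collector.external:
        url = urljoin(page_url, src)
        if urlsplit(url).netloc != page_host:
            # fetched by the user from somewhere other than the forge host
            report[url] = "third-party"
            continue
        body = fetched.get(url)
        if body is None:
            report[url] = "not-fetched"
        elif sha256(body) in by_hash:
            report[url] = "matches-source"
        else:
            # served bytes differ from every file in the source tree
            report[url] = "not-in-source"
    for i in range(len(collector.inline)):
        # inline code has no source file to compare with; needs manual review
        report[f"inline#{i}"] = "inline"
    return report


def all_from_source(report) -> bool:
    """True only if every script matched a file in the source distribution."""
    return all(v == "matches-source" for v in report.values())


# Constructed sample inputs: hypothetical host names and file contents.
PAGE_URL = "https://forge.example/project"
SOURCE_TREE = {
    "app/assets/javascripts/main.js": b"console.log('main');\n",
    "app/assets/javascripts/tree.js": b"console.log('tree');\n",
}
HTML = """<html><head>
<script src="/assets/main.js"></script>
<script src="/assets/tree.js"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script>window.cfg = {"theme": "dark"};</script>
</head><body></body></html>"""
FETCHED = {
    "https://forge.example/assets/main.js": b"console.log('main');\n",
    # the served copy carries an extra line that is not in the source tree
    "https://forge.example/assets/tree.js": b"console.log('tree');\nfetch('/track');\n",
}

if __name__ == "__main__":
    result = audit_page(PAGE_URL, HTML, FETCHED, SOURCE_TREE)
    for label, status in result.items():
        print(f"{status:15} {label}")
    print("all scripts from source:", all_from_source(result))
```

Matching is by exact SHA-256 of the received bytes, so a minified or bundled build of a file that is only present unminified in the source tree will report `not-in-source`; reproducing the build and hashing its output instead of the raw sources is the way to close that gap, which is precisely the reproducibility problem the message points at.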