Re: How to ensure not to fall into new Webassembly trap - was Re: Web versions

[Jean Louis]

* Alfred M. Szmidt <ams@gnu.org> [2021-03-17 12:04]:
>    What we can do in GNU in regards to new technologies considered trap,
>    as users will be lured to launch non-free software without possibility
>    to verify it is to expand or extend the LibreJS to verify Webassembly
>    programs for their licenses.
> 
> It is easier, and far more practical to recommend to solve the problem
> in a different manner than try and verify all running code in the
> world.

How? I have proposed how I think it should be implemented.

>    RMS has to get involved on this, as to devise a method how to make
>    sure that Webassembly programs are free software.
> 
> Why don't you take it up and try to devise this method?  It would not
> only be useful for web browsers, but programs in general.

I did not think of technical method, rather strategic, something
similar to LibreJS. I have already made proposal in that same email
that you are referencing now. For me personally I will have to clean
some lists of Webassembly sites to keep it safe.

>    A white list of websites offering Webassembly as free software could
>    be compiled as well.
> 
> It is easier to simply deal with the problem by avoiding running
> random code automagically.  But if you think such a list is possible,
> would you like to start working on it?

I do not program in Javascript.

It is for me natural that such a script or plugin should NOT allow the
execution of Webassembly program unless the program is in the white
list. A plugin could also keep hashes of reproducible Webassembly
programs.

Thus I am and already did mention that Webassembly should be default
be disabled, unless plugin similar to LibreJS tells: this binary here
is safe, it is free software, or maybe that plugin verifies its hash
being reproducible as free software. Users should be able to allow
websites to run Webassembly as they wish, as I may download SSH as
Webassambly and wish to run it from the USB stick for example.

>    Firefox is already warning users of abusive websites reported by
>    users, which run Webassembly.
> 
> If you can convince the firefox developers to do it, it sounds like it
> would be useful.

We can open up ticket and see reactions. But I do not believe
so. Mozilla as foundation does not give me impression to be keen not
to allow non-free software execution, as that is the fundamental
reason why they included Webassembly in the first place. They want to
be in the group of "vendors":
https://developer.mozilla.org/en-US/docs/WebAssembly just as Google,
Apple and Microsoft: https://research.mozilla.org/webassembly/

Convincing an organization to change their fundamental reason why they
included into Firefox is not likely. The fundamental reason is like
you said, to quickly run programs without consent. Now to convince
them to run programs with consent would impede their position as one
of "vendors" in the browser competition. No matter that Mozilla is a
non-profit, they obviously act as profit, not really looking for
users' freedom.

There is option in Firefox to exclude Webassembly, thus that opens up
option to have a plugin but there are no plugins yet. I wonder why in
so many years there is no plugin for users to be warned and to
consent.

I did not see that this plugin works, it did not detect Webassembly in
my Firefox:
https://addons.mozilla.org/en-US/firefox/addon/webassembly-detector/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search

Thus there is so far none workable plugin that would tell to user,
that Webassembly wants to be executed, and ask for consent.

Jean