Make our website's Javascript acceptable to LibreJS

[purcell]

See #3728 and this reddit thread in relation to RMS's assertion that our website has "ethical problems".

In short, we would like to help the GNU LibreJS browser extension to correctly detect that all the Javascript we serve is open source software.

Quoting @artlogic in #3728:

Obviously, the site specific JS could be given a proper LibreJS tag: https://www.gnu.org/software/librejs/manual/html_node/Setting-Your-JavaScript-Free.html

I'm not sure if LibreJS is smart enough to notice that Mithril and moment.js are MIT Licensed (headers exist in their minified source code). Lodash is also MIT licensed, but refers to it's website instead of stating it outright. Cookies.js has no license header and appears to be public domain - see: https://github.com/ScottHamper/Cookies/blob/master/UNLICENSE (I realize both the "MIT License" and public domain are contentious topics).

I'm hoping to make most of these dependencies progressive enhancement, but it would still be nice to understand what LibreJS will do in the above cases. Does anyone know?

[artlogic]

After learning a bit more about LibreJS, I've sent a request to the mailing list in the hopes of whitelisting all the external Javascript. If that's successful, I'll submit a pull request adding the proper headers to melpa.js.

[artlogic]

After learning a bit more about LibreJS, I've sent a request to the mailing list in the hopes of whitelisting all the external Javascript. If that's successful, I'll submit a pull request adding the proper headers to melpa.js.

[purcell]

Thanks! There's probably still something to be done around putting copyright info in melpa.js.

[purcell]

Thanks! There's probably still something to be done around putting copyright info in melpa.js.

[artlogic]

Yup - I'll submit a pull request. I was just waiting to hear back from the LibreJS people.

[artlogic]

Yup - I'll submit a pull request. I was just waiting to hear back from the LibreJS people.

[aplaice]

(Disclaimer: not affiliated with librejs, don't actually use it; think blacklisting of MELPA over such triviality would be stupid)

According to the most comprehensive guide, the easiest way to inform LibreJS that a given js file is FOSS, is using web labels, effectively creating an html file containing a table with the URLs of all the scripts you load (including scripts from other domains!), their licenses and links to their unminified forms.

LibreJS does, indeed recognise some js files as free based on their hash, but I'm not sure how scalable and easily-updatable this approach is. (Currently the list of pre-approved files is here.)

In the case of inline (embedded) javascript one needs to surround all the javascript used with // @license and // @license-end tags (or have a license section in the document header).

For MELPA, all the scripts needed for basic functionality are already free and the following changes should make the site work with LibreJS:

1. change melpa/html/index.html, adding:

    <a href="/jslicense" data-jslicense="1">JavaScript license information</a

somewhere (for example in the footer) and
2. create melpa/html/jslicense with (at least) the following table:

<table id="jslicense-labels1">
    <thead>
      <tr>
        <th>Script</th>
        <th>License</th>
        <th>Source</th>
      </tr>
    </thead>
    <tr>
          <td><a href="//cdnjs.cloudflare.com/ajax/libs/mithril/0.2.0/mithril.min.js">mithril.min.js</a></td>
          <td><a href="http://www.jclark.com/xml/copying.txt">Expat</a></td>
          <td><a href="//cdnjs.cloudflare.com/ajax/libs/mithril/0.2.0/mithril.js">mithril.js</a></td>
    </tr>
    <tr>
          <td><a href="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.8.4/moment.min.js">moment.min.js</a></td>
          <td><a href="http://www.jclark.com/xml/copying.txt">Expat</a></td>
          <td><a href="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.8.4/moment.js">moment.js</a></td>
    </tr>
    <tr>
          <td><a href="//cdnjs.cloudflare.com/ajax/libs/lodash.js/2.4.1/lodash.min.js">lodash.min.js</a></td>
          <td><a href="http://www.jclark.com/xml/copying.txt">Expat</a></td>
          <td><a href="//cdnjs.cloudflare.com/ajax/libs/lodash.js/2.4.1/lodash.js">lodash.js</a></td>
    </tr>
    <tr>
          <td><a href="//cdnjs.cloudflare.com/ajax/libs/Cookies.js/1.1.0/cookies.min.js">cookies.min.js</a></td>
          <td><a href="http://www.jclark.com/xml/copying.txt">Unlicense</a></td>
          <td><a href="//cdnjs.cloudflare.com/ajax/libs/Cookies.js/1.1.0/cookies.js">cookies.js</a></td>
    </tr>
    <tr>
          <td><a href="/js/melpa.js">melpa.js</a></td>
          <td><a href="http://www.gnu.org/licenses/gpl-3.0.html">GNU-GPL-3.0-or-later</a></td>
          <td><a href="/js/melpa.js">melpa.js</a></td>
    </tr>
</table>

(Here are the full files: index.html and jslicense — if you prefer I could send a pull request.)

I've tested this, so it should just work. However, that was on my system for which I had to change the paths (so that melpa "worked") and I might not have changed everything back correctly.

Obviously, this will not make LibreJS accept the twitter or google-analytics javascript, since these are not FOSS, but at least the core functionality will work.

[aplaice]

(Disclaimer: not affiliated with librejs, don't actually use it; think blacklisting of MELPA over such triviality would be stupid)

According to the most comprehensive guide, the easiest way to inform LibreJS that a given js file is FOSS, is using web labels, effectively creating an html file containing a table with the URLs of all the scripts you load (including scripts from other domains!), their licenses and links to their unminified forms.

LibreJS does, indeed recognise some js files as free based on their hash, but I'm not sure how scalable and easily-updatable this approach is. (Currently the list of pre-approved files is here.)

In the case of inline (embedded) javascript one needs to surround all the javascript used with // @license and // @license-end tags (or have a license section in the document header).

For MELPA, all the scripts needed for basic functionality are already free and the following changes should make the site work with LibreJS:

1. change melpa/html/index.html, adding:

    <a href="/jslicense" data-jslicense="1">JavaScript license information</a

somewhere (for example in the footer) and
2. create melpa/html/jslicense with (at least) the following table:

<table id="jslicense-labels1">
    <thead>
      <tr>
        <th>Script</th>
        <th>License</th>
        <th>Source</th>
      </tr>
    </thead>
    <tr>
          <td><a href="//cdnjs.cloudflare.com/ajax/libs/mithril/0.2.0/mithril.min.js">mithril.min.js</a></td>
          <td><a href="http://www.jclark.com/xml/copying.txt">Expat</a></td>
          <td><a href="//cdnjs.cloudflare.com/ajax/libs/mithril/0.2.0/mithril.js">mithril.js</a></td>
    </tr>
    <tr>
          <td><a href="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.8.4/moment.min.js">moment.min.js</a></td>
          <td><a href="http://www.jclark.com/xml/copying.txt">Expat</a></td>
          <td><a href="//cdnjs.cloudflare.com/ajax/libs/moment.js/2.8.4/moment.js">moment.js</a></td>
    </tr>
    <tr>
          <td><a href="//cdnjs.cloudflare.com/ajax/libs/lodash.js/2.4.1/lodash.min.js">lodash.min.js</a></td>
          <td><a href="http://www.jclark.com/xml/copying.txt">Expat</a></td>
          <td><a href="//cdnjs.cloudflare.com/ajax/libs/lodash.js/2.4.1/lodash.js">lodash.js</a></td>
    </tr>
    <tr>
          <td><a href="//cdnjs.cloudflare.com/ajax/libs/Cookies.js/1.1.0/cookies.min.js">cookies.min.js</a></td>
          <td><a href="http://www.jclark.com/xml/copying.txt">Unlicense</a></td>
          <td><a href="//cdnjs.cloudflare.com/ajax/libs/Cookies.js/1.1.0/cookies.js">cookies.js</a></td>
    </tr>
    <tr>
          <td><a href="/js/melpa.js">melpa.js</a></td>
          <td><a href="http://www.gnu.org/licenses/gpl-3.0.html">GNU-GPL-3.0-or-later</a></td>
          <td><a href="/js/melpa.js">melpa.js</a></td>
    </tr>
</table>

(Here are the full files: index.html and jslicense — if you prefer I could send a pull request.)

I've tested this, so it should just work. However, that was on my system for which I had to change the paths (so that melpa "worked") and I might not have changed everything back correctly.

Obviously, this will not make LibreJS accept the twitter or google-analytics javascript, since these are not FOSS, but at least the core functionality will work.

[artlogic]

@aplaice That would certainly be the quickest way to get things going. I have yet to hear back from the LibreJS folks. You can see my request here: http://lists.gnu.org/archive/html/help-librejs/2016-04/msg00000.html

If you have the work done already, and if @purcell agrees, I'd be happy to test your code to verify it works on my system.

[artlogic]

@aplaice That would certainly be the quickest way to get things going. I have yet to hear back from the LibreJS folks. You can see my request here: http://lists.gnu.org/archive/html/help-librejs/2016-04/msg00000.html

If you have the work done already, and if @purcell agrees, I'd be happy to test your code to verify it works on my system.

[aplaice]

I've sent a pull request #3753.

@artlogic it would be great if you could test the change, assuming the approach is one the MELPA maintainers want to take.

[aplaice]

I've sent a pull request #3753.

@artlogic it would be great if you could test the change, assuming the approach is one the MELPA maintainers want to take.

[artlogic]

@aplaice I've tested and commented in the pull request. Unfortunately it looks like we'll need to wait and see about the "unlicensed" piece of code.

[artlogic]

@aplaice I've tested and commented in the pull request. Unfortunately it looks like we'll need to wait and see about the "unlicensed" piece of code.

[artlogic]

@purcell I've emailed the LibreJS maintainer in an attempt to move things along.

Another developer and I have made a couple of requests about whitelisting libraries and licenses on both bug-librejs and help-librejs, but there has been no response. Here are the relevant posts:

http://lists.gnu.org/archive/html/help-librejs/2016-04/msg00000.html
http://lists.gnu.org/archive/html/bug-librejs/2016-04/msg00001.html

I hope you don’t mind me emailing you directly, but we’re attempting to get LibreJS to recognize the MELPA repository website as free software: http://melpa.org/

Is there anything I can do to help make this happen?

[artlogic]

@purcell I've emailed the LibreJS maintainer in an attempt to move things along.

Another developer and I have made a couple of requests about whitelisting libraries and licenses on both bug-librejs and help-librejs, but there has been no response. Here are the relevant posts:

http://lists.gnu.org/archive/html/help-librejs/2016-04/msg00000.html
http://lists.gnu.org/archive/html/bug-librejs/2016-04/msg00001.html

I hope you don’t mind me emailing you directly, but we’re attempting to get LibreJS to recognize the MELPA repository website as free software: http://melpa.org/

Is there anything I can do to help make this happen?

[purcell]

Great -- thanks so much for your help with this.

[purcell]

Great -- thanks so much for your help with this.

[artlogic]

@purcell - I got to thinking, since the hold-up here is Cookies.js, and it's barely used, how would you feel about stubbing out a mock object that would be used if window.Cookies is undefined?

window.Cookies = window.Cookies || {
  get: function () { },
  set: function () { },
  expire: function () { }
};

I'd be happy to submit a pull request if this would be acceptable.

[artlogic]

@purcell - I got to thinking, since the hold-up here is Cookies.js, and it's barely used, how would you feel about stubbing out a mock object that would be used if window.Cookies is undefined?

window.Cookies = window.Cookies || {
  get: function () { },
  set: function () { },
  expire: function () { }
};

I'd be happy to submit a pull request if this would be acceptable.

[purcell]

I'd rather not put too much effort into working around this just for a handful of users. We can consider our options when and if we get a response from the LibreJS folks.

[purcell]

I'd rather not put too much effort into working around this just for a handful of users. We can consider our options when and if we get a response from the LibreJS folks.

[artlogic]

I just heard back from the LibreJS maintainer. He will be adding Unlicense. Additionally, the four libraries will be whitelisted at some point in the future. I don't believe there's any further work to be done on this issue other than testing once LibreJS is updated.

[artlogic]

I just heard back from the LibreJS maintainer. He will be adding Unlicense. Additionally, the four libraries will be whitelisted at some point in the future. I don't believe there's any further work to be done on this issue other than testing once LibreJS is updated.

[aplaice]

@artlogic Thank very much for e-mailing the LibreJS maintainer directly, as it seems to have sped things up considerably (he finally replied both to your initial question and my later one).

@purcell Thank you for merging the patch!

[aplaice]

@artlogic Thank very much for e-mailing the LibreJS maintainer directly, as it seems to have sped things up considerably (he finally replied both to your initial question and my later one).

@purcell Thank you for merging the patch!

[purcell]

Thanks so much for your help with this, folks!

[purcell]

Thanks so much for your help with this, folks!

[tarsius]

So this has been taken care of. (Of course if someone actually installed librejs and reported the result, that would be nice.)

[tarsius]

So this has been taken care of. (Of course if someone actually installed librejs and reported the result, that would be nice.)

[purcell]

I recall trying it at some point, and I think it was fine. I'm sure someone will file a fresh issue if not.

[purcell]

I recall trying it at some point, and I think it was fine. I'm sure someone will file a fresh issue if not.

[To1ne]

The site is fully functional with LibreJS enabled (6.0.13). But there is still a "Complain" tab because the Google Analytics code is non-free (although, I don't mind it being blocked).

[To1ne]

The site is fully functional with LibreJS enabled (6.0.13). But there is still a "Complain" tab because the Google Analytics code is non-free (although, I don't mind it being blocked).