* Alfred M. Szmidt <a...@gnu.org> [2021-03-16 21:12]: > Webassembly runs in the browser, I click on the URL and > application is in the browser, > > And thats the problem. How do you check that the program you just ran > (pretense) is free software?
In that particular example I have been checking programs that are free software as they are hosted on Github with free software licenses. I gave you hyperlinks as references, you could verify it yourself. Level of verification is never perfect, regardless of the type of software. How do I know that software delivered in Guix or Parabola GNU OS is free software? I do not know, I can just assume as developers claim to be so, and OS-es are endorsed by FSF. On the next level of verification one will find that proprietary pieces may be found in such OS-es and those issues are handled by bug tracker. But I still cannot verify if software is really free software, I would need to verify each upstream and compare it with the one that I got. Then again, how do I know that binary is really free software? I would need to do it on the next higher level of verification. Maybe I would need to re-compile myself and get reproducible build that I become more sure that it is free software, and also not tampered or malicious one. There is practically no difference between Webassembly and packages delivered with GNU OS. > When you download something, you have not executed the program yet, > and can make an informed decision if you wish to run it or not, > e.g., There are various gradients of informed decision as I have demonstrated above. Teenagers will be informed enough if the software they downloaded can run on their computer. They may not go into any verifications. Majority of people will not verify anything. Once I was verifying all software and there were still proprietary issues. That is why we are safer with FSF endorsed GNU OS and other endorsed OS distributions. We rely on trust to FSF or our basic knowledge about the distribution mostly. Majority of people will not go into extensive verifications of each single package. Thus making adequately informed decision is difficult task for any software. For Webassembly, I have been following the list of examples and found the SSH in browser, it is free software and I find it very handy. I can finally use mutt/ssh and handle my stuff on servers through a browser. My way of making informed decision is looking for useful pieces of software that is free and then using it. > if it is free software or not by looking at whatever tar-ball it came > with, examining the license, etc. You can do that with Webassembly in the same way. > That is not normally the case with Javascript or Webassembly -- when > you access the program, you're already executing it It should be by consent of the user -- that is open task to do, to make some plugins to help user consent to each website specifically. LibreJS is good plugin for Javascript, but I think it will not handle Webassembly. In desktop OS, when I access the system like any computer, I am already executing software. Unless I am informed that it is GNU/Linux or other free system, I am already executing it. Majority of users are in this situation, they are not root or administrators or aware users. Majority of GNU/Linux users are in the same situation as you described it, there are many distributions and they are not fully free -- so users will not necessarily know differences. Thus Javascript or Webassembly shall simply by sorted by GNU into same lists, or packages that we are distributed in FSF endorsed distributions. It is the same process of selection of software just as how developers do it now. How do we choose software? By accessing and downloading the indexed and curated list of software that is assumed to be free software because of developers who have set their set of principles. How can we choose Webassembly as free software? By having lists of websites that provide useful Webassembly programs. If such list is not curated by free software enthusiast then one may find some proprietary software inside just as it happened to me with that PDF kit. Firefox is free browser, so GNU OS may ship derivative with Webassembly disabled or with a plugin that may ask if to run software or not. about:config and one can disable javascript.options.wasm not to run it. Easy. To mitigate risks not to run Webassembly or Javascript automatically one can use plugins (if such exists). We could create plugin that white lists the free software websites running Webassembly, where users can report the website to be free software for further review, and otherwise to keep Webassembly blocked. Jean