% Restore Online Freedom!
%
% Copyright (C) 2016 Mike Gerwitz
%
% This work is licensed under a Creative Commons Attribution-ShareAlike
% 4.0 International License.
%
% You should have received a copy of the license along with this
% work. If not, see <http://creativecommons.org/licenses/by-sa/4.0/>.
%%

\documentclass[pdf,red]{beamer}
\mode<presentation>{}
\usetheme{Boadilla}

%% preamble
\title{Restore Online Freedom!}
\author{Mike Gerwitz}
\date{20 March, LibrePlanet 2016}

\usepackage{listings}

% hide pesky navigation
\setbeamertemplate{navigation symbols}{}

\def\hangleft#1{%
\settowidth{\dimen0}{#1}%
\hspace*{-\dimen0}%
#1%
}


\def\lecture#1{}

\begin{document}


%%%=== BEGIN TIMEBLOCK 6.5m ==============================================

\begin{frame}
\titlepage

\lecture{So I'm here to talk to you about some problems. Too many
problems for this talk---I had to gut this presentation for
length countless times. A better term might be
``eviscerate''. Problems that are fundamental to the Web today,
and don't have a trivial solution. My hope is to encourage
discussion on these issues, since not enough people are talking
about them.}
\end{frame}


\begin{frame}{Who am I?}
\lecture{Well, I'm Mike Gerwitz.}

\begin{itemize}
\item Long-time free software hacker and activist
\lecture{I'm a long-time free software hacker and activist}

\item GNU volunteer, software evaluator, and part of maintainers team
\lecture{and volunteer for the GNU project. I'm part of the small
team of evaluators for GNU project submissions, and I'm what
I'd call a trainee on the maintainers team.}

\item Author of GNU ease.js
\lecture{I'm also the author of GNU ease.js, a classical
object-oriented framework for JavaScript licensed under the
GNU GPLv3+.}

\lecture{I've been involved in web development to at least some capacity}
\item 10+ years of web development
\lecture{for well over ten years. But possibly just as importantly,
I've been a \emph{user} of the web for even longer. Now, I'm
26---I'm not part of the generation that was swiping at
newspapers when they were babies, wondering why nothing was
happening, but I did grow up with the Internet.}

\begin{itemize}
\item<2-> The Web has \only<2>{changed}\only<3->{{\bf worsened}} a lot
\lecture{And as I'm sure all of you here can attest to---and I'm
really stating the obvious here---the Internet has changed a
\emph{lot} in the past ten, fifteen years. In fact, it's had
a version change---the so-called ``Web 2.0''! Which, to
clarify, is just jargon; there's not actually a version
change.}

\lecture{But I suppose I could phrase this in another way: the
Web has also \emph{worsened} a lot in the past ten
years. A version bump isn't always an upgrade.}
\end{itemize}
\end{itemize}
\end{frame}


\begin{frame}{``But the Web is great!''}
\lecture{``But the web is great!'', you'll hear people say.}

\begin{itemize}
\item<2-> The Web has improved \emph{technically}
\lecture{Yes, the web has improved \emph{technically}---}

\begin{itemize}
\item<2-> Modern software on the web rivals traditional desktop
software
\end{itemize}
\lecture{you can do things on the web today that were
\emph{unfathomable} ten years ago. I don't think any
rational person who's seen the~transition over the past
ten-plus years would argue that.}

\lecture{But we're talking about \emph{freedom}.}

\item<3-> The truth is: the Web has become alarmingly hostile and
freedom-denying toward users
\lecture{The sad truth is: the web has become increasingly \emph{hostile} and
freedom-denying toward its users. And that's not progress;
technical advancements are great, but \emph{not when they
deny users their freedoms}.}

\item<4-> Freedom trumps all.
\lecture{\emph{Freedom trumps all.} So we can say that, while Web~2.0
was a \emph{technical} upgrade, it has been an alarmingly
progressive \emph{downgrade} for users' freedoms.}
\end{itemize}
\end{frame}


\begin{frame}{Interoperability}
\begin{itemize}
\item<1-> Fundamental building blocks are standardized (W3C)
\lecture{Normally when we talk about the ``Web'', as opposed to the
``Internet'' as a whole, we're referring to something that
you would access using a web browser.}
\lecture{Technically, you can include anything on the
Web---certain formats will just invoke external programs or
trigger a download. But as far as web pages go, they
traditionally consist of HTML}
\begin{itemize}
\item<1-> HTML---Describes the document
\lecture{which describes the~document, and CSS}

\item<1-> CSS---Describes the document style (appearance)
\lecture{which describes the~document \emph{style}---how it looks,
what font to render in, the background color, et cetera.}

\item<1-> HTTP---Communication protocol
\lecture{Most of this communication is done using the HTTP
protocol, which defines how the server and client
communicate. All of this is standardized by the
W3C---the World Wide Web Consortium.}

\lecture{Back in the day, most every reaction to user input
involved loading a new webpage. You're seeing less and
less of that today---many web pages look and behave more
like \emph{software} than documents. You might hear the
term ``single-page'' programs.}

\item<2-> JavaScript---Embed programs in web browser
\lecture{The standard way to do this today is with a language
called JavaScript.}
\end{itemize}

\item<3-> Any software can interact freely
\lecture{Given these standards, you're free to use whatever software
you choose! Everything is interoperable, on both the server
and the client. And this is incredibly important for user
freedom, and essential for free software.}

\item<3-> Threatened in the past: Java applets, ActiveX, Flash,
Silverlight, and other proprietary/non-standard software
\lecture{Now that's been threatened in the past by other proprietary
systems for embedding software in the browser. The most
popular ones include Java applets, ActiveX, Flash, and
Silverlight. Those were dark ages.}

\item<3-> Threatened today: Encrypted Media Extensions (EME)
\lecture{But we do in fact have another looming threat---the Encrypted
Media Extensions proposal being considered by the W3C which
would effectively introduce DRM as a \emph{standard} for the
Web. A \emph{standardized} way to betray users. We must
oppose it, and I encourage you to join us in protest just
outside the conference tonight at 6:45.}

\item<4-> Now the greatest threat is JavaScript
\lecture{But an \emph{existing} standard is now our greatest
threat. JavaScript.}
\end{itemize}
\end{frame}


\begin{frame}{What is JavaScript?}
\lecture{So what is \emph{JavaScript}?}

\begin{itemize}
\item<1-> ECMAScript (Standard: ECMA-262; ISO/IEC 16262)
\lecture{Formally, it's ECMAScript, which is the standard defining the
language. But browsers tend to incorporate their own
features beyond the standard, which we include under the
umbrella of ``JavaScript''.}

\item<1-> Traditionally: Browser-based, client-side scripting language
\lecture{JavaScript started out in the web browser, specifically
Netscape in 1995. It was used on the server as well at the
time, but that's not where it flourished.}

\item<2-> Today: General-purpose programming language
\lecture{But today it has evolved into a popular general-purpose
scripting language, used on both the client and the
server.}

\begin{itemize}
\item<2-> Heavily popularized by Node.js
\lecture{But it wasn't until Node.js that it exploded in
popularity, and is oftentimes even \emph{preferred} by
some to other languages on the server. I'm not getting
into \emph{that} debate today.}
\end{itemize}

\item<3-> ``Assembly language'' of the web
\lecture{It's often called the ``assembly language'' of the web,
because there is an ever-growing number of languages that
compile into it---if you want code running in the browser,
the standard way to do it is by using JavaScript.}
\begin{itemize}
\item<3-> Subset: asm.js
\item<3-> Soon: WebAssembly (WebASM)
\lecture{But there are properties of the language that don't make
it ideal for being the compiler target for all things on the
web. One popular method is a subset of JavaScript called
asm.js that is more effectively optimized. But now we
have a low-level language on the horizon called
WebAssembly, which is intended as a compiler target for
C/C++ code. So expect these issues I'm about to describe
to only propagate further in the future as it becomes
more and more trivial to write software for the web.}
\end{itemize}
\end{itemize}
\end{frame}

%%%=== END TIMEBLOCK 6.5m ==============================================


%%%=== BEGIN TIMEBLOCK 8m ==============================================

\begin{frame}{The Illusion of Remote Execution}
\lecture{Perhaps one of the greatest dangers of software on the Web is the
illusion of remote execution---}

\begin{itemize}
\item<1-> Looks like the web page is manipulating itself
\begin{itemize}
\item<1-> Many consider the web page as a remote resource, not a local
copy of that resource
\end{itemize}
\lecture{the illusion that, because the program is manipulating and
appears to be a part of the web page, that it must be
executing in a magical remote place.}

\item<2-> JavaScript programs run \emph{on the client}
\lecture{But it's not. JavaScript programs are executed \emph{on your
computer, by your web browser}: the program is downloaded
just like any other resource and interpreted by a JavaScript
engine in your browser.}

\item<3-> Illusion inhibits consideration of freedoms
\lecture{This is an important distinction, because we can't begin to
consider how to exercise our four freedoms if we can't even
get around to the fact that the program is actually running
on our computer.}
\end{itemize}
\end{frame}


\begin{frame}[plain]{}
\begin{center}
\center\includegraphics[width=0.9\textwidth]{images/you-win.png}

Would you run some random website's program on your computer?
\end{center}

\lecture{(Read slide)}
\end{frame}


\begin{frame}[plain,c]{}
\lecture{Well, you do. Or at least many of you.}

\begin{center}
Well, you do.
\end{center}

\lecture{If only our web browser gave us a warning like that. But
instead, it's silent. And this is more dangerous than a phishing
attack---because at least when the user is presented with
\emph{this} (return to previous slide), they have a \emph{chance}
to be suspicious.}
\end{frame}


\begin{frame}{Covert Ephemeral Software}
\begin{itemize}
\item<1-> Browser downloads and executes arbitrary, often non-free software
\begin{itemize}
\item<1-> (Automatically clicks the download button for you!)
\end{itemize}

\lecture{But no---our web browsers are being stupid on our behalf!}

\item<2-> Most users have no idea this is happening
\lecture{And most users---even many technical ones---really don't have
any idea that this is happening. Because they don't think
about it like that.}

\begin{itemize}
\item<2-> How would they?
\lecture{You can be taught to be suspicious of sites advertising
awards and such, but when a site offers no indication at
all, then what exactly do you teach? What do you tell
them to be suspicious of? Instead, it's just a website.}

\item<2-> Most who \emph{do} know don't care.
\lecture{But then there are those who are well aware of what is
going on. Many of those are web developers---the same
people that \emph{write} this covert software. And
surprisingly, at least from my experience, most of them
don't care. Many instead take the stance that it would
be silly to consider disabling it and quote-unquote
``break'' websites. They don't consider that they're
already broken by robbing users of their freedoms and
privacy.}
\end{itemize}

\item<3-> Ephemeral software
\lecture{And then at the end, the software disappears, leaving no
trace except for some persistent data storage. A browser
doesn't list all the scripts that it executes as
``installed software'' like it would an addon. Users won't
know that they were running software. The software is
ephemeral.}
\end{itemize}
\end{frame}


\begin{frame}[c]{Just Say ``Yes!''}
\lecture{So if we adopt the philosophy of those who really don't care,
then life becomes a hell of a lot easier. Just saying ``yes''
all the time is much less confrontational; especially when
your web browser is doing it for you. And this makes a lot of
people pretty excited! Like...}

\begin{center}
\only<2>{Advertisers}
\lecture{Advertisers! You say ``yes!'' to their spyware that tracks
and analyzes you.}

\only<3>{Crackers \& Script Kiddies}
\lecture{Crackers and script kiddies love you too. You happily say
``yes!'' to their payloads.}

\only<4>{Governments (also Crackers \& Script Kiddies)}
\lecture{Governments! Also crackers and script kiddies. They like to
broadly distribute exploits in the hope of maybe catching a
criminal. One such exploit was a 0-day used by the FBI to
deanonymize Tor users, guilty or not.}

\only<5>{ISPs (Like Comcast)}
\lecture{And what about the entity you depend on the most for your
communications online? In November of last year it was
discovered that Comcast was MITM'ing customers to inject
JavaScript into non-SSL webpages to inform customers of
copyright violations. Oh yes.}

\only<6>{People who want to show off their cool stuff}
\lecture{There are certainly other malicious actors, but not everyone
has bad intentions---you also have hackers that just want to
show you their cool new programs. And I think a
lot of people fall into this group---I don't think many of them
are being intentionally malicious.}
\end{center}
\end{frame}


\begin{frame}[c]{Just Say ``Yes!''...and ``Yes!'' and ``Yes!'' and ``Yes!''...}
\begin{itemize}
\item<1-> Everyone expects their code to run, always, or there's
something wrong with your browser

\lecture{So if your browser doesn't default to saying ``yes'' to
untrusted, random, freedom-denying, possibly malicious
programs, then your browser is broken. This is in fact a big
deterrent for common-sense freedom and security practices: the
Tor Browser Bundle, for example---although it comes with
NoScript installed---does not block any websites by default,
even though it would make its users safer.}

\item<2-> But most browsers today give you a binary choice:
\lecture{But let's say you are one of those people who might be a
little uncomfortable with this situation, and want to do
something about it. Well, with most browsers, what are your
options?}

\begin{enumerate}[<+->]
\item<2-> No---disable JavaScript
\lecture{You could disable JavaScript completely. But there might
be \emph{some} things that you'd like to run.}

\item<2-> Yes---run everything!
\lecture{Or you could run everything! Good choices here. These
are clearly not choices that take these issues into
consideration.}
\end{enumerate}

\lecture{Now, many people will simply say, ``Well, I trust the sites I
visit.''}
\item<3-> You aren't just running that site's JavaScript
\lecture{But it's very important to understand that you aren't just
running the programs for that website. That website might
also include code from other servers---like CDNs. It might
inject other code like the Google Analytics spyware. And
what if the site is compromised, or susceptible to an XSS
attack, and an attacker loads additional scripts?}
\end{itemize}
\end{frame}


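The slide above says a visit runs more than the visited site's own JavaScript: other servers' code, inline code, and anything added to a non-SSL page in transit. The following is an added example, not part of the original talk, that inventories a page's scripts by who serves them; the function name inventoryScripts, the report fields and the sample URLs are assumptions made for illustration.

```javascript
"use strict";

// Group the scripts a page asks the browser to run by who serves them.
// `scripts` is any list of objects with `src` and `textContent`; in a
// browser console, [...document.scripts] has that shape.
function inventoryScripts(pageUrl, scripts) {
  const page = new URL(pageUrl);
  const report = {
    // The page itself arrived over plain HTTP, so anything in it, inline
    // scripts included, could have been altered or added in transit.
    pageInsecure: page.protocol === "http:",
    firstParty: [],   // external scripts from the page's own origin
    thirdParty: {},   // other origin -> script URLs it serves
    inlineCount: 0,   // non-empty scripts embedded in the document
    insecure: [],     // external scripts fetched over plain HTTP
    other: [],        // data:, blob: and anything else that is not http(s)
  };

  for (const s of scripts) {
    const src = String(s.src || "").trim();
    if (src === "") {
      if (String(s.textContent || "").trim() !== "") report.inlineCount += 1;
      continue;
    }

    let url;
    try {
      // Resolves relative ("/app.js") and protocol-relative ("//host/x.js") forms.
      url = new URL(src, page);
    } catch (err) {
      report.other.push(src);
      continue;
    }
    if (url.protocol !== "http:" && url.protocol !== "https:") {
      report.other.push(src);
      continue;
    }

    if (url.protocol === "http:") report.insecure.push(url.href);

    if (url.origin === page.origin) {
      report.firstParty.push(url.href);
    } else {
      if (!report.thirdParty[url.origin]) report.thirdParty[url.origin] = [];
      report.thirdParty[url.origin].push(url.href);
    }
  }
  return report;
}

// Constructed sample: what [...document.scripts] might yield on one page.
const SAMPLE_PAGE = "https://shop.example/cart/view";
const SAMPLE_SCRIPTS = [
  { src: "/static/app.js", textContent: "" },
  { src: "//cdn.example.net/lib/framework.min.js", textContent: "" },
  { src: "https://analytics.example.org/collect.js", textContent: "" },
  { src: "http://widgets.example.com/badge.js", textContent: "" },
  { src: "", textContent: "window.dataLayer = [];" },
  { src: "data:text/javascript,void 0", textContent: "" },
];

console.log(JSON.stringify(inventoryScripts(SAMPLE_PAGE, SAMPLE_SCRIPTS), null, 2));
```

In a browser console the same function can be called as inventoryScripts(location.href, [...document.scripts]); it sees only the scripts present in the document at that moment, not ones a running script adds later.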
\begin{frame}{How Do We Install Software (Usually)?}
\lecture{If all of this seems awkward to consider, that's because it
is. Let's go back to the desktop for a bit; now that we're
thinking in terms of programs running on our computer, how do we
normally install software?}

\begin{itemize}
\item<2-> Explicitly.
\lecture{Explicitly. You indicate that you want some program foo and
you make it so. Unless you use a backdoored operating system
like Windows, OSX, iOS, or others---they tend to install
things for you.}

\begin{itemize}
\item<3-> GNU/Linux---Usually through a package manager
\lecture{On a GNU/Linux operating system, you usually install
software through that distro's package manager. GNU Guix
is a pretty good one to try.}

\item<3-> Source distribution (tarballs/etc)
\lecture{You might compile from source. That's even more of an
explicit process.}

\item<3-> Binaries (especially on proprietary operating systems)
\lecture{And, as is usually necessary on proprietary operating
systems, there are binaries. They might be downloaded from
a website or a walled weed garden,}
\end{itemize}

\item<4-> There is a conscious effort made by the user
\lecture{but in any case, it's generally a conscious operation all the
same. Even users of proprietary operating systems don't like
when things appear on their computer without having been
requested.}
\end{itemize}
\end{frame}

\begin{frame}{Software Signing}
\lecture{We also have certain other guarantees. Or attempts, at least.}

\begin{itemize}
\item<1-> Package managers (should!) verify signatures of package
maintainers
\lecture{Many package managers provide---with some
caveats---assurances that the package you received is
actually the package that the author or maintainer intended
for you to receive by using cryptographic signatures. I'm
not getting into those caveats here.}

\item<1-> Many projects distribute detached signatures for manual
verification
\lecture{In the case of source distributions, detached signatures are
often used. You'll see this with GNU programs, for
example---if you download a program from ftp.gnu.org, you'll
also find a corresponding signature file, and you should use
GPG to verify that your download is what the author
actually signed.}

\item<2-> No such thing exists for the Web
\lecture{...We don't have this type of thing for the web.}

\item<3-> I wish I had time to discuss this
\begin{itemize}
\item<4-> What not to do: Firefox refuses to install/run addons that
are not signed by Mozilla
\item<4-> No ``walled gardens''
\end{itemize}
\lecture{I really wish I had the time to discuss this on a more
technical level, but I don't. Like I said---it's a
presentation about problems, and there's a lot of them to get
to in such a short talk!}
\end{itemize}

\lecture{So what does the absence of user control mean?}
\end{frame}

%%%=== END TIMEBLOCK 8m ==============================================


%%%=== BEGIN TIMEBLOCK 4.5m ==============================================

\begin{frame}[c]
\begin{center}
Everyone is flocking to the web
\end{center}

\lecture{Everyone is flocking to the web. And a major reason is because
of the convenience that is provided by transferring even more
control away from the user \emph{to} the authors and
distributors.}
\end{frame}


\begin{frame}{Effortless Distribution}
\lecture{This convenience provides a distribution model that is
exploitative, and highly alluring to many. Two things that go
great in the same sentence.}

\begin{itemize}
\item Software is downloaded \emph{automatically}---guaranteed!
\lecture{So, when you visit a website---as we've already
discussed---your browser just starts saying ``Yes!'' to
software. So, for the majority of your users, it's
essentially guaranteed that your software will be downloaded
and executed, and it will be done so immediately. If not,
their browser is broken, right? Right.}

\item<1-> It's so easy for you---just click here!
\lecture{Baiting the user into downloading that software is also a
trivial task---there's no trying to trick the user into
downloading and invoking an executable. Just provide the
user with a link, and their freedoms are automatically
robbed.}

\item<2-> Cross-\{device,platform\}!
\lecture{In the modern web, platform or operating system isn't a
border---you can rob someone of their freedoms anywhere, any
time, whether they're on a mobile device, their home
computer, or their television.}

\item<3-> Automatic updates! We know best! (Ephemeral software)
\lecture{And let's not worry about those pesky users who decide to
exercise their freedom to decide what software they want to
run. Just overwrite their software for them, at any
time. Updates are automatic, and the user has no
choice.}
\begin{itemize}
\item<3-> Your browser is effectively a backdoor
\lecture{You might hear from security experts that most
computers have a backdoor---software updates. Well, in
this case, the backdoor is the front door. You have no
option. There \emph{is no} separate installation and
update---they're one and the same. As I already
mentioned, we can say that the software is ephemeral---it
exists as long as you're on the website, and then
disappears until you next load it again.}
\end{itemize}

\item<4-> We control your data and computing (SaaSS)!
\lecture{But that's not enough. How can we take even greater
advantage of the user? Ah, let's also hold their data
hostage, and control what they can and cannot do with it!}

\item<5-> So easy to spy on you!
\lecture{And what's a magnificent consequence of all of this? We get
to spy on you for free! It's part of the package! We know
exactly what you are doing, when you are doing it, how you
are doing it, and anything in-between.}
\end{itemize}
\end{frame}


\begin{frame}
\begin{center}
We can finally get rid of that pesky little bit of control you had left
over your physical computing!

\lecture{Greedy, malicious software developers and distributors have
been searching long and hard for ways to prevent users from
even studying the binaries, let alone source code. They've
pursued draconian technical and legal measures like DRM and the
DMCA out of desperation.}
\end{center}
\end{frame}

%%%=== END TIMEBLOCK 4.5m ==============================================



%%%=== BEGIN TIMEBLOCK 4.5m ==============================================

\begin{frame}{The Web Is Easy}
\lecture{Let's explore another aspect of why the Web is so appealing for
software developers.}

\begin{itemize}
\item Low Barrier To Entry
\lecture{Most everyone has a web browser, and every major browser
comes with excellent debugging and inspection tools, which is
great, because it encourages studying and tinkering. And
when users start writing software, they can see it in the
familiar environment that is their web browser.}

\item Huge number of libraries and tools for web development
\lecture{Because of that, the number of libraries focused on web
development is crazy, and steadily growing. And most of
these popular libraries are free software.}

\item Even server/desktop software [substitutes] using web libraries
\lecture{And then we have software like Node.js that allows running
code written for the web directly, without a web browser. So
it often makes sense to write software in JavaScript or a
language that compiles into it, because then you can share
code between the server and client. And then you have those
that only really know web development, but are now able to
take that knowledge and apply it directly to the server or
the desktop.}
\end{itemize}
\end{frame}


\begin{frame}
\begin{center}
\only<1>{This is great for software freedom.}
\lecture{All of this is great for software freedom---you have all of
these libraries that make it \emph{easy} to develop free
software!}

\only<2>{But we have a problem.}
\lecture{...but we have a problem.}
\end{center}
\end{frame}



\begin{frame}{Effortless \emph{Proprietary} Software}
\lecture{While it's making software easy for the good guys, it's also
making it easy for the bad guys! And there's an easy explanation
for that.}

\begin{itemize}
\item<1-> We have a licensing problem.
\lecture{What we have is a licensing problem! We have a \emph{lot} of
free software,}

\item<2-> Permissive licensing \emph{enables} proprietary software
\lecture{but most of it is licensed under permissive licenses---one
of the most popular being the MIT~Expat license, which allows
for non-free derivatives. Writing software is expensive; any
time that can be saved using free software libraries is money
that they can divert toward adding attractive features,
releasing early, and implementing ways to screw over the
user.}
\end{itemize}

\lecture{How many of you saw Bradley Kuhn's presentation yesterday? I was
originally going to talk a lot more on this topic, but it's one
of the things I gutted, so I recommend watching his.}
\end{frame}


\begin{frame}{The Web Scene}
\lecture{This philosophy is pervasive throughout the modern web
development community.}

\begin{itemize}
\item<1-> Startups (e.g. YCombinator-funded)
\lecture{There are a lot of startups, and they recognize the Web as an
easy way to create lock-in---something that many misguided
startups and funders will consider to be vital to their
long-term success.}

\item<1-> Large corporations
\lecture{The Web is carried and advanced (technologically) by large
and influential corporations like Google, Facebook, Twitter,
GitHub, and others. All of them contribute to the free
software community. But all of them rob us of our freedoms.}

\item<1-> New programmers, new culture
\lecture{The web development community is home to many new or
inexperienced programmers. Those programmers are immersed in
a culture that talks about ``rockstar'' and ``10x''
programmers; about ``brogrammers'' and ``hipster''
languages---these are very different terms than hackers are
used to, and highlight very different concepts.}
\begin{itemize}
\item<2-> ``Open Source''
\lecture{Importantly, they focus on
\emph{methodology}---performance, producing something
that is cool and will be accepted by your peers. This is
not a focus on freedom.}
\item<2-> ``Copyleft'' is a dirty word
\lecture{``Copyleft'' is a dirty word: if you want to be accepted
by your peers, you'd better license your libraries
permissively.}
\end{itemize}

\item<3-> Peer pressure
\lecture{And besides, all your friends are doing it, and they're all
10x rockstars!}
\end{itemize}
\end{frame}


\begin{frame}[c]
\begin{center}
Partial freedom isn't freedom!
\end{center}

\lecture{So what you get is this dangerous ``open core'' concept, where
you have a lot of free software, but you build all the goodies
that people want on top of it, and make it proprietary. Partial
freedom isn't freedom! It doesn't matter if \emph{part} of your
software is free---if even a byte of it robs me of any of my four
freedoms, then I can't ethically use it! I would have to concede
that your website is worth surrendering my freedoms for. It's
probably not.}
\end{frame}


\begin{frame}{No Such Thing As Neutral On Freedom}
\begin{itemize}
\item<1-> Permissive (pushover) licenses are sometimes used in an
attempt to be neutral
\lecture{Freedom can be an uncomfortable topic, because it's
philosophical and heavily controversial. So they might try
to remain neutral by using pushover licenses. And many
people are neutral by default simply because they don't
consider the issues, or aren't aware of them.}

\item<2-> But there's no such thing as neutrality!
\lecture{Remaining neutral on the topic of freedom is like walking
down a sidewalk and seeing someone being bullied.
And rather than step in, you just keep walking. Maybe
peek back. Because if you were to step in to stop the
bullying, then you'd piss off the bullies, and you'd be a
target. But if you stepped in and bullied yourself, then
you'd be called a bully! So what's the end result?}

\item<2-> Neutral on freedom $\equiv$ allowing erosion of freedoms
\lecture{You let the bullies take over---they already have the upper
hand, and they'll continue to exert their power for as long
as it benefits them. Neutrality might be okay if freedom were
the default. But that's not the case today. We are being
bullied at every turn.}

\item<3-> Copyleft is \emph{essential} for a free Web
\lecture{Standing up to the bullies means \emph{fighting} for freedom,
not just talking about it. If you are writing software, that
means using copyleft by means of a license like the
AGPL.}

\begin{itemize}
\item<3-> If you use pushover licenses, you're helping to push over
everyone else (but perhaps not intentionally)
\lecture{If you write software that uses a pushover license, then
you're not just standing on the sidewalk---you're giving
\emph{power} to the bullies, whether you realize it or
not.}
\end{itemize}
\end{itemize}
\end{frame}


\begin{frame}[c]
\begin{center}
If you value freedom,
\only<1>{talk about Free Software!}%
\only<2>{choose copyleft!}
\lecture{If you value freedom, \emph{talk about free software}! Many
people simply don't know about these issues! Talk to your
peers, talk to users, start that discussion.}%

\lecture{If you value freedom, \emph{choose copyleft!} Fight for the
freedoms that you deserve, and for the freedoms of those who
can't fight. Lead by example!}
\end{center}
\end{frame}

%%%=== END TIMEBLOCK 4.5m ==============================================


%%%=== BEGIN TIMEBLOCK 4.5m ==============================================


\begin{frame}[c]
\begin{center}
Freedom is only as good as your ability to exercise it
\end{center}

\lecture{All this focus on copyleft is good and all---if only it were the
solution to all of our problems. Freedom is only as good as your
ability to exercise it.}
\end{frame}


\begin{frame}{Maybe free...?}
|
|
\begin{itemize}
|
|
\item Almost always no license information or link to source code
|
|
\lecture{One huge problem we have with software on the web is that it
|
|
is almost always void of licensing information. So software
|
|
might be free, but we can't be sure.}
|
|
|
|
\item Might also load non-free code as a separate program
|
|
(e.g. Google Analytics spyware)
|
|
\lecture{The page might also load other programs in \emph{addition}
|
|
to the free program, for example the Google Analytics
|
|
spyware. This is like a free software package installing
|
|
proprietary software alongside of it; SourceForge used to do
|
|
that, for example.}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Corresponding Source Code}
|
|
\begin{itemize}
|
|
\item<1-> Where can I find the corresponding source?
|
|
\lecture{The other requirement is the corresponding source code. We
|
|
should be able to build it ourselves, host it ourselves, and
|
|
expect to have the same functionality.}
|
|
|
|
\item<2-> Minified code is not source code!
|
|
\lecture{I have personally had people counter my argument in the past
|
|
with a statement saying that all JavaScript code is
|
|
quote-unquote ``open source'' because the source code is
|
|
distributed to the browser. No!}
|
|
|
|
\item<2-> ``The `source code' for a work means the preferred form of the
work for making modifications to it. `Object code' means any
|
|
non-source form of a work.''
|
|
\lecture{The GPL defines ``source code'' as (read above). So minified
|
|
sources are object code. And let's see why:}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[fragile,plain]
|
|
\scriptsize
|
|
\begin{verbatim}
|
|
add:function(a,b,c,d,e){var
|
|
f,g,h,i,j,k,l,m,o,p,q,r=N.get(a);if(r){c.handler&&(f=c,c=f.handler,
|
|
e=f.selector),c.guid||(c.guid=n.guid++),(i=r.events)||(i=r.events={}),
|
|
(g=r.handle)||(g=r.handle=function(b){return"undefined"!=typeof
|
|
n&&n.event.triggered!==b.type?n.event.dispatch.apply(a,arguments):void
|
|
0}),b=(b||"").match(G)||[""],j=b.length;while(j--)h=fa.exec(b[j])||[],
|
|
o=q=h[1],p=(h[2]||"").split(".").sort(),o&&(l=n.event.special[o]||{},
|
|
o=(e?l.delegateType:l.bindType)||o,l=n.event.special[o]||{},k=n.extend(
|
|
{type:o,origType:q,data:d,handler:c,guid:c.guid,selector:e,needsContext:
|
|
e&&n.expr.match.needsContext.test(e),namespace:p.join(".")},f),(m=i[o])
|
|
||(m=i[o]=[],m.delegateCount=0,l.setup&&l.setup.call(a,d,p,g)!==!1||
|
|
a.addEventListener&&a.addEventListener(o,g)),l.add&&(l.add.call(a,k),
|
|
k.handler.guid||(k.handler.guid=c.guid)),e?m.splice(m.delegateCount++,0,k)
|
|
:m.push(k),n.event.global[o]=!0)}}
|
|
\end{verbatim}
|
|
{\scriptsize https://code.jquery.com/jquery-2.2.1.min.js}
|
|
\lecture{This is an example of minified code---a snippet of jQuery's
|
|
minified sources for an `add' method. Real quick---what does each
|
|
of those arguments mean? What does this function do?
|
|
Minification is used even with free software for performance
|
|
reasons---smaller file sizes, smaller load times.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\begin{center}
|
|
\includegraphics{images/librejs-logo.png}
|
|
\end{center}
|
|
\lecture{GNU has an addon for Firefox-based browsers like GNU IceCat that
|
|
approaches this issue in a few different ways.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{LibreJS}
|
|
\begin{itemize}
|
|
\item Blocks execution of non-free JavaScript
|
|
\lecture{LibreJS blocks the execution of non-free JavaScript. But how
|
|
does it determine what is non-free?}
|
|
|
|
\item JavaScript should contain {\tt @license} tags
|
|
\lecture{A couple ways. Ideally, the JavaScript should be wrapped in
|
|
license tags. It can identify the license in a number of
|
|
ways, including the full license header you'd see in source
|
|
files, or a magnet link, which is much more ideal for
|
|
minified sources.}
|
|
|
|
\item Hashes of common libraries recognized as free
|
|
\lecture{But the Web is full of \emph{existing} software like
|
|
libraries that don't contain those labels. So LibreJS also
|
|
maintains a list of file hashes for popular libraries. For
|
|
example, the minified jQuery file containing the snippet I
|
|
showed would be recognized as free, even though it doesn't
|
|
contain licensing information.}
|
|
|
|
\item Web Labels map scripts to corresponding source code
|
|
\lecture{It then has a method called Web Labels---which is a simple
|
|
HTML table---that is intended to be a machine-readable way to
|
|
map scripts to their source code.}
|
|
\end{itemize}
|
|
|
|
\lecture{The LibreJS project needs help from JavaScript developers to
|
|
develop and maintain the addon. If you're interested, please
|
|
visit gnu.org/software/librejs.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Submit Patches To Projects!}
|
|
\begin{itemize}
|
|
\item Patch your own projects!
|
|
\item Submit patches to add headers to projects
|
|
\item Patches for minifiers (e.g. UglifyJS)
|
|
\item Patches for programs that combine sources (e.g. Browserify)
|
|
\item For Node.js programs: can pull license right out of {\tt package.json}
|
|
\end{itemize}
|
|
|
|
\lecture{You can help by adding licenses to your own projects and by
|
|
submitting patches to other projects; this will not only help
|
|
solve the licensing issue for that project, but also make others
|
|
aware of the issue. And one great way to help is to submit
|
|
patches to minifiers like UglifyJS to automatically add that
|
|
license information to sources, or retain it if it exists. But
|
|
that doesn't help when a minified file might contain code under
|
|
various licenses, so it'd also be helpful to patch programs like
|
|
Browserify---which packages Node.js modules for the client---to
|
|
recognize licenses and add them as appropriate. For Node.js programs, you can
|
|
pull the license right out of the package.json file.}
|
|
\end{frame}
|
|
|
|
%%%=== END TIMEBLOCK 4.5m ==============================================
|
|
|
|
|
|
|
|
%%%=== BEGIN TIMEBLOCK 5m ==============================================
|
|
|
|
\begin{frame}{Replacing Programs}
|
|
\begin{itemize}
|
|
\item<1-> How do you replace a program (free or non-) on your computer?
|
|
\lecture{Alright. So back to your desktop for a moment. If you want
|
|
to replace a non-free program with a free one, or modify a
|
|
free program, how do you do it?}
|
|
\begin{itemize}
|
|
\item<2-> You just do.
|
|
\lecture{Well...you just do.}
|
|
\end{itemize}
|
|
|
|
\item<3-> How do you replace a program (free or non-) on the Web?
|
|
\lecture{But what about on the web?}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[c]
|
|
\begin{center}
|
|
Is that a trick question?
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Replacing Programs---The Best Case}
|
|
\only<1->{
|
|
\begin{enumerate}
|
|
\item The program is entirely packaged in its own JavaScript file(s)
|
|
\item All dependencies are packaged with or alongside it
|
|
\end{enumerate}
|
|
}
|
|
\lecture{The best situation we have for replacing programs is when the
|
|
program is packaged entirely in its own JavaScript files, and
|
|
so are its dependencies.}
|
|
|
|
\only<2->{
|
|
Solution:
|
|
|
|
\begin{enumerate}
|
|
\item Block program scripts
|
|
\item Block undesirable dependencies
|
|
\item Inject replacement program
|
|
\end{enumerate}
|
|
}
|
|
\lecture{The solution isn't all that complicated then. Block those
|
|
undesirable scripts from loading and inject a replacement
|
|
program. I'll get into how to do that shortly.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Replacing Programs---The Realistic Case}
|
|
\lecture{But if only we were so lucky!}
|
|
|
|
\begin{enumerate}
|
|
\item<1-> The program is actually a number of independent programs
|
|
(scripts) doing different things
|
|
\lecture{But let's be realistic; a web page often contains what can
|
|
be considered a bunch of independent programs doing distinct
|
|
things, like validating forms, populating a real-time search,
|
|
a shopping cart, animating part of the page, etc.}
|
|
|
|
\item<1-> Some scripts are packaged in one or more JavaScript files
|
|
\lecture{Some of those scripts might be packaged in one or more
|
|
JavaScript files. Okay, that's good.}
|
|
|
|
\item<1-> Some are inline {\tt <script>} tags scattered throughout
|
|
\lecture{But some are inline script tags mixed with the HTML.}
|
|
%% example
|
|
|
|
\item<1-> Some are inline JavaScript fragments in HTML attributes
|
|
\lecture{And others still might be fragments of JavaScript in HTML
|
|
attributes.}
|
|
%% example
|
|
\end{enumerate}
|
|
|
|
\includegraphics[width=\textwidth]{images/code_quality.png}
|
|
{\tiny\\\hfill ``Code Quality'' by Randall Munroe
|
|
(http://xkcd.com/1513/) CC BY-NC 2.5}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[c]
|
|
\begin{center}
|
|
\only<1>{Solution?}
|
|
\lecture{So what's the solution?}
|
|
|
|
\only<2>{Write a presentation complaining about it.}
|
|
\lecture{Well my first step was to write a rant about it. Because not
|
|
everyone thinks about these issues.}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Blocking Scripts---Entirely}
|
|
\lecture{One option is to turn off JavaScript in your browser
entirely. But if you disable JavaScript, then you can't run any
|
|
replacements.}
|
|
|
|
\begin{itemize}
|
|
\item Can disable JavaScript entirely
|
|
\item But then you can't run replacements
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Blocking Scripts---NoScript}
|
|
\begin{itemize}
|
|
\item NoScript is effective at blocking scripts per (sub-)domain
|
|
\lecture{I consider NoScript to be a necessity for the web. And what
|
|
it does is block scripts entirely, but allows you to create a
|
|
whitelist for specific domains or sub-domains.}
|
|
|
|
\item Careful---some domains serve lots of scripts (e.g. CDNs)
|
|
\lecture{But you have to be careful when you do this, because some
|
|
domains serve a lot of different scripts, and some of them
|
|
might be non-free. CDNs are popular today.}
|
|
|
|
\item Some sites require you to trust many different domains
|
|
\lecture{It's also not uncommon to see a site referencing scripts from
|
|
a dozen different domains. Do you really want to trust a
|
|
dozen third parties to run software for a single website?}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Blocking Scripts---LibreJS}
|
|
\begin{itemize}
|
|
\item Blocks non-free JS with a high level of granularity
|
|
\lecture{LibreJS takes a much more granular approach---it blocks
|
|
individual scripts.}
|
|
|
|
\item Recognizes JavaScript files (or parts of), script tags, inline
|
|
scripts in attributes, etc.
|
|
\lecture{So rather than domain, it recognizes individual source files,
|
|
\emph{sections} of source files if they provide licensing
|
|
information, and some of those less desirable practices like
|
|
script tags and fragments in HTML attributes.}
|
|
|
|
\item But doesn't block scripts recognized as free
|
|
\lecture{But one feature I'd like to see is the ability to block all
|
|
scripts by default, even if free.}
|
|
\begin{itemize}
|
|
\item So that we can replace specific programs
|
|
\lecture{Why? Firstly, we'd be able to replace specific programs
|
|
on the page; we can't do that with NoScript.}
|
|
|
|
\item Free software can do bad things too
|
|
\lecture{Free software can still do all the bad things that I
|
|
talked about; you just have the ability to remove those
|
|
anti-features and replace it. Well, you should, anyway,
|
|
if you can find a \emph{way} to replace it.}
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Injecting Scripts---Greasemonkey}
|
|
\begin{itemize}
|
|
\item Expat / Modified BSD / MPL 1.1
|
|
|
|
\item Inject user-defined scripts into web pages
|
|
|
|
\item \url{http://openuserjs.org}, \url{http://greasyfork.org},
|
|
\url{http://userscripts-mirror.org}
|
|
\end{itemize}
|
|
|
|
\lecture{After blocking scripts, the second step is replacing
|
|
them. Greasemonkey is a popular browser addon for running
|
|
arbitrary ``user scripts'' on pages. Since the scripts can be
|
|
anything, you can inject your modified program. There are a few
|
|
sites hosting scripts written by users that demonstrate the
|
|
practical utility of modifying programs on the web, or augmenting
|
|
them.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Injecting Scripts/Styles---dotjs}
|
|
\begin{itemize}
|
|
\item MPL 1.1
|
|
|
|
\item Inject user-defined scripts from {\tt \~{}/.js}
|
|
|
|
\item Inject user-defined styles from {\tt \~{}/.css}
|
|
\end{itemize}
|
|
|
|
\lecture{There's also dotjs, which is like Greasemonkey and Stylish in
|
|
one. It takes a much simpler approach---place scripts and
|
|
stylesheets for specific domains in your home directory and it
|
|
will automatically run them.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Replacing Scripts---What We Need}
|
|
\begin{itemize}
|
|
\item<1-> Something your grandparents can use!
|
|
|
|
\lecture{So that's the existing state of affairs. But as a user---not a
|
|
hacker---do you find this intuitive? You can ask your
|
|
grandparents to install GNU IceCat on their computer just fine,
|
|
but you can't ask them to go through all of this to replace a
|
|
non-free program on the web. We need an easier solution.}
|
|
|
|
\item<2-> Package changes:
|
|
\lecture{I challenge someone to create an addon that allows you to:}
|
|
|
|
\begin{itemize}
|
|
\item<2-> Install replacement software like you'd install an addon
|
|
|
|
\item<2-> Automatically block scripts with granularity of LibreJS
|
|
|
|
\item<2-> Automatically inject scripts
|
|
|
|
\item<2-> Verify package signatures
|
|
|
|
\item<2-> Update mechanism
|
|
\end{itemize}
|
|
|
|
\item<2-> Ideally: add that support to LibreJS
|
|
\lecture{And ideally you'd add that support to GNU LibreJS.}
|
|
\end{itemize}
|
|
|
|
\lecture{But let's be honest.}
|
|
\end{frame}
|
|
|
|
%%%=== END TIMEBLOCK 5m ==============================================
|
|
|
|
|
|
|
|
%%%=== BEGIN TIMEBLOCK 6.5m ==============================================
|
|
|
|
\begin{frame}
|
|
\begin{center}
|
|
But all this is just a kluge.
|
|
\end{center}
|
|
|
|
\lecture{While all of this would be great, it's ultimately just a
|
|
kluge---we're trying to work around an architecture that was not
|
|
intended to promote exercising the four freedoms.}
|
|
|
|
\lecture{So I have a stronger proposal. I'm going to illustrate with an
|
|
even more disastrous problem.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Service as a Software Substitute (SaaSS)}
|
|
\begin{itemize}
|
|
\item<1-> Also called ``Software as a Service'' (SaaS)
|
|
\item<1-> ``Who Does That Server Really Serve?'' essay by rms
|
|
|
|
\lecture{Services as software substitutes. Most people refer to it as
|
|
``Software as a Service'', but many of us use the term
|
|
``Service as a Software Substitute''---as coined by rms---to
|
|
emphasize that you're sacrificing something.}
|
|
|
|
\item<2-> You simply cannot modify a program running on someone else's
|
|
server
|
|
\lecture{This poses an entirely different problem than software
|
|
freedom---you simply cannot modify software on someone else's
|
|
computer; nor should you be able to.}
|
|
|
|
\item<3>{SaaS---Shackles as a Service}
|
|
\lecture{When talking about freedom, we may as well call it
|
|
``Shackles as a Service''. We're at the point today where
|
|
the next step to strip all power from the user is to remotely
|
|
render the program and stream images. And unfortunately,
|
|
such a thing already exists! It's called ``cloud gaming'',
|
|
or Gaming as a Service. Hold the fart jokes. These services
|
|
remotely render games and stream them to the user. All user
|
|
input is sent to the service. The next logical step after
|
|
that is then licensing eyeball or brain implants so that the
|
|
user can't record or manipulate the image on her screen!
|
|
Vision as a Service, perhaps.}
|
|
\end{itemize}
|
|
|
|
\lecture{You'll often hear that these services are hosted quote ``in the
|
|
cloud''. But let's not fool ourselves.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{There Is No Cloud}
|
|
\begin{itemize}
|
|
\item<1-> Talking about the ``cloud'' leads to cloudy judgment
|
|
\lecture{The ``cloud'' is a popular term that is more of an
|
|
advertising ploy than anything at this point, as it deeply
|
|
confounds the situation and insults users' intelligence by
|
|
making it seem like this is all some sort of mysterious
|
|
magic, providing no explanation of what is \emph{actually}
|
|
going on.}
|
|
|
|
\item<2-> It's just someone else's computer---lots of them
|
|
\lecture{There is no cloud---it's just someone else's computer. Lots
|
|
of them; on demand.}
|
|
|
|
\item<2-> Difference: elasticity---servers/resources brought online only
|
|
when needed
|
|
\lecture{The primary difference between the quote-unquote ``cloud'' and
|
|
normal servers is that they are what is called ``elastic'',
|
|
in that you bring new servers and resources online as needed,
|
|
and get rid of them when they're not. But otherwise---it's
|
|
the same damn thing!}
|
|
|
|
\item<3-> We can't talk about freedoms using terms that cloud understanding
|
|
\begin{itemize}
|
|
\item<4-> May as well call it the ``fog''
|
|
\end{itemize}
|
|
|
|
\lecture{Don't talk about the ``cloud'', because if you speak in such
|
|
confusing and mysterious terms, then we can't even
|
|
\emph{begin} to explain how you might exercise your freedoms
|
|
on the web, because we first have to explain our way
|
|
\emph{out} of the cloud. We may as well call it the
|
|
``fog''!}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{\{Desktop,Web\} Software}
|
|
\begin{itemize}
|
|
\item<1-> To regain control, must host it yourself
|
|
|
|
\item<1-> This means running the entire stack (server and client) on
|
|
your own computer
|
|
|
|
\lecture{Regaining control of our computing online means being able to
|
|
run the entire software stack---both server and client---on
|
|
our own computers.}
|
|
|
|
\item<2-> Unweb
|
|
\lecture{I call this ``unwebbing'', because you are eliminating your
|
|
reliance on the Web to run the software, and treating it more
|
|
like a desktop application.}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Unwebbing}
|
|
\begin{itemize}
|
|
\item<1-> Cannot unweb a partially (or non-) free stack
|
|
\begin{itemize}
|
|
\item<2-> Webserver
|
|
\item<2-> Programs/scripts that it runs to generate output
|
|
\item<2-> Script dependencies
|
|
\item<2-> Client
|
|
\end{itemize}
|
|
|
|
\lecture{We also can't unweb a \emph{partially free} stack---for
|
|
example, if the client JavaScript is free, that doesn't help
|
|
us, because we still can't host the server ourselves, which
|
|
robs us of our freedom to do our own computing. We need the
|
|
whole stack to be free---that means the webserver, any
|
|
output-generating software that it might run, any
|
|
\emph{dependencies} for those programs, and then finally the
|
|
client. So if your server runs an external program like
|
|
Imagemagick to process images, then that program must also be
|
|
free so that we can run it. Fortunately, Imagemagick is.}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{The Affero GPL Doesn't Solve All Problems}
|
|
\begin{itemize}
|
|
\item<1-> If users can access a \emph{modified} version of the program
|
|
over a network, then they must have access to the source code
|
|
|
|
\item<1-> But even if you have the source code, you can't modify it on
|
|
the server that's using it
|
|
|
|
\lecture{Some point to the AGPL as a solution---but it's not. Even if
|
|
you have the changes that they made to the server software,
|
|
you still can't change the code running on their
|
|
servers---you need to host it yourself, and to do so, you
|
|
need a full stack.}
|
|
|
|
\item<2-> AGPL'd programs can be used in a pipeline with proprietary
|
|
programs
|
|
|
|
\item<2-> Doesn't cover works that the AGPL'd program might invoke
|
|
externally
|
|
|
|
\lecture{The AGPL also doesn't cover other programs invoked
|
|
externally, or as part of a pipeline.}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Truly Unwebbed}
|
|
\begin{enumerate}
|
|
\item<1-> Download unwebbed package
|
|
\item<2-> Invoke unwebbed program {\tt ./foo}
|
|
\item<3-> Package creates an isolated environment (possibly with no
|
|
network access)
|
|
\item<3-> Package mounts persistent storage
|
|
\item<3-> Package starts all necessary services
|
|
\item<3-> Package invokes client (e.g. web browser, possibly in ``app''
|
|
mode / SSB)
|
|
\lecture{A client would then be invoked. This will probably be a web
|
|
browser, but it might be in some sort of ``app'' mode, or
|
|
might be what's called a single-site-browser, to make it feel
|
|
more like a desktop program.}
|
|
\item<4-> Program terminates
|
|
\item<4-> All services are stopped
|
|
\item<4-> Environment is destroyed (but not persistent storage)
|
|
\end{enumerate}
|
|
|
|
\lecture{If this concept sounds familiar, that's because it is---I'm
|
|
essentially describing what's called a ``container'', which is a
|
|
common virtualization technique. In fact, this is a task that
|
|
would be handled quite well by GNU Guix. But even if we didn't
|
|
go the route of virtualization---even if the unwebbed package
|
|
just ran services in the same environment like a normal
|
|
program---the observed program would still be largely the same,
|
|
if not identical.}
|
|
\end{frame}
|
|
|
|
\begin{frame}
|
|
\begin{center}
|
|
\only<1>{Web software works just as desktop software}
|
|
\only<2>{End Goal: Just Run {\tt ./foo}}
|
|
\end{center}
|
|
|
|
\lecture{That web software works just like software on the desktop. The
|
|
end goal? Just run foo.}
|
|
\end{frame}
|
|
|
|
%%%=== END TIMEBLOCK 6.5m ==============================================
|
|
|
|
|
|
\begin{frame}
|
|
\begin{center}
|
|
Mike Gerwitz
|
|
|
|
\url{mtg@gnu.org}
|
|
|
|
\medskip
|
|
|
|
Interested in submitting your project to GNU?
|
|
|
|
\url{https://www.gnu.org/help/evaluation.html}
|
|
|
|
\medskip
|
|
|
|
Licensed under the Creative Commons Attribution ShareAlike 4.0
|
|
International License
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\end{document}
|