Today is the [10th annual International Day Against DRM][day-drm]---a day
where activists from around the world organize events in protest against
[Digital Restrictions Management][drm].
DRM is a scheme by which tyrants use [antifeatures][] to lock down what
users are able to do with their systems, often cryptographically.
For example,
your media player might tell you how many times you can listen to a song,
or watch a video, or read a book;
it might [delete books][1984] that you thought you owned;
it might require that you are [always online][always-on] when playing a
game, and then stop working when you disconnect, or when they decide to
stop supporting the game.
If you try to circumvent these locks,
then you might be [called a pirate][pirate] and be thrown in prision under
the ["anti-circumvention" privisons of the Digital Millenium Copyright Act
(DMCA)][dmca].
These are all things [that have been long predicated][right-to-read], and
are only expected to get worse with time.
That is, unless we take a stand and fight back.
I had the pleasure of participating in
the [largest ever protest against the W3C][w3c-protest] and their attempts
to introduce DRM as a _web standard_ via the [Encrypted Media Extensions
(EME)][eme] proposal.[^photos]
This event was organized beautifully by Zak Rogoff of the [Free Software
Foundation][fsf] and began just outside the Strata Center doors where the
W3C was _actively meeting_,
and then continued to stop outside the Google and Microsoft offices,
both just blocks away.
We were [joined outside Microsoft][eff-protest] by Danny O'Brien,
the EFF's International Director,
who stepped out of the W3C meeting to address the protesters.
Afterward, most of us [traveled to the MIT Media Lab][media-lab] where
Richard Stallman---who joined us in the protest---sat on a panel along
with Danny O'Brien, Joi Ito of the MIT Media Lab, and Harry Halpin of the
W3C.
The W3C was invited to participate in a discussion on EME, but they never
showed.
As a demonstration of the severity of these issues,
[Harry Halpin vowed to resign from the W3C][hh-resign] if the EME proposal
ever became a W3C Recommendation.
I can say without hesitation that the protest and following discussion were
some of the most powerful and memorable events of my life---there is no
feeling like being a part of a group that shares such a fundamental
passion (and distaste!) for something important.
And it _is_ very important.
[DRM is pervasive][dbd]---the Web is just one corner where it rears its ugly
head.
The [International Day Against DRM][day-drm] gives you and others an
excellent opportunity to hold your own protests, demonstrations, and events
to raise these issues to others---and to do so as part of an
_international group_;
to send a strong, world-wide message:
a message that it is _not_ acceptable to act as tyrants and treat users as
slaves and puppets through use of digital handcuffs and [draconian
punishments for circumventing them][dmca].
[^photos]: The EFF has some [great photots][eff-protest]; I'm the one in the
hoodie between the giant GNU head and Zak Rogoff.
[day-drm]: https://www.defectivebydesign.org/dayagainstdrm
[drm]: https://www.defectivebydesign.org/what_is_drm_digital_restrictions_management
[antifeatures]: https://www.fsf.org/bulletin/2007/fall/antifeatures/
[lp2016]: https://libreplanet.org/2016/
[w3c-protest]: https://www.defectivebydesign.org/from-the-web-to-the-streets-protesting-drm
[eme]: https://w3c.github.io/encrypted-media/
[eff-protest]: https://w3c.github.io/encrypted-media/
[w3c]: https://www.w3.org/
[fsf]: https://fsf.org/
[media-lab]: https://motherboard.vice.com/read/we-marched-with-richard-stallman-at-a-drm-protest-last-night-w3-consortium-MIT-joi-ito
[hh-resign]: https://www.defectivebydesign.org/blog/w3c_staff_member_pledges_resignation_if_drm_added_web_standards
[dmca]: https://www.eff.org/issues/dmca
[dbd]: https://www.defectivebydesign.org/
[1984]: https://www.defectivebydesign.org/amazon-kindle-swindle
[always-on]: https://en.wikipedia.org/wiki/Always-on_DRM
[right-to-read]: https://www.gnu.org/philosophy/right-to-read.en.html
[pirate]: https://www.eff.org/deeplinks/2015/02/go-prison-sharing-files-thats-what-hollywood-wants-secret-tpp-deal
There has been a lot of talk lately about a most unique combination:
[GNU][gnu]---the [fully free/libre][free-sw] operating system---and
Microsoft Windows---the [freedom-denying, user-controlling,
surveillance system][woe].
There has also been a great deal of misinformation.
I'd like to share my thoughts.
Before we can discuss this subject,
we need to clarify some terminology:
We have a [free/libre][free-sw] operating system called [GNU][gnu].
Usually, it's used with the kernel Linux, and is together called the
[GNU/Linux (or GNU+Linux) operating system][gnulinux].
But that's not always the case.
For example, GNU can be run with its own kernel, [The GNU Hurd][hurd]
(GNU/Hurd).
It might be run on a system with a BSD kernel (e.g. GNU/kFreeBSD).
But now, we have a situation where we're taking GNU/Linux, removing Linux,
and adding in its place a Windows kernel.
This combination is referred to as GNU/kWindows (GNU with the Windows kernel
added).[^kwindows]
GNU values users' freedoms.
Windows [does exactly the opposite][woe].
When users talk about the operating system "Linux", what they are referring
to is the [GNU operating system][gnu] with the kernel Linux added.
If you are using the GNU operating system in some form, then many of the
programs you are familiar with on the command line are GNU programs:
`bash`, `(g)awk`, `grep`, `ls`, `cat`, `bc`, `tr`, `gcc`, `emacs`, and
so on.
But GNU is a fully free/libre Unix replacement, [not just a collection of GNU
programs][gnu].
Linux is the kernel that supports what the operating system is trying to do;
it provides what are called system calls to direct the kernel to perform
certain actions, like fork new processes or allocate memory.
This is an important distinction---not only is calling all of this software
"Linux" incorrect, but it discredits the project that created a fully
free/libre Unix replacement---[GNU][gnu].
This naming issue is so widespread that
[most users would not recognize what GNU is][gnu-noheard], even if they
are _using_ a [GNU/Linux][gnulinux] operating system.
I recently read an article that referred to GNU Bash as "Linux's Bash";
this is simply a slap in the face to all the hackers that have for the
past 26 years been writing what is one of today's most widely used
shells on Unix-like systems (including on [Apple's][apple] proprietary
Mac OSX), and all the other GNU hackers.
Microsoft and Canonical have apparently been working together to write a
subsystem that translates Linux system calls into something Windows will
understand---a compatibility layer.
So, software compiled to run on a system with the kernel Linux will work on
Windows through system call translation.
Many articles are calling this "Linux on Windows".
This is a fallacy: the kernel Linux is not at all involved!
What we are witnessing is the [_GNU_ operating system][gnu] running with
a Windows kernel _instead_ of Linux.
This is undoubtedly a technical advantage for Microsoft---Windows users want
to do their computing in a superior environment that they might be
familiar with on [GNU/Linux][gnulinux] or other Unix-like operating
systems, like [Apple's][apple] freedom-denying Mac OSX.
But thinking about it like this is missing an essential concept:
When users talk about "Linux" as the name of the operating system, they
avoid talking about [GNU][gnu].
And by avoiding mention of GNU,
they are also avoiding discussion of the core principles upon which GNU is
founded---the belief that all users deserve
[software granting _four essential freedoms_][free-sw]:
the freedom to use the program for any purpose;
the freedom to study the program and modify it to suit your needs (or
have someone do it on your behalf);
the freedom to share the program with others;
and the freedom to share your changes with others.
We call software that respects these four freedoms
[_free/libre software_][free-sw].
Free software is absolutely essential:
it ensures that _users_,
who are the most vulnerable,
are in control of their computing---not software developers or
corporations.
Any program that denies users any one of their [four freedoms][free-sw] is
_non-free_ (or _proprietary_)---that is, freedom-denying software.
This means that any non-free software, no matter its features or
performance, will [_always_ be inferior to free software][oss] that
performs a similar task.
Not everyone likes talking about freedom or the
[free software philosophy][free-sw].
This disagreement resulted in the
["open source" development methodology][oss],
which exists to sell the benefits of free software to businesses *without*
discussing the essential ideological considerations.
Under the "open source" philosophy,
if a non-free program provides better features or performance,
then surely it must be "better",
because they have outperformed the "open source" development methodology;
non-free software isn't always considered to be a bad thing.
So why would users want to use GNU/kWindows?
Well, probably for the same reason that they want GNU tools on Mac OSX:
they want to use software they want to use, but they also want the
technical benefits of GNU that they like.
What we have here is the ["open source" philosophy][oss]---because if the
user truly valued her freedom, she would use a
[fully free operating system like GNU/Linux][gnulinux-distros].
If a user is _already_ using Windows (that is, before considering
GNU/kWindows), then she does gain some freedom by installing GNU:
she has more software on her system that respects her freedoms,
and she is better off because of that.
But what if you're using GNU/Linux today?
In that case,
it is a major downgrade to switch to a GNU/kWindows system;
by doing so, you are [surrendering your freedom to Microsoft][woe].
It does not matter how many shiny features Microsoft might introduce into
its [freedom-denying surveillance system][woe];
an [operating system that respects your freedoms][gnulinux-distros] will
_always_ be a superior choice.
We would do our best to dissuade users from switching to a GNU/kWindows
system for the technical benefits that GNU provides.
So we have a couple different issues---some factual, some philosophical:
Firstly,
please don't refer to GNU/kWindows as "Linux on Windows", or any variant
thereof;
doing so simply propagates misinformation that not only confounds the
situation, but discredits the thousands of hackers working on the
[GNU operating system][gnu].
It would also be best if you avoid calling it "Ubuntu on Windows";
it isn't a factually incorrect statement---you are running Ubuntu's
distribution of GNU---but it still avoids mentioning the
[GNU Project][gnu]. If you want to give Ubuntu credit for working with
Microsoft, please call it "Ubuntu GNU/kWindows" instead of "Ubuntu".
By mentioning GNU,
users will ask questions about the project,
and might look it up on their own.
They will read about [the free software philosophy][free-sw],
and will hopefully begin to understand these issues---issues that they
might not have even been aware of to begin with.
Secondly,
when you see someone using a GNU/kWindows system,
politely ask them why.
Tell them that there is a _better_ operating system out there---the
[GNU/Linux operating system][gnu]---that not only provides those technical
features,
but also provides the feature of _freedom_!
Tell them what [free software][free-sw] is,
and try to relate it to them so that they understand why it is important,
and even practical.
It's good to see more people benefiting from GNU;
but we can't be happy when it is being sold as a means to draw users into
an otherwise [proprietary surveillance system][woe],
without so much as a mention of our name,
or [what it is that we stand for][gnu].
[^kwindows]: This name comes from [Richard Stallman][rms], founder of the
[GNU Project][gnu].
[gnu]: https://gnu.org/gnu/gnu.html
[free-sw]: https://gnu.org/philosophy/free-sw.html
[woe]: https://www.gnu.org/proprietary/malware-microsoft.en.html
[hurd]: https://gnu.org/software/hurd/
[oss]: http://www.gnu.org/philosophy/open-source-misses-the-point.html
[gnulinux]: https://www.gnu.org/gnu/linux-and-gnu.html
[gnulinux-distros]: https://www.gnu.org/distros/free-distros.html
[apple]: https://stallman.org/apple.html
[rms]: https://www.fsf.org/about/staff-and-board
[gnu-noheard]: https://gnu.org/gnu/gnu-users-never-heard-of-gnu.html
Anything coming out of Facebook should be [cause for concern][rms-fb]. So,
naturally, one might be concerned when they decide to get into the virtual
reality (VR) scene by [purchasing the startup Occulus VR][fb-vr], makers of
the Occulus Rift VR headset. One can only imagine all the fun ways Facebook
will be able to track, manipulate, spy on, and otherwise screw over users
while they are immersed in a virtual reality.
Sure enough, we have our first peak: [the software that Facebook has you
install for the Occulus Rift is spyware][fb-spy], reporting on what
*unrelated* software you use on your system, your location (including GPS
data and nearby Wifi networks), the type of device you're using, unique
device identifiers, your movements while using the VR headset, and more.
This is absurd. Do not play into Facebook's games through temptation of
cool new technology; reject their terms and see if there's other ways you
can use the headset without their proprietary spyware. If not, perhaps you
should ask for a refund, and tell them why.
[rms-fb]: https://stallman.org/facebook.html#privacy
[fb-vr]: http://www.theguardian.com/technology/2014/jul/22/facebook-oculus-rift-acquisition-virtual-reality
[fb-spy]: http://uploadvr.com/facebook-oculus-privacy/
I will be [speaking at LibrePlanet this year][lp2016] (2016) about freedom
on the Web. Here's the session description:
> Imagine a world where surveillance is the default and users must opt-in to
> privacy. Imagine that your every action is logged and analyzed to learn
> how you behave, what your interests are, and what you might do next.
> Imagine that, even on your fully free operating system, proprietary
> software is automatically downloaded and run not only without your
> consent, but often without your knowledge. In this world, even free
> software cannot be easily modified, shared, or replaced. In many cases,
> you might not even be in control of your own computing -- your actions and
> your data might be in control by a remote entity, and only they decide
> what you are and are not allowed to do.
>
> This may sound dystopian, but this is the world you're living in right
> now. The Web today is an increasingly hostile, freedom-denying place that
> propagates to nearly every aspect of the average users' lives -- from
> their PCs to their phones, to their TVs and beyond. But before we can
> stand up and demand back our freedoms, we must understand what we're being
> robbed of, how it's being done, and what can (or can't) be done to stop
> it.
There are a number of other [great sessions][lp2016] this year from a
[number of speakers][lp2016s], many well-known. We also have an opening
keynote from Edward Snowden!
All [FSF associate members get free entry][fsfmember]. If you can't join
us, the conference will be streamed live. You can also see [videos of past
talks][lpvideos] on the FSF's self-hosted [GNU MediaGoblin][goblin]
instance.
Special thanks to the FSF for covering a large portion of my travel
expenses; I otherwise might not have been able to attend. Thank you to all
who donated to the conference scholarship fund.
[lp2016]: https://www.libreplanet.org/2016/program/
[lp2016s]: https://www.libreplanet.org/2016/program/speakers.html
[fsfmember]: https://crm.fsf.org/join
[lpvideos]: https://media.libreplanet.org/
[goblin]: http://mediagoblin.org/
*This was originally written as a guest post for GitLab in November of 2015,
but they [decided not to publish it][gitlab-merge].*
Back in May of of 2015, I [announced GitLab's liberation of their Enterprise
Edition JavaScript][ggfs] and made some comments about GitLab's course and
approach to software freedom. In liberating GitLab EE's JavaScript, all
code served to the browser by GitLab.com's GitLab instance was [Free (as in
freedom)][free-sw], except for one major offender: Google Analytics.
Since Google Analytics was not necessary for the site to function, users
could simply block the script and continue to use GitLab.com
[ethically][free-sw]. However, encouraging users to visit a project on
GitLab.com while knowing that it loads Google Analytics is a problem both
for users' freedoms, and for their privacy.
GitLab is more than service and front-end to host Git repositories; it has a
number of other useful features as well. Using those features, however,
would mean that GitLab.com is no longer just a mirror for a project---it
would be endorsed by the project's author, requiring that users visit the
project on GitLab.com in order to collaborate. For example, if an author
were to use the GitLab issue tracker on GitLab.com, then she would be
actively inviting users to the website by telling them to report issues and
feature requests there.
We cannot realistically expect that anything more than a minority of
visitors will know how to block Google Analytics (or even understand that it
is a problem). Therefore, if concerned authors wanted to use those features
of GitLab, they had to use another hosted instance of GitLab, or host their
own. But the better option was to encourage GitLab.com to remove Google
Analytics entirely, so that _all_ JavaScript code served to the users is
[Free][free-sw].
GitLab has chosen to actively
[work with the Free Software movement][ggfs]---enough so that they are now
considered an [acceptable host for GNU projects][gitlab-gnu-criteria]
according to [GNU's ethical repository criteria][gnu-repo-criteria]. And
they have chosen to do so again---headed by Sytse Sijbrandij (GitLab
Inc. CEO), Google Analytics has been removed from the GitLab.com instance
and replaced with [Piwik][piwik].
## More Than Just Freedom
This change is more than a commitment to users' freedoms---it's also a
commitment to users' privacy that cannot be understated. By downloading and
running Google Analytics, users are being infected with some of the most
[sophisticated examples of modern spyware][ga-wikipedia]: vast amounts of
[personal and behavioral data][ga-google] are sent to Google for them to use
and share as they wish. Google Analytics also tracks users across [many
different websites][ga-popularity], allowing them to discover your interests
and behaviors in ways that users themselves may not even know.
GitLab.com has committed to using [Piwik][piwik] on their GitLab instance,
which [protects users' privacy][piwik-privacy] in a number of very important
ways: it allows users to opt out of tracking, anonymizes IP addresses,
retains logs for limited time periods, respects [DoNotTrack][eff-dnt], and
more. Further, all logs _will be kept on GitLab.com's own servers_, and is
therefore governed solely by
[GitLab.com's Privacy Policy][gitlab-privacy]; this means that other
services will not be able to use these data to analyze users' behavior on
other websites, and advertisers and others will know less about them.
Users should not have to try to [anonymize themselves][eff-ssd] in
order to maintain their privacy---privacy should be a default, and a
respected one at that. GitLab has taken a strong step in the right
direction; I hope that others will take notice and do the same.
*Are you interested in helping other websites liberate their JavaScript?
Consider [joining the FSF's campaign][freejs], and
[please liberate your own][whyfreejs]!*
[gitlab-merge]: https://gitlab.com/gitlab-com/www-gitlab-com/merge_requests/1094
[eff-dnt]: https://www.eff.org/dnt-policy
[eff-ssd]: http://ssd.eff.org/
[freejs]: https://fsf.org/campaigns/freejs
[free-sw]: https://www.gnu.org/philosophy/free-sw.html
[ga-google]: https://www.google.com/analytics/standard/features/
[ga-popularity]: http://w3techs.com/technologies/overview/traffic_analysis/all
[ga-wikipedia]: https://en.wikipedia.org/wiki/Google_Analytics
[ggfs]: https://about.gitlab.com/2015/05/20/gitlab-gitorious-free-software/
[gitlab-featurse]: https://about.gitlab.com/features/
[gitlab-gnu-criteria]: https://lists.gnu.org/archive/html/repo-criteria-discuss/2015-11/msg00012.html
[gitlab-privacy]: https://about.gitlab.com/privacy/
[gnu-repo-criteria]: https://www.gnu.org/software/repo-criteria.html
[mtg]: http://mikegerwitz.com/
[piwik]: https://piwik.org/
[piwik-privacy]: https://piwik.org/privacy/
[whyfreejs]: https://www.gnu.org/software/easejs/whyfreejs.html
When I started writing this blog, my intent was to post notices more
frequently and treat it more like a microblogging platform; but that's not
how it ended up. Instead, I use this site to write more detailed posts with
solid references to back up my statements.
[GNU Social](https://gnu.org/software/social/) is a federated social
network---you can host your own instances and they all communicate with
one-another. You can find mine at the top of this page under "Notices", or
at [https://social.mikegerwitz.com/](https://social.mikegerwitz.com/). I
will be using this site to post much more frequent miscellaneous notices.
It seems that Comcast has decided that it is a good idea to [inject
JavaScript into web pages][js] visited by its customers in order to inform
them of Copyright violations.
This is a huge violation of user privacy and trust. Further, it shows that
an ISP (and probably others) feel that they have the authority to dictate
what is served to the user on a free (as in speech) Internet. Why should we
believe that they won't start injecting other types of scripts that spy on
the user or introduce advertising? What if a malicious actor compromises
Comcast's servers and serves exploits to users?
It is no surprise that Comcast is capable of doing this---they know the IP
address of the customer, so they are able to intercept traffic and alter it
in transit. But the fact that they _can_ do this demonstrates something far
more important: _that they have spent the money on the infrastructure to do
so_!
Comcast isn't the only ISP to have betrayed users by injecting data. One
year ago, it was discovered that [Verizon was injecting "perma-cookies" into
requests to track users][verizon]. This is only one example of the
insidious abuses that unchecked ISPs can take.
So what can you do to protect yourself?
What Comcast is doing is called a [man-in-the-middle (MITM) attack][mitm]:
Comcast sits in the middle of you and your connection to the website that
you are visiting, proxying your request. Before relaying the website's
response to you, it modifies it.
In order to do this, Comcast needs to be able to read your communications,
and must be able to modify them: the request must be read in order to
determine how the JavaScript should be injected and what request it should
be injected into; and it must be modified to perform the injection. It
cannot (given a properly configured web server) do so if your connection is
encrypted. In the case of web traffic, `https` URLs with the little lock
icon in your web browser generally indicates that your communications are
encrypted, making MITM attacks
unlikely.
(We're assuming that Comcast won't ask you to install a root CA so that they
can decrypt your traffic! But that would certainly be noticed, if they did
so on a large enough scale.)
Not all websites use SSL. Another method is to use encrypted proxies, VPNs,
or services like like [Tor][tor]. This way, Comcast will not be able to
read or modify the communications.
See also: [HackerNews discussion][hn]; [original Reddit discussion][reddit].
[js]: https://gist.github.com/Jarred-Sumner/90362639f96807b8315b
[verizon]: https://www.eff.org/deeplinks/2014/11/verizon-x-uidh
[mitm]: https://en.wikipedia.org/wiki/Man-in-the-middle_attack
[hn]: https://news.ycombinator.com/item?id=10592775
[reddit]: https://www.reddit.com/r/HuntsvilleAlabama/comments/35v4sn/comcast_is_injecting_bad_javascript_to_your/
[tor]: https://tor.org/
*This article originally appeared as a guest post on the [GitLab
blog][orig-post].*
In early March of this year, it was announced that
[GitLab would acquire Gitorious][0] and shut down `gitorious.org` by 1
June, 2015. [Reactions from the community][1] were mixed, and
understandably so: while GitLab itself is a formidable alternative to wholly
proprietary services, its acquisition of Gitorious strikes a chord with the
free software community that gathered around Gitorious in the name of
[software freedom][2].
<!-- more -->
After hearing that announcement,
[as a free software hacker and activist myself][11], I was naturally
uneasy. Discussions of alternatives to Gitorious and GitLab ensued on the
[`libreplanet-discuss`][12] mailing list. Sytse Sijbrandij (GitLab
B.V. CEO) happened to be present on that list;
[I approached him very sternly][13] with a number of concerns, just as I
would with anyone that I feel does not understand certain aspects of the
[free software philosophy][2]. To my surprise, this was not the case at
all.
Sytse has spent a lot of time accepting and considering community input for
both the Gitorious acquisition and GitLab itself. He has also worked with
me to address some of the issues that I had raised. And while these issues
won't address everyone's concerns, they do strengthen GitLab's commitment to
[software freedom][2], and are commendable.
I wish to share some of these details here; but to do so, I first have to
provide some background to explain what the issues are, and why they are
important.
## Free Software Ideology
[Gitorious][3] was (and still is) one of the most popular Git repository
hosts, and largely dominated until the introduction of GitHub. But even as
users flocked to [GitHub's proprietary services][28], users who value freedom
continued to support Gitorious, both on `gitorious.org` and by installing
their own instances on their own servers. Since Gitorious is
[free software][2], users are free to study, modify, and share it with
others. But [software freedom does not apply to Services as a
Software Substitute (SaaSS)][4] or remote services---you cannot apply the
[four freedoms][2] to something that you do not yourself possess---so why do
users still insist on using `gitorious.org` despite this?
The matter boils down to supporting a philosophy: The
[GNU General Public License (GPL)][6] is a license that turns copyright on
its head: rather than using copyright to restrict what users can do with a
program, the GPL instead [ensures users' freedoms][8] to study, modify, and
share it. But that isn't itself enough: to ensure that the software always
remains free (as in freedom), the GPL ensures that all *derivatives* are
*also* licensed under similar terms. This is known as [copyleft][9], and it
is vital to the free software movement.
Gitorious is licensed under the
[GNU Affero General Public License Version 3 (AGPLv3)][5]---this takes the
[GPL][6] and adds an additional requirement: if a modified version of the
program is run on a sever, users communicating with the program on that
server must have access to the modified program's source code. This ensures
that [modifications to the program are available to all users][7]; they
would otherwise be hidden in private behind the server, with others unable
to incorporate, study, or share them. The AGPLv3 is an ideal license for
Gitorious, since most of its users will only ever interact with it over a
network.
GitLab is also free software: its [Expat license][10] (commonly referred to
ambiguously as the "MIT license") permits all of the same freedoms that
are granted under the the GNU GPL. But it does so in a way that is highly
permissive: it permits relicensing under *any* terms, free or not. In other
words, one can fork GitLab and derive a proprietary version from it, making
changes that deny users [their freedoms][2] and cannot be incorporated back
into the original work.
This is the issue that the free software community surrounding Gitorious has
a problem with: any changes contributed to GitLab could in turn benefit a
proprietary derivative. This situation isn't unique to GitLab: it applies
to all non-copyleft ("permissive") [free software licenses][26]. And this
issue is realized by GitLab itself in the form of its GitLab Enterprise
Edition (GitLab EE): a proprietary derivative that adds additional
features atop of GitLab's free Community Edition (CE). For this reason,
many free software advocates are uncomfortable contributing to GitLab, and
feel that they should instead support other projects; this, in turn, means
not supporting GitLab by using and drawing attention to their hosting
services.
The copyleft vs. permissive licensing debate is one of the free software
movement's most heated. I do not wish to get into such a debate here. One
thing is clear: GitLab Community Edition (GitLab CE) is free
software. Richard Stallman (RMS) [responded directly to the thread on
`libreplanet-discuss`][20], stating plainly:
> We have a simple way of looking at these two versions. The free
> version is free software, so it is ethical. The nonfree version is
> nonfree software, so it is not ethical.
Does GitLab CE deserve attention from the free software community? I
believe so. Importantly, there is another strong consideration: displacing
proprietary services like GitHub and Bitbucket, which host a large number of
projects and users. GitLab has a strong foothold, which is an excellent
place for a free software project to be in.
If we are to work together as a community, we need to respect GitLab's
free licensing choices just as we expect GitLab to respect ours. Providing
respect does not mean that you are conceding: I will never personally use a
non-copyleft license for my software; I'm firmly rooted in my dedication to
the [free software philosophy][2], and I'm sure that many other readers are
too. But using a non-copyleft license, although many of us consider it to
be a weaker alternative, [is not wrong][23].
## Free JavaScript
As I mentioned above,
[software freedom and network services are separate issues][4]---the four
freedoms do not apply to interacting with `gitlab.com` purely over a network
connection, for example, because you are not running its software on your
computer. However, there is an overlap: JavaScript code downloaded to be
executed in your web browser.
[Non-free JavaScript][15] is a particularly nasty concern: it is software
that is downloaded automatically from a server---often without prompting
you---and then immediately executed. Software is now being executed on your
machine, and [your four freedoms][2] are once again at risk. This, then,
[is the primary concern][16] for any users visiting `gitlab.com`: not only
would this affect users that use `gitlab.com` as a host, but it would also
affect *any user that visits* the website. That would be a problem, since
hosting your project there would be inviting users to run proprietary
JavaScript.
As I was considering migrating my projects to GitLab, this was the
[first concern I brought up to Sytse][14]. This problem arises because
`gitlab.com` uses a GitLab EE instance: if it had used only its Community
Edition (GitLab CE)---which is free software---then all served JavaScript
would have been free. But any scripts served by GitLab EE that are not
identical to those served by GitLab CE are proprietary, and therefore
unethical. This same concern applies to GitHub, Bitbucket, and other
proprietary hosts that serve JavaScript.
Sytse surprised me by stating that he would be willing to
[freely license all JavaScript in GitLab EE][17], and by offering to give
anyone access to the GitLab EE source code who wants to help out. I took
him up on that offer. Initially, I had submitted a patch to merge all
GitLab EE JavaScript into GitLab CE, but Sytse came up with another,
superior suggestion, that ultimately provided even greater reach.
**I'm pleased to announce that Sytse and I were able to agree on a license
change (with absolutely no friction or hesitation on his part) that
liberates all JavaScript served to the client from GitLab EE instances.**
There are two concerns that I had wanted to address: JavaScript code
directly written for the client, and any code that produced JavaScript as
output. In the former case, this includes JavaScript derived from other
sources: for example, GitLab uses CoffeeScript, which compiles *into*
JavaScript. The latter case is important: if there is any code that
generates fragments of JavaScript---e.g. dynamically at runtime---then that
code must also be free, or users would not be able to modify and share the
resulting JavaScript that is actually being run on the client. Sytse
accepted my change verbatim, while adding his own sentence after mine to
disambiguate. At the time of writing this post, GitLab EE's source code
isn't yet publicly visible, so here is the relevant snippet from its
`LICENSE` file:
> The above copyright notices applies only to the part of this Software that
> is not distributed as part of GitLab Community Edition (CE), and that is
> not a file that produces client-side JavaScript, in whole or in part. Any
> part of this Software distributed as part of GitLab CE or that is a file
> that produces client-side JavaScript, in whole or in part, is copyrighted
> under the MIT Expat license.
## Further Discussion
My discussions with Sytse did not end there: there are other topics that
have not been able to be addressed before my writing of this post that would
do well to demonstrate commitment toward [software freedom][2].
The license change liberating client-side JavaScript was an excellent
move. To expand upon it, I wish to submit a patch that would make GitLab
[LibreJS compliant][21]; this provides even greater guarantees, since it
would allow for users to continue to block other non-free JavaScript that
may be served by the GitLab instance, but not produced by it. For example:
a website/host that uses GitLab may embed proprietary JavaScript, or modify
it without releasing the source code. Another common issue is the user of
analytics software; `gitlab.com` uses Google Analytics.
If you would like to help with LibreJS compliance, please [contact me][11].
I was brought into another discussion between Sytse and RMS that is
unrelated to the GitLab software itself, but still a positive demonstration
of a commitment to [software freedom][2]---the replacement of Disqus on the
`gitlab.com` blog with a free alternative. Sytse ended up making a
suggestion, saying he'd be "happy to switch to" [Juvia][22] if I'd help with
the migration. I'm looking forward to this, as it is an important
discussion area (that I honestly didn't know existed until Sytse told me
about it, because I don't permit proprietary JavaScript!). He was even kind
enough to compile a PDF of comments for one of our discussions, since he was
cognizant ahead of time that I would not want to use Disqus. (Indeed, I
will be unable to read and participate in the comments to this guest post
unless I take the time to freely read and reply without running Disqus'
proprietary JavaScript.)
Considering the genuine interest and concern expressed by Sytse in working
with myself and the free software community, I can only expect that GitLab
will continue to accept and apply community input.
It is not possible to address the copyleft issue without a change in
license, which GitLab is not interested in doing. So the best way to
re-assure the community is through action. [To quote Sytse][18]:
> I think the only way to prove we're serious about open source is in our
> actions, licenses or statements don't help.
There are fundamental disagreements that will not be able to be
resolved between GitLab and the free software community---like their
["open core" business model][19]. But after working with Sytse and seeing
his interactions with myself, RMS, and many others in the free software
community, I find his actions to be very encouraging.
*Are you interested in helping other websites liberate their JavaScript?
Consider [joining the FSF's campaign][27], and
[please liberate your own][16]!*
*This post is licensed under the
[Creative Commons Attribution-ShareAlike 3.0 Unported License][25].*
[0]: https://about.gitlab.com/2015/03/03/gitlab-acquires-gitorious/
[1]: https://news.ycombinator.com/item?id=9138419
[2]: https://www.gnu.org/philosophy/free-sw.html
[3]: https://gitorious.org/
[4]: https://www.gnu.org/philosophy/who-does-that-server-really-serve.html
[5]: https://www.gnu.org/licenses/agpl.html
[6]: https://www.gnu.org/licenses/gpl.html
[7]: https://www.gnu.org/licenses/why-affero-gpl.html
[8]: https://www.gnu.org/licenses/quick-guide-gplv3.html
[9]: https://www.gnu.org/philosophy/pragmatic.html
[10]: https://www.gnu.org/licenses/license-list.html#Expat
[11]: http://mikegerwitz.com/
[12]: https://lists.gnu.org/mailman/listinfo/libreplanet-discuss
[13]: https://lists.gnu.org/archive/html/libreplanet-discuss/2015-03/msg00075.html
[14]: https://lists.gnu.org/archive/html/libreplanet-discuss/2015-04/msg00019.html
[15]: https://www.gnu.org/philosophy/javascript-trap.html
[16]: https://www.gnu.org/software/easejs/whyfreejs.html
[17]: https://lists.gnu.org/archive/html/libreplanet-discuss/2015-04/msg00020.html
[18]: https://news.ycombinator.com/item?id=9141801
[19]: https://lists.gnu.org/archive/html/libreplanet-discuss/2015-03/msg00076.html
[20]: https://lists.gnu.org/archive/html/libreplanet-discuss/2015-03/msg00095.html
[21]: https://www.gnu.org/software/librejs/free-your-javascript.html
[22]: https://github.com/phusion/juvia
[23]: https://www.fsf.org/blogs/rms/selling-exceptions
[24]: https://gnu.org/software/easejs
[25]: http://creativecommons.org/licenses/by-sa/3.0/
[26]: https://www.gnu.org/licenses/license-list.html
[27]: https://fsf.org/campaigns/freejs
[28]: http://mikegerwitz.com/about/githubbub
[orig-post]: https://about.gitlab.com/2015/05/20/gitlab-gitorious-free-software/
Mike Gerwitz