https://software.opensuse.org does not (quite) work without JavaScript any more. Why?

I just visited https://software.opensuse.org and noticed that it is forcing me to enable some non-free JavaScript in order to use functions like “Show community packages”.

How is that justified along the lines of software freedom (and the PoC of Spectre and Meltdown demonstrated through using JavaScript)?

How can we have an html only version please?

Hi
Contact the maintainers via https://en.opensuse.org/openSUSE:Heroes

Thanks. There are quite a lot of links on that page. Which contact channels should I use? Or are you suggesting to email directly the people listed in the “Members” table?

On Wed 21 Mar 2018 12:36:01 PM CDT, heyjoe wrote:

Thanks. There are quite a lot of links on that page. Which contact
channels should I use? Or are you suggesting to email directly the
people listed in the “Members” table?

Hi
I would try the IRC channel first…


Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE Leap 42.3|GNOME 3.20.2|4.4.114-42-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!

I ran a Tor browser which is FF with NoScript 5.1.8.4 installed, and I’ve explored several links on several pages without running into a forbidden script.

I’ve also clicked on several “show community” and “show experimental” links in the package search pages without a problem. I did a cursory inspection what’s on the page and it looks like pretty standard HTML5/CSS3/Javascript.

If you’re expecting a page without any javascript whatsoever, that’s probably unreasonable in today’s Web… You’d maybe want to point a browser with no javascript support at all directly at the repo directories instead of software.opensuse.org/search.

TSU

With the openSUSE Leap 42.3 standard browser: Firefox ESR Version 52.7.2 and the (Firefox standard) IcedTea-Web Java plugin:
<https://software.opensuse.org>: Page information:
Type: “text/html”; Meta (6 keywords):


IE=edge
width=device-width, initial-scale=1
text/html; charset=utf-8
text/javascript
text/css

Checked a package (digiKam): the page’s Type and Meta are just the same – header of the page’s source code is:


<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
  <head>
    <meta charset="utf-8"/>
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>openSUSE Software</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <meta http-equiv="Content-Script-Type" content="text/javascript"/>
    <meta http-equiv="Content-Style-Type" content="text/css"/>

    <link rel="search" type="application/opensearchdescription+xml" title="openSUSE Software" href="/search_software.xml" />

    <link rel="stylesheet" media="screen" href="/chameleon/css/app.css" />
    <link rel="stylesheet" media="screen" href="/assets/app-78e83e964932d7d796e66dc9a32622ee7e98f9522cc94291771e9431151356b7.css" />
    <script src="/chameleon/js/app.js"></script>
    <link href="https://software.opensuse.org/favicon.ico" rel="shortcut icon" />
    <script src="/assets/application-f138ca00f631a013675d9ea487a7e5afc06839913e263c9992e1341aa8a1549a.js"></script>

    

    <script type="text/javascript">
      /* <![CDATA[ */

So, questions:

  • Which browser are you using?
  • Can you determine why that browser is forcing you to install commercial (closed source) Java support?

The question is - how is it “reasonable” to enforce the user to run non-free software in order to download free software, considering the additional vulnerabilities mentioned.

https://www.gnu.org/philosophy/javascript-trap.html

I am not an FSF fanatic, but still, obfuscated JS cannot be considered even open source in general. So this site now practically requires blindfolded trust from the visitor in order to use its functions. That’s why I asked - how does this align with the whole idea of software freedom? Also, who can guarantee that through this obfuscated JS someone cannot perform a Spectre attack (for example)? Even if that was possible one time, nobody can check if the JS on the server was changed since the last visit. So “today’s web” is not merely something to accept while ignoring an actual PoC, on the contrary. For similar reasons I am working on new versions of all my own websites, respecting the user’s freedom. (just a side note)

chromium-65.0.3325.181-149.1.x86_64 with disabled


chrome://settings/content/cookies //// selectively enabled just for a few sites.
chrome://settings/content/location
chrome://settings/content/camera
chrome://settings/content/microphone
chrome://settings/content/notifications
chrome://settings/content/javascript
chrome://settings/content/flash
chrome://settings/content/backgroundSync
chrome://settings/content/automaticDownloads
chrome://settings/content/unsandboxedPlugins
chrome://settings/content/midiDevices
chrome://settings/content/protectedContent
chrome://settings/languages
chrome://settings/cloudPrinters

The browser is not forcing me to do anything. Java != JavaScript.

Is your suggestion, to move the openSUSE web presence to a “no JavaScript needed” HTML5 + CSS3 implementation?

Well, why not? So far it has been this way.

It hasn’t. The old page was html+javascript, just like the current one. And migration to HTML5? That would need a huge team, with lots of time. And, who’s going to do this?

I mean that so far the blocking of JS has never obstructed the possibility to see e.g. unofficial packages, to download them etc. Currently without JS everything is pretty limited.

Re. huge team and lots of time - how come this was not a factor to destroy what was available but it is a problem to have a freedom respecting website? It sounds like investment is worth it only to build a site exposing the user to the javascript trap. What’s the logic?

I do a lot of browsing with JavaScript disabled, mostly for security and privacy reasons. I have no JavaScript on any of my own websites, because there is nothing on my websites that require the additional control to function.

However, I have no issue with enabling JavaScript on responsible sites that I know and trust, where it is often used to increase security and privacy, such as at online banking, the openSUSE sites, and a few other places. Used responsibly, it actually increases both security and privacy, as well as function.

And, it is actually much more secure, safe, and private than some of the scary things that can be done by unscrupulous website operators in HTML5.

It all comes down to not going to and not trusting questionable sites or unknown sites.

@Fraser_Bell

JavaScript cannot increase the security and privacy of the visitor, especially on sites which use Piwik or Google Analytics.

Wrong. For one thing, it can provide more secure checks and rechecks for secure logins to online account services on the SSI side.

Along with other uses.

How it is used is like anything useful: You can use it for good, or you can use it for bad.

So, your decision where to use JavaScript should be based on the entity you are interacting with.

In other words, a person needs to use their brain – think – when online.

There are really no other foolproof protections.

Logins are HTTP requests. They are always checked server side. So enabling JS for a form can have only usability value for a basic pre-check but it does not add security or privacy to the visitor.

In other words, a person needs to use their brain – think – when online.

Thinking “this site is my friend, so let’s trust it” is much different from “I am going to check if this site can be trusted. I see obfuscated JS which I cannot check. I also see Piwik and Google Analytics.” So yes - thinking is necessary, not trusting. openSUSE’s JS is not even LibreJS which would make it verifiable FOSS.

@heyjoe : I bet nobody in the openSUSE Project and community will stop you from setting up a project and recreating the page in HTML5.

But I agree with @Fraser_Bell here, you’re wrong in thinking that javascript cannot increase security. A simple example is account-creation forms. Through javascript you can validate input. On the mentioned forms I do not only check for default stuff, but also for the absence of php strings, sql statements etc. This happens before the user submits the form. And the form does not work without javascript. This has moved the checks to the user’s browser, which I consider a security feature. Agreed?

Is there any established way to do that? Please provide info.

If someone can send me the backend templates which output the HTML I can definitely try to make an HTML-only version. However if I am supposed to do it through enabling JS and guessing or reverse engineering the obfuscated code - not interested.

But I agree with @Fraser_Bell here, you’re wrong in thinking that javascript cannot increase security. A simple example is account-creation forms. Through javascript you can validate input. On the mentioned forms I do not only check for default stuff, but also for the absence of php strings, sql statements etc. This happens before the user submits the form. And the form does not work without javascript. This has moved the checks to the user’s browser, which I consider a security feature. Agreed?

The root meaning of the word “secure” is “free from danger”. Are you free from danger with a CPU vulnerable to side channel attacks? - No. Can you trust blindly code which can change at any time remotely? - No. Can you trust code which is obfuscated and non-verifiable? - No. Does that increase your security? - No.

Obviously security has different dimensions. Form validation does not secure the user but ensures proper data submission. As I said it improves usability - one can see if the data is valid before submitting the form, i.e. without page reloads. In any case it is a must to have server side validation, so JS is optional. Even more with HTML5 which provides new input types:

https://robertnyman.com/html5/forms/input-types.html

Considering that software.opensuse.org has only 1 search input it does not need any form validation whatsoever.
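The two posts above disagree over what client-side form checks protect. The following is an added example, not code from this thread or from openSUSE’s site, showing the server-side half that the reply calls mandatory: the same constraints a browser would apply through HTML5 attributes (required, pattern, minlength/maxlength, type="email") are re-applied on the server, which cannot know whether any JavaScript or HTML5 check ran at all. The field names, the constraints and the sample submissions are assumptions made for the illustration. It allow-lists the expected shape of each field instead of scanning for "php strings" or "sql statements", since rejecting SQL injection is the job of parameterised queries at the database layer, not of string matching in a form handler.

```python
"""Server-side re-validation of an account-creation form.

Added example (not from the forum thread or openSUSE's code). Field names,
limits and sample data below are hypothetical and chosen for illustration.
"""
import re
from typing import Any, List, Mapping, Optional, Tuple

# Constraints a browser would enforce client-side via HTML5 attributes.
# HTML5 'pattern' is implicitly anchored, which is why fullmatch() is used below.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")       # pattern="[A-Za-z0-9_]{3,32}"
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")   # rough stand-in for type="email"
PASSWORD_MIN, PASSWORD_MAX = 12, 128                  # minlength / maxlength
EMAIL_MAX = 254


def _field(form: Mapping[str, Any], name: str, errors: List[str]) -> Optional[str]:
    """Fetch one required field, treating the value as untrusted input.

    A submission that bypassed the browser may omit fields or send an array
    where a single string was expected, so both cases are rejected explicitly.
    """
    value = form.get(name)
    if value is None or value == "":
        errors.append(f"{name}: required")
        return None
    if not isinstance(value, str):
        errors.append(f"{name}: must be a single string")
        return None
    return value


def validate_registration(form: Mapping[str, Any]) -> List[str]:
    """Return all validation errors; an empty list means the data is acceptable."""
    errors: List[str] = []
    username = _field(form, "username", errors)
    email = _field(form, "email", errors)
    password = _field(form, "password", errors)

    if username is not None and not USERNAME_RE.fullmatch(username):
        errors.append("username: 3-32 characters from [A-Za-z0-9_]")
    # Length is checked before the regex so oversized input never reaches it.
    if email is not None and (len(email) > EMAIL_MAX or not EMAIL_RE.fullmatch(email)):
        errors.append("email: not a valid address")
    if password is not None and not (PASSWORD_MIN <= len(password) <= PASSWORD_MAX):
        errors.append(f"password: {PASSWORD_MIN}-{PASSWORD_MAX} characters")
    return errors


def handle_submission(form: Mapping[str, Any]) -> Tuple[int, List[str]]:
    """HTTP-style outcome of a POST: (201, []) on success, (400, errors) otherwise."""
    errors = validate_registration(form)
    return (201, []) if not errors else (400, errors)


# Constructed sample submissions (hypothetical data).
GOOD = {"username": "heyjoe", "email": "joe@example.org", "password": "correct horse battery"}
# What a browser's own checks would normally have stopped before submission:
BAD = {"username": "joe; DROP TABLE", "email": "not-an-address", "password": "short"}
# A request that never went through the form at all: array-valued field, no password.
NO_JS = {"username": ["a", "b"], "email": "joe@example.org"}

if __name__ == "__main__":
    for label, form in (("GOOD", GOOD), ("BAD", BAD), ("NO_JS", NO_JS)):
        print(label, handle_submission(form))
```

The point the block makes is that `handle_submission` produces the same verdict for `BAD` whether or not a browser ran its JavaScript first; the client-side check only saves the user a round trip, as the reply above says. The HTML5 attributes listed in the comments give that round-trip saving without any script, but the server still has to repeat them.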

To add a bit: javascript has nothing to do with FOSS. Like HTML doesn’t. They’re standardized protocols. With various implementations in browsers, and evenly various licensing, e.g. Mozilla’s has an MIT license, Chromium’s an LGPL license.
And, another bit: as soon as 30% of the world’s websites run HTML5, the nasty people will find ways to do some damage, or steal data.

BTW: As a Board member I can guarantee you that our entire infrastructure, so including software.o.o is nothing but FOSS … with one exception: these forums. :D.

I’m not actually interested in getting into an argument with you about this. I have been building and working on websites since the mid-1990s, and quite frankly I would rather rely on my experience than your opinions.

In this post,
I’ll respond specifically to whether it’s possible to navigate and use software.opensuse.org/search using a web browser without javascript support.

The browser used for testing
I decided to use a text-only browser, Lynx.
No client-side scripting is supported, and of course no graphics.

Test Objective
See if I can download the package for postgresql server 10.3.
The current default is 9.4, and even if you open a web browser to the page displaying postgresql 10, the default is 10.2.
And, when you use a javascript-enabled browser, the package is accessible only by clicking on a button that requires javascript.

Result
The navigation is weird and not consistent to navigating with a javascript-enabled browser, but the desired package can be found and downloaded.
I did a search from the beginning for “postgresql 10.3” then although I was looking for the server package, I found a link to the server package within a group of links associated with “postgresql 10 clients and utilities.” That took me to a page that displayed all 10.x server packages.
I expect the experience could be the same for a graphical browser without javascript as the @OP describes.
**Bottom line**
I wouldn’t recommend this exercise for anyone because my brief test although successful didn’t seem to follow a logical and intuitive path. But, it’s possible for instance if on a non-graphical system.

TSU