Re: Web versions

[Schanzenbach, Martin]

> On 14. Mar 2021, at 19:25, Alfred M. Szmidt <ams@gnu.org> wrote:
> 
>   The same is true for JS/Webassembly. In fact, one could argue that this
>   is a significant part of the value offering (offline use of the web 
> application).
>   You can copy the whole site offline and continue using it.
>   Yes, there MAY be interaction with a REST API, but that is a completely 
> different
>   story not directly related to webassembly at all.
> 
> The same is absolutley not true for Javascript or Webassembly, it is
> nigh impossible to download the full set of scripts and other code to
> run it locally.  And, again -- it is running code (binary, obfuscated,
> or source) from someone else machine.

Why is it a problem that it is binary?
.deb packages also contain only binaries. You can download the source,
but that is not part of apt/deb and can be done out of band due to the freedoms
you (hopefully) have. You can also include non-free repositories. Then you 
cannot.
You may even install a free program but the dependencies it pulls in are 
ABI-compatible
proprietary libraries. As a user there is nothing you can do against that 
except changing the distribution
channel. In the browser you would call such a change "browsing to an 
alternative website".
But most importantly, it is not the fault of the program that it was 
distributed with
ABI-compatible libraries or the fact that is compiled/dymanically linked!

Can you explain to me what the difference is: Why is the browser as http client 
bad
to download binary compiled free software but the apt http client is just fine?

And regarding the difficulty of copying the scripts: How does the browser do it 
then?
I think you have not programmed a web application using JS/WA yourself that 
actually "obfuscates"
it (e.g. using webpack or webassembly or both).
What happens there is that it "packs" all the code into a single file and 
optimizes it for space
and performance. Transpilation and packing is not so much different from 
compilation and linking.
For webassembly, it is actually just semantics.

That "blob" (sic) is then downloaded by the browser, or not. It may be cached 
(=already downladed) or it may
be a webextension. I guess nothing is really keeping you from copying the 
program and running it on another machine or browser
either.
This is because you can very well download a copy any time and run it basically 
anywhere.
That is exactly what the browser does and why it is done.
Which brings me to the second point I made: For most JS applications ("single 
page applications")
the fact that you can run the program offline without "downloading it from 
another persons server" all the time
is the core value offering compared the older style of web applications using 
application servers.

And then of course there are webextensions which are even less distinguishable 
from other programs running on
your system.
Theoretically, you could have a webextension that has a compiled emacs which 
replaces all input fields so you can use it for that.
There is not even a connection with a server. (Except, of course, for 
downloading the webextension which might have happened through apt and I am not 
sure if you find this problematic now or not as the deb repository is certainly 
somebody else's server).

>  You have no idea if the code
> you got is free software or not, it is a binary blob that
> automatically runs on your computer.  I suggest you read the
> Javascript trap.
> 
>   Have you tried running emacs on a C64 recently?
> 
> Emacs has never run on a C64.
> 
>> The suggestion in this thread was to make GNU port to webassembly, and
>> then be run in a web browser, from someone elses machine.
> 
>   No, it was not:
> 
>   " ince WebAssembly is now a reality, maybe you guys should get to
>   making the browser versions of AAAAAAAALL your software?  "
> 
> In other words, exactly what I wrote.

You said the issue is that that the code comes from "somebody else's server" I 
was making the point that
the OP said no such thing and I tried to define "browser version" for you (the 
text that would follow if you hadn't removed it).
Note that OP did not even say "web applications" and hence did not imply the 
download from a website/server at all.

Please understand that I am trying to understand the logic behind the general 
rejection of webassembly as a target platform;
or JS for that matter.
It is a relevant question for packages such as GNUnet and GNU Taler. Both have 
features that require the use of a
webextension, for example.
The article on the JavaScript trap is sensible and I agree. It also proposes a 
mechanism that allows us to
have a technical means to determine if the binary is FS. Which is something 
actual binaries often lack and why reproducible builds
is a good thing (how do YOU determine if your emacs is actually compiled from a 
free software source?). But the reasoning behind the necessity for a mechanism 
in the case of web applications (JS/WA or otherwise) is well explained in the 
article.

Seeing the OP, initially I thought it was completely uncontroversial to add a 
compilation target such as WA to a gnu package
if there is a use case for it.
Especially since the platform is conceivably free software (a browser) -- 
unlike, say, the M1 platform.
But apparently not. The reasoning behind it is, however, unclear to me.


- Martin

signature.asc
Description: Message signed with OpenPGP