Re: FSD as a Git repository

[Sergey Matveev]

*** Lorenzo L. Ancora via [2021-07-20 13:56]:
>The solution is not to convince people that "JavaScript is bad" but to
>educate them on the correct client-side implementation.

JavaScript is literally downloading of the program, that is
transparently executed somehow. No current web-browser allows you
controlling of that process: does anyone stores the hash of the
downloaded script and warns you that it is changed, shows you the diff,
asks for confirmation? It is just silly to blindly trust auto-executing
downloaded programs.

Modern Web-ecosystem is so complicated, that it is just impossible to
write web-engine from the ground:
https://drewdevault.com/2020/03/18/Reckless-limitless-scope.html
That complexity guarantees that it can not be secure by definition.
No sandboxing protects you from from attacks on hardware like rowhammer,
Meltdown, Spectre and many similar:
https://en.wikipedia.org/wiki/Row_hammer
https://www.vusec.net/projects/flip-feng-shui/
https://www.vusec.net/projects/drammer/
https://react-etc.net/entry/exploiting-speculative-execution-meltdown-spectre-via-javascript
You hardly can defence yourself even by running sandboxed JavaScript
inside virtual machine on another OS inside. Nothing will protect you
from the harmful software. The whole modern web-ecosystem is targeted
on running third-party downloaded software on each connection. You
literally loose control on you computer that way.

https://eev.ee/blog/2016/03/06/maybe-we-could-tone-down-the-javascript/
If someone wants to take everything from my hands and allow only to use
provided application (JavaScript script), then one can just give me the
VNC/X11/whatever remote graphical connection: it will be completely the
same for my computer. If I need to fill the complex dynamic input form,
or something far from being satisfied with already existing HTML forms,
then give me the telnet access, BBS like -- it is completely safe for
me and my computer, does not require any many-million-line-of-code
software, that you have to *very* regularly update because of constantly
changing and progressing JavaScript/DOM/CSS/whatever features. And the
form/site/application owner is happy too: no bothering about possible
source code obfuscation and compatibility problems.

People had to stop writing software/application they want me to execute
on my computer, when they just can share me the document they want to
show (HTML, images, PDFs, whatever). I already have transmission
protocols and document viewers available -- why should I download yet
another program I have to trust each time? If you use JavaScript, then
you do something completely wrong (or at least strange) from the
security and user's freedom point of view.

-- 
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: CF60 E89A 5923 1E76 E263  6422 AE1A 8109 E498 57EF

signature.asc
Description: PGP signature