emms-help
From: Yuchen Pei
Subject: Re: (was Re: Adding a description text property for a track) non-free javascript and ytdl
Date: Wed, 23 Mar 2022 23:13:09 +1100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

On Sat 2022-03-19 00:56:51 +0100, Alexandre Garreau wrote:

> On Friday, 18 March 2022, at 21:23:04 CET, Yoni Rabkin wrote:
>
>> Yoni Rabkin <yoni@rabkins.net> writes:
>>
>> > I realized that I don't know a lot about ytdl/youtube-dl and went to
>> > have a look. As a result, I came across a potential show-stopper for
>> > inclusion in Emms in any form.
>> >
>> > I was concerned when I saw that ytdl/youtube-dl has a javascript
>> > interpreter built-in.
>> >
>> > I found the following thread that reports that ytdl/youtube-dl
>> > downloads and runs non-free javascript automatically as part of
>> > accessing the sites it supports:
>> > https://trisquel.info/en/forum/do-youtube-dlhtml5-video-everywhere-run-nonfree-js
>> >
>> > The thread is from back in 2017. Is this still the case? If so, is
>> > there a libre version of ytdl?
>>
>> A bit more research reveals that this concern is real. Apparently there
>> is a fork called hypervideo which removes the non-free parts:
>> https://notabug.org/heckyel/hypervideo
>
> Yes, but I think the decision to make is more tricky than it may appear: the
> javascript interpreter youtube-dl claims to use disables most of its API,
> essentially interpreting a Turing-complete IO-less program that’s actually not
> redacted by humans but generated randomly by a script so as to act as an
> obscure key for some kind of weird kind of symmetrical encryption

So afaik there are two js interpreters used by youtube-dl (I haven't
checked yt-dlp).  One is the self-contained jsinterp (used by the
youtube extractor), the other phantomjs (used by openload and *checks
notes* pornhub extractors).

I took a look at how the self-contained jsinterp is used, and tested a
few youtube video links there.  Surprisingly I did not come across any
videos requiring running any js code - one can simply wget the video
page, which contains some json containing direct links to video / audio.

>
> I don’t know if it has much impact that this code is proprietary.  Anyway, the
> mere fact we have to resort to reverse-engineering and scraping to get videos
> is concerning,

Try putting some print statements in the call_function js interpreter, see
whether ytdl runs it.  Chances are it won't.

> and the whole usage of youtube (its standard interface is
> proprietary and there is no way to use it as a creator/writer without using
> proprietary software) is problematic. Yet the sharing and archiving of its
> videos is imho appropriate resistance.

Right, GET-only usage without running nonfree js is fine and does not
take away your freedom.  But POST is problematic because it requires
nonfree js that is needed for signing up a google account etc.

>
> However I’m unsure it still needs it for youtube; afaik, they mostly used it
> for openload and a very few other backends.  Actually it doesn’t really hurt much
> to remove them, and could mostly lead users to instead prefer other streaming
> platforms to download (and then share) movies, series, etc.
>

I agree that a youtube-dl / yt-dlp without using any js interpreter
would be better, and ideally they should be running some sort of LibreJS
to block nonfree nontrivial scripts before executing any remaining free
/ trivial ones.  I'm gonna strip my copy of ytdl of code running js
interpreters.

Best,
Yuchen

-- 
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0
          <https://ypei.org/assets/ypei-pubkey.txt>
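
The check suggested in the message above (instrument the interpreter's call_function and see whether an extraction ever reaches it) can be done without editing the source by wrapping the method at run time. The following is an added example, not code from the post or from youtube-dl: `StandInInterpreter`, `extract_plain`, `extract_with_js` and the sample pages are hypothetical stand-ins, and only the method name `call_function` comes from the message.

```python
import functools
import traceback


def instrument(cls, method_name, log):
    """Wrap cls.method_name so every call is appended to `log`; return an undo function."""
    original = getattr(cls, method_name)

    @functools.wraps(original)
    def wrapper(self, *args, **kwargs):
        # Last two stack entries are [caller, wrapper]; record who asked for JS to run.
        caller = traceback.extract_stack(limit=2)[0]
        log.append({"method": method_name, "args": args, "caller": caller.name})
        return original(self, *args, **kwargs)

    setattr(cls, method_name, wrapper)
    return lambda: setattr(cls, method_name, original)


class StandInInterpreter:
    """Hypothetical stand-in for an extractor's embedded JS interpreter."""

    def __init__(self, code):
        self.code = code  # script text fetched from the remote site

    def call_function(self, funcname, *args):
        return "".join(reversed(args[0]))  # toy transform instead of real JS evaluation


def extract_plain(page):
    """Constructed extractor path: the media URL is read straight from the page JSON."""
    return page["url"]


def extract_with_js(page):
    """Constructed extractor path: a value is first passed through remote script code."""
    sig = StandInInterpreter(page["player_js"]).call_function("decipher", page["s"])
    return page["url"] + "?sig=" + sig


def audit(extract, page):
    """Run one extractor with the interpreter instrumented; return (result, call log)."""
    log = []
    restore = instrument(StandInInterpreter, "call_function", log)
    try:
        return extract(page), log
    finally:
        restore()
```

An empty log after a run means that extraction never handed remote script code to the interpreter; to audit a real installation, pass its interpreter class to `instrument` in place of the stand-in.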