I can also use safe-mode to get an idea of what changes other Discourse distros have made:
Purism only has a couple of theme scripts (which might actually be part of official Discouse, since safe mode blocks all themes I think) and one internal (as in, part of the HTML file, not an external JS file) piece of JavaScript, starting with const DELAY_TARGET=2e3,POLLING_INTERVAL=50,splashS…
Exercism has what appears to be the discourse-spoiler-alert plugin which was later added to core, as well as the same exact internal JS as Purism
FSF Member forum has just that same exact internal JS as the other two
Discourse Meta (this forum) appears to have a lot of JS differences
discourse-activity-pub
discourse-customer-flair-plugin (I couldn’t seem to find a license for this one anywhere)
discourse-deprecation-collector
discourse-doc-categories
discourse-new-features-feeds (no license found for this one either)
many more scripts, including some that do not even have a link to a source map
So it seems like most third party distributions (based on my small sample size of 3) stay pretty close to mainline Discourse, but then now this makes it look like this distribution contains plugins that would not be part most distributions. Do you know where I would find the licensed source code for all of those? Would they be in the main repository? I couldn’t seem to find them by grepping for some of those names in the main repo, but it’s possible I missed it.
I tried searching the entire forum for “discourse-new-features-feeds” (for example) and didn’t find anything. For some extensions I was able to find them in the plugin directory, on GitHub, or here on the forums, but for discourse-new-features-feeds and discourse-customer-flair-plugin, I could not find anything. I did not check every single plugin script, so there may be more I wouldn’t be able to find.
It is possible that they are an Enterprise customer and got Discourse to specially customize their forum for them.
Also, if you want to use safe mode to see client-side customizations, wouldn’t that disable it instead? How would you enable it on these sites in the first place?
Out of curiosity, I do wonder what the whole rationale is exactly, here. You simply can’t browse the internet with the concerns you’re putting forward, correct?
You’re talking of “license”. But your own license to use a specific forum as a simple user would be different than the license to actually run the forum software (=if someone wants to set up another forum with it). Why would a user care about the latter? Because of some principles he wants to adhere to? Any non-redistributed customization would be “proprietary”, I guess. Which begs the question of where this begins and ends.
You can be wary of javascript and what it might allow to run on your browser (the risks and possibilities of that is often debated. It’s supposed to be limited). I’m not sure if Discourse can run without it, tho. Or run correctly, at least. You can always give it a try. There is the popular “NoScript” browser extension for that, for example.
I still wonder about the reasoning: Is it about potential malicious code? In this case, it wouldn’t make much sense to me that you would feel better with a license SAYING a forum runs a non-modified version. Or what is it about?
Generally, I want to avoid running nonfree software. The main reason is that I think I should have control over the software that runs on my computer, and an additional reason is that I don’t like the idea of bugs that may be illegal to fix. I also think it would be good if I got my software from a small number of trusted repositories, rather than downloading software from hundreds of different independent websites with no third-party oversight or accountability, so it’s important to me that I am free to package the software I use for a repository I trust (though this is quite impractical for site-served JS with current technology).
I don’t think I ought to have control over the software that runs on others’ computers, because I think the server operator should have that control, and it doesn’t seem to me like it would make sense to have multiple users fully control the software.
No, it’s relatively easy to avoid running nonfree software on the internet if you don’t use programs that automatically download and run arbitrary code from untrusted parties, or if you modify such programs to not do that (for example, by installing LibreJS in your web browser).
As far as I can tell, running the forum software is required to use most functions of the forum, although reading posts works without it. If I want to register an account and post topics, it seems like I have to run the forum software. Most people don’t realize it because most browsers will download and run any software the website sends, without notifying the user.
Some of forum software is run on the server, and then Discourse instances will not necessarily distribute that software at all, which means I wouldn’t necessarily even get any nonfree software the instance added to the server side, so I don’t try to avoid instances that do this.
aside about definitions
In my view, software that is never distributed is “proprietary” because it has a single “owner” (the author) but it is also “free” because it all of its users (just one, the author) are free to do whatever they want with it. Well, I guess you could say people interacting with a server are “users” of the software on that server, so maybe I should use a different word from “users”, but I’m not sure what word to use instead. Maybe I am technically a “user” of the software running on the phone network or on someone else’s phone if I call someone.
Yes, I have NoScript installed, and when I block the client-side Discourse software, of course Discourse cannot “run” without it, because I have prevented the browser from running the scripts. The server-side software, which doesn’t run on my computer, is not prevented from running by NoScript. In this state, the topics and comments served by the Discourse server software are viewable, but to register and post it seems like you need to use the client-side JavaScript software.
Regarding malware, if a free software program is malware, then someone can modify it to not be malware, and then distribute that modified version to use instead. For site-served JavaScript this is currently somewhat impractical. Ideally there would be a license stating directly that the software is free software, so that even if the software was modified it would still be legal to use as free software. As it stands, I do have to trust that the distributions I use do not “lie” about what version of the software they are using (e.g. by modifying the Discourse server software to claim one commit is being used when it’s really another).
I probably made this response a bit too long but the core of it is that I value software freedom and therefore want to avoid running nonfree software on my computer.
In this case “they” is Discourse Meta. Isn’t that part of Discourse (the company)?
Yes, what I meant was: with safe mode I can disable the scripts from modifications, and then I can compare what software gets sent to the browser in both cases. The difference is the modifications and themes.
Safe mode can be enabled by navigating to /safe-mode (e.g. http://meta.discourse.com/safe-mode) and selecting the options there. That page does not require JavaScript, so safe mode can be enabled while using extensions like NoScript, LibreJS, and/or Haketilo to block the JS or by setting javascript.enabled to false in the browser settings for Firefox-based browsers.
At this point, you can compare the script tags on both pages to see what was removed with safe mode. I used a script like this:
script-diff.js
// SPDX-FileCopyrightText: 2024 Jacob K
//
// SPDX-License-Identifier: CC0-1.0
// on page with more scripts
const scriptSrcArr = [];
for (script of document.scripts) {
if (script.src) {
scriptSrcArr.push(script.src);
} else {
scriptSrcArr.push(script.textContent);
}
}
console.log(scriptSrcArr)
// on page with fewer scripts (You will need to right click on the array and click "Copy Object" on the first page)
scriptSrcArr = PASTE_OBJECT_FROM_OTHER_PAGE_HERE
for (script of document.scripts) {
if (!scriptSrcArr.includes(script.src)) {
console.info(script)
}
}
// I'm assuming that the scripts on the first page are a superset of the scripts on the second page
@Jagster (trying a reply via edit, as suggested by Discourse (cool suggestions feature!))
That makes me think that Discourse, as distributed by meta.discourse.org, is nonfree software, which would mean that the claims of “The entire Discourse codebase is open and freely available to the public” and “Discourse is 100% free, open-source forum software.” (both from www.discourse.org) seem misleading, even if it technically is true because the software isn’t the same thing as its plugins. It kind of feels like I’ve been tricked into running nonfree software
I guess that claim is really meant for people intending to host Discourse instances, not join existing ones.
I hope that I’m incorrect and it really is the case that I just didn’t look closely enough at the repo.
You must have that feel really often. No smileys, because that was just a statement because how internet and apps in it works.
You just said cusomizations are bad, and if the base is open source, then every add-ons must be free too. Well, I think WordPress used that, but surely not with wordpress.com, but if you visit my wodpress site there is a lot of custom work. Some are propietary, some are open, some are custom and some are by me. And not in this reality two things will happen:
all code of custom work would be public
I would tell to you or any visitor if I have or have not valid licence
But I have hard time to undestand why Discourse, WordPress, Moodle etc wouldn’t be free if some adds aren’t free. I don’t understand the logic behind that thinking.
Okay, I think I understand where you’re coming from.
Not at all! The code will always be free.
Admins of their own Discourse site have the freedom to customize their own forum. Plugins, themes, TCs don’t always have to be open source. Discourse is fine with that, since there are ways of using private repos instead of public ones to connect these customizations.
So is any of the plugins, except in very, very, very rare occasions (maybe even almost never!) will such customizations be paid [1]. So nothing is “nonfree”: everything is free.
My point is, open-source software will be free. Plugins are free - it’s your choice to use them. So are themes, TCs, etc. What isn’t open-source, however, may be paid, but the admins chose to make it free to use. There’s no one stopping you if you want to make a copy of a closed-source customization to the best of your ability and using it yourself.
Discourse is free, it’s public customizations [2] are free, it’s private customizations are also free to use (At least in a fair bit of places, but
. Paying the owner for the source code is a different thing, though.
Essentially, unless you make a plugin/theme/TC yourself and don’t share it around, you can always install customizations for free. No one is stopping you.
I’m sorry if this sounds rude or curt, or going round in circles and repeating the same thing.
Except by paid commissions, which is your own choice to sponsor it. ↩︎
i.e. those listed here in Meta or in github publicly ↩︎
That is not necessarily true. Again: this is about free as in liberty, not in price. There are open source projects that have licenses that are too restrictive to be seen as free software per the FSF definition. Examples are MongoDB and ElasticSearch.
Running free software does not imply that you have control over it.
So it seems you’re mixing up ‘trusted’ and ‘free’. When a server administrator builds discourse, the build process downloads all kinds of packages from NPM. Can those always be trusted? (History has learned us that this is not the case - example and another).
You “guess” A server administrator can make modifications without changing the commit hash. And a plugin can inject Javascript code as well.
I hate to break it to you, but that is untrue.
This is not about free or non-free or open source or closed source, but about trust.
If you visit a Discourse instance, you will have to trust
the server administrator(s)
everyone with commit access on the Discourse github org
everyone with commit access on plugin repositories
everyone at github
the entire NPM software chain
everyone with commit access to any NPM repository that is being used
everyone with control over your browser software
the company that supplied the SSL certificate and the trust chain
Which will be a few thousand people at least?
Plugins and theme components can be found in separate repositories.
Not all plugins are open source (e.g. discourse-customer-flair-plugin isn’t AFAIK). So there you have it. You will have to cease using Meta Just kidding of course. My point is that there can be enough trust without everything being open source or libre.
Just something, @JacobK1 , have you read Discourse’s license?
Quoting some points that may be relevant:
the GNU General Public
License is intended to guarantee your freedom to share and change free
software–to make sure the software is free for all its users.
You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above
I hope this was answered above and in the quote above this.
If I understand correctly, all this is mainly linked to javascript. And it is about what is run with javascript inside your browser, which is served by each Discourse instance. It would also mostly be about “trust” and having the capacity to know what code is run (being able to have a look at it). Correct?
This is quite above my pay-grade, but can you have “control” over this? Unless you were submitting a commit which changes things for everybody, I don’t believe you could really “fix” yourself anything here, as what you refer to as the “software” run on your computer is provided to your browser by the server each time.
Even if each forum were to have its own open-source code published, with all possible modifications, can you know for sure that’s what they’re actually running at all time? It’s not like you could download one time, check and compile yourself on your end.
What you would really want is either:
No javascript (no luck with Discourse on that one, which relies quite heavily on it) or
An independent open-source client actually installed on your computer. The latter would also need to not use javascript, if all this is possible with Discourse, which IDK. Then you would be able to modify your client and have the control over it you’re after.
Would that be a fair understanding?
(PS: It is above my paygrade too, but if I remember correctly, not 100% of Discourse code is open-source. Now, you only really care about what runs on your end, not everything server-side)
A server administrator can make modifications without changing the commit hash. And a plugin can inject Javascript code as well.
Just kidding of course. My point is that there can be enough trust without everything being open source or libre.