I can also use safe-mode to get an idea of what changes other Discourse distros have made:
Purism only has a couple of theme scripts (which might actually be part of official Discouse, since safe mode blocks all themes I think) and one internal (as in, part of the HTML file, not an external JS file) piece of JavaScript, starting with const DELAY_TARGET=2e3,POLLING_INTERVAL=50,splashS…
Exercism has what appears to be the discourse-spoiler-alert plugin which was later added to core, as well as the same exact internal JS as Purism
FSF Member forum has just that same exact internal JS as the other two
Discourse Meta (this forum) appears to have a lot of JS differences
discourse-activity-pub
discourse-customer-flair-plugin (I couldn’t seem to find a license for this one anywhere)
discourse-deprecation-collector
discourse-doc-categories
discourse-new-features-feeds (no license found for this one either)
many more scripts, including some that do not even have a link to a source map
So it seems like most third party distributions (based on my small sample size of 3) stay pretty close to mainline Discourse, but then now this makes it look like this distribution contains plugins that would not be part most distributions. Do you know where I would find the licensed source code for all of those? Would they be in the main repository? I couldn’t seem to find them by grepping for some of those names in the main repo, but it’s possible I missed it.
I tried searching the entire forum for “discourse-new-features-feeds” (for example) and didn’t find anything. For some extensions I was able to find them in the plugin directory, on GitHub, or here on the forums, but for discourse-new-features-feeds and discourse-customer-flair-plugin, I could not find anything. I did not check every single plugin script, so there may be more I wouldn’t be able to find.
It is possible that they are an Enterprise customer and got Discourse to specially customize their forum for them.
Also, if you want to use safe mode to see client-side customizations, wouldn’t that disable it instead? How would you enable it on these sites in the first place?
Out of curiosity, I do wonder what the whole rationale is exactly, here. You simply can’t browse the internet with the concerns you’re putting forward, correct?
You’re talking of “license”. But your own license to use a specific forum as a simple user would be different than the license to actually run the forum software (=if someone wants to set up another forum with it). Why would a user care about the latter? Because of some principles he wants to adhere to? Any non-redistributed customization would be “proprietary”, I guess. Which begs the question of where this begins and ends.
You can be wary of javascript and what it might allow to run on your browser (the risks and possibilities of that is often debated. It’s supposed to be limited). I’m not sure if Discourse can run without it, tho. Or run correctly, at least. You can always give it a try. There is the popular “NoScript” browser extension for that, for example.
I still wonder about the reasoning: Is it about potential malicious code? In this case, it wouldn’t make much sense to me that you would feel better with a license SAYING a forum runs a non-modified version. Or what is it about?
Generally, I want to avoid running nonfree software. The main reason is that I think I should have control over the software that runs on my computer, and an additional reason is that I don’t like the idea of bugs that may be illegal to fix. I also think it would be good if I got my software from a small number of trusted repositories, rather than downloading software from hundreds of different independent websites with no third-party oversight or accountability, so it’s important to me that I am free to package the software I use for a repository I trust (though this is quite impractical for site-served JS with current technology).
I don’t think I ought to have control over the software that runs on others’ computers, because I think the server operator should have that control, and it doesn’t seem to me like it would make sense to have multiple users fully control the software.
No, it’s relatively easy to avoid running nonfree software on the internet if you don’t use programs that automatically download and run arbitrary code from untrusted parties, or if you modify such programs to not do that (for example, by installing LibreJS in your web browser).
As far as I can tell, running the forum software is required to use most functions of the forum, although reading posts works without it. If I want to register an account and post topics, it seems like I have to run the forum software. Most people don’t realize it because most browsers will download and run any software the website sends, without notifying the user.
Some of forum software is run on the server, and then Discourse instances will not necessarily distribute that software at all, which means I wouldn’t necessarily even get any nonfree software the instance added to the server side, so I don’t try to avoid instances that do this.
aside about definitions
In my view, software that is never distributed is “proprietary” because it has a single “owner” (the author) but it is also “free” because it all of its users (just one, the author) are free to do whatever they want with it. Well, I guess you could say people interacting with a server are “users” of the software on that server, so maybe I should use a different word from “users”, but I’m not sure what word to use instead. Maybe I am technically a “user” of the software running on the phone network or on someone else’s phone if I call someone.
Yes, I have NoScript installed, and when I block the client-side Discourse software, of course Discourse cannot “run” without it, because I have prevented the browser from running the scripts. The server-side software, which doesn’t run on my computer, is not prevented from running by NoScript. In this state, the topics and comments served by the Discourse server software are viewable, but to register and post it seems like you need to use the client-side JavaScript software.
Regarding malware, if a free software program is malware, then someone can modify it to not be malware, and then distribute that modified version to use instead. For site-served JavaScript this is currently somewhat impractical. Ideally there would be a license stating directly that the software is free software, so that even if the software was modified it would still be legal to use as free software. As it stands, I do have to trust that the distributions I use do not “lie” about what version of the software they are using (e.g. by modifying the Discourse server software to claim one commit is being used when it’s really another).
I probably made this response a bit too long but the core of it is that I value software freedom and therefore want to avoid running nonfree software on my computer.
In this case “they” is Discourse Meta. Isn’t that part of Discourse (the company)?
Yes, what I meant was: with safe mode I can disable the scripts from modifications, and then I can compare what software gets sent to the browser in both cases. The difference is the modifications and themes.
Safe mode can be enabled by navigating to /safe-mode (e.g. http://meta.discourse.com/safe-mode) and selecting the options there. That page does not require JavaScript, so safe mode can be enabled while using extensions like NoScript, LibreJS, and/or Haketilo to block the JS or by setting javascript.enabled to false in the browser settings for Firefox-based browsers.
At this point, you can compare the script tags on both pages to see what was removed with safe mode. I used a script like this:
script-diff.js
// SPDX-FileCopyrightText: 2024 Jacob K
//
// SPDX-License-Identifier: CC0-1.0
// on page with more scripts
const scriptSrcArr = [];
for (script of document.scripts) {
if (script.src) {
scriptSrcArr.push(script.src);
} else {
scriptSrcArr.push(script.textContent);
}
}
console.log(scriptSrcArr)
// on page with fewer scripts (You will need to right click on the array and click "Copy Object" on the first page)
scriptSrcArr = PASTE_OBJECT_FROM_OTHER_PAGE_HERE
for (script of document.scripts) {
if (!scriptSrcArr.includes(script.src)) {
console.info(script)
}
}
// I'm assuming that the scripts on the first page are a superset of the scripts on the second page
@Jagster (trying a reply via edit, as suggested by Discourse (cool suggestions feature!))
That makes me think that Discourse, as distributed by meta.discourse.org, is nonfree software, which would mean that the claims of “The entire Discourse codebase is open and freely available to the public” and “Discourse is 100% free, open-source forum software.” (both from www.discourse.org) seem misleading, even if it technically is true because the software isn’t the same thing as its plugins. It kind of feels like I’ve been tricked into running nonfree software
I guess that claim is really meant for people intending to host Discourse instances, not join existing ones.
I hope that I’m incorrect and it really is the case that I just didn’t look closely enough at the repo.
You must have that feel really often. No smileys, because that was just a statement because how internet and apps in it works.
You just said cusomizations are bad, and if the base is open source, then every add-ons must be free too. Well, I think WordPress used that, but surely not with wordpress.com, but if you visit my wodpress site there is a lot of custom work. Some are propietary, some are open, some are custom and some are by me. And not in this reality two things will happen:
all code of custom work would be public
I would tell to you or any visitor if I have or have not valid licence
But I have hard time to undestand why Discourse, WordPress, Moodle etc wouldn’t be free if some adds aren’t free. I don’t understand the logic behind that thinking.
Okay, I think I understand where you’re coming from.
Not at all! The code will always be free.
Admins of their own Discourse site have the freedom to customize their own forum. Plugins, themes, TCs don’t always have to be open source. Discourse is fine with that, since there are ways of using private repos instead of public ones to connect these customizations.
So is any of the plugins, except in very, very, very rare occasions (maybe even almost never!) will such customizations be paid [1]. So nothing is “nonfree”: everything is free.
My point is, open-source software will be free. Plugins are free - it’s your choice to use them. So are themes, TCs, etc. What isn’t open-source, however, may be paid, but the admins chose to make it free to use. There’s no one stopping you if you want to make a copy of a closed-source customization to the best of your ability and using it yourself.
Discourse is free, it’s public customizations [2] are free, it’s private customizations are also free to use (At least in a fair bit of places, but
. Paying the owner for the source code is a different thing, though.
Essentially, unless you make a plugin/theme/TC yourself and don’t share it around, you can always install customizations for free. No one is stopping you.
I’m sorry if this sounds rude or curt, or going round in circles and repeating the same thing.
Except by paid commissions, which is your own choice to sponsor it. ↩︎
i.e. those listed here in Meta or in github publicly ↩︎
That is not necessarily true. Again: this is about free as in liberty, not in price. There are open source projects that have licenses that are too restrictive to be seen as free software per the FSF definition. Examples are MongoDB and ElasticSearch.
Running free software does not imply that you have control over it.
So it seems you’re mixing up ‘trusted’ and ‘free’. When a server administrator builds discourse, the build process downloads all kinds of packages from NPM. Can those always be trusted? (History has learned us that this is not the case - example and another).
You “guess” A server administrator can make modifications without changing the commit hash. And a plugin can inject Javascript code as well.
I hate to break it to you, but that is untrue.
This is not about free or non-free or open source or closed source, but about trust.
If you visit a Discourse instance, you will have to trust
the server administrator(s)
everyone with commit access on the Discourse github org
everyone with commit access on plugin repositories
everyone at github
the entire NPM software chain
everyone with commit access to any NPM repository that is being used
everyone with control over your browser software
the company that supplied the SSL certificate and the trust chain
Which will be a few thousand people at least?
Plugins and theme components can be found in separate repositories.
Not all plugins are open source (e.g. discourse-customer-flair-plugin isn’t AFAIK). So there you have it. You will have to cease using Meta Just kidding of course. My point is that there can be enough trust without everything being open source or libre.
Just something, @JacobK1 , have you read Discourse’s license?
Quoting some points that may be relevant:
the GNU General Public
License is intended to guarantee your freedom to share and change free
software–to make sure the software is free for all its users.
You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above
I hope this was answered above and in the quote above this.
If I understand correctly, all this is mainly linked to javascript. And it is about what is run with javascript inside your browser, which is served by each Discourse instance. It would also mostly be about “trust” and having the capacity to know what code is run (being able to have a look at it). Correct?
This is quite above my pay-grade, but can you have “control” over this? Unless you were submitting a commit which changes things for everybody, I don’t believe you could really “fix” yourself anything here, as what you refer to as the “software” run on your computer is provided to your browser by the server each time.
Even if each forum were to have its own open-source code published, with all possible modifications, can you know for sure that’s what they’re actually running at all time? It’s not like you could download one time, check and compile yourself on your end.
What you would really want is either:
No javascript (no luck with Discourse on that one, which relies quite heavily on it) or
An independent open-source client actually installed on your computer. The latter would also need to not use javascript, if all this is possible with Discourse, which IDK. Then you would be able to modify your client and have the control over it you’re after.
Would that be a fair understanding?
(PS: It is above my paygrade too, but if I remember correctly, not 100% of Discourse code is open-source. Now, you only really care about what runs on your end, not everything server-side)
Because I get the vast majority of my software using apt install instead of a web browser, and I trust my software distribution (Trisquel) to only distribute free software, this isn’t usually a concern.
Just to be clear, I am not saying customizations are necessarily bad, just that they may be bad if they are nonfree, so a way to be sure you avoid running nonfree software is to disable customizations.
To be clear, I am not trying to say Discourse is nonfree. It’s only this particular distribution of Discourse (Discourse Meta) that appears to include nonfree software.
I should have mentioned in my previous post that another reason I thought this distribution would be free is that the about page for Discourse says " There is only one version of Discourse – the awesome open source version.". This is, again, technically true because the plugins are not part of Discourse, but it felt misleading to me.
Discourse might not have control over third party distributions, but I would have expected Discourse instances hosted by Discourse to be free software if they are saying what they say on the about page. I might have also expected a license and/or framework that would effectively require derivatives to be free software, which there kind of is, since Discourse is GPL, but I guess it doesn’t cover plugins.
I think charging money for software or services is fine; usually the “free” in “free software” means “libre”, as in you are free to do what you want with it (copy, modify, etc.), after you get it. It does not necessarily mean that it is “free” as in “gratis” i.e. zero cost.
Strictly speaking, yes, there is no one stopping me, but it would be illegal, which seems bad. For private use this might work out, but generally public software repos and app stores don’t want to include code illegally, and some people who I might want to use the software may be uncomfortable running illegally copied code. I’m not sure I have the right approach; maybe I should just totally ignore copyright, but that seems like not the best option when it’s feasible to avoid illegal and nonfree software.
No worries! I don’t think you’re being rude, and I don’t yet feel like we’re going in circles.
What do you mean by this? If the software is free that means I can modify it; therefore I do have control over what it does.
I don’t think free is the same as trusted; perhaps I should have said “arbitrary” instead of “untrusted”, but my point was that most browsers will execute whatever code a webpage gives them, and since I often visit websites I have never visited before, many websites I visit are “untrusted”. For these websites, I have no reason to think they will not send nonfree software.
Regarding NPM, I consider it more trusted than an arbitrary website, but maybe not as trusted as my apt or guix repos. Though, trust is not one-dimensional; although I would not trust a new package on NPM just because it is on NPM, I would trust that when I download JQuery from NPM it really is JQuery. NPM may make mistakes that allow an attacker to replace JQuery, but NPM could take measures to avoid malware that would not be as realistic for site-served JavaScript (e.g. pre-publish automated/manual review, post-publish crowd-sourced review, automated checking that minified/obfuscated scripts match source code, rules against downloading and running arbitrary code at runtime). Importantly, when malware is found on NPM, there’s a third party (NPM, as opposed to the software developer) to report it to so it can be removed. This is not the case for site-served JavaScript - the only one who can remove it is the site operator.
Does that mean the listed commit hash would be incorrect if a server administrator made modifications and didn’t also change the listed commit hash? I thought updating software would change the commit hash automatically, and I (incorrectly?) assumed the listed commit hash would be updated automatically.
Would plugin-injected JavaScript be disabled with safe_mode=no_themes,no_unofficial_plugins?
So, would the only way to avoid nonfree software while using Discourse be to package a Discourse client as a browser extension or Haketilo package or something similar?
I’m not sure what you mean by that considering my original question is about software freedom, and not trust.
I disagree that everyone you listed has to be trusted.
The server administrators would not have to be trusted if you don’t run software served by them, for example if you get the Discourse client from GitHub and package it so it can be used with that server.
In many cases, people collaborating on software might read some of each others’ commits, so I don’t have to trust all authors individually.
So that would mean the Discourse Meta client is proprietary software, right? Though, it is possible to use safe mode to disable the plugin JS.
Maybe, but that’s not very helpful if I want to avoid nonfree software.
@NateDhaliwal
I have read the license in the Discourse git repo, but (because of the CLA) it does not necessarily apply to derivatives of Discourse outside of that repo. I would like to see a notice on every Discourse distribution that says which of the distributed software is libre. It would even (IMO) fit with the spirit of the GPL: “you must show them these terms so they know their rights”.
Yes, it is possible, to run JavaScript from a browser extension or proxy, such a Haketilo or GreaseMonkey, though this can be very impractical for some software, for example if it updates very often, as would be the case for software where data is baked into the JavaScript software. Haketilo also doesn’t have support for some kinds of scripts, for example scripts with a type of “module”.
Yes, I think your understanding is correct overall. Though packaging the JavaScript as a browser extension or for Haketilo or GreaseMonkey would effectively result in an independent installed client, even though it would be using JavaScript.
All Discourse instances hosted by CDCK or by us (I am the co-founder of a company that hosts Discourse) are running one or a few closed source plugins to provide some functionality that is specific to the hosting environment.
I think there is a lot of confusion between a distribution in the good old sense (here’s a github repo and feel free to do whatever you want) and a distribution in the more modern sense (here’s a website and it pushes Javascript to your browser). Additionally, there is confusion between Discourse https://github.com/discourse/discourse and Discourse-and-all-of-its-first-and-third-party plugins-and-theme-components-added-by-the-site-administrators.
It’s a commit hash so if modifications are made after pulling it from the repo and before committing it then you already have such a situation. That doesn’t need to be a malicious act, it will also happen if security patches are applied (which is typically done before committing them in a public branch). Now in general security patches are not client side but they might introduce some updated client-side code.
Yes - at least in theory. I’m unsure how hard it is to circumvent that (deliberately or accidentally)
Is there a separate repo with a license for the plugins that I didn’t find previously, like discourse-customer-flair-plugin? The JavaScript served to the browser has a link to a source map but no license as far as I can tell.
My understanding of “hosting/infra code” wouldn’t include client-side JavaScript; is that correct?
I agree. I think I am confused about what the word “Discourse” actually applies to.
Ah, okay, so I guess there wouldn’t really be a good way to tell then.
Good point, someone could try to hide a flaw like this. But it seems easier to mitigate that problem by auditing third-party code than by trusting every single person who ever modified the code upstream, though probably neither approach would be practical to do completely.
Yes, although it’s possible that most updates could be handled automatically.
Just FYI, @JacobK1 : Discourse being well done, there is no need to tag someone when you quote that person. The quote itself will already generate a notification (it was also to create subsections, admittedly )