Erosion of software freedom — Javascript, Python and Android

This page is three news reports in one.

Microsoft maintains a monopoly on Javascript ecosystem through package registries

Recently (more like, some months ago), rumor had it that Microsoft is now training LLMs on personal private repositories hosted on Github. Since Microsoft also owns NPM, some are worried that Microsoft also uses all code hosted on NPM. Since I cannot confirm whether this is true, I will assume that it is.

JSR is a centralized package registry developed by the authors of Deno. While it claims to be usable from Deno, browsers, and Node.js, the support is a bit janky:

  • npm: add a line to .npmrc, usually done by running npx jsr add @std/ulid
  • pnpm: use "@std/ulid": "jsr:^1.0.0" in package.json
  • deno: use jsr:@std/ulid directly in source code
  • vinxi, while running on top of Deno, cannot understand jsr: specifiers inside source code

Furthermore, JSR packages can only be uploaded from a Github repository.

Even though packages on JSR can be used through https://jsr.io/package/version/mod.ts, this method is not listed on the package page (in the list of Deno, Bun, NPM, etc.).

Given the current circumstances regarding LLMs, I would recommend the following:

  • Do not upload your packages to JSR when using Deno. Use jsdelivr or plain URLs instead.
  • Do not use jsr: specifiers. Use “https://jsr.io/package/version/mod.ts” directly. Note that URL imports are still not supported by Node.js tooling.

Even though software

recently this trend has become more blatant.

I don’t know the exact relationship between Deno and Microsoft, but based on this article, I think that Deno is now owned by Microsoft. There is no other reason why a Javascript runtime that supports loading modules through HTTP would need to write about this.

To summarize:

  • Microsoft owns Github
  • Microsoft owns NPM
  • Microsoft owns Deno
  • Deno owns JSR
  • JSR forces uploaders to use a Github repo

Python Software Foundation forgoes PGP for signing releases

Some weeks ago, while I was reading Python 3.14’s release notes, I found something weird.

From 3.14 onward, Python will no longer use PGP to sign its releases.

What’s their replacement release signing tool?

❯ pacman -Si cosign
Repository      : extra
Name            : cosign
Version         : 2.5.3-1
Description     : Container Signing with support for ephemeral keys and Sigstore signing
Architecture    : x86_64
URL             : https://github.com/sigstore/cosign
Licenses        : Apache-2.0
Groups          : None
Provides        : None
Depends On      : glibc
Optional Deps   : None
Conflicts With  : None
Replaces        : None
Download Size   : 21.53 MiB
Installed Size  : 102.88 MiB
Packager        : Carl Smedstad <carsme@archlinux.org>
Build Date      : Fri 18 Jul 2025 07:53:23 AM UTC
Validated By    : SHA-256 Sum  Signature

Container Signing? Oh no.

After looking a bit through Cosign’s own description, it is a tool that allows different parties to sign a release. For example, Github CI will sign the release with its own key. This “signature scheme” thus replaces the web of trust with a centralized CA, owned by, again, Microsoft. If history is any guide, Sigstore will be used for all kinds of political ends unrelated to cryptography itself.

The Python release notes and the proposal to remove PGP mentioned complexity as a reason. If complexity is a concern, they can use minisign.

The proposal also mentioned security as a reason for replacing PGP. I’d say that they are pretending that multi-key signatures don’t exist.
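The multi-key release signing mentioned above, as an added example that is not part of the original post or of any PSF tooling: the verifier pins several release-manager public keys locally and accepts a release only when at least k distinct pinned keys have signed its digest, using Go's standard-library Ed25519 as a stand-in for minisign or PGP detached signatures; the keys and the artifact are constructed on the spot.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ReleaseSignature: a signer's public key plus its detached signature over the artifact's SHA-256 digest.
type ReleaseSignature struct {
	PubKey    ed25519.PublicKey
	Signature []byte
}

// Sign produces one release manager's signature over the artifact digest.
func Sign(priv ed25519.PrivateKey, artifact []byte) ReleaseSignature {
	digest := sha256.Sum256(artifact)
	return ReleaseSignature{PubKey: priv.Public().(ed25519.PublicKey), Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyThreshold reports whether at least `threshold` distinct locally pinned keys signed the artifact.
// Signatures from unpinned keys and repeated signatures from one key are not counted.
func VerifyThreshold(artifact []byte, pinned []ed25519.PublicKey, sigs []ReleaseSignature, threshold int) bool {
	digest := sha256.Sum256(artifact)
	trusted := make(map[string]bool, len(pinned))
	for _, p := range pinned {
		trusted[string(p)] = true
	}
	counted := make(map[string]bool) // one entry per distinct signing key
	for _, s := range sigs {
		k := string(s.PubKey)
		if trusted[k] && ed25519.Verify(s.PubKey, digest[:], s.Signature) {
			counted[k] = true
		}
	}
	return len(counted) >= threshold
}

func main() {
	// Constructed demo: three pinned release-manager keys, two of them sign.
	artifact := []byte("constructed stand-in for a Python-3.14 source tarball")
	pinned, sigs := []ed25519.PublicKey{}, []ReleaseSignature{}
	for i := 0; i < 3; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		pinned = append(pinned, pub)
		sigs = append(sigs, Sign(priv, artifact))
	}
	fmt.Println("2-of-3 signed:", VerifyThreshold(artifact, pinned, sigs[:2], 2))
}
```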

In my opinion, ensuring the security of CI artifacts is the responsibility of release engineering, not of the end user, and no one should need a >100M program to verify the cryptographic signature of a Python release. This move is for the benefit of organizational users of Python.

Google restricts permissions for apps not installed through the Play Store

Since LineageOS updated to Android 15, I found that NewPipe could no longer draw over other apps – the option in Settings is disabled. I had always written it off as “weird software behavior”.

Now I know that it’s intentionally caused by Google. It’s called Play Integrity.

https://lineageos.org/PlayIntegrity/

In short, the operating system (Android) restricts certain permissions for applications not installed through Google’s Play Store. Google’s official stance includes “and other verified app stores”, but that certainly doesn’t include F-Droid.

Now my only options are to root the phone and install a patch or install postmarketOS on it.

Epilogue

As the US-China trade war intensifies, software companies on both sides are tightening control over user freedom. It’s not just for profit, but also for the continuation of an ideology and a lifestyle. I feel sad that this kind of politics has to involve everyone using the software mentioned above, and I think even Linux itself might be drawn into the trade war.

“Just because you do not take an interest in politics doesn’t mean politics won’t take an interest in you.” In a sense, people like the FSF are defending their lifestyle as well. As they say in TENET, “I’d rather [that] be my own decision.” So do what you will.