posted by martyb on Friday November 09 2018, @12:15PM
from the free-spending dept.

As part of a Free Software Foundation internship, developer Alyssa Rosenzweig has released a Python 3 script intended to allow users to make PayPal payments without using the proprietary ECMAScript normally associated with its usage. From the FSF's blog:

My third and final project was still more ambitious. As you may know from my work with Panfrost, the free software driver for modern Mali GPUs, I enjoy liberating critical proprietary software by decoding its internal protocols and reimplementing them in freedom. So, we looked around for latent proprietary software involved with FSF operations. Although we eat our own dog food, there was one proprietary system that could not be ignored: PayPal, which recently began requiring nonfree JavaScript. Pah. Enter Pagamigo. (In Calculus, this is formally known as a p-series.)

Pagamigo liberates the proprietary software required to donate to organizations like the FSF or the Debian Project via PayPal. Soon, the FSF Web pages that take online payments will include instructions for using Pagamigo.

Usage is straightforward; however, your password may be stored in cleartext in your command history:

Use an online shop and opt to pay with PayPal. You will be redirected to a URL like:

https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=EC-CAFEBABE123456789

Copy that URL to your clipboard. Then, from the command line run:

$ pagamigo redirect

Follow the directions on-screen prompting you to enter your PayPal credentials and to paste this URL.

...

For peer-to-peer money transfer ("Send money"), instead use:

$ pagamigo send-money

Pagamigo, while interactive by default, is entirely configurable by arguments as well. For instance:

$ pagamigo send-money --to sunset@chs.eq --amount 10.00 --username scitwi@chs.earth --password hunter2 --debug

While many people dislike PayPal for numerous reasons, it is ubiquitous and has few stable alternatives. This should at least allow the anti-ECMAScript and FOSS crowds a less-compromised option. Perhaps a SoylentNews subscription?



This discussion has been archived. No new comments can be posted.
  • (Score: 2) by c0lo on Friday November 09 2018, @12:36PM (4 children)

    by c0lo (156) on Friday November 09 2018, @12:36PM (#759824)

    ...the anit-EMCAscript and FOSS crowds...

    Got me totally confused now, is this about that Ajit Pai-pal we use for our daily 5 minutes of hate or what?

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by pkrasimirov on Friday November 09 2018, @12:44PM

      by pkrasimirov (3358) on Friday November 09 2018, @12:44PM (#759829)

      Reclabritaing unencsesray, was not a prolbem for redaing.

    • (Score: 1, Informative) by Anonymous Coward on Friday November 09 2018, @01:29PM (2 children)

      by Anonymous Coward on Friday November 09 2018, @01:29PM (#759840)

      My apologies, I had to retpye it several times because my connection kept dropping out when I tried to submit the story. Why I type directly into the textbox instead of in a proper editor is the fatal flaw of sloth.

      • (Score: 2) by c0lo on Friday November 09 2018, @02:12PM (1 child)

        by c0lo (156) on Friday November 09 2018, @02:12PM (#759850)

        That's why we have editors, I s'ppose. Or do we?

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 2) by martyb on Friday November 09 2018, @03:11PM

          by martyb (76) on Friday November 09 2018, @03:11PM (#759881)

          (1) Yes, the typos got past me; story has been updated and the corrected version should make it out of the site caches within a few minutes.

          (2) Ordinarily, we strive to have a second editor review a story after it has been pushed into the story queue and before it goes live. As we are all volunteers on this site and have outside responsibilities, it seems the other editors were otherwise pre-disposed and the 2nd-edit did not happen, unfortunately.

          (3) Thanks for calling it to our attention and keeping us on our toes!

          --
          Wit is intellect, dancing.
  • (Score: 0) by Anonymous Coward on Friday November 09 2018, @01:38PM

    by Anonymous Coward on Friday November 09 2018, @01:38PM (#759843)

    Any sign of a response to this by PayPal? Do they care? Can they do anything about customers using a different UI on a local machine?

  • (Score: 4, Informative) by Marand on Friday November 09 2018, @02:42PM (8 children)

    by Marand (1081) on Friday November 09 2018, @02:42PM (#759866)

    Usage is straightforward, however your password may be stored in cleartext in your command history:

    Start your command with a space, e.g. " foo" instead of "foo", and the shell should ignore it instead of adding it to your history. It's not guaranteed to work since it's a configurable setting, but is usually the default so it's likely. (See HISTCONTROL variable in the bash manpage for info; some other shells like fish and zsh have similar behaviour.)

    It's still a dumb way to deal with passwords, though.

    • (Score: 4, Interesting) by martyb on Friday November 09 2018, @03:14PM (1 child)

      by martyb (76) on Friday November 09 2018, @03:14PM (#759883)

      Thanks for the informative post!

      I seem to recall some program that, if a password was not presented on the command line, would take that as a sign that it should issue a prompt to the user to which they would then enter their password. That would keep it from being stored in their history (I think), and even more importantly, keep it from being visible when issuing the ps command. Does anyone else remember something like this?

      --
      Wit is intellect, dancing.
      • (Score: 1, Informative) by Anonymous Coward on Friday November 09 2018, @04:59PM

        by Anonymous Coward on Friday November 09 2018, @04:59PM (#759932)

        I seem to recall some program that, if a password was not presented on the command line, would take that as a sign that it should issue a prompt to the user to which they would then enter their password. That would keep it from being stored in their history (I think), and even more importantly, keep it from being visible when issuing the ps command. Does anyone else remember something like this?

        Virtually all command-line tools that take passwords from the user can and should operate this way, at least when connected to a terminal. Most do.

    • (Score: 0) by Anonymous Coward on Friday November 09 2018, @08:50PM (1 child)

      by Anonymous Coward on Friday November 09 2018, @08:50PM (#760070)

      Handling passwords is not a new topic.

      Like most other programmers, the author of this "script" is just a hack.

      • (Score: 2) by Marand on Friday November 09 2018, @11:19PM

        by Marand (1081) on Friday November 09 2018, @11:19PM (#760132)

        I agree, the space trick is a workaround for bad design, rather than the right way. It's good to know about for the occasional useful tool with dumb behaviour, though.

    • (Score: 2, Informative) by Anonymous Coward on Friday November 09 2018, @09:41PM (3 children)

      by Anonymous Coward on Friday November 09 2018, @09:41PM (#760085)

      $ read ; pagamigo --password "$REPLY" ; unset REPLY

      You can also use read PW if you prefer PW as variable, or need multiple reads; REPLY is just the default.
      Use "read -s" if you want silent mode, to avoid shoulder surfers. It's all documented in bash man page.

      BTW, pagamigo is probably a joke on PayPal. "Paga, Amigo", Spanish for "Pay, Friend" (or Pal).

      • (Score: 0) by Anonymous Coward on Friday November 09 2018, @09:58PM (2 children)

        by Anonymous Coward on Friday November 09 2018, @09:58PM (#760094)

        When pagamigo --password "$REPLY" is processed by the shell, it will set up the password argument in cleartext, which could be accessible to programs that can read the list of running programs, etc.

        In general, a program argument is not a safe spot to place sensitive information.

        • (Score: 1, Informative) by Anonymous Coward on Friday November 09 2018, @10:35PM

          by Anonymous Coward on Friday November 09 2018, @10:35PM (#760118)

          True, it will appear in ps unless commands take extra steps to change their command line. As in http://www.uofr.net/~greg/processname.html [uofr.net] (and not working everywhere).

          Some get very creative with the issue, with library preload https://serverfault.com/questions/592744/how-to-hide-a-password-passed-as-command-line-argument [serverfault.com]

        • (Score: 0) by Anonymous Coward on Saturday November 10 2018, @01:23PM

          by Anonymous Coward on Saturday November 10 2018, @01:23PM (#760331)

          A better way would be to extend or wrap this script to get the password from gpg-agent or something similar. Shouldn't take more than a few lines of python either way.
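
The two points raised in the sub-thread above (a password passed as a program argument shows up in the process list, and a tool should prompt or read from a pipe instead), as an added example that is not part of the original discussion and is not Pagamigo's code. The child process is a constructed stand-in, `run_and_observe` and `read_password` are hypothetical names, and the `/proc` lookup assumes Linux.

```python
import getpass
import subprocess
import sys

# Constructed stand-in for a CLI tool: waits for one line on stdin, then exits.
CHILD = "import sys; sys.stdin.readline()"


def visible_cmdline(pid):
    """Return the argv of `pid` from Linux /proc, the same data ps reports."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return [arg.decode() for arg in fh.read().split(b"\0") if arg]


def run_and_observe(secret, via_argv):
    """Hand `secret` to the child by argv or by stdin; report whether the
    process listing exposes it while the child is running."""
    argv = [sys.executable, "-c", CHILD]
    if via_argv:
        argv += ["--password", secret]  # the pattern from the story's example
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, text=True)
    try:
        exposed = secret in visible_cmdline(proc.pid)
    finally:
        proc.communicate(secret + "\n")  # unblock the child and reap it
    return exposed


def read_password(stream=sys.stdin):
    """Prompt without echo on a terminal; otherwise take one line from the pipe.
    Either way the secret never enters argv or the shell history."""
    if stream.isatty():
        return getpass.getpass("Password: ")
    return stream.readline().rstrip("\n")


if __name__ == "__main__":
    sample = "hunter2-constructed"  # constructed sample value
    print("exposed via argv :", run_and_observe(sample, via_argv=True))
    print("exposed via stdin:", run_and_observe(sample, via_argv=False))
```
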

  • (Score: -1, Redundant) by Anonymous Coward on Friday November 09 2018, @06:13PM (1 child)

    by Anonymous Coward on Friday November 09 2018, @06:13PM (#759976)

    Ok this is going to seem wildly offtopic, but this is a sincere question and tangentially related to the topic because the code in question is written by an intern, which means she qualified for an internship and if you review her code it clearly wasn't her coding ability that got her qualified. It's not terrible, it does the job, but it needs massive improvement. I'd put it on par with a high schooler who had half a semester of programming, certainly not undergrad level. Clearly she's a diversity hire, but she's also trans and so that started me thinking.

    Anyways over the last year I've been bombarded with ads proclaiming the need for more women and girls to enter STEM.
    My own 12 year old daughter who was highly interested in the topic of programming just a year ago is quickly losing interest because the ads are just too much.

    This is despite an adblocker as it seems tech sites are now taking to running their own ads.

    Yet over the last 5 years I've noticed a trend of transexuals, generally those presenting as women, gaining a good degree of prominence, status and acceptance.
    I don't know if it's related but it does seem correlated, that this push to get girls into STEM, might actually be encouraging some men to become women.
    Or it may just be these people were naturally trans and the push to get women into STEM topics gives them a little extra motivation to be who they want.
    I don't even know if those are different concepts or just different views of the same concept.
    It seems like some of these are Mrs Doubtfires though.

    It looks like this is turning into a "no boys allowed club" while at the same time I'm seeing a marked lack of interest from my girls and their friends.
    It seems the push to get girls in, has now turned into a push to get boys out, as there are "girls only coding camps" that have largely replaced the "children's camps".

    A lot of opportunities are available based solely on your gender and this has never been the case in IT before. After all, the first programmer was a woman, the first person to find a bug in a program was a woman, one of the earliest language designers and computer engineers, also a woman. These women weren't exceptional for their time, but became exceptional as IT became less about collaboration and more about dealing with cold hard technology. Which is why starting with the 1970s you begin to see a marked decline in women in the field and it won't really improve until the social aspects of technology improve. Watch my girls pair program sometime, it's freakin amazing.

    So how do trans people count in the gender metrics? Do people who present as women count as women in STEM or as men?

    Is it abusing the system for men to identify as women, whether it opens new opportunities such as prestigious internships to them or not?

    I know these questions seem like baiting, but I have a son who is 9 who I believe will probably be trans once he hits puberty and I'm ok with that.
    I also have a brother in law who became my sister in law in the last year.

    So this isn't baiting but I am looking for honest thoughts while I try to piece together how to prepare my children for the world they are about to enter.

    • (Score: 1, Touché) by Anonymous Coward on Saturday November 10 2018, @04:35AM

      by Anonymous Coward on Saturday November 10 2018, @04:35AM (#760238)

      Nice troll.

      I know these questions seem like baiting

      At least you're honest. And we all know what kind of bite you want. You get a nibble.

      Is it abusing the system for men to identify as women

      You blew your cover here. If you have a reason to believe that your son will turn out to be a pussy faggot and if you're ok with that, then one would think that you have a rational understanding of seat of gender being in the brain and not with bodily functions. Such an understanding would not produce what I quoted.

  • (Score: 2) by Rich on Saturday November 10 2018, @03:09AM

    by Rich (945) on Saturday November 10 2018, @03:09AM (#760216)

    Hopefully that won't be a case for the follow-up article "The ‘Kill Zone’ for Industry Upstarts". Her work on Panfrost is outstanding and if completed would be the missing puzzle piece in getting an entirely libre-software computer suitable for everyday use, without backdoors. The RK3399 just barely fits the bill, with the worst limitation being 4GB of RAM, but if you relocate web surfing to an online service, or resort to some clustering, it would work. Work as in "the man", turning white faced: "who forgot to tell Rockchip they must enforce TrustZone booting with our blob on that chip?" It's just the bloody drivers for the ARM sourced GPU missing. And the FSF lets her do menial or entirely unrelated tasks like updating a web site about single-board computers or maintaining some maintenance tool. Nearly as delusional as the Stallman call for the community to improve emacs so it can be easily used by a wide audience. And now she wastes time on a private payment API that can easily be made proprietary again with the addition of one little sentence of legalese to the terms, one little code change to check for the client, and one big crackdown to tell every pretentious sucker out there to not mess with them.

    Get Panfrost finished! Pretty please. With a cherry on top. :)

  • (Score: 0) by Anonymous Coward on Saturday November 10 2018, @01:08PM

    by Anonymous Coward on Saturday November 10 2018, @01:08PM (#760328)

    EOM

    Need we say more.
