https://github.com/hellodword/reproducible-violentmonkey

reproducible-builds violentmonkey

# reproducible-violentmonkey

I found two related issues:

- https://github.com/violentmonkey/violentmonkey/issues/1109
- https://github.com/violentmonkey/violentmonkey/issues/587#issuecomment-515380084

The maintainer and a member said:

> **tophf**: all you need is to build the source code and compare it to the released version, which is what AMO (addons.mozilla.org) reviewers do
>
> **gera2ld**: The AMO reviewers make sure that the code generated by them is exactly the same as that submitted by us, otherwise the add-on will be rejected.
>
> **gera2ld**: If you don't believe us anyway, you can always build your own version with a simple `yarn build`.

I found that a reproducible build depends on several environment variables which the release workflow sets but which Violentmonkey does not publish anywhere:

https://github.com/violentmonkey/violentmonkey/blob/63913466aaf6503be0ca035fe3a268e9ebe73158/.github/workflows/release.yml#L30-L45

So I extracted their values from the released xpi file.

## how-to

### Docker

```sh
docker build -t reproducible-violentmonkey .
```

### Nix

> [!CAUTION]
> The Nix route does not work yet; I still have to figure out how to reproduce the `sharp` dependency.

1. [Install Nix](https://nixos.org/download/)
2. [Enable the `nix-command` and `flakes` features](https://wiki.nixos.org/wiki/Flakes)

```sh
# # fetch the latest info
# nix run .#info

# build and diff
nix run
```
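Whichever route produces the local build, the "diff" step has the same two pitfalls: a zip is almost never byte-identical across builds (entry timestamps, entry order and compression levels differ even when every file's content is the same), and the xpi served by AMO carries AMO's own signature files under `META-INF/`, which a local build never has. The following is an added example, not code from this repository or from Violentmonkey, that compares the decompressed content of every entry instead of the archive bytes and drops the AMO signature entries before comparing. The two sample archives at the bottom are constructed in memory, not real Violentmonkey builds.

```python
"""Compare a locally built extension zip against the AMO-signed xpi.

Added example (not this repository's or Violentmonkey's code).
Archive bytes differ for harmless reasons, so compare per-file content
hashes and ignore the signature files AMO adds when it signs an upload.
"""
import hashlib
import io
import sys
import zipfile

# Entries AMO adds when signing an xpi; a local `yarn build` never has them.
AMO_SIGNATURE_FILES = {
    "META-INF/manifest.mf",
    "META-INF/mozilla.sf",
    "META-INF/mozilla.rsa",
}


def entry_digests(data: bytes) -> dict:
    """Map every file entry of a zip (given as bytes) to the sha256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_archives(built: bytes, released: bytes) -> dict:
    """Return {'changed': [...], 'missing': [...], 'extra': [...]}.

    changed: present in both but with different content
    missing: in the released xpi but not in the local build
    extra:   in the local build but not in the released xpi
    A clean reproduction yields three empty lists.
    """
    local = entry_digests(built)
    remote = {name: digest for name, digest in entry_digests(released).items()
              if name not in AMO_SIGNATURE_FILES}
    return {
        "changed": sorted(n for n in local.keys() & remote.keys() if local[n] != remote[n]),
        "missing": sorted(remote.keys() - local.keys()),
        "extra": sorted(local.keys() - remote.keys()),
    }


def make_zip(files: dict, date_time=(1980, 1, 1, 0, 0, 0),
             compress_type=zipfile.ZIP_DEFLATED) -> bytes:
    """Build a zip in memory; only used to construct the sample archives below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = compress_type
            zf.writestr(info, content)
    return buf.getvalue()


# Constructed samples: same content, different timestamps and compression,
# and the "AMO" copy carries signature entries. Not real Violentmonkey builds.
_SOURCE_FILES = {
    "manifest.json": b'{"name": "Violentmonkey"}',
    "background/index.js": b"console.log('bg');",
}
LOCAL_BUILD = make_zip(_SOURCE_FILES, date_time=(2024, 5, 1, 12, 0, 0),
                       compress_type=zipfile.ZIP_STORED)
AMO_XPI = make_zip({
    **_SOURCE_FILES,
    "META-INF/manifest.mf": b"Manifest-Version: 1.0\n",
    "META-INF/mozilla.sf": b"Signature-Version: 1.0\n",
    "META-INF/mozilla.rsa": b"\x30\x82",
})
# A constructed release whose content does NOT match the local build.
TAMPERED_XPI = make_zip({
    **_SOURCE_FILES,
    "background/index.js": b"console.log('bg'); fetch('https://example.invalid');",
    "added.js": b"// not in the source tree",
    "META-INF/mozilla.rsa": b"\x30\x82",
})


def main(argv):
    """Usage: compare_xpi.py <local-build.zip> <released.xpi>; exit 1 on mismatch."""
    if len(argv) != 3:
        print(__doc__, file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f1, open(argv[2], "rb") as f2:
        report = compare_archives(f1.read(), f2.read())
    for kind, names in report.items():
        for name in names:
            print(f"{kind}: {name}")
    return 0 if not any(report.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

When the result is not clean, `changed` names the exact files to open; values baked in at build time (a version string, a build date, anything taken from the release workflow's environment) show up there, which is how the missing environment values can be recovered from the published xpi rather than guessed.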

## evil or not

I'm not an expert, but I agree with the maintainer:

> **tophf**: Quick perusal of the code won't guarantee safety, it just gives you a false sense of security, which is just as bad as blind trust or maybe even worse.

Reproducing the AMO xpi file only proves that nothing was added at the release stage; it says nothing about the source code or the dependencies, which remain unaudited, a common situation for almost all FOSS software.