I found two related issues:
The maintainer and a member said:
tophf: all you need is to build the source code and compare it to the released version, which is what AMO (addons.mozilla.org) reviewers do

gera2ld: The AMO reviewers make sure that the code generated by them is exactly the same as that submitted by us, otherwise the add-on will be rejected.

gera2ld: If you don't believe us anyway, you can always build your own version with a simple `yarn build`.
I found that the reproducible build requires some environment variables, which Violentmonkey doesn't provide.
So, I extracted them from the xpi file.

```sh
docker build -t reproducible-violentmonkey .
```
Caution: it's not working now, I have to figure out how to reproduce the sharp dependency.
```sh
# fetch the latest info
# nix run .#info
# build and diff
nix run
```
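The "build and diff" step itself, as an added example that is not part of this repository or of Violentmonkey: an xpi is a zip archive, so the comparison hashes every member of the released and the rebuilt archive and reports content differences while ignoring zip metadata (timestamps, entry order) that legitimately varies between builds. The sample archives at the bottom are constructed in memory.

```python
# Compare a rebuilt .xpi against the released one, file by file (added example,
# not Violentmonkey's or AMO's own code). An .xpi is a zip archive, so the check
# hashes each member's content and lists members that differ, are missing or are
# extra; zip metadata such as timestamps and entry order is deliberately ignored.
import hashlib
import io
import zipfile


def member_hashes(data: bytes) -> dict:
    """Map every file path inside a zip (given as bytes) to its SHA-256 hex digest."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def diff_xpi(released: bytes, rebuilt: bytes) -> dict:
    """Return members that changed, exist only in the release, or only in the rebuild."""
    a, b = member_hashes(released), member_hashes(rebuilt)
    return {
        "changed": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
        "only_in_released": sorted(a.keys() - b.keys()),
        "only_in_rebuilt": sorted(b.keys() - a.keys()),
    }


def is_reproducible(released: bytes, rebuilt: bytes) -> bool:
    """True only when every member matches and neither side has extra files."""
    return not any(diff_xpi(released, rebuilt).values())


def make_xpi(files: dict) -> bytes:
    """Build a small in-memory zip from {path: content}; constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed archives: one bundle differs and the rebuild lacks one file.
    released = make_xpi({"manifest.json": "{}", "background.js": "a", "x.js": "1"})
    rebuilt = make_xpi({"manifest.json": "{}", "background.js": "b"})
    print(diff_xpi(released, rebuilt))
```

For the real check, read the downloaded AMO xpi and the locally built one from disk and pass their bytes to `diff_xpi`; an empty result in all three lists is what "reproducible" means here.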
I'm not an expert, but I agree with the maintainer:
tophf: Quick perusal of the code won't guarantee safety, it just gives you a false sense of security, which is just as bad as blind trust or maybe even worse.
Reproducing the AMO xpi file only proves that "there is no evil thing at the release stage"; the source code and the dependencies remain unaudited, which is a common issue for almost all FOSS software.