After my brief discussion with @Thorin-Oakenpants https://github.com/ghacksuserjs/ghacks-user.js/issues/329#issuecomment-461283439
I decided to open an issue on this so that we may do a comparison as he suggested.
Note I have decided not even to talk about Tampermonkey, because the source code is not available for any modern version.
So I will start with a comparison of Greasemonkey vs Violentmonkey what I had been using in the past. I haven't really written any scripts so I'm not talking about the actual engine, though I would be curious to hear anyone who has anything to say about that.
Greasemonkey
Permissions wise Greasemonkey has two extra permissions:
- Download files and read and modify the browser鈥檚 download history
- Access browser activity during navigation
The source is easily auditable, and does not seem to be optimized in any way when you download the .xpi from AMO and unzip it.
Violentmonkey
- Has a much better UI, particularly the script management part.
- Can do a few things like Syncing to cloud if you want it to.
- After reading this thread and looking at the privacy policy in detail I don't think there's any issues.
I get the feeling that any personal information would be because you initiated a support request:
While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you.
This portion could relate to two, things. Firstly that it is on Github and secondly that the site uses Google Analytics. For contrast the Greasemonkey site is hosted on Google's blogger.com platform.
We may employ third party companies and individuals to facilitate our Service, to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how our Service is used.
These third parties have access to your Personal Information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
This is kind of obvious.
ghost
All 7 comments
(Note: I simply summarized what others mentioned)
Privacy concerns about Violentmonkey
Obfuscated codes
Even though it is open source, some pointed out Violentmonkey is using obfuscated codes. The code of the addon uploaded to AMO has been processed in such a way that makes it difficult to read and understand what, exactly, it does.
On the other hand, Greasemonkey does not use obfuscated codes.
About Mozilla policy: Add-ons may contain transpiled, obfuscated, minified or otherwise machine-generated code, but Mozilla needs to review a copy of the human-readable source code. The author must provide this information to Mozilla during submission as well as instructions on how to reproduce the build.
Author stance on privacy concerns
When taking about its privacy policy, the author uses phrases like "it does not collect any other information at the moment" and "There is no plan to collect personal information at the moment" which sounds like the author wants to keep those options open. See https://github.com/violentmonkey/violentmonkey/issues/406
"Are there any plans to expand data collection?"
Author: There is no plan to collect personal information at the moment. If things change in the future, I'm pretty sure there will be something like a popup to let users make their choices.
"If so, will it be monetized?"
Author did not answer.
Conclusion
I won't say one must use or not use Violentmonkey, but I think we should inform users about that and let them decide.
If the author can make open statements to promise with strong words like "never monetize", "never collect user data without explicit consent", I would say it would be much better to clear some peoples' doubt about that and restore their trust.
ReporterX
on 14 Apr 2019
As I have said, GM is the only addon of the 2 that works in my setup. IDK why. Probably something about:config related: VM works neither on Android, nor on desktop. So I keep using GM.
KOLANICH
on 14 Apr 2019
This was published today:
- Mozilla announces ban on Firefox extensions containing obfuscated code - Mozilla also plans to be more aggressive towards taking down extensions that break its policies, with a focus on security issues.
- https://news.ycombinator.com/item?id=19809868
Obfuscation should also not be confused with minified (compressed) code. Minification or compression, refers to the practice of removing whitespace, newlines, or shortening variables for the sake of performance.
Minified code can be easily de-minified, while deobfuscating obfuscated code takes a lot of time, and using it in the first place has no performance benefits --with its main benefit being of hiding malicious code from source code reviewers.
"We will no longer accept extensions that contain obfuscated code," said Caitlin Neiman, Add-ons Community Manager at Mozilla.
"We will continue to allow minified, concatenated, or otherwise machine-generated code as long as the source code is included. If your extension is using obfuscated code, it is essential to submit a new version by June 10th that removes it to avoid having it rejected or blocked."
ghost
on 3 May 2019
And why would the developers risk the wrath and fallout from end-users when it becomes known.
I guess they consider that they may want to stop their development somewhen and transfer the addons to an another dev. And there were cases when a new dev of something popular asked for control only to insert malware into that software.
KOLANICH
on 7 Jun 2019
When this gets noticed it is usually too late.
KOLANICH
on 7 Jun 2019
arantius is known to be maintaining GM for pretty long time, I am using GM at least since ~2010 and I remember that he was the maintainer in 2008.
KOLANICH
on 7 Jun 2019
Hi @Thorin-Oakenpants ,
I would like to introduce you FireMonkey: https://addons.mozilla.org/en-US/firefox/addon/firemonkey
GitHub' support page: https://github.com/erosman/support
It is a Mozilla Public License Version 2.0.
And at AMO' page says: "None of my extensions contain any tracking, advertising or privacy infringement."
The Dev @erosman is very responsive. He was tremendously helpful and patient answering me lot of questions, and solving issues in few hours.
FireMonkey is simple, minimalist, so it may not have fancy stuff. It is a matter of personal choice, some users don't care at all about browser performance, they want tons of images, rings, bells, lights and fancy stuff, or they want everything automatized (even if hurts privacy/security). Well, perhaps FireMonkey wont be for them.
I personally only care about browser performance and add-on functions, so for me the less the better. So I love FireMonkey because is very lightweight, very efficient in terms of browser performance, and uses the new API.
PS: Perhaps https://www.ghacks.net/ will be interested on writing a FireMonkey' article.
EstherMoellman
on 13 Sep 2019
Related issues
zdat
路
5Comments
Just-me-ghacks
路
6Comments
Thorin-Oakenpants
路
7Comments
TerkiKerel
路
4Comments
crssi
路
4Comments
Most helpful comment
Hi @Thorin-Oakenpants ,
I would like to introduce you FireMonkey: https://addons.mozilla.org/en-US/firefox/addon/firemonkey
GitHub' support page: https://github.com/erosman/support
It is a Mozilla Public License Version 2.0.
And at AMO' page says: "None of my extensions contain any tracking, advertising or privacy infringement."
The Dev @erosman is very responsive. He was tremendously helpful and patient answering me lot of questions, and solving issues in few hours.
FireMonkey is simple, minimalist, so it may not have fancy stuff. It is a matter of personal choice, some users don't care at all about browser performance, they want tons of images, rings, bells, lights and fancy stuff, or they want everything automatized (even if hurts privacy/security). Well, perhaps FireMonkey wont be for them.
I personally only care about browser performance and add-on functions, so for me the less the better. So I love FireMonkey because is very lightweight, very efficient in terms of browser performance, and uses the new API.
PS: Perhaps https://www.ghacks.net/ will be interested on writing a FireMonkey' article.