34 comments

[ 2.5 ms ] story [ 74.4 ms ] thread
Quick FYI, if you "backup" your Stylish themes when migrating, it comes out with a file that ends in `.json,.bin,.dms`. Just drop it to `.json` and Stylus will be able to import it just fine.

Thanks to the author and submitter. I had no idea, been using Stylish for years. Very disappointing, but I'm glad there's an easy alternative.

And how do we know Stylus won't go the same route?
It's open source. You can install from source.
All extensions are open source. Just download the xpi/crx and decompress. Doesn't help much unless you are willing to read all diffs, or never update them (and be exposed to bugs which could lead to other security issues.)
You're right, we should never install software ever again unless we wrote it ourselves.
You could (and should) minify JS for builds, which essentially renders it useless for editing purposes. Heuristically you could still find parts that phone home and disable those but getting further than that is going to be a pain.
You're confusing 'source available' for 'open source'. Source available is where you can look at the source but don't have any right to do anything with it.

Open source is libre software.

We can't know for certain that they never will, but right now, I have more faith in the open-source community than an adtech company.
The older I have gotten the less I'm willing to install, either in my browser, my phone, or my local machine.

It's come to the point that it seems reasonable to assume that anything you install will pull every iota of data available to it.

I think this grew out of a good place, at least I hope, where early pioneers assumed good intentions and generally most software was designed with "open" as a core philosophy. However it's very clear that we're very far removed from that, it boggles my mind that if an expense app on my phone needs to take a picture of a receipt my only option is to allow it not only permanent use of my camera but also access to all of my photos and videos. Why is the default not to launch a sandboxed camera app that only exists to take the receipt photo, and then disappears taking with it any permissions the app needed to carry this out?

> it boggles my mind that if an expense app on my phone needs to take a picture of a receipt my only option is to allow it not only permanent use of my camera but also access to all of my photos and videos.

THIS! Seriously, it angers me so greatly that I have to deal with such stupidity as all or nothing permissions. If I want to allow a single photo, but not all photos, no such luck. If I want to allow access to save photos, but not read photos, tough. Etc etc

If Apple really cared about privacy instead of using it as a marketing ploy, this would be mandated already.

This already exists, it's just that the API for this is not being used by apps.
I share your sentiments about how software that was designed to be "open" with the best intentions (often done so before the world was as connected as it was), is now facing problems. A big part of the solution is getting rid of old and now insufficient practices and replacing them with new models that fit into the current world. For example, in-process plugin models with e.g. dynamic libraries loaded into the app are highly problematic, but can increasingly be replaced by out-of-process plugin executables (using very controlled communication channels like explicit shared memory regions), coupled with the proper sandboxing for those plugin executables, individually.

As an aside, access to the Camera and access to Photos is already separate on iOS, you have to approve both separately (which becomes apparent if you use Instagram, for example).

Sometimes when I want to save an image, instead of allowing access to Photos, I copy the image into the clipboard.

For Android specifically (perhaps this is not still the case, but at one point it was): Android puts you in a terrible place for all this. Downright hostile to sane permissions IMO.

Say you, as an app developer, want to improve the camera experience (say to recognize QR codes. it's a sane, useful thing to do). You need camera permission to do this, so you add it to your permissions list (users can still deny it).

Great. So say you want to allow people to reject it, and instead use their own camera app that they trust. Easy, you can do that with an open-camera intent, which doesn't require any permissions. You just get the image they took.

The problem is this: if you had your "let me control the camera and all photos" access rejected, Android also rejects your "open any camera" request. So now you're entirely unable to access cameras, and at best you can let users share an image to your app (which is extremely problematic and usually still requires file permissions in practice, since nobody builds file providers correctly (and legacy apps don't at all)).

Meanwhile, if you never requested camera access in the first place, "open any camera" will always work. But then you're unable to streamline anything.

---

tl;dr API permissions very nearly everywhere in consumer products are 100% shit, and something like 99% hostile to the very concept they're trying to support. It's ridiculous and in no way necessary and I don't know why companies keep doing it, except perhaps fear of alienating their ad revenue sources.

We need something akin to SELinux/Mandatory Access Control, but that's user friendly for consumer devices while also being fine-grained, meaning you can give programs permissions to access your photos, contacts, etc. but you can also audit and control the individual points of data that are being accessed. Then, once you're comfortable with the access patterns, you can automate approval if you trust the application/institution enough.
On Android, camera is a separate permission from reading storage. In addition, the permission is not even required if you're just getting a photo from the user - your app can launch the camera app, and get a callback when the user has taken a photo, with access only to that photo.
> your app can launch the camera app, and get a callback when the user has taken a photo, with access only to that photo

I did that on an Android app I had to build for a client. It was quite a nightmare to make it works on different phone because many manufacturer added their own camera apps. Some were giving a full size image, other were giving a tiny thumbnail, but you were able to get the full size from the file system, but some didn't returned anything at all, so to actually get the picture, I had to scan the gallery pictures beforehand, scan it afterward, and take the new one. It was a long time ago though, near 2011, Honeycomb was just released, so maybe it's different now but I seriously doubt it.

I'm very much the same. When I was young my devices were filled with every program and extension I could find and my devices were slow, full of ads and likely sucking up all my personal info.

These days I have everything trimmed down to the bare minimum open source programs only. My "old" phone runs faster than everyones current year phone and I have no adverts on anything. I use next to no social media and I feel I live a better life and get better experiences with tech than the general public.

Most modern tech is actively hostile to the user and having some restraint and avoiding the crap will reward you well.

> Why is the default not to launch a sandboxed camera app that only exists to take the receipt photo, and then disappears taking with it any permissions the app needed to carry this out?

Mobile OS and phone makers are incentivize not to do this because of various vested interests.

When looking at google play store I will only look for non-free apps.

Using the 'follow the money' idea, if the app maker can get income from selling it they are LESS likely to try to make money by mugging you for data. It's not 100% but it helps.

By that logic, Windows 10 ought to be ad-free.
by that logic it should have less ads than android
You could go the other route and only use apps from F-Droid. Speaking from experience, it works quite well.
(comment deleted)
(comment deleted)
I've been using Stylus for many months now, it works exactly the same but is open source.

That, combined with "Dark Background + Light Text" with custom colors makes Firefox a beautiful sight in my personal night mode.

"Dark Background" for the majority of sites that don't have good dark Stylus themes, disabled on the ones that do.

This one is nice:

https://github.com/dparpyani/HackerNews-DarkTheme

DarkReader is great if you just want want dark-mode. It automates what used to take me ages overriding CSS in Stylish. I’m fairly confident it’s not spyware.
From the article:

> I’m surprised that SimilarWeb finds the personal browsing data that it siphons off via Stylish so valuable. The data almost certainly feeds into SimilarWeb’s main product, the SimilarWeb platform, a tool that provides reports on the aggregate usage statistics of websites and apps... But data collected via Stylish will surely be riddled with so much sampling bias that it becomes worthless... A giant stew of miscellaneous, unattributed scraps of data can’t ever turn into a representative sample, no matter how much salt and machine learning you add.

I'm not surprised at all. It's important to note that SimilarWeb sells its data to non-statisticians.

Imagine this scenario: Marketing analyst has a gut feeling that the product would be popular with millennials on Reddit, but old-school marketing execs barely know what Reddit is. Analyst sneaks a SimilarWeb subscription into the budget. Analyst gets Stylish-based data that is heavily biased towards Reddit. Analyst may know this. Analyst doesn't care. Analyst uses the data to "prove" that the company's users are on Reddit and justify the Reddit ad spend they wanted anyways. Campaign is a success. Pretty much everyone wins (kind of): Reddit users get more relevant ads. Analyst advances their career and reputation. SimilarWeb gets paid. Stylish extension can be maintained and polished. SimilarWeb maybe even affords to hire for their security team, who makes sure that the data is anonymized at rest.

At the end of the day, adtech is a beast that grows because it tells people what they want to hear, and remains silent when it can't find that answer. p-hacking and survivorship bias are the way of the world. This isn't necessarily a bad thing. But... if this sounds like a bubble to you, all I can say is that you should diversify your holdings outside of tech stocks.

I've been Stylus instead of it just fine.