Addendum: no remote fetching or tag validation. Downloading the jars and
git repo can easily be done outside the script, and tag validation
requires a bit of manual work (importing and setting key trust).

On 10-04-2012 20:51, Marco Schulze wrote:
Attached is a quick&dirty (and ugly) bash script which compares the
disassembly of class files inside freenet.jar with the disassembly of
class files compiled from the git repository. Because it uses javap,
it's extremely slow.
I'm running the script now, and so far it has found 8 class files with
different bytecode. I don't know enough to tell why they differ, but
my guess is that this is due to different compilers (official: JDK
1.6.0_26-b03, me: OpenJDK 1.7.0_03), or I screwed up somewhere...

On 10-04-2012 16:01, Matthew Toseland wrote:
We need a script that downloads the latest released jar, and fetches the
corresponding git tag, compiles the code, and compares it to what has been
released. Nextgens had a script doing something similar for a while to check
indenting changes; Java compilation to bytecode is deterministic, but you can't
just compare the jars, you need to break out the class files and then compare
them. Whoever runs this (hopefully more than one person) would need to have the
same setup that builds are generated on. When I release a build, I compile on
my system, which is Debian stable. The script could be totally automated with a
little work (and would have to be adjusted for releases by other people, but
this is easily checked by who signed the tag).
Anyone want to write such a script? Nextgens, do you have the old whitespace
change checker script still?
I suspect we could get suitable volunteers fairly easily.
IMHO it is important to have third party verification (with said third parties
not being connected to FPI and ideally some of them not being traceable). For
all we know my computer is backdoored and it's releasing patched builds with
surveillance addons already! And future laws, in the UK and elsewhere, may
compel developers to do this themselves, secretly.
This should be relatively easy to implement, and should put a lot of people's
minds at rest. So anyone want to develop such a script?
_______________________________________________
Devl mailing list
[email protected]
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
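
The point made in the thread, that two jars cannot be compared as whole files and the class entries have to be compared individually, as an added example. It is not the attached script (which is not reproduced on this page) and not project code. It compares the raw bytes of each class entry rather than javap disassembly, and the entry names and class contents are constructed placeholders.

```python
import hashlib
import io
import zipfile


def class_digests(jar_bytes):
    """Map each .class entry name to the SHA-256 of its uncompressed bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {info.filename: hashlib.sha256(jar.read(info)).hexdigest()
                for info in jar.infolist() if info.filename.endswith(".class")}


def compare_jars(released, rebuilt):
    """Report classes whose bytes differ or that exist on one side only."""
    a, b = class_digests(released), class_digests(rebuilt)
    return {
        "differ": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
        "only_released": sorted(a.keys() - b.keys()),
        "only_rebuilt": sorted(b.keys() - a.keys()),
    }


def make_jar(entries, timestamp):
    """Build a constructed in-memory jar from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(zipfile.ZipInfo(name, date_time=timestamp), data)
    return buf.getvalue()


# Constructed sample data: placeholder bytes, not real compiled classes.
A, B = b"\xca\xfe\xba\xbe class A", b"\xca\xfe\xba\xbe class B"
RELEASED = make_jar({"example/A.class": A, "example/B.class": B,
                     "META-INF/MANIFEST.MF": b"Created-By: release box\n"},
                    (2012, 4, 1, 12, 0, 0))
# Same classes, different entry order, timestamps and manifest.
REBUILT_SAME = make_jar({"META-INF/MANIFEST.MF": b"Created-By: verifier\n",
                         "example/B.class": B, "example/A.class": A},
                        (2012, 4, 10, 20, 51, 0))
# One class altered, one missing, one extra.
REBUILT_DIFF = make_jar({"example/A.class": A + b" patched",
                         "example/Extra.class": b"\xca\xfe\xba\xbe"},
                        (2012, 4, 10, 20, 51, 0))

if __name__ == "__main__":
    print("jar files byte-identical:", RELEASED == REBUILT_SAME)
    print("same classes:", compare_jars(RELEASED, REBUILT_SAME))
    print("tampered rebuild:", compare_jars(RELEASED, REBUILT_DIFF))
```

Only the classes listed under `differ` then need the slow javap disassembly to see what changed.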