We need a script that downloads the latest released jar, fetches the corresponding git tag, compiles the code, and compares it to what has been released. Nextgens had a script doing something similar for a while to check indenting changes; Java compilation to bytecode is deterministic, but you can't just compare the jars, you need to break out the class files and then compare them. Whoever runs this (hopefully more than one person) would need to have the same setup that builds are generated on. When I release a build, I compile on my system, which is Debian stable. The script could be totally automated with a little work (and would have to be adjusted for releases by other people, but this is easily checked by who signed the tag).
Anyone want to write such a script? Nextgens, do you have the old whitespace change checker script still? I suspect we could get suitable volunteers fairly easily. IMHO it is important to have third party verification (with said third parties not being connected to FPI and ideally some of them not being traceable). For all we know my computer is backdoored and it's releasing patched builds with surveillance addons already! And future laws, in the UK and elsewhere, may compel developers to do this themselves, secretly. This should be relatively easy to implement, and should put a lot of people's minds at rest. So anyone want to develop such a script?
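The comparison step the post describes, as an added example that is not part of the original message or any Freenet script: it assumes the released jar and a jar rebuilt from the matching git tag are already on disk (the download and compile steps are not shown), and compares their class files by content hash rather than comparing the jars byte for byte. The jar contents and class names below are constructed test data.

```python
# Added example (not from the mailing-list post): compare the .class entries of
# a released jar against one rebuilt from the matching git tag. Jars are zip
# files, so each class is compared by content hash; META-INF (manifest,
# signatures) and zip timestamps are ignored since they differ between builds.
import hashlib
import io
import zipfile


def class_digests(jar_bytes):
    """Map each .class entry path to the SHA-256 of its bytecode."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class") and not name.startswith("META-INF/"):
                digests[name] = hashlib.sha256(zf.read(name)).hexdigest()
    return digests


def compare_jars(released, rebuilt):
    """Return (only_in_release, only_in_rebuild, differing) class paths."""
    a, b = class_digests(released), class_digests(rebuilt)
    only_in_release = sorted(set(a) - set(b))
    only_in_rebuild = sorted(set(b) - set(a))
    differing = sorted(n for n in a if n in b and a[n] != b[n])
    return only_in_release, only_in_rebuild, differing


def make_jar(entries, manifest="Manifest-Version: 1.0\n"):
    """Build a small jar in memory from {path: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed sample jars: Node matches, Peer differs, and the release
# carries an Extra class that the rebuild from source does not produce.
RELEASED = make_jar({
    "freenet/node/Node.class": b"\xca\xfe\xba\xbe node-v1",
    "freenet/node/Peer.class": b"\xca\xfe\xba\xbe peer-v1",
    "freenet/node/Extra.class": b"\xca\xfe\xba\xbe extra",
}, manifest="Manifest-Version: 1.0\nBuilt-By: release\n")
REBUILT = make_jar({
    "freenet/node/Node.class": b"\xca\xfe\xba\xbe node-v1",
    "freenet/node/Peer.class": b"\xca\xfe\xba\xbe peer-v2",
})

if __name__ == "__main__":
    print(compare_jars(RELEASED, REBUILT))
```

A clean result is three empty lists; any class that appears only in the release, or whose bytecode differs from the rebuild, is exactly what a third-party verifier would flag for a closer look.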