Addendum: no remote fetching or tag validation. Downloading the jars and git repo can easily be done outside the script, and tag validation requires a bit of manual work (importing and setting key trust).
On 10-04-2012 20:51, Marco Schulze wrote:
> Attached is a quick&dirty (and ugly) bash script which compares the
> disassembly of class files inside freenet.jar with the disassembly of
> class files compiled from the git repository. Because it uses javap,
> it's extremely slow.
>
> I'm running the script now, and so far it has found 8 class files with
> different bytecode. I don't know enough to tell why they differ, but
> my guess is that this is due to different compilers (official: JDK
> 1.6.0_26-b03, me: OpenJDK 1.7.0_03), or I screwed up somewhere...
>
> On 10-04-2012 16:01, Matthew Toseland wrote:
>> We need a script that downloads the latest released jar, and fetches the
>> corresponding git tag, compiles the code, and compares it to what has been
>> released. Nextgens had a script doing something similar for a while to check
>> indenting changes; Java compilation to bytecode is deterministic, but you
>> can't just compare the jars, you need to break out the class files and then
>> compare them. Whoever runs this (hopefully more than one person) would need
>> to have the same setup that builds are generated on. When I release a build,
>> I compile on my system, which is Debian stable. The script could be totally
>> automated with a little work (and would have to be adjusted for releases by
>> other people, but this is easily checked by who signed the tag).
>>
>> Anyone want to write such a script? Nextgens do you have the old whitespace
>> change checker script still?
>>
>> I suspect we could get suitable volunteers fairly easily.
>>
>> IMHO it is important to have third party verification (with said third
>> parties not being connected to FPI and ideally some of them not being
>> traceable). For all we know my computer is backdoored and it's releasing
>> patched builds with surveillance addons already! And future laws, in the UK
>> and elsewhere, may compel developers to do this themselves, secretly.
>>
>> This should be relatively easy to implement, and should put a lot of
>> people's minds at rest. So anyone want to develop such a script?
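The "break out the class files and then compare them" step from the thread, as an added example that is not part of the original messages and is not the attached bash script: it hashes the uncompressed bytes of each `.class` entry instead of disassembling with javap, so zip metadata, compression and manifest differences are ignored. The entry names, class bodies and the `make_jar` helper are constructed for illustration.

```python
import hashlib
import io
import zipfile


def class_digests(jar):
    """Map every .class entry in a jar (path or file object) to the
    SHA-256 of its uncompressed bytes, ignoring zip metadata."""
    with zipfile.ZipFile(jar) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if info.filename.endswith(".class")
        }


def compare_jars(released, rebuilt):
    """Return the class entries that are missing, extra, or differ."""
    rel, reb = class_digests(released), class_digests(rebuilt)
    return {
        "only_in_release": sorted(rel.keys() - reb.keys()),
        "only_in_rebuild": sorted(reb.keys() - rel.keys()),
        "different": sorted(n for n in rel.keys() & reb.keys() if rel[n] != reb[n]),
    }


def make_jar(entries, compression):
    """Build an in-memory jar from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: hypothetical entry names and placeholder class bodies.
MAGIC = b"\xca\xfe\xba\xbe"
RELEASED = make_jar({
    "META-INF/MANIFEST.MF": b"Built-By: release-host\n",
    "example/Same.class": MAGIC + b"identical body",
    "example/Changed.class": MAGIC + b"body from release",
    "example/Extra.class": MAGIC + b"not in the source tree",
}, zipfile.ZIP_DEFLATED)
REBUILT = make_jar({
    "META-INF/MANIFEST.MF": b"Built-By: verifier-host\n",
    "example/Same.class": MAGIC + b"identical body",
    "example/Changed.class": MAGIC + b"body from rebuild",
}, zipfile.ZIP_STORED)

if __name__ == "__main__":
    for kind, names in compare_jars(io.BytesIO(RELEASED), io.BytesIO(REBUILT)).items():
        print(kind, names)
```

Classes listed under `different` are the ones worth disassembling with javap to see whether the difference is a compiler artifact; an entry under `only_in_release` has no counterpart in the build from the tagged source.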