On Wednesday 11 Apr 2012 23:21:40 Matthew Toseland wrote:
> On Wednesday 11 Apr 2012 00:58:49 Marco Schulze wrote:
> > Addendum: no remote fetching or tag validation. Downloading the jars and
> > git repo can easily be done outside the script, and tag validation
> > requires a bit of manual work (importing and setting key trust).
>
> Nextgens is of the view that disassemblers can be fooled into not
> disassembling certain stretches of code. (Source?)
>
> It appears we can just compare the bytecode however. If you want to compare
> the disassembly that's good too, but somebody should check the source.

Err I mean somebody should run the bytecode verification script. It's not ready for your crontab just yet though...

>
> I have uploaded a basic version of a bytecode verification script called
> verify-build to the "Maintenance scripts" repository on github. Unfortunately
> build 1406 includes some classes that are only in my local tree because
> cleanup occurs a little too late. Anyway if you want to use it, or improve
> it, that would be cool.
>
> I have completed proof of concept (the bytecode is the same for two builds,
> including when doing a clean checkout in a separate folder). Provided that
> you use the same java compiler as the person doing the release, it should
> work (for 1407 onwards).
>
> Want to play with it? Post pull requests for any improvements ... I *may* get
> around to improving it further, there are some major deficiencies, the main
> one being that it figures out the latest build from the repository, which
> could be spoofed; it should check from auto-update or pick up the
> announcement or something. (And compare it to the HTTPS jars of course)
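The bytecode comparison discussed in this message, sketched as an added example (this is not the verify-build script and not code from the thread): it hashes the uncompressed `.class` entries of a released jar and a locally built jar, so zip timestamps and compression do not matter, and reports classes present on only one side as well as classes whose bytecode differs. The entry names, the jar contents and the helper `make_jar` are constructed for illustration.

```python
import hashlib
import io
import zipfile


def class_digests(jar_bytes):
    """Map each .class entry name to the SHA-256 of its uncompressed bytes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.filename.endswith(".class"):
                continue  # manifests and resources are not bytecode
            if info.filename in digests:
                # Two entries with one name: which one gets loaded is ambiguous.
                raise ValueError("duplicate entry: " + info.filename)
            digests[info.filename] = hashlib.sha256(jar.read(info)).hexdigest()
    return digests


def compare_jars(official, local):
    """Return (only_official, only_local, differing) as sorted lists of names."""
    a, b = class_digests(official), class_digests(local)
    only_official = sorted(set(a) - set(b))
    only_local = sorted(set(b) - set(a))
    differing = sorted(n for n in set(a) & set(b) if a[n] != b[n])
    return only_official, only_local, differing


def make_jar(entries, date_time):
    """Hypothetical helper: build a constructed sample jar in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


# Constructed sample input: a "released" jar carrying one leftover class and
# one class whose bytes differ from the local rebuild.
OFFICIAL = make_jar({"example/A.class": b"\xca\xfe\xba\xbe A1",
                     "example/B.class": b"\xca\xfe\xba\xbe B1",
                     "example/Stale.class": b"\xca\xfe\xba\xbe S1"},
                    (2012, 4, 11, 0, 0, 0))
LOCAL = make_jar({"example/A.class": b"\xca\xfe\xba\xbe A1",
                  "example/B.class": b"\xca\xfe\xba\xbe B2",
                  "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"},
                 (2012, 4, 12, 9, 30, 0))

if __name__ == "__main__":
    print(compare_jars(OFFICIAL, LOCAL))
```

A non-empty first list corresponds to the situation described for build 1406, where the released jar contains classes a clean build does not produce.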