> > It appears we can just compare the bytecode however. If you want to compare > the disassembly that's good too, but somebody should check the source. > > I have uploaded a basic version of a bytecode verification script called > verify-build to the "Maintenance scripts" repository on github. Unfortunately > build 1406 includes some classes that are only in my local tree because > cleanup occurs a little too late. Anyway if you want to use it, or improve > it, that would be cool. > > I have completed proof of concept (the bytecode is the same for two builds, > including when doing a clean checkout in a separate folder). Provided that > you use the same java compiler as the person doing the release, it should > work (for 1407 onwards).
If at some point in the future the installers start using pack200 jar compression that may mangle the bytecode and would complicate the verification process as uncompressed .class files will be different than javac output. If for whatever reason Freenet explodes in popularity overnight you may not have choice - pack200 is far cheaper than finding more hosting bandwidth. _______________________________________________ Devl mailing list Devl@freenetproject.org https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl