On Thursday 12 Apr 2012 04:07:02 Zlatin Balevsky wrote: > > > > It appears we can just compare the bytecode however. If you want to compare > > the disassembly that's good too, but somebody should check the source. > > > > I have uploaded a basic version of a bytecode verification script called > > verify-build to the "Maintenance scripts" repository on github. > > Unfortunately build 1406 includes some classes that are only in my local > > tree because cleanup occurs a little too late. Anyway if you want to use > > it, or improve it, that would be cool. > > > > I have completed proof of concept (the bytecode is the same for two builds, > > including when doing a clean checkout in a separate folder). Provided that > > you use the same java compiler as the person doing the release, it should > > work (for 1407 onwards). > > If at some point in the future the installers start using pack200 jar > compression that may mangle the bytecode and would complicate the > verification process as uncompressed .class files will be different > than javac output. If for whatever reason Freenet explodes in > popularity overnight you may not have choice - pack200 is far cheaper > than finding more hosting bandwidth.
As long as it is deterministic it can be verified by a third party. Also, Google Code is hardly likely to dump us, they must host much more popular projects, so download bandwidth is unlikely to be an issue.
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ Devl mailing list Devl@freenetproject.org https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl