Attached is a quick&dirty (and ugly) bash script which compares the 
disassembly of class files inside freenet.jar with the disassembly of 
class files compiled from the git repository. Because it uses javap, 
it's extremely slow.

I'm running the script now, and so far it has found 8 class files with 
different bytecode. I don't know enough to tell why they differ, but my 
guess is that this is due to different compilers (official: JDK 
1.6.0_26-b03, me: OpenJDK 1.7.0_03), or I screwed up somewhere...

On 10-04-2012 16:01, Matthew Toseland wrote:
> We need a script that downloads the latest released jar, and fetches the 
> corresponding git tag, compiles the code, and compares it to what has been 
> released. Nextgens had a script doing something similar for a while to check 
> indenting changes; Java compilation to bytecode is deterministic, but you 
> can't just compare the jars, you need to break out the class files and then 
> compare them. Whoever runs this (hopefully more than one person) would need 
> to have the same setup that builds are generated on. When I release a build, 
> I compile on my system, which is Debian stable. The script could be totally 
> automated with a little work (and would have to be adjusted for releases by 
> other people, but this is easily checked by who signed the tag).
>
> Anyone want to write such a script? Nextgens, do you have the old whitespace 
> change checker script still?
>
> I suspect we could get suitable volunteers fairly easily.
>
> IMHO it is important to have third party verification (with said third 
> parties not being connected to FPI and ideally some of them not being 
> traceable). For all we know my computer is backdoored and it's releasing 
> patched builds with surveillance addons already! And future laws, in the UK 
> and elsewhere, may compel developers to do this themselves, secretly.
>
> This should be relatively easy to implement, and should put a lot of people's 
> minds at rest. So anyone want to develop such a script?
-------------- next part --------------
#!/bin/bash

# Check command-line
if [ -z "$1" -o -z "$2" ]; then
        echo Usage: "$0" FREENET_DIR SOURCE_DIR
        exit 1
fi

# Check for freenet.jar and freenet-ext.jar
jar="$1/freenet.jar"
ext="$1/freenet-ext.jar"
if ! [ -f "$jar" -a -f "$ext" ]; then
        echo "$jar" or "$ext" does not exist
        exit 2
fi

# Extract tag from manifest (is there a better way to do this?)
tag=$(unzip -qcx "$jar" META-INF/MANIFEST.MF | \
      grep Implementation-Version | \
      awk '{print $6}')
# Quote the tag: it comes from the manifest of the jar under test
if [ -z "$tag" ] || ! grep -q build <<<"$tag"; then
        echo Failed to extract tag from manifest
        exit 2
fi

# Create temporary dir. Subdirectories to be used are:
# - cmp: class files compiled from source
# - jar: class files from freenet.jar
# - src: source files from git repository
tmp=$(mktemp -d)
if [ $? -ne 0 ]; then
        echo Failed to create temporary directory
        exit 2
fi
echo Using "$tmp" as temporary directory

# Extract all class files from jar
echo Extracting "$jar"
unzip -d "$tmp/jar" -qx "$jar" \*.class

# Get freenet sources at specified tag
echo Checking out "$tag"
if ! git --git-dir="$2/.git" --work-tree="$tmp" checkout "$tag" -- src; then
        rm -rf "$tmp"
        echo Failed to checkout "$tag"
        exit 2
fi

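# Compile (abort on failure, otherwise every class would be reported as different)
echo Compiling "$tag"
mkdir "$tmp/cmp"                # Output dir
if ! javac $(find "$tmp/src" -name \*.java) -d "$tmp/cmp" -cp "$ext" &> /dev/null; then
        rm -rf "$tmp"
        echo Failed to compile "$tag"
        exit 2
fi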

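# Compare
echo Comparing class files
rm -f "$tmp"/{cmp,jar}/freenet/node/Version*.class # Do not compare these
find "$tmp/jar" -type f | sort | while IFS= read -r f; do
        name=${f#"$tmp/jar/"}   # Path relative to the jar root
        cmp_f="$tmp/cmp/$name"
        if [ ! -f "$cmp_f" ]; then
                # Class is in the released jar but was not produced by the local build
                echo File "$name" is missing from the compiled output
        elif [ "$(javap -c "$f")" != "$(javap -c "$cmp_f")" ]; then
                echo File "$name" differ
        fi
done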

# Cleanup
echo Cleaning up
rm -rf "$tmp"
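
The quoted message says the jars cannot simply be compared and the class files have to be broken out first. The following Python sketch is an added example, not part of the original post or its attached script: it shows two archives with identical class bytes that still differ as files, and a per-entry digest comparison that sees through that. It compares raw bytes, which is stricter than the `javap -c` comparison in the script, so any entry it reports is a candidate for disassembly. The entry names other than `freenet/node/Version*.class` and all sample bytes are constructed.

```python
import hashlib
import io
import zipfile


def class_digests(jar_bytes):
    """Map each .class entry name to the SHA-256 of its uncompressed bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {info.filename: hashlib.sha256(jar.read(info)).hexdigest()
                for info in jar.infolist() if info.filename.endswith(".class")}


def compare_jars(released, rebuilt, skip_prefix="freenet/node/Version"):
    """Return (differing, only_in_released, only_in_rebuilt) entry names.
    skip_prefix mirrors the script above, which skips Version*.class."""
    a, b = ({n: d for n, d in class_digests(j).items()
             if not n.startswith(skip_prefix)} for j in (released, rebuilt))
    differing = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    return differing, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())


def make_jar(entries, date_time):
    """Build a constructed sample jar in memory from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries:
            jar.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


# Constructed sample data: placeholder bytes stand in for real class files.
CLASSES = [
    ("freenet/node/Node.class", b"\xca\xfe\xba\xbe node"),
    ("freenet/node/Version.class", b"\xca\xfe\xba\xbe build"),
    ("freenet/io/Comm.class", b"\xca\xfe\xba\xbe comm"),
]
RELEASED = make_jar(CLASSES, (2012, 4, 1, 12, 0, 0))
# Same class bytes, but different entry order and timestamps.
REBUILT = make_jar(CLASSES[::-1], (2012, 4, 10, 16, 0, 0))
# A rebuild in which one class differs and one is missing.
MODIFIED = make_jar([("freenet/node/Node.class", b"\xca\xfe\xba\xbe changed")],
                    (2012, 4, 10, 16, 0, 0))

if __name__ == "__main__":
    print("archives byte-identical:", RELEASED == REBUILT)
    print("same build:", compare_jars(RELEASED, REBUILT))
    print("modified build:", compare_jars(RELEASED, MODIFIED))
```

Entries that come back as identical need no disassembly at all, which also avoids most of the `javap` cost mentioned in the post.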
