On Wednesday 11 Apr 2012 00:58:49 Marco Schulze wrote:
> Addendum: no remote fetching or tag validation. Downloading the jars and 
> git repo can easily be done outside the script, and tag validation 
> requires a bit of manual work (importing and setting key trust).

Nextgens is of the view that disassemblers can be fooled into not disassembling 
certain stretches of code. (Source?)

It appears we can just compare the bytecode however. If you want to compare the 
disassembly that's good too, but somebody should check the source.

I have uploaded a basic version of a bytecode verification script called 
verify-build to the "Maintenance scripts" repository on github. Unfortunately 
build 1406 includes some classes that are only in my local tree because cleanup 
occurs a little too late. Anyway if you want to use it, or improve it, that 
would be cool.

I have completed proof of concept (the bytecode is the same for two builds, 
including when doing a clean checkout in a separate folder). Provided that you 
use the same java compiler as the person doing the release, it should work (for 
1407 onwards).

Want to play with it? Post pull requests for any improvements ... I *may* get 
around to improving it further, there are some major deficiencies, the main one 
being that it figures out the latest build from the repository, which could be 
spoofed; it should check from auto-update or pick up the announcement or 
something. (And compare it to the HTTPS jars of course)
> 
> On 10-04-2012 20:51, Marco Schulze wrote:
> > Attached is a quick&dirty (and ugly) bash script which compares the 
> > disassembly of class files inside freenet.jar with the disassembly of 
> > class files compiled from the git repository. Because it uses javap, 
> > it's extremely slow.
> >
> > I'm running the script now, and so far it has found 8 class files with 
> > different bytecode. I don't know enough to tell why they differ, but 
> > my guess is that this is due to different compilers (official: JDK 
> > 1.6.0_26-b03, me: OpenJDK 1.7.0_03), or I screwed up somewhere...
> >
> > On 10-04-2012 16:01, Matthew Toseland wrote:
> >> We need a script that downloads the latest released jar, and fetches the 
> >> corresponding git tag, compiles the code, and compares it to what has been 
> >> released. Nextgens had a script doing something similar for a while to 
> >> check indenting changes; Java compilation to bytecode is deterministic, 
> >> but you can't just compare the jars, you need to break out the class 
> >> files and then compare them. Whoever runs this (hopefully more than one 
> >> person) would need to have the same setup that builds are generated on. 
> >> When I release a build, I compile on my system, which is Debian stable. 
> >> The script could be totally automated with a little work (and would have 
> >> to be adjusted for releases by other people, but this is easily checked by 
> >> who signed the tag).
> >>
> >> Anyone want to write such a script? Nextgens, do you have the old 
> >> whitespace change checker script still?
> >>
> >> I suspect we could get suitable volunteers fairly easily.
> >>
> >> IMHO it is important to have third party verification (with said third 
> >> parties not being connected to FPI and ideally some of them not being 
> >> traceable). For all we know my computer is backdoored and it's releasing 
> >> patched builds with surveillance addons already! And future laws, in the 
> >> UK and elsewhere, may compel developers to do this themselves, secretly.
> >>
> >> This should be relatively easy to implement, and should put a lot of 
> >> people's minds at rest. So anyone want to develop such a script?
> >>
> >>
> >> _______________________________________________
> >> Devl mailing list
> >> Devl at freenetproject.org
> >> https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
> 
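As an added illustration of the class-by-class comparison the thread is converging on (not the verify-build script or Marco's bash script), the following compares the compiled bytecode inside two jars directly, without running javap, so a compiler mismatch shows up as a short list of differing classes; the jar contents and entry names below are constructed sample data, not real freenet.jar contents.

```python
import hashlib
import io
import zipfile

def class_digests(jar_bytes: bytes) -> dict:
    """Map each .class entry in a jar (a zip file) to the SHA-256 of its bytes.
    Manifest, signature files and zip timestamps are ignored on purpose:
    only the compiled bytecode is compared, as the thread proposes."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.filename.endswith(".class"):
                digests[info.filename] = hashlib.sha256(jar.read(info)).hexdigest()
    return digests

def compare_jars(released: bytes, rebuilt: bytes) -> dict:
    """Report classes present in only one jar and classes whose bytecode differs."""
    a, b = class_digests(released), class_digests(rebuilt)
    common = a.keys() & b.keys()
    return {
        "only_in_release": sorted(a.keys() - b.keys()),
        "only_in_rebuild": sorted(b.keys() - a.keys()),
        "differing": sorted(n for n in common if a[n] != b[n]),
        "identical": sorted(n for n in common if a[n] == b[n]),
    }

def make_jar(entries: dict) -> bytes:
    """Build an in-memory jar from {entry name: bytes}; used here to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample jars, not real freenet.jar contents: the rebuild matches
# Node.class, differs in Version.class, lacks Extra.class and adds Local.class.
MAGIC = b"\xca\xfe\xba\xbe"  # class-file magic number
RELEASED = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "freenet/node/Node.class": MAGIC + b"\x00" * 16,
    "freenet/node/Version.class": MAGIC + b"\x01" * 16,
    "freenet/node/Extra.class": MAGIC + b"\x02" * 16,
})
REBUILT = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nBuilt-By: verifier\n",
    "freenet/node/Node.class": MAGIC + b"\x00" * 16,
    "freenet/node/Version.class": MAGIC + b"\x03" * 16,
    "freenet/node/Local.class": MAGIC + b"\x04" * 16,
})
```

In a real run the two inputs would be the downloaded release jar and the jar built from the signed git tag with the same JDK as the releaser; as the thread notes, a different compiler will itself produce a handful of differing classes, so the compiler version must be matched before a difference is read as tampering.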
