You might know the reproducible-builds project, which tries to allow users to verify that what they install actually corresponds to the released source. Or GNU Guix, which provides transparent reproducible binaries — along with a challenge function.
Given that Freenet is made for people with high expectations for integrity, it might not surprise you that Freenet has been providing a verifiable1 build and a verification script since 2012. However, until release 1481, it was a hassle to set up, and few people used it.
But now that we’re on gradle, verifying that what I release is actually what’s tagged in the source is much easier than before.
The following instructions are for GNU/Linux, and maybe other *nixes, allowing you to verify the test release of 1482. You can easily adapt them for future releases.
First off: to verify 1482 you NEED Java 7 - in general you need the Java version I release with. I hope that starting with 1483 it will be Java 8.
Update 2022: Now it’s Java 8.
Start by downloading the jar: SSK@…/jar-1482 (needs a running Freenet)
Copy it to
Then run the following:
```bash
failureWarning="FAILED TO VERIFY. If you determine that this failure is not due to build environment differences, then the source files used to build the published version of Freenet are different from the published source files. The build has been compromised. Take care to only run versions of Freenet with published, reviewable source code, as compromised versions of Freenet could easily contain back doors."

# Build the tagged release from source.
# (The clone URL was garbled on the page; fred lives at github.com/freenet/fred.)
cd /tmp/
git clone https://github.com/freenet/fred.git
cd fred
git checkout build01482
./gradlew jar
mv build/libs/freenet.jar ../freenet-built.jar
cd ..

# Unpack both jars and record the sorted list of files each one contains.
mkdir unpacked-built
unzip freenet-built.jar -d unpacked-built
(cd unpacked-built; find -type f) | sort > unpacked-built.list
mkdir unpacked-official
unzip freenet-1482.jar -d unpacked-official
(cd unpacked-official; find -type f) | sort > unpacked-official.list

# The two jars must contain exactly the same set of files.
if ! cmp unpacked-official.list unpacked-built.list; then
    echo FAILED TO VERIFY: Different files in official vs built
    echo Files in official but not in built are marked as +
    echo Files in built but not in official are marked with -
    diff -u unpacked-built.list unpacked-official.list
    echo ""
    echo "$failureWarning"
fi

# Every file must be byte-identical; only the manifest is expected to differ, so it is shown for review.
while read x; do
    if ! cmp "unpacked-official/$x" "unpacked-built/$x"; then
        if [[ "$x" = "./META-INF/MANIFEST.MF" ]]; then
            echo "Manifest file is different; this is expected."
            echo "Please review the differences:"
            diff "unpacked-official/$x" "unpacked-built/$x"
        else
            echo "File is different: $x"
            echo "$x" >> "differences"
        fi
    fi
done < unpacked-official.list

# Any non-manifest difference means the published jar was not built from the tagged source.
if [[ -s "differences" ]]; then
    echo VERIFY FAILED: FILES ARE DIFFERENT:
    cat differences
    echo ""
    echo "$failureWarning"
fi
```
That’s it. You just verified release 1482 of Freenet. If that code does not shout a huge warning at you, then what I released is actually what is tagged and signed as 1482 in the source.
PS: This is a shorter and somewhat cleaned up version of the verify-build script.
PPS: Yes, there is also a docker solution. I cannot test it right now, though, because my docker does not work. Ask in IRC (#freenet on libera.chat).
Since Java puts timestamps into class files and requires signing of jars, the jar is not byte-by-byte reproducible, but the verify-build script unpacks the jar and compares the class files, ensuring that they only differ in timestamps and similar details that do not affect functionality. ↩
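The same check the script performs, written as an added example of my own rather than the project's verify-build script: it compares two jars entry by entry in memory, and where the manifest differs it reports which attributes changed so the difference can be reviewed. The make_jar helper and every jar it builds in the test are constructed sample input, not Freenet artifacts.

```python
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def make_jar(entries: dict) -> bytes:
    """Build an in-memory jar from {path: bytes}; only used here to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()

def entry_hashes(jar: bytes) -> dict:  # path -> SHA-256 of the entry's bytes, directories skipped
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def manifest_attrs(jar: bytes) -> dict:
    """Parse the main section of MANIFEST.MF into key/value pairs, joining continuation lines."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        text = zf.read(MANIFEST).decode("utf-8") if MANIFEST in zf.namelist() else ""
    attrs, last = {}, None
    for line in text.replace("\r\n", "\n").split("\n\n", 1)[0].splitlines():  # main section only
        if line.startswith(" ") and last:
            attrs[last] += line[1:]  # continuation line, per the jar manifest format
        elif ":" in line:
            last, value = line.split(":", 1)
            attrs[last] = value.strip()
    return attrs

def compare_jars(official: bytes, built: bytes) -> dict:
    """Same check as the verify-build script: entry lists and bytes must match; manifest reviewed."""
    off, blt = entry_hashes(official), entry_hashes(built)
    report = {"missing_in_built": sorted(set(off) - set(blt)),  # the script marks these with +
              "extra_in_built": sorted(set(blt) - set(off)),    # ... and these with -
              "different": [], "manifest_diff": {}}
    for name in (n for n in sorted(set(off) & set(blt)) if off[n] != blt[n]):
        if name == MANIFEST:  # expected to differ (signing/build metadata): show what changed
            mo, mb = manifest_attrs(official), manifest_attrs(built)
            report["manifest_diff"] = {k: (mo.get(k), mb.get(k))
                                       for k in sorted(set(mo) | set(mb)) if mo.get(k) != mb.get(k)}
        else:
            report["different"].append(name)
    # Manifest-only differences pass; any other mismatch means the jar is not what was tagged.
    report["verified"] = not (report["missing_in_built"] or report["extra_in_built"]
                              or report["different"])
    return report
```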