[metrics-team] onionoo questions/comments

Karsten Loesing karsten at torproject.org
Sat Apr 8 07:14:07 UTC 2017


On 08.04.17 02:33, someone wrote:
> Hi all,

Hi Josh,

> I'm starting to look at onionoo and have some questions. I didn't find an onionoo-specific mailing list so hopefully this is the most appropriate place.

Yes, this mailing list is fine.

> 1. the build.xml requires jetty8 jars, however as far as I can tell eclipse names their jetty jars "jetty" not "jetty8". Any reason they're named jetty8 in the build.xml? I'm using the jars from http://central.maven.org/maven2/org/eclipse/jetty/jetty-distribution/8.1.16.v20140903/.

We're using the .jar files from Debian stable.  That's where the file
names come from.

> 2. related to #1 above, what do you think about including checksums of the jars in the build.xml? Even if they're just comments in the build.xml like:
> 
> 	<!-- 70754552739398c669f8172f190c58e9784b4eb1cfeeed47c2634e5ffffe6eaa  descriptor-1.6.0.jar -->
> 	<!-- ad19d2601c3abf0b946b5c3a4113e226a8c1e3305e395b90013b78dd94a723ce  commons-codec-1.9.jar -->
> 	<!-- b8e0a1700023359a2b4d9f04b9287d7b9aa200f4feac1079812337eef2dcb8e2  commons-compress-1.9.jar -->
> 	<!-- 6b81d10754dadf184d386011486e6509c2cc0c3d33565ced4fb4402b9413d47d  commons-lang3-3.3.2.jar -->
> 	<!-- c0328cd07ca9e363a5acd00c1cf4afe8cf554bd6d373834981ba05cebec687fb  gson-2.2.4.jar -->
> 	<!-- 30b792e2745752fad8e1f92ca750d5f2d480edd2c5e99bc098aaebe22eb48c22  logback-classic-1.1.2.jar -->
> 	<!-- 90f1dfca25cd776f28a589f58b181d0e6787668a1b1fa8510bead402f86edcb1  logback-core-1.1.2.jar -->
> 	<!-- 69980c038ca1b131926561591617d9c25fabfc7b29828af91597ca8570cf35fe  slf4j-api-1.7.7.jar -->
> 	<!-- 86f30fa8775fa3a62cdb39d1ed78a6019164c1058864048d42cbee244e26e840  xz-1.5.jar -->
> 
> This could increase confidence that the proper jars are being used, and that the jars haven't been modified by malicious actors. There might be fancier options out there like apache ivy, etc.

Well, I'm slightly worried that we'd at one point forget to update these
comments, and that would for sure confuse people.  I do see the point
though.  But maybe we can increase confidence by some other means (see
the release tarball comment below).

> 3. including a hint in the CONTRIB.md as to where folks can find these jars might help. For example I found the jars at 
> http://mvnrepository.com/
> https://dist.torproject.org/descriptor
> http://central.maven.org/maven2/org/eclipse/jetty/jetty-distribution/8.1.16.v20140903/
> 
> but maybe there's a one-stop-shop for them all I don't know about? Sadly I couldn't apt install them all (some, not all).

You should be able to get most of them from Debian stable, at least
those that are required for building and running Onionoo.  You'll still
need to get others for checking code style and measuring unit test
coverage, because we need newer versions than what was in Debian stable.

But if you really want a one-stop-shop, just download the latest release
tarball that comes with all jars that you need.  And it's even signed! :)

https://dist.torproject.org/onionoo/

> Just some thoughts. Thanks for any info. :)

Hope this helps.  Happy coding!

> Josh

All the best,
Karsten


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/metrics-team/attachments/20170408/1c6ad4c8/attachment.sig>
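
An added example of the checksum idea from point 2 above (editor's code, not Onionoo's build tooling and not anything from the thread): a POSIX shell script that reads SHA-256 checksum comments of the "<!-- <sha256>  <name>.jar -->" form out of a build.xml and verifies the jars in a lib/ directory against them. The demo runs on constructed placeholder files in a temporary directory; their digests are computed at run time and are not the real jar hashes quoted in the message. The file name verify-jars.sh and the fixture contents are assumptions.

```shell
#!/bin/sh
# Added example (not Onionoo's own build tooling): verify the jars in a lib/
# directory against SHA-256 checksums kept as XML comments in build.xml, in
# the "<!-- <sha256>  <name>.jar -->" form proposed in the thread. The demo
# below runs entirely on constructed placeholder files in a temp directory;
# their digests are computed at run time and are not the real jar hashes.

# SHA-256 of one file, portable across GNU (sha256sum) and BSD (shasum) userlands.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Pull "<hash> <jar>" pairs out of build.xml comment lines. Anything that is not
# exactly 64 hex digits followed by a .jar name is ignored, so an ordinary
# comment cannot be mistaken for a checksum entry.
manifest_from_build_xml() {
    sed -n 's/^[[:space:]]*<!--[[:space:]]*\([0-9a-f]\{64\}\)[[:space:]]\{1,\}\([^[:space:]]*\.jar\)[[:space:]]*-->.*$/\1 \2/p' "$1"
}

# Verify every jar in the manifest against "$lib_dir". Prints one line per jar
# and returns 0 only if all are present and match. A missing jar fails too:
# otherwise an absent file could be dropped in later without ever being checked.
verify_jars() {
    build_xml=$1; lib_dir=$2; rc=0
    manifest=$(manifest_from_build_xml "$build_xml")
    if [ -z "$manifest" ]; then
        echo "no checksum comments found in $build_xml" >&2
        return 2
    fi
    while read -r expected name; do
        path="$lib_dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        actual=$(sha256_of "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done <<EOF
$manifest
EOF
    return $rc
}

# Constructed fixture: a throwaway lib/ with two placeholder "jars" and a
# build.xml whose checksum comments match them. Prints the temp directory path.
make_fixture() {
    dir=$(mktemp -d)
    mkdir "$dir/lib"
    printf 'placeholder descriptor jar\n' > "$dir/lib/descriptor-1.6.0.jar"
    printf 'placeholder gson jar\n'       > "$dir/lib/gson-2.2.4.jar"
    {
        echo '<project name="onionoo-example" default="compile">'
        echo "  <!-- $(sha256_of "$dir/lib/descriptor-1.6.0.jar")  descriptor-1.6.0.jar -->"
        echo "  <!-- $(sha256_of "$dir/lib/gson-2.2.4.jar")  gson-2.2.4.jar -->"
        echo '  <!-- not a checksum line, must be ignored by the parser -->'
        echo '</project>'
    } > "$dir/build.xml"
    echo "$dir"
}

# Untouched fixture: verification must succeed (return 0).
check_clean_fixture() {
    dir=$(make_fixture)
    verify_jars "$dir/build.xml" "$dir/lib"; rc=$?
    rm -rf "$dir"
    return $rc
}

# One byte appended to a jar, as a substituted or wrong-version download would
# look: verification must fail (return 1), which is the whole point of the check.
check_tampered_fixture_fails() {
    dir=$(make_fixture)
    printf 'x' >> "$dir/lib/gson-2.2.4.jar"
    verify_jars "$dir/build.xml" "$dir/lib" >/dev/null; rc=$?
    rm -rf "$dir"
    [ "$rc" -eq 1 ]
}

check_clean_fixture && check_tampered_fixture_fails && echo "all checks passed"
```

The check only catches a jar that differs from the one whose digest was recorded; it says nothing about whether that recorded jar was trustworthy, and, as noted in the reply above, the comments are only useful if they are updated with every dependency bump, so the verification should run as part of the build rather than by hand. For the signed release tarball, the equivalent check is to import the maintainer's key and run gpg --verify against the detached signature before unpacking.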

