[metrics-team] onionoo questions/comments

someone someone at aprivatesub.net
Sun Apr 9 18:07:39 UTC 2017


Thanks for the help. I was concentrating too much on CONTRIB.md and not enough on INSTALL.md (I see that URL listed in INSTALL.md).
Josh

------------------------------------------------------
0B52 3A1A 7CDE 138A 3579  84CD 4F8B B1BC 13E4 2259
contact info: https://someone.aprivatesub.net

On Saturday, April 8, 2017 3:14 AM, Karsten Loesing <karsten at torproject.org> wrote:
> On 08.04.17 02:33, someone wrote:
>> Hi all,
> 
> Hi Josh,
> 
>> I'm starting to look at onionoo and have some questions. I didn't find
>> an onionoo-specific mailing list so hopefully this is the most
>> appropriate place.
> 
> Yes, this mailing list is fine.
> 
>> 1. the build.xml requires jetty8 jars, however as far as I can tell
>> eclipse names their jetty jars "jetty" not "jetty8". Any reason they're
>> named jetty8 in the build.xml? I'm using the jars from
>> http://central.maven.org/maven2/org/eclipse/jetty/jetty-distribution/8.1.16.v20140903/.
> 
> We're using the .jar files from Debian stable.  That's where the file
> names come from.
> 
>> 2. related to #1 above, what do you think about including checksums of
>> the jars in the build.xml? Even if they're just comments in the
>> build.xml like:
>>
>> 	<!-- 70754552739398c669f8172f190c58e9784b4eb1cfeeed47c2634e5ffffe6eaa descriptor-1.6.0.jar -->
>> 	<!-- ad19d2601c3abf0b946b5c3a4113e226a8c1e3305e395b90013b78dd94a723ce commons-codec-1.9.jar -->
>> 	<!-- b8e0a1700023359a2b4d9f04b9287d7b9aa200f4feac1079812337eef2dcb8e2 commons-compress-1.9.jar -->
>> 	<!-- 6b81d10754dadf184d386011486e6509c2cc0c3d33565ced4fb4402b9413d47d commons-lang3-3.3.2.jar -->
>> 	<!-- c0328cd07ca9e363a5acd00c1cf4afe8cf554bd6d373834981ba05cebec687fb gson-2.2.4.jar -->
>> 	<!-- 30b792e2745752fad8e1f92ca750d5f2d480edd2c5e99bc098aaebe22eb48c22 logback-classic-1.1.2.jar -->
>> 	<!-- 90f1dfca25cd776f28a589f58b181d0e6787668a1b1fa8510bead402f86edcb1 logback-core-1.1.2.jar -->
>> 	<!-- 69980c038ca1b131926561591617d9c25fabfc7b29828af91597ca8570cf35fe slf4j-api-1.7.7.jar -->
>> 	<!-- 86f30fa8775fa3a62cdb39d1ed78a6019164c1058864048d42cbee244e26e840 xz-1.5.jar -->
>>
>> This could increase confidence that the proper jars are being used, and
>> that the jars haven't been modified by malicious actors. There might be
>> fancier options out there like apache ivy, etc.
> 
> Well, I'm slightly worried that we'd at one point forget to update these
> comments, and that would for sure confuse people.  I do see the point
> though.  But maybe we can increase confidence by some other means (see
> the release tarball comment below).
> 
>> 3. including a hint in the CONTRIB.md as to where folks can find these
>> jars might help. For example I found the jars at
>> http://mvnrepository.com/
>> https://dist.torproject.org/descriptor
>> http://central.maven.org/maven2/org/eclipse/jetty/jetty-distribution/8.1.16.v20140903/
>>
>> but maybe there's a one-stop-shop for them all I don't know about? Sadly
>> I couldn't apt install them all (some, not all).
> 
> You should be able to get most of them from Debian stable, at least
> those that are required for building and running Onionoo.  You'll still
> need to get others for checking code style and measuring unit test
> coverage, because we need newer versions than what was in Debian stable.
> 
> But if you really want a one-stop-shop, just download the latest release
> tarball that comes with all jars that you need.  And it's even signed! :)
> 
> https://dist.torproject.org/onionoo/
> 
>> Just some thoughts. Thanks for any info. :)
> 
> Hope this helps.  Happy coding!
> 
>> Josh
> 
> All the best,
> Karsten
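
Added example, not part of the original thread and not Onionoo's own build code: one way to address the worry raised above that checksum comments in build.xml would go stale is to keep the digests in a sha256sum-style manifest that a build step actually checks, so an outdated or missing entry is reported instead of silently ignored. The manifest format, the function names and the stand-in jar files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file (jars are small enough to read in one go)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse 'HEXDIGEST  filename' lines (sha256sum format); '#' starts a comment."""
    pinned = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            digest, name = line.split(None, 1)
            pinned[name.strip().lstrip("*")] = digest.lower()
    return pinned


def verify_jars(lib_dir: Path, manifest_text: str) -> dict:
    """Report jars whose digest differs, that are missing, or that are not pinned."""
    pinned = parse_manifest(manifest_text)
    present = {p.name for p in lib_dir.glob("*.jar")}
    return {
        "mismatch": sorted(n for n in set(pinned) & present
                           if sha256_of(lib_dir / n) != pinned[n]),
        "missing": sorted(set(pinned) - present),
        "unpinned": sorted(present - set(pinned)),
    }


def demo() -> dict:
    """Constructed sample: stand-in files, not real jars or real digests."""
    names = ("alpha-1.0.jar", "beta-2.0.jar")
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp)
        for name in names:
            (lib / name).write_bytes(name.encode())
        manifest = "# constructed manifest\n"
        manifest += "".join(f"{sha256_of(lib / n)}  {n}\n" for n in names)
        manifest += "0" * 64 + "  gamma-3.0.jar\n"        # pinned, never fetched
        (lib / "beta-2.0.jar").write_bytes(b"changed")     # altered after pinning
        (lib / "delta-4.0.jar").write_bytes(b"extra")      # present, not pinned
        return verify_jars(lib, manifest)


if __name__ == "__main__":
    print(demo())
```

A build would treat any non-empty list as a failure; the "unpinned" list is what catches a jar that was upgraded or added without the manifest being updated.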

