[metrics-team] onionoo questions/comments

someone someone at aprivatesub.net
Sat Apr 8 00:33:46 UTC 2017


Hi all,

I'm starting to look at onionoo and have some questions. I didn't find an onionoo-specific mailing list so hopefully this is the most appropriate place.

1. The build.xml requires jetty8 jars; however, as far as I can tell Eclipse names their Jetty jars "jetty", not "jetty8". Any reason they're named jetty8 in the build.xml? I'm using the jars from http://central.maven.org/maven2/org/eclipse/jetty/jetty-distribution/8.1.16.v20140903/.

2. Related to #1 above, what do you think about including checksums of the jars in the build.xml? Even if they're just comments in the build.xml like:

	<!-- 70754552739398c669f8172f190c58e9784b4eb1cfeeed47c2634e5ffffe6eaa  descriptor-1.6.0.jar -->
	<!-- ad19d2601c3abf0b946b5c3a4113e226a8c1e3305e395b90013b78dd94a723ce  commons-codec-1.9.jar -->
	<!-- b8e0a1700023359a2b4d9f04b9287d7b9aa200f4feac1079812337eef2dcb8e2  commons-compress-1.9.jar -->
	<!-- 6b81d10754dadf184d386011486e6509c2cc0c3d33565ced4fb4402b9413d47d  commons-lang3-3.3.2.jar -->
	<!-- c0328cd07ca9e363a5acd00c1cf4afe8cf554bd6d373834981ba05cebec687fb  gson-2.2.4.jar -->
	<!-- 30b792e2745752fad8e1f92ca750d5f2d480edd2c5e99bc098aaebe22eb48c22  logback-classic-1.1.2.jar -->
	<!-- 90f1dfca25cd776f28a589f58b181d0e6787668a1b1fa8510bead402f86edcb1  logback-core-1.1.2.jar -->
	<!-- 69980c038ca1b131926561591617d9c25fabfc7b29828af91597ca8570cf35fe  slf4j-api-1.7.7.jar -->
	<!-- 86f30fa8775fa3a62cdb39d1ed78a6019164c1058864048d42cbee244e26e840  xz-1.5.jar -->

This could increase confidence that the proper jars are being used, and that the jars haven't been modified by malicious actors. There might be fancier options out there like Apache Ivy, etc.

3. Including a hint in the CONTRIB.md as to where folks can find these jars might help. For example, I found the jars at
http://mvnrepository.com/
https://dist.torproject.org/descriptor
http://central.maven.org/maven2/org/eclipse/jetty/jetty-distribution/8.1.16.v20140903/

but maybe there's a one-stop-shop for them all I don't know about? Sadly I couldn't apt install them all (some, not all).

Just some thoughts. Thanks for any info. :)

Josh

------------------------------------------------------
0B52 3A1A 7CDE 138A 3579  84CD 4F8B B1BC 13E4 2259
contact info: https://someone.aprivatesub.net

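The pinned-checksum idea from point 2 above, carried through to an actual check rather than a comment, as an added example that is not part of the original mail or of the Onionoo build. It assumes a plain-text manifest of "sha256  filename" lines (the same shape as the comments quoted in the mail; the file name jars.sha256 and the lib/ directory are assumptions) and fails closed: a missing or modified jar fails the whole check, so a tampered download can't silently end up on the classpath.

```shell
#!/bin/sh
# Added example (not Onionoo's own code): verify downloaded jars against
# pinned SHA-256 digests before the build uses them.
# Manifest format, one jar per line (comments and blank lines allowed):
#   <sha256 hex>  <jar file name>

# SHA-256 of one file; works with coreutils sha256sum or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_jars MANIFEST LIBDIR
# Returns 0 only if every jar named in MANIFEST exists in LIBDIR and its
# digest matches the pinned value. All problems are reported, not just the
# first, and any single bad jar makes the function return non-zero.
verify_jars() {
    manifest=$1
    libdir=$2
    status=0
    while read -r expected name; do
        case $expected in ''|'#'*) continue ;; esac   # skip blanks/comments
        jar="$libdir/$name"
        if [ ! -f "$jar" ]; then
            echo "MISSING  $name" >&2
            status=1
            continue
        fi
        actual=$(sha256_of "$jar")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name" >&2
            echo "  expected $expected" >&2
            echo "  actual   $actual" >&2
            status=1
        fi
    done < "$manifest"
    return $status
}

# Usage: sh verify-jars.sh jars.sha256 lib   (does nothing when run with no arguments)
if [ $# -ge 1 ]; then
    verify_jars "$1" "${2:-lib}"
    exit $?
fi
```

Wired in as the first step of the build (or as an Ant `<exec>` target that the compile target depends on), this turns the checksum comments into an enforced pin; Ant's own `<checksum>` task can express the same check in build.xml if a shell step is unwanted. Note that the pin only helps if the manifest itself comes from the repository rather than from the same place as the jars.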
