ecd-plugin / ecd

An Eclipse Plugin to integrate different Class Decompiler seamlessly into the development workflow
Eclipse Public License 1.0

Evaluate included binaries #5

Closed thegrumble closed 7 years ago

thegrumble commented 7 years ago

This repository includes a lot of binaries. Considering the previous state of the project before it was forked (adware features present, auto-updater included in the plugin itself instead of relying on eclipse's update site mechanism), can the previous developer who wrote this software be considered trustworthy? Can the binaries that they included be considered trustworthy?

Currently (as of 8a76aea68d8aabf5b1380fca46ad134bea0089f2), the list of included binaries is as follows:

- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-vss-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-vss-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-clearcase-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-clearcase-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-cvsjava-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-cvsjava-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-api-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-api-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-cvs-commons-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-cvs-commons-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-svn-commons-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-svn-commons-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-gitexe-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-gitexe-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/commons-compress-1.3.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/commons-compress-1.3.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-svnexe-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-svnexe-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-bazaar-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-bazaar-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/nexus-restlet1x-model-2.9.2-01.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/nexus-restlet1x-model-2.9.2-01.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/commons-lang-2.6.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/commons-lang-2.6.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-perforce-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-perforce-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-synergy-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-synergy-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-git-commons-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-git-commons-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/plexus-utils-3.0.15.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/plexus-utils-3.0.15.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/cvsclient-20060125.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/cvsclient-20060125.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-local-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-local-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-starteam-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-starteam-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/nexus-indexer-lucene-model-2.9.2-01.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/nexus-indexer-lucene-model-2.9.2-01.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-tfs-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-tfs-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-integrity-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-integrity-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-accurev-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-accurev-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-hg-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-hg-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-jazz-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-jazz-1.9.4.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/commons-io-2.2.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/commons-io-2.2.jar)
- [`org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-cvsexe-1.9.4.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.source.attach/lib/maven-scm-provider-cvsexe-1.9.4.jar)
- [`org.sf.feeling.decompiler.procyon/lib/procyon.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.procyon/lib/procyon.jar)
- [`org.sf.feeling.decompiler/lib/com.drgarbage.asm.util_5.0.3.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler/lib/com.drgarbage.asm.util_5.0.3.jar)
- [`org.sf.feeling.decompiler/lib/jsoup.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler/lib/jsoup.jar)
- [`org.sf.feeling.decompiler/lib/fernflower.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler/lib/fernflower.jar)
- [`org.sf.feeling.decompiler/lib/commons-codec-1.5.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler/lib/commons-codec-1.5.jar)
- [`org.sf.feeling.decompiler/lib/json.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler/lib/json.jar)
- [`org.sf.feeling.decompiler/lib/com.drgarbage.asm_5.0.3.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler/lib/com.drgarbage.asm_5.0.3.jar)
- [`org.sf.feeling.decompiler.jd/src/native/jd-core/linux/x86_64/libjd-eclipse.so`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.jd/src/native/jd-core/linux/x86_64/libjd-eclipse.so)
- [`org.sf.feeling.decompiler.jd/src/native/jd-core/linux/x86/libjd-eclipse.so`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.jd/src/native/jd-core/linux/x86/libjd-eclipse.so)
- [`org.sf.feeling.decompiler.jd/src/native/jd-core/win32/x86_64/jd-eclipse.dll`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.jd/src/native/jd-core/win32/x86_64/jd-eclipse.dll)
- [`org.sf.feeling.decompiler.jd/src/native/jd-core/win32/x86/jd-eclipse.dll`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.jd/src/native/jd-core/win32/x86/jd-eclipse.dll)
- [`org.sf.feeling.decompiler.jd/src/native/jd-core/macosx/x86_64/libjd-eclipse.jnilib`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.jd/src/native/jd-core/macosx/x86_64/libjd-eclipse.jnilib)
- [`org.sf.feeling.decompiler.jd/src/native/jd-core/macosx/x86/libjd-eclipse.jnilib`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.jd/src/native/jd-core/macosx/x86/libjd-eclipse.jnilib)
- [`org.sf.feeling.decompiler.cfr/lib/cfr_0_122.jar`](https://github.com/ecd-plugin/ecd/blob/8a76aea68d8aabf5b1380fca46ad134bea0089f2/org.sf.feeling.decompiler.cfr/lib/cfr_0_122.jar)

(this list comes with no warranty, it's possible I missed a few)

I find the native libraries (jd-eclipse) especially worrisome because they're practically impossible to audit (what if they contain malicious code?) and also limit platform compatibility to the included libraries. This way, the jd plugin cannot run on ARM (for example on a Raspberry Pi, Eclipse is available for Raspbian). The jd decompiler is available as a pure java/groovy program that does not include any native libraries, just java class files.

In my opinion, the following questions should be considered:

This goes hand-in-hand with updating the dependencies and using more up-to-date decompiler backends.
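The concern raised above is that checked-in jars and native libraries cannot be tied to any known release. A practical first step for a reviewer is to inventory every binary in the tree, record a digest, note which jars at least carry a Maven-style `artifactId-version` name (so their published counterpart can be fetched and compared), flag native libraries (bare or embedded inside a jar), and check everything against a manifest of expected digests. The script below is an added example and is not code from the ecd project; the directory layout, the file names and the manifest it builds are constructed, and the heuristics for "binary" (.jar, .so, .dll, .jnilib, .dylib) and for Maven naming are assumptions of the example.

```python
"""Inventory and pin-check for binary artifacts checked into a source tree.

Added example (not part of the ecd project). Assumptions: the repository is a
plain directory tree; "binaries" are the file types the issue lists (.jar plus
.so/.dll/.jnilib native libraries); the expected-digest manifest is supplied by
the reviewer, e.g. SHA-256 values taken from the same coordinates downloaded
from a trusted artifact repository.
"""
import hashlib
import os
import re
import tempfile
import zipfile
from pathlib import Path

NATIVE_SUFFIXES = {".so", ".dll", ".jnilib", ".dylib"}
BINARY_SUFFIXES = NATIVE_SUFFIXES | {".jar"}

# Maven-style file name: <artifactId>-<version>.jar, where the version starts
# with a digit (handles 1.9.4, 20060125 and 2.9.2-01 style versions).
MAVEN_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.]*(?:-\d+)?)\.jar$")


def sha256_file(path):
    """Hex SHA-256 of a file, streamed so large jars are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def maven_coords(filename):
    """(artifactId, version) if the jar name follows Maven conventions, else None.
    A jar with no version in its name (procyon.jar, json.jar) cannot be matched to a
    published release by name alone, so it is reported as unversioned."""
    m = MAVEN_NAME.match(filename)
    return (m.group("artifact"), m.group("version")) if m else None


def jar_embedded_natives(path):
    """Entries inside a jar whose suffix is a native library; these are loaded with
    System.load* at runtime and deserve the same scrutiny as bare .so/.dll files."""
    with zipfile.ZipFile(path) as zf:
        return sorted(n for n in zf.namelist()
                      if Path(n).suffix.lower() in NATIVE_SUFFIXES)


def inventory(root):
    """Walk root and describe every binary: relative path, kind, digest, coordinates."""
    root = Path(root)
    items = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            suffix = p.suffix.lower()
            if suffix not in BINARY_SUFFIXES:
                continue
            items.append({
                "path": p.relative_to(root).as_posix(),
                "kind": "native" if suffix in NATIVE_SUFFIXES else "jar",
                "sha256": sha256_file(p),
                "maven": maven_coords(name) if suffix == ".jar" else None,
                "embedded_natives": jar_embedded_natives(p) if suffix == ".jar" else [],
            })
    return items


def verify_against_manifest(items, manifest):
    """Classify inventory entries against {relative_path: expected_sha256}.
    'unpinned' entries have no expected digest at all, which is exactly the state
    the issue describes: nothing ties the checked-in bytes to a known release."""
    result = {"ok": [], "mismatch": [], "unpinned": []}
    for it in items:
        expected = manifest.get(it["path"])
        if expected is None:
            result["unpinned"].append(it["path"])
        elif expected.lower() == it["sha256"]:
            result["ok"].append(it["path"])
        else:
            result["mismatch"].append(it["path"])
    return result


def build_demo_repo(root):
    """Constructed sample tree (not the real ecd layout): one Maven-named jar,
    one unversioned jar that carries a native library inside, and one bare .so."""
    root = Path(root)
    lib = root / "plugin" / "lib"
    lib.mkdir(parents=True)
    with zipfile.ZipFile(lib / "commons-io-2.2.jar", "w") as zf:
        zf.writestr("org/example/Foo.class", b"\xca\xfe\xba\xbe")  # constructed stub
    with zipfile.ZipFile(lib / "helper.jar", "w") as zf:
        zf.writestr("org/example/Bar.class", b"\xca\xfe\xba\xbe")
        zf.writestr("native/linux/x86_64/libhelper.so", b"\x7fELF-constructed")
    native = root / "plugin" / "native" / "linux" / "x86_64"
    native.mkdir(parents=True)
    (native / "libplugin.so").write_bytes(b"\x7fELF-constructed")
    return root


def demo_report():
    """Run the whole pipeline on the constructed tree; returns (inventory, report).
    Only the Maven-named jar gets pinned, so the report shows what is left unverified."""
    with tempfile.TemporaryDirectory() as tmp:
        items = inventory(build_demo_repo(tmp))
        pinned = {it["path"]: it["sha256"] for it in items if it["maven"]}
        return items, verify_against_manifest(items, pinned)


if __name__ == "__main__":
    items, report = demo_report()
    for it in items:
        print(f"{it['kind']:6} {it['path']}  maven={it['maven']}  "
              f"embedded_natives={it['embedded_natives']}")
    print(report)
```

Run against a real checkout, the `unpinned` list is the review backlog: for each Maven-named jar the expected digest can be obtained from the artifact repository that publishes those coordinates; unversioned jars and anything in `kind == "native"` or `embedded_natives` have no such reference and need either a reproducible build from source or replacement with a versioned dependency, which is the direction the issue argues for.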

pbi-qfs commented 7 years ago

Thank you, @xnrand, for your valuable considerations.

In a first step, we tackled the points mentioned in [1] to provide a fork of the plugin which does not suffer from the obvious privacy and security shortcomings. Nevertheless, in a second step the review of the included dependencies is important, too. I split your issue into two parts:

[1] https://0x10f8.wordpress.com/2017/08/07/reverse-engineering-an-eclipse-plugin/

thegrumble commented 7 years ago

> Can you give us a hand, maybe with a pull request for #7? Until now, I have no experience with the internals of the decompilers used.

I can certainly try, however I don't have any experience with the decompilers either. I'll let you know if I get anywhere.