Segmentation Fault
Analyzing the core

Diffing files on the web


As an AMO editor, one thing you have to do is code review for security flaws. When doing update reviews, the best way to do this is to download the extension update that is currently in sandbox and the last public release, unzip the zippy and jar files (unless you're lucky and your diff program does this for you), then compare the results using a tool such as KDiff3, meld, or WinMerge.

I’m trying to change that by starting a project that will let you compare two files online. I’ve done some work and think it’s a good time to get my idea out to those who will use it.

Here is a screenshot of the output. You can test a sample output at this page:

One of the first things you might notice is that this isn’t a side-by-side diff. The reason for that is that editors typically aren’t worried about what was taken out, but what was put in (while what was taken out might be more useful for extension developers). There is also the code that hasn’t changed, which is useful for referencing functions if it is ever needed.

It’s a simple PHP file. I hope to have some feedback on whether people will use this tool or not (and saying “I use x because I know it best” is totally fine too; I’m trying to focus my energy on what will be used).
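The update-review procedure described above (unpack both versions, including nested jar files, then compare) can be sketched as follows. This is an added example in Python, not the PHP tool from this post; the function names, file names and sample archive contents are constructed for illustration, and the report lists removed lines as well as added ones.

```python
import difflib
import io
import zipfile

def make_archive(files):
    """Build an in-memory zip; XPI and JAR files are ordinary zip archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

def read_members(data, prefix=""):
    """Map each file path to its lines, descending into nested .jar files."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            raw, path = zf.read(info), prefix + info.filename
            if path.endswith(".jar") and zipfile.is_zipfile(io.BytesIO(raw)):
                out.update(read_members(raw, path + "!/"))
            else:
                out[path] = raw.decode("utf-8", "replace").splitlines()
    return out

def review_update(old_data, new_data):
    """Report new files, deleted files, and added/removed lines per changed file."""
    old, new = read_members(old_data), read_members(new_data)
    report = {"new_files": sorted(set(new) - set(old)),
              "deleted_files": sorted(set(old) - set(new)), "changed": {}}
    for name in sorted(set(old) & set(new)):
        if old[name] != new[name]:
            diff = list(difflib.ndiff(old[name], new[name]))
            report["changed"][name] = {
                "added": [d[2:] for d in diff if d.startswith("+ ")],
                "removed": [d[2:] for d in diff if d.startswith("- ")]}
    return report

# Constructed sample data: two versions of a hypothetical extension.
OLD = make_archive({"install.rdf": "<version>1.0</version>\n", "chrome/sample.jar": make_archive(
    {"content/overlay.js": "function load(url) {\n  if (!isAllowed(url)) return;\n  fetchPage(url);\n}\n"})})
NEW = make_archive({"install.rdf": "<version>1.1</version>\n", "chrome/sample.jar": make_archive(
    {"content/overlay.js": "function load(url) {\n  fetchPage(url);\n}\n",
     "content/options.js": "var prefs = {};\n"})})

if __name__ == "__main__":
    for section, value in review_update(OLD, NEW).items():
        print(section, value)
```

In the constructed sample, `overlay.js` has no added lines at all; the only change is a removed check, which an additions-only view would show as unchanged code.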

Tags: editor, intern, mozilla


June 27th, 2008


11 Responses to “Diffing files on the web”

  1. Mossop
    June 27th, 2008 at 6:03 pm

    Looks like an awesome idea. However I question the suggestion that AMO reviewers don’t care about removed code. I really hope that isn’t the case because I think it would be trivial to generate some code that is innocuous on its own but after removing lines becomes something entirely malicious.


  2. Daniel Einspanjer
    June 27th, 2008 at 6:04 pm

    So is this program going to provide diffing of all the files in the xpi at once or just one at a time?

    I think it might have promise being an open source mechanism. I feel that ignoring removed lines is a bit dangerous. It makes it easier for someone to slip a vulnerability or exploit into the code without a reviewer catching it. I believe it should be a toggle to indicate whether you want to look at adds, removes, or changes.

    I have to say that any time the topic of diffing comes up, I have to plug one of the best named programs I’ve ever seen, Beyond Compare from Scooter Software.
    With their new version, Beyond Compare 3, they have a Windows and a Linux version (I’m begging for a Mac, but they have to update all their Delphi stuff first. :/). It is commercial, but it is reasonably priced. The latest version supports very easy diffing inside of zips and even through SFTP or FTP. It is a completely invaluable tool even as version three is approaching the end of beta. As a developer and general hacker, I find a use for it almost every day.


  3. Cesar
    June 27th, 2008 at 7:05 pm

    @ Mossop : Yes, you are right. I should have made clear that I am only speaking for myself in this post. I didn’t actually think of a scenario where an exploit could be generated by removing lines from one version to another. It’s crafty I must say, and totally possible :)

    @ Daniel : I was thinking about 1 at a time. Great suggestion on the toggle idea.


  4. skierpage
    June 27th, 2008 at 8:27 pm

    Did you consider the diff part of http://www.review-board.org/ , with its syntax highlighting in diffs?
    Or just use Review Board in its entirety if you’re doing code reviews.

    Also Google for “web-based diff”.


  5. CAFxX
    June 27th, 2008 at 11:30 pm

    https://bugzilla.mozilla.org/show_bug.cgi?id=430638


  6. Dave
    June 28th, 2008 at 8:29 am

    MXR has a web diff feature, in case you want to steal some code:

    http://hg.mozilla.org/webtools/mxr/index.cgi/file/df34452c5c07/diff

    Dave


  7. Shawn Wilsher
    June 28th, 2008 at 10:47 am

    This should absolutely be done for AMO. You should consider working on bug 430638!


  8. dafi
    June 29th, 2008 at 5:26 am

    @Daniel
    I’ve started the development of VisualDiffer, an extension for Komodo editor (but it’s easy to move to Firefox); it is strongly inspired by BC2.
    I would add the ability to compare using FTP and SCP.
    I want to make VisualDiffer a standalone application using XulRunner.

    @Cesar your work is cool and can dramatically improve the code comparison experience not only for editors but for AMO users if they can diff between extension source code


  9. Gerv
    June 30th, 2008 at 4:24 am

    Bugzilla also has a web-based diff viewer tool (examples: viewing a patch, interdiffing two patches on the same bug). You may want to look into that too.


  10. Recent URLs tagged Winmerge - Urlrecorder
    September 9th, 2008 at 7:46 pm

    […] recorded first by jaylichtenberger on 2008-09-09→ Diffing files on the web […]


  11. Segmentation Fault » Blog Archive » New Editor tool finally landed on AMO
    October 9th, 2008 at 7:56 pm

    […] made a post several months ago about an diffing zippy files on the web. While that stuff landed, it was difficult to use because I deferred actually showing […]

