Beta 2.100.2
Iain Buclaw
ibuclaw at gdcproject.org
Thu Sep 1 04:34:40 UTC 2022
On Wednesday, 31 August 2022 at 15:48:05 UTC, matheus wrote:
> On Wednesday, 31 August 2022 at 13:20:51 UTC, Martin Nowak
> wrote:
>> Glad to announce the first beta for the 2.100.2 point release,
>
> Thanks.
>
>> N.B.: We had some delays to clarify the expired EV certificate
>> and the next releases will ship without signed Windows
>> binaries due to the complications and cost of EV certificates.
>
> Is possible to share the costs for this?
>
Anywhere in the ballpark of an $750 to $1300 annual fee. Can only
give an estimate as on top of the eye-watering EV prices, there
may be more equally high fees for attestation and cloud signing.
To put that in context, the original certificate ordered in 2018
cost only $267 and was valid for **3 years**. That's a price
inflation of over 150% year-on-year!
The process has gotten more complex too, as it is now required to
have some sort of [hardware
token](https://cabforum.org/2022/04/06/ballot-csc-13-update-to-subscriber-key-protection-requirements/) in order to sign, not exactly CI pipeline friendly. Cloud-based HSM solutions exist, but at an opaque cost, and our current workflow will still be broken after getting it set-up anyway.
All this for at most only 12 signed Windows binaries per year
(maybe 36 if you include the beta and rc releases). It's getting
hard to justify proceeding with this cost unless we are *really*
confident with just exactly what we are doing.
I've only come across one other language compiler that has an
open issue for a lack of code signed release binaries. It seems
that an agreement was made with the Mozilla foundation to use
their [autograph
service](https://github.com/mozilla-services/autograph), but
they've made no progress on it for the last 7 years, and there
are still no signed releases.
No one has raised an issue so far for all DMD releases since that
occurred in the last 12 months, so either lack of signing isn't
an problem, or people are just ignoring/working around whatever
warning messages you might get for running unsigned binaries (NB:
haven't used Windows since 2003 so I have no clue what happens
when you run an unsigned binary).
More information about the Digitalmars-d-announce
mailing list