DMD downloads over HTTPS
d.forum at webfreak.org
Tue Oct 15 15:56:43 UTC 2019
On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir
> On Thursday, 26 September 2019 at 20:06:20 UTC, WebFreak001
>> hi, at the setup-dlang repository (GitHub Action for
>> installing D in their CI environment) we are having a
>> discussion about downloading DMD over HTTP could lead to MITM
>> attacks. However downloads.dlang.org doesn't seem to have
>> HTTPS available at all.
> IIRC, the last time we looked into this, which admittedly was
> many years ago, was that SSL was an additional paid feature for
> the Amazon service we use to serve the downloads.
>> Is there some possibility to add HTTPS support to
>> downloads.dlang.org to make sure the downloads function
>> properly? GnuPG isn't listed on the installed binaries in a
>> GitHub Actions environment so it can't be called to check
>> using the provided keyring (which would need to be updated
>> every once in a while too)
> The keyring is available over HTTPS, so the procedure we
> currently recommend is to download that and use it to verify
> the downloads. This is what e.g. the install.sh script does.
> BTW, GnuPG is a dependency for many other software (e.g.
> attempting to remove it on Arch Linux pulls a long string of
> dependencies making this impossible). It's possible that there
> is an implied guarantee that GnuPG will be present on the CI
> systems even though it is not explicitly listed.
I think now it would be possible to set it up for free? As far as
I can read these amazon docs it looks like pricing doesn't change
More information about the Digitalmars-d