DMD downloads over HTTPS
WebFreak001
d.forum at webfreak.org
Tue Oct 15 15:56:43 UTC 2019
On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir
Panteleev wrote:
> On Thursday, 26 September 2019 at 20:06:20 UTC, WebFreak001
> wrote:
>> hi, at the setup-dlang repository (GitHub Action for
>> installing D in their CI environment) we are having a
>> discussion about downloading DMD over HTTP could lead to MITM
>> attacks. However downloads.dlang.org doesn't seem to have
>> HTTPS available at all.
>
> IIRC, the last time we looked into this, which admittedly was
> many years ago, was that SSL was an additional paid feature for
> the Amazon service we use to serve the downloads.
>
>> Is there some possibility to add HTTPS support to
>> downloads.dlang.org to make sure the downloads function
>> properly? GnuPG isn't listed on the installed binaries in a
>> GitHub Actions environment so it can't be called to check
>> using the provided keyring (which would need to be updated
>> every once in a while too)
>
> The keyring is available over HTTPS, so the procedure we
> currently recommend is to download that and use it to verify
> the downloads. This is what e.g. the install.sh script does.
>
> BTW, GnuPG is a dependency for many other software (e.g.
> attempting to remove it on Arch Linux pulls a long string of
> dependencies making this impossible). It's possible that there
> is an implied guarantee that GnuPG will be present on the CI
> systems even though it is not explicitly listed.
I think now it would be possible to set it up for free? As far as
I can read these amazon docs it looks like pricing doesn't change
with HTTPS:
-
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html#CNAMEsAndHTTPS
- https://aws.amazon.com/cloudfront/custom-ssl-domains/
More information about the Digitalmars-d
mailing list