DMD downloads over HTTPS

WebFreak001 at
Tue Oct 15 15:56:43 UTC 2019

On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir 
Panteleev wrote:
> On Thursday, 26 September 2019 at 20:06:20 UTC, WebFreak001 
> wrote:
>> hi, at the setup-dlang repository (GitHub Action for 
>> installing D in their CI environment) we are having a 
>> discussion about downloading DMD over HTTP could lead to MITM 
>> attacks. However doesn't seem to have 
>> HTTPS available at all.
> IIRC, the last time we looked into this, which admittedly was 
> many years ago, was that SSL was an additional paid feature for 
> the Amazon service we use to serve the downloads.
>> Is there some possibility to add HTTPS support to 
>> to make sure the downloads function 
>> properly? GnuPG isn't listed on the installed binaries in a 
>> GitHub Actions environment so it can't be called to check 
>> using the provided keyring (which would need to be updated 
>> every once in a while too)
> The keyring is available over HTTPS, so the procedure we 
> currently recommend is to download that and use it to verify 
> the downloads. This is what e.g. the script does.
> BTW, GnuPG is a dependency for many other software (e.g. 
> attempting to remove it on Arch Linux pulls a long string of 
> dependencies making this impossible). It's possible that there 
> is an implied guarantee that GnuPG will be present on the CI 
> systems even though it is not explicitly listed.

I think now it would be possible to set it up for free? As far as 
I can read these amazon docs it looks like pricing doesn't change 
with HTTPS:

More information about the Digitalmars-d mailing list