DMD downloads over HTTPS
thecybershadow.lists at gmail.com
Thu Sep 26 21:26:38 UTC 2019
On Thursday, 26 September 2019 at 20:06:20 UTC, WebFreak001 wrote:
> hi, at the setup-dlang repository (GitHub Action for installing
> D in their CI environment) we are having a discussion about how
> downloading DMD over HTTP could lead to MITM attacks. However
> downloads.dlang.org doesn't seem to have HTTPS available at all.
IIRC, the last time we looked into this, which admittedly was
many years ago, SSL was an additional paid feature for the
Amazon service we use to serve the downloads.
> Is there some possibility to add HTTPS support to
> downloads.dlang.org to make sure the downloads function
> properly? GnuPG isn't listed among the installed binaries in a
> GitHub Actions environment so it can't be called to check using
> the provided keyring (which would need to be updated every once
> in a while too)
The keyring is available over HTTPS, so the procedure we
currently recommend is to download that and use it to verify the
downloads. This is what e.g. the install.sh script does.
BTW, GnuPG is a dependency of a lot of other software (e.g.
attempting to remove it on Arch Linux pulls in a long string of
dependencies, making this impossible). It's possible that there is
an implied guarantee that GnuPG will be present on the CI systems
even though it is not explicitly listed.
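The procedure the reply describes (fetch the keyring over HTTPS, then use it to verify archives fetched over plain HTTP), written out as an added example. This is not the post's own code and not dlang's install.sh or setup-dlang's; the keyring URL, the release URL layout and the ".sig" suffix are assumptions made for the illustration, not details given in the post. The selftest generates its own throwaway key so the verification step can be exercised without network access.

```shell
#!/bin/sh
# Added example, not dlang's install.sh and not setup-dlang's code.
# Fetch the signing keyring over HTTPS, fetch the DMD archive and its detached
# signature over plain HTTP, and accept the archive only if the signature
# verifies against that keyring and nothing else.
# Assumed for illustration (not stated in the post): KEYRING_URL, the release
# URL layout under RELEASE_BASE, and the ".sig" suffix on the signature file.
set -eu

KEYRING_URL="https://dlang.org/d-keyring.gpg"          # assumption
RELEASE_BASE="http://downloads.dlang.org/releases/2.x"  # assumption, plain HTTP

# Verify FILE ($3) against detached signature SIG ($2) using only the keys in
# KEYRING ($1). --no-default-keyring keeps the runner's own keyring out of the
# decision, so a stray key on the CI box cannot make a forged archive pass.
# gpg resolves a --keyring path without a slash relative to GNUPGHOME, so pass
# an absolute path.
verify_with_keyring() {
    gpg --batch --no-default-keyring --keyring "$1" --verify "$2" "$3"
}

# Download dmd.<ver>.linux.tar.xz and its .sig, then verify. The keyring is the
# root of trust, so it is fetched over TLS only: --proto/--proto-redir '=https'
# make curl refuse http: for the request and for any redirect, which would
# otherwise reopen the MITM the check exists to close.
# Prints the archive path on success; returns 1 (and installs nothing) otherwise.
fetch_and_verify_dmd() {
    ver=$1; dir=$(mktemp -d)
    keyring="$dir/d-keyring.gpg"
    archive="$dir/dmd.$ver.linux.tar.xz"
    curl -fsSL --proto '=https' --proto-redir '=https' --tlsv1.2 \
        -o "$keyring" "$KEYRING_URL"
    curl -fsSL -o "$archive"     "$RELEASE_BASE/$ver/dmd.$ver.linux.tar.xz"
    curl -fsSL -o "$archive.sig" "$RELEASE_BASE/$ver/dmd.$ver.linux.tar.xz.sig"
    if verify_with_keyring "$keyring" "$archive.sig" "$archive"; then
        echo "$archive"
    else
        echo "signature check FAILED for $archive; not installing" >&2
        return 1
    fi
}

# Offline self-check of the verification step, run in a subshell so the
# throwaway GNUPGHOME does not leak: generate a key, sign a constructed file,
# confirm the good signature passes and a tampered file fails. Status 0 only
# if both outcomes are as expected ("exit" here ends only the subshell).
selftest() (
    tmp=$(mktemp -d)
    export GNUPGHOME="$tmp/signer"; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'selftest <selftest@example.invalid>' ed25519 sign never \
        >/dev/null 2>&1 || exit 1
    gpg --batch --export > "$tmp/ring.gpg"                # public keys only
    printf 'constructed payload\n' > "$tmp/f"
    gpg --batch --quiet --detach-sign --output "$tmp/f.sig" "$tmp/f" || exit 1
    gpgconf --kill all >/dev/null 2>&1 || true
    # Verify from an empty GNUPGHOME: the keyring file must be the only key source.
    GNUPGHOME="$tmp/verifier"; mkdir -m 700 "$GNUPGHOME"
    verify_with_keyring "$tmp/ring.gpg" "$tmp/f.sig" "$tmp/f" >/dev/null 2>&1 || exit 1
    printf 'tampered payload\n' > "$tmp/f"
    if verify_with_keyring "$tmp/ring.gpg" "$tmp/f.sig" "$tmp/f" >/dev/null 2>&1; then
        exit 1                                            # forged input must not pass
    fi
    rm -rf "$tmp"
    exit 0
)

case "${1:-}" in
    --selftest) if selftest; then echo "selftest: ok"; else echo "selftest: FAILED" >&2; exit 1; fi ;;
    "")         ;;                       # no argument: just define the functions
    *)          fetch_and_verify_dmd "$1" ;;
esac
```

Run `sh verify-dmd.sh --selftest` to exercise the check offline, or `sh verify-dmd.sh 2.088.0` (any release version) to download and verify for real. Two points worth keeping in mind: the keyring fetch is the only step that has to be HTTPS, because everything downloaded over HTTP is only as trustworthy as the keyring it is checked against; and a keyring baked into a CI image fails closed rather than open when a release is signed with a key it does not contain, which is the "needs to be updated every once in a while" cost the quoted question mentions.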