digitalmars.D - DMD downloads over HTTPS
- WebFreak001 (11/11) Sep 26 2019 hi, at the setup-dlang repository (GitHub Action for installing D
- Vladimir Panteleev (12/22) Sep 26 2019 IIRC, the last time we looked into this, which admittedly was
- WebFreak001 (6/12) Sep 26 2019 problem with not being listed is that it might not necessarily be
- Jacob Carlborg (6/9) Sep 27 2019 It is possible to setup SSL yourself?
- sarn (7/13) Sep 27 2019 That would mean downloading through a dlang.org server, but
- WebFreak001 (8/32) Oct 15 2019 I think now it would be possible to set it up for free? As far as
- Seb (6/33) Oct 15 2019 You pay per GB - see e.g.
- WebFreak001 (7/23) Oct 15 2019 an HTTPS endpoint on dlang.org which redirects to the latest
- Petar Kirov [ZombineDev] (4/20) Oct 15 2019 Cloudflare has a free plan which includes DNS + CDN + SSL among
- Seb (5/17) Sep 26 2019 It's possible to access it directly, e.g.
- Kagamin (1/1) Sep 30 2019 Just check the hashes, it's not different from gnupg.
- WebFreak001 (3/4) Sep 30 2019 where do I find the hashes for all past versions, all future
hi, at the setup-dlang repository (GitHub Action for installing D in their CI environment) we are having a discussion about downloading DMD over HTTP could lead to MITM attacks. However downloads.dlang.org doesn't seem to have HTTPS available at all.

Is there some possibility to add HTTPS support to downloads.dlang.org to make sure the downloads function properly? GnuPG isn't listed on the installed binaries in a GitHub Actions environment so it can't be called to check using the provided keyring (which would need to be updated every once in a while too)

See the discussion at https://github.com/mihails-strasuns/setup-dlang/issues/5
Sep 26 2019
On Thursday, 26 September 2019 at 20:06:20 UTC, WebFreak001 wrote:
> hi, at the setup-dlang repository (GitHub Action for installing D in their CI environment) we are having a discussion about downloading DMD over HTTP could lead to MITM attacks. However downloads.dlang.org doesn't seem to have HTTPS available at all.

IIRC, the last time we looked into this, which admittedly was many years ago, was that SSL was an additional paid feature for the Amazon service we use to serve the downloads.

> Is there some possibility to add HTTPS support to downloads.dlang.org to make sure the downloads function properly? GnuPG isn't listed on the installed binaries in a GitHub Actions environment so it can't be called to check using the provided keyring (which would need to be updated every once in a while too)

The keyring is available over HTTPS, so the procedure we currently recommend is to download that and use it to verify the downloads. This is what e.g. the install.sh script does.

BTW, GnuPG is a dependency for many other software (e.g. attempting to remove it on Arch Linux pulls a long string of dependencies making this impossible). It's possible that there is an implied guarantee that GnuPG will be present on the CI systems even though it is not explicitly listed.
Sep 26 2019
On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir Panteleev wrote:
> [...]
> BTW, GnuPG is a dependency for many other software (e.g. attempting to remove it on Arch Linux pulls a long string of dependencies making this impossible). It's possible that there is an implied guarantee that GnuPG will be present on the CI systems even though it is not explicitly listed.

problem with not being listed is that it might not necessarily be installed on either Linux, OSX or Windows. (because it needs to work on all 3 and maybe even new ones when they become available like possibly FreeBSD)
Sep 26 2019
On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir Panteleev wrote:
> IIRC, the last time we looked into this, which admittedly was many years ago, was that SSL was an additional paid feature for the Amazon service we use to serve the downloads.

It is possible to setup SSL yourself? BTW, files attached to GitHub releases are over HTTPS.

--
/Jacob Carlborg
Sep 27 2019
On Friday, 27 September 2019 at 07:50:58 UTC, Jacob Carlborg wrote:
> On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir Panteleev wrote:
>> IIRC, the last time we looked into this, which admittedly was many years ago, was that SSL was an additional paid feature for the Amazon service we use to serve the downloads.
>
> It is possible to setup SSL yourself?

That would mean downloading through a dlang.org server, but they've chosen to host the downloads in S3. I'm guessing Vladimir is talking about using Cloudfront in front of the existing S3 bucket (though any CDN would do the job, Cloudfront is the AWS-integrated option).
Sep 27 2019
On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir Panteleev wrote:
> On Thursday, 26 September 2019 at 20:06:20 UTC, WebFreak001 wrote:
>> hi, at the setup-dlang repository (GitHub Action for installing D in their CI environment) we are having a discussion about downloading DMD over HTTP could lead to MITM attacks. However downloads.dlang.org doesn't seem to have HTTPS available at all.
>
> IIRC, the last time we looked into this, which admittedly was many years ago, was that SSL was an additional paid feature for the Amazon service we use to serve the downloads.
>
>> Is there some possibility to add HTTPS support to downloads.dlang.org to make sure the downloads function properly? GnuPG isn't listed on the installed binaries in a GitHub Actions environment so it can't be called to check using the provided keyring (which would need to be updated every once in a while too)
>
> The keyring is available over HTTPS, so the procedure we currently recommend is to download that and use it to verify the downloads. This is what e.g. the install.sh script does.
>
> BTW, GnuPG is a dependency for many other software (e.g. attempting to remove it on Arch Linux pulls a long string of dependencies making this impossible). It's possible that there is an implied guarantee that GnuPG will be present on the CI systems even though it is not explicitly listed.

I think now it would be possible to set it up for free? As far as I can read these amazon docs it looks like pricing doesn't change with HTTPS:
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html#CNAMEsAndHTTPS
- https://aws.amazon.com/cloudfront/custom-ssl-domains/
Oct 15 2019
On Tuesday, 15 October 2019 at 15:56:43 UTC, WebFreak001 wrote:
> On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir Panteleev wrote:
>> On Thursday, 26 September 2019 at 20:06:20 UTC, WebFreak001 wrote:
>>> [...]
>>
>> IIRC, the last time we looked into this, which admittedly was many years ago, was that SSL was an additional paid feature for the Amazon service we use to serve the downloads.
>>
>>> [...]
>>
>> The keyring is available over HTTPS, so the procedure we currently recommend is to download that and use it to verify the downloads. This is what e.g. the install.sh script does.
>>
>> BTW, GnuPG is a dependency for many other software (e.g. attempting to remove it on Arch Linux pulls a long string of dependencies making this impossible). It's possible that there is an implied guarantee that GnuPG will be present on the CI systems even though it is not explicitly listed.
>
> I think now it would be possible to set it up for free? As far as I can read these amazon docs it looks like pricing doesn't change with HTTPS:
> - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html#CNAMEsAndHTTPS
> - https://aws.amazon.com/cloudfront/custom-ssl-domains/

You pay per GB - see e.g. https://aws.amazon.com/cloudfront/pricing. This is vastly more expensive than the public S3 bucket.

Anyhow, we could be sth. using GitHub releases like LDC or DUB. It's free and they even use S3 buckets under the hood as well.
Oct 15 2019
On Tuesday, 15 October 2019 at 16:49:25 UTC, Seb wrote:
> On Tuesday, 15 October 2019 at 15:56:43 UTC, WebFreak001 wrote:
>> On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir Panteleev wrote:
>>> [...]
>>
>> I think now it would be possible to set it up for free? As far as I can read these amazon docs it looks like pricing doesn't change with HTTPS:
>> - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html#CNAMEsAndHTTPS
>> - https://aws.amazon.com/cloudfront/custom-ssl-domains/
>
> You pay per GB - see e.g. https://aws.amazon.com/cloudfront/pricing. This is vastly more expensive than the public S3 bucket.
>
> Anyhow, we could be sth. using GitHub releases like LDC or DUB. It's free and they even use S3 buckets under the hood as well.

an HTTPS endpoint on dlang.org which redirects to the latest HTTPS GitHub release would be fine I think.

How is downloads.dlang.org currently setup then if HTTPS is not an option and it's not cloudfront? If the domain is under D's control then it's possible to add a LetsEncrypt certificate like on the main page, no?
Oct 15 2019
On Tuesday, 15 October 2019 at 16:49:25 UTC, Seb wrote:
> On Tuesday, 15 October 2019 at 15:56:43 UTC, WebFreak001 wrote:
>> On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir Panteleev wrote:
>>> [...]
>>
>> I think now it would be possible to set it up for free? As far as I can read these amazon docs it looks like pricing doesn't change with HTTPS:
>> - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html#CNAMEsAndHTTPS
>> - https://aws.amazon.com/cloudfront/custom-ssl-domains/
>
> You pay per GB - see e.g. https://aws.amazon.com/cloudfront/pricing. This is vastly more expensive than the public S3 bucket.
>
> Anyhow, we could be sth. using GitHub releases like LDC or DUB. It's free and they even use S3 buckets under the hood as well.

Cloudflare has a free plan which includes DNS + CDN + SSL among other things and I think it would be our best option going forward.
Oct 15 2019
On Thursday, 26 September 2019 at 20:06:20 UTC, WebFreak001 wrote:
> hi, at the setup-dlang repository (GitHub Action for installing D in their CI environment) we are having a discussion about downloading DMD over HTTP could lead to MITM attacks. However downloads.dlang.org doesn't seem to have HTTPS available at all.
>
> Is there some possibility to add HTTPS support to downloads.dlang.org to make sure the downloads function properly? GnuPG isn't listed on the installed binaries in a GitHub Actions environment so it can't be called to check using the provided keyring (which would need to be updated every once in a while too)
>
> See the discussion at https://github.com/mihails-strasuns/setup-dlang/issues/5

It's possible to access it directly, e.g.

https://s3-us-west-2.amazonaws.com/downloads.dlang.org/releases/2.x/2.072.1/dmd_2.072.1-0_amd64.deb

Though this might break if the bucket gets moved to a different region or if there would ever be a switch to a different platform.
Sep 26 2019
On Monday, 30 September 2019 at 08:26:26 UTC, Kagamin wrote:
> Just check the hashes, it's not different from gnupg.

where do I find the hashes for all past versions, all future versions, all pre-release versions and the nightly builds?
Sep 30 2019
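
The hash-checking approach raised at the end of the thread, as an added example that is not code from any poster, from setup-dlang or from install.sh: a download fetched over plain HTTP is accepted only if its SHA-256 matches a digest pinned through an authenticated channel, and a version with no pinned digest (the nightly and pre-release case) is rejected. The function names, the manifest layout and the sample payload are assumptions made for the illustration; only the file name comes from the thread.

```python
import hashlib
import hmac
import io

# Constructed stand-in for a release artifact's bytes (not a real DMD package).
SAMPLE_NAME = "dmd_2.072.1-0_amd64.deb"  # file name taken from the thread
SAMPLE_BYTES = b"constructed sample payload, not a real package\n"

# Pinned digests. Assumption: this manifest reaches the CI job over an
# authenticated channel (committed to the repository or fetched over HTTPS),
# never from the same plain-HTTP origin as the artifact itself.
PINNED_SHA256 = {SAMPLE_NAME: hashlib.sha256(SAMPLE_BYTES).hexdigest()}


class VerificationError(Exception):
    """Raised when an artifact must not be installed."""


def sha256_stream(stream, chunk_size=1 << 16):
    """Hash a file-like object in chunks so large installers stay out of memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(name, stream, pinned=PINNED_SHA256):
    """Return the digest if `stream` matches the pinned hash for `name`, else raise."""
    expected = pinned.get(name)
    if expected is None:
        # Fail closed: a version without a pinned hash is rejected,
        # not installed unverified.
        raise VerificationError(f"no pinned hash for {name}")
    actual = sha256_stream(stream)
    if not hmac.compare_digest(actual, expected.lower()):
        raise VerificationError(f"hash mismatch for {name}")
    return actual


def is_trusted(name, data, pinned=PINNED_SHA256):
    """Boolean wrapper for CI scripts: True only when verification succeeds."""
    try:
        verify_artifact(name, io.BytesIO(data), pinned)
        return True
    except VerificationError:
        return False
```
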