www.digitalmars.com         C & C++   DMDScript  

digitalmars.D - DMD downloads over HTTPS

reply WebFreak001 <d.forum webfreak.org> writes:
hi, at the setup-dlang repository (GitHub Action for installing D 
in their CI environment) we are having a discussion about 
downloading DMD over HTTP could lead to MITM attacks. However 
downloads.dlang.org doesn't seem to have HTTPS available at all.

Is there some possibility to add HTTPS support to 
downloads.dlang.org to make sure the downloads function properly? 
GnuPG isn't listed on the installed binaries in a GitHub Actions 
environment so it can't be called to check using the provided 
keyring (which would need to be updated every once in a while too)

See the discussion at 
https://github.com/mihails-strasuns/setup-dlang/issues/5
Sep 26
next sibling parent reply Vladimir Panteleev <thecybershadow.lists gmail.com> writes:
On Thursday, 26 September 2019 at 20:06:20 UTC, WebFreak001 wrote:
 hi, at the setup-dlang repository (GitHub Action for installing 
 D in their CI environment) we are having a discussion about 
 downloading DMD over HTTP could lead to MITM attacks. However 
 downloads.dlang.org doesn't seem to have HTTPS available at all.
IIRC, the last time we looked into this, which admittedly was many years ago, was that SSL was an additional paid feature for the Amazon service we use to serve the downloads.
 Is there some possibility to add HTTPS support to 
 downloads.dlang.org to make sure the downloads function 
 properly? GnuPG isn't listed on the installed binaries in a 
 GitHub Actions environment so it can't be called to check using 
 the provided keyring (which would need to be updated every once 
 in a while too)
The keyring is available over HTTPS, so the procedure we currently recommend is to download that and use it to verify the downloads. This is what e.g. the install.sh script does. BTW, GnuPG is a dependency for many other software (e.g. attempting to remove it on Arch Linux pulls a long string of dependencies making this impossible). It's possible that there is an implied guarantee that GnuPG will be present on the CI systems even though it is not explicitly listed.
Sep 26
next sibling parent WebFreak001 <d.forum webfreak.org> writes:
On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir 
Panteleev wrote:
 [...]

 BTW, GnuPG is a dependency for many other software (e.g. 
 attempting to remove it on Arch Linux pulls a long string of 
 dependencies making this impossible). It's possible that there 
 is an implied guarantee that GnuPG will be present on the CI 
 systems even though it is not explicitly listed.
problem with not being listed is that it might not necessarily be installed on either Linux, OSX or Windows. (because it needs to work on all 3 and maybe even new ones when they become available like possibly FreeBSD)
Sep 26
prev sibling next sibling parent reply Jacob Carlborg <doob me.com> writes:
On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir 
Panteleev wrote:

 IIRC, the last time we looked into this, which admittedly was 
 many years ago, was that SSL was an additional paid feature for 
 the Amazon service we use to serve the downloads.
It is possible to setup SSL yourself? BTW, files attached to GitHub releases are over HTTPS. -- /Jacob Carlborg
Sep 27
parent sarn <sarn theartofmachinery.com> writes:
On Friday, 27 September 2019 at 07:50:58 UTC, Jacob Carlborg 
wrote:
 On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir 
 Panteleev wrote:

 IIRC, the last time we looked into this, which admittedly was 
 many years ago, was that SSL was an additional paid feature 
 for the Amazon service we use to serve the downloads.
It is possible to setup SSL yourself?
That would mean downloading through a dlang.org server, but they've chosen to host the downloads in S3. I'm guessing Vladimir is talking about using Cloudfront in front of the existing S3 bucket (though any CDN would do the job, Cloudfront is the AWS-integrated option).
Sep 27
prev sibling parent reply WebFreak001 <d.forum webfreak.org> writes:
On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir 
Panteleev wrote:
 On Thursday, 26 September 2019 at 20:06:20 UTC, WebFreak001 
 wrote:
 hi, at the setup-dlang repository (GitHub Action for 
 installing D in their CI environment) we are having a 
 discussion about downloading DMD over HTTP could lead to MITM 
 attacks. However downloads.dlang.org doesn't seem to have 
 HTTPS available at all.
IIRC, the last time we looked into this, which admittedly was many years ago, was that SSL was an additional paid feature for the Amazon service we use to serve the downloads.
 Is there some possibility to add HTTPS support to 
 downloads.dlang.org to make sure the downloads function 
 properly? GnuPG isn't listed on the installed binaries in a 
 GitHub Actions environment so it can't be called to check 
 using the provided keyring (which would need to be updated 
 every once in a while too)
The keyring is available over HTTPS, so the procedure we currently recommend is to download that and use it to verify the downloads. This is what e.g. the install.sh script does. BTW, GnuPG is a dependency for many other software (e.g. attempting to remove it on Arch Linux pulls a long string of dependencies making this impossible). It's possible that there is an implied guarantee that GnuPG will be present on the CI systems even though it is not explicitly listed.
I think now it would be possible to set it up for free? As far as I can read these amazon docs it looks like pricing doesn't change with HTTPS: - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html#CNAMEsAndHTTPS - https://aws.amazon.com/cloudfront/custom-ssl-domains/
Oct 15
parent reply Seb <seb wilzba.ch> writes:
On Tuesday, 15 October 2019 at 15:56:43 UTC, WebFreak001 wrote:
 On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir 
 Panteleev wrote:
 On Thursday, 26 September 2019 at 20:06:20 UTC, WebFreak001 
 wrote:
 [...]
IIRC, the last time we looked into this, which admittedly was many years ago, was that SSL was an additional paid feature for the Amazon service we use to serve the downloads.
 [...]
The keyring is available over HTTPS, so the procedure we currently recommend is to download that and use it to verify the downloads. This is what e.g. the install.sh script does. BTW, GnuPG is a dependency for many other software (e.g. attempting to remove it on Arch Linux pulls a long string of dependencies making this impossible). It's possible that there is an implied guarantee that GnuPG will be present on the CI systems even though it is not explicitly listed.
I think now it would be possible to set it up for free? As far as I can read these amazon docs it looks like pricing doesn't change with HTTPS: - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html#CNAMEsAndHTTPS - https://aws.amazon.com/cloudfront/custom-ssl-domains/
You pay per GB - see e.g. https://aws.amazon.com/cloudfront/pricing. This is vastly more expensive than the public S3 bucket. Anyhow, we could be sth. using GitHub releases like LDC or DUB. It's free and they even use S3 buckets under the hood as well.
Oct 15
next sibling parent WebFreak001 <d.forum webfreak.org> writes:
On Tuesday, 15 October 2019 at 16:49:25 UTC, Seb wrote:
 On Tuesday, 15 October 2019 at 15:56:43 UTC, WebFreak001 wrote:
 On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir 
 Panteleev wrote:
 [...]
I think now it would be possible to set it up for free? As far as I can read these amazon docs it looks like pricing doesn't change with HTTPS: - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html#CNAMEsAndHTTPS - https://aws.amazon.com/cloudfront/custom-ssl-domains/
You pay per GB - see e.g. https://aws.amazon.com/cloudfront/pricing. This is vastly more expensive than the public S3 bucket. Anyhow, we could be sth. using GitHub releases like LDC or DUB. It's free and they even use S3 buckets under the hood as well.
an HTTPS endpoint on dlang.org which redirects to the latest HTTPS GitHub release would be fine I think. How is downloads.dlang.org currently setup then if HTTPS is not an option and it's not cloudfront? If the domain is under D's control then it's possible to add a LetsEncrypt certificate like on the main page, no?
Oct 15
prev sibling parent Petar Kirov [ZombineDev] <petar.p.kirov gmail.com> writes:
On Tuesday, 15 October 2019 at 16:49:25 UTC, Seb wrote:
 On Tuesday, 15 October 2019 at 15:56:43 UTC, WebFreak001 wrote:
 On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir 
 Panteleev wrote:
 [...]
I think now it would be possible to set it up for free? As far as I can read these amazon docs it looks like pricing doesn't change with HTTPS: - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html#CNAMEsAndHTTPS - https://aws.amazon.com/cloudfront/custom-ssl-domains/
You pay per GB - see e.g. https://aws.amazon.com/cloudfront/pricing. This is vastly more expensive than the public S3 bucket. Anyhow, we could be sth. using GitHub releases like LDC or DUB. It's free and they even use S3 buckets under the hood as well.
Cloudflare has a free plan which includes DNS + CDN + SSL among another things and I think it would be our best option going forward.
Oct 15
prev sibling next sibling parent Seb <seb wilzba.ch> writes:
On Thursday, 26 September 2019 at 20:06:20 UTC, WebFreak001 wrote:
 hi, at the setup-dlang repository (GitHub Action for installing 
 D in their CI environment) we are having a discussion about 
 downloading DMD over HTTP could lead to MITM attacks. However 
 downloads.dlang.org doesn't seem to have HTTPS available at all.

 Is there some possibility to add HTTPS support to 
 downloads.dlang.org to make sure the downloads function 
 properly? GnuPG isn't listed on the installed binaries in a 
 GitHub Actions environment so it can't be called to check using 
 the provided keyring (which would need to be updated every once 
 in a while too)

 See the discussion at 
 https://github.com/mihails-strasuns/setup-dlang/issues/5
It's possible to access it directly, e.g. https://s3-us-west-2.amazonaws.com/downloads.dlang.org/releases/2.x/2.072.1/dmd_2.072.1-0_amd64.deb Though this might break if the bucket gets moved to a different region or if there would ever be switch to a different platform.
Sep 26
prev sibling parent reply Kagamin <spam here.lot> writes:
Just check the hashes, it's not different from gnupg.
Sep 30
parent WebFreak001 <d.forum webfreak.org> writes:
On Monday, 30 September 2019 at 08:26:26 UTC, Kagamin wrote:
 Just check the hashes, it's not different from gnupg.
where do I find the hashes for all past versions, all future versions, all pre-release versions and the nightly builds?
Sep 30