digitalmars.D.announce - Release D 2.100.2

Martin Nowak <code dawg.eu> writes:
Glad to announce D 2.100.2, ♥ to the 18 contributors.

http://dlang.org/download.html

This point release fixes a few issues over 2.100.2, see the 
changelog for more details.

http://dlang.org/changelog/2.100.2.html

-Martin
Sep 11 2022
Iain Buclaw <ibuclaw gdcproject.org> writes:
On Sunday, 11 September 2022 at 08:34:40 UTC, Martin Nowak wrote:
 Glad to announce D 2.100.2, ♥ to the 18 contributors.

 http://dlang.org/download.html

 This point release fixes a few issues over 2.100.2, see the 
 changelog for more details.

 http://dlang.org/changelog/2.100.2.html

 -Martin
Thanks for your hard work and effort doing this! Not nearly enough praise has been given for you keeping this up for many years. Wish you all the best!
Sep 22 2022
JN <666total wp.pl> writes:
On Sunday, 11 September 2022 at 08:34:40 UTC, Martin Nowak wrote:
 Glad to announce D 2.100.2, ♥ to the 18 contributors.

 http://dlang.org/download.html

 This point release fixes a few issues over 2.100.2, see the 
 changelog for more details.

 http://dlang.org/changelog/2.100.2.html

 -Martin
Windows is showing SmartScreen warnings when trying to run the Windows installer. Also, the installed version reports as v2.100.2-dirty.
Nov 01 2022
Ruby The Roobster <rubytheroobster yandex.com> writes:
On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
 On Sunday, 11 September 2022 at 08:34:40 UTC, Martin Nowak 
 wrote:
 Glad to announce D 2.100.2, ♥ to the 18 contributors.

 http://dlang.org/download.html

 This point release fixes a few issues over 2.100.2, see the 
 changelog for more details.

 http://dlang.org/changelog/2.100.2.html

 -Martin
Windows is showing SmartScreen warnings when trying to run the Windows installer. Also, the installed version reports as v2.100.2-dirty.
The next few releases are unsigned as those with the keys cannot be contacted (or, that's from what I've heard.)
Nov 01 2022
Iain Buclaw <ibuclaw gdcproject.org> writes:
On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster 
wrote:
 On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
 Windows is showing SmartScreen warnings when trying to run the 
 Windows installer. Also, the installed version reports as 
 v2.100.2-dirty.
The next few releases are unsigned as those with the keys cannot be contacted (or, that's from what I've heard.)
Code signing certs have been expired for nearly two years now, and are no longer functional. It is not yet decided what this should be replaced with, granted that buying a cert now is both eye-wateringly more expensive compared to 2016, and appears to force you to have some form of 2FA - be it hardware token or cloud signing platform.
Nov 03 2022
Guillaume Piolat <first.last spam.org> writes:
On Friday, 4 November 2022 at 02:44:57 UTC, Iain Buclaw wrote:
 On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster 
 wrote:
 On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
 Windows is showing SmartScreen warnings when trying to run 
 the Windows installer. Also, the installed version reports as 
 v2.100.2-dirty.
The next few releases are unsigned as those with the keys cannot be contacted (or, that's from what I've heard.)
Code signing certs have been expired for nearly two years now, and are no longer functional. It is not yet decided what this should be replaced with, granted that buying a cert now is both eye-wateringly more expensive compared to 2016, and appears to force you to have some form of 2FA - be it hardware token or cloud signing platform.
Last time I had to do this: Basically you have Certum.pl which provides cloud-signing, this company responds quickly, getting an individual OV certificate takes about 2-3 days. "cloud" signing needs a phone token, a phone app SimplySign, that lasts 15 minutes or so.

On the other hand, .p12/.pfx vendors are almost entirely COMODO/Sectigo now, it works offline, getting a certificate is more painful with them and will require a hardware token even for OV beginning this month.

0. It's less hassle not to do anything, but well we could have a supply-chain attack one day.
1. If cloud/simplysign workflow is OK, Certum may be less hassle.
2. Possibly safer / less problems in build to just get the EV from Sectigo in a hardware token. Especially if you commit the secret in CI.

Since November signing will require hardware token or private key in cloud (2FA).
Nov 04 2022
Iain Buclaw <ibuclaw gdcproject.org> writes:
On Friday, 4 November 2022 at 12:39:04 UTC, Guillaume Piolat 
wrote:
 On Friday, 4 November 2022 at 02:44:57 UTC, Iain Buclaw wrote:
 On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster 
 wrote:
 On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
 Windows is showing SmartScreen warnings when trying to run 
 the Windows installer. Also, the installed version reports 
 as v2.100.2-dirty.
The next few releases are unsigned as those with the keys cannot be contacted (or, that's from what I've heard.)
Code signing certs have been expired for nearly two years now, and are no longer functional. It is not yet decided what this should be replaced with, granted that buying a cert now is both eye-wateringly more expensive compared to 2016, and appears to force you to have some form of 2FA - be it hardware token or cloud signing platform.
Last time I had to do this: Basically you have Certum.pl which provides cloud-signing, this company responds quickly, getting an individual OV certificate takes about 2-3 days. "cloud" signing needs a phone token, a phone app SimplySign, that lasts 15 minutes or so.
If this can be distributed between a group of people - let's say six or more - that might be OK, but not exactly as seamless as, say, just trigger a GitHub runner pipeline and walk away.
 On the other hand, .p12/.pfx vendors are almost entirely 
 COMODO/Sectigo now, it works offline, getting a certificate is 
 more painful with them and will require a hardware token even 
 for OV beginning this month.

 0. It's less hassle not to do anything, but well we could have 
 a supply-chain attack one day.
 1. If cloud/simplysign workflow is OK, Certum may be less 
 hassle.
 2. Possibly safer / less problems in build to just get the EV 
 from Sectigo in a hardware token. Especially if you commit the 
 secret in CI.

 Since November signing will require hardware token or private 
 key in cloud (2FA).
What does in a hardware token mean for us? Is it required to have it to hand every time we have to sign a beta, rc, final release binary? Does it bind us to a specific OS because of locked in proprietary tools? In what way would it hamper the ability to sign built binaries on a virtual machine, in a remote server, behind a read-only console UI?
Nov 04 2022
Guillaume Piolat <first.last spam.org> writes:
On Friday, 4 November 2022 at 13:01:09 UTC, Iain Buclaw wrote:
 What does in a hardware token mean for us? Is it required to 
 have it to hand every time we have to sign a beta, rc, final 
 release binary?  Does it bind us to a specific OS because of 
 locked in proprietary tools?
Unfortunately I don't know.
 In what way would it hamper the ability to sign built binaries 
 on a virtual machine, in a remote server, behind a read-only 
 console UI?
Probably in a big way. Previously, I would just commit the .pfx/.p12, this will be soon impossible (granted, this lowers security to commit the cert). This won't be possible, perhaps already is. The Certum "cloud" solution needs a desktop app AND a phone APP (Android/iPhone), and is unsuitable for CI.

All this just for Windows code signing. My prediction is that in a few years Microsoft will stop this nightmare and do like Apple and you will just cloud-sign stuff with a microsoft.com account. This will be a lot better.

---- THAT SAID ----

Now, codesigning certificates do not provide automatic warning removal. Every Windows program has an Authenticode score, having an EV just gets you a high score from the get go, but you still have reputation. So the only thing you buy is freedom from the warning pop-up and the user gets some safety. An OV gets no initial reputation, and the word on the street is that when you change cert every 3 years you must regain that reputation.

One could perhaps use a self-signed certificate that will allow to reuse that Authenticode reputation, I'm not sure.
Nov 04 2022
Guillaume Piolat <first.last spam.org> writes:
On Friday, 4 November 2022 at 14:14:43 UTC, Guillaume Piolat 
wrote:
 One could perhaps use a self-signed certificate that will allow 
 to reuse that Authenticode reputation, I'm not sure.
Now, to be very clear: there is a chance that even a non-CA certificate would accumulate trust, since according to MS:
 Application reputation for unsigned software is based on 
 fingerprints while publisher reputation is based on signed 
 software associated with a code signing certificate.
It's not entirely clear that you absolutely require a real trusted CA to get that reputation.
Nov 04 2022