I think one should try to test the installation procedures of downloads on dlang.org. The installation script fails on Os-X because GPG is not available, please consider using SHA instead with the fingerprint available from a https url, or use more than one method.

Also, the download.dlang.org subset is not available as https, dlang.org itself uses https, but not the http://downloads.dlang.org/releases/2.x/2.089.0/ .  traceroute lists a looooong list of servers, so this could be a potential issue.

Roadbumps like these are enough to loose new users before they even got started.

In comparison rust installs flawlessly using: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

On Monday, 18 November 2019 at 10:11:11 UTC, Ola Fosheim Grøstad wrote:
> Roadbumps like these are enough to loose new users before they even got started.

Another issue is that OS-X Catalina requires programs to be notarized with Apple, otherwise you have to go into preferences/security and make an exception for dmd... That this also applies to command line programs is new in the latest version of OS-X AFAIK. Maybe look at what rust does?

On Monday, 18 November 2019 at 13:26:54 UTC, Ola Fosheim Grøstad wrote:
> Another issue is that OS-X Catalina requires programs to be notarized with Apple, otherwise you have to go into preferences/security and make an exception for dmd... That this also applies to command line programs is new in the latest version of OS-X AFAIK. Maybe look at what rust does?

This has already been reported [1]. It doesn’t apply to all ways of downloading. It applies if the executable was downloaded using a web browser but not curl. It basically applies to executables with the quarantine bit set. Downloading using a browser will set that bit. It can also be manually removed with the `xattr` command.

IIRC, notarizing requires a paid developer account.

[1] https://issues.dlang.org/show_bug.cgi?id=20124

—
/Jacob Carlborg

On Monday, 18 November 2019 at 15:45:31 UTC, Jacob Carlborg wrote:
> This has already been reported [1]. It doesn’t apply to all ways of downloading. It applies if the executable was downloaded using a web browser but not curl. It basically applies to executables with the quarantine bit set. Downloading using a browser will set that bit. It can also be manually removed with the `xattr` command.

Hm. I thought I downloaded that tar file with curl... but maybe I didn't.

> IIRC, notarizing requires a paid developer account.

I wonder though, is it possible to distribute compilers with App Store, or are those apps always sandboxed?

On Monday, 18 November 2019 at 16:30:02 UTC, Ola Fosheim Gr wrote:
> On Monday, 18 November 2019 at 15:45:31 UTC, Jacob Carlborg wrote:
>> This has already been reported [1]. It doesn’t apply to all ways of downloading. It applies if the executable was downloaded using a web browser but not curl. It basically applies to executables with the quarantine bit set. Downloading using a browser will set that bit. It can also be manually removed with the `xattr` command.
>
> Hm. I thought I downloaded that tar file with curl... but maybe I didn't.

Yep, you are right. I downloaded the tar-archive with the browser. Interesting that they track files unpacked from the archive.

I personally dislike long installation scripts. It is kinda clever to support all compilers with one script, but it takes time to go over it to ensure that it does not mess up the file system...  I rarely download scripts and execute them without looking at them first.

On Monday, 18 November 2019 at 16:30:02 UTC, Ola Fosheim Gr wrote:

> I wonder though, is it possible to distribute compilers with App Store,

Yes. Xcode is distributed through the App Store. The compiler (and other command line tools) are bundled deep inside the Xcode.app bundled. The commands that you can access directly in the terminal are installed by default and just act as wrappers/forwarders to the tools inside the Xcode bundle. So Apple is cheating a bit.

> or are those apps always sandboxed?

Yes.

--
/Jacob Carlborg

On Tuesday, 19 November 2019 at 08:29:23 UTC, Ola Fosheim Grøstad wrote:

> I personally dislike long installation scripts. It is kinda clever to support all compilers with one script, but it takes time to go over it to ensure that it does not mess up the file system...  I rarely download scripts and execute them without looking at them first.

How do you deal with installers that are not scripts that you can not look at what they do? This includes package mangers.

--
/Jacob Carlborg

On Wednesday, 20 November 2019 at 08:57:43 UTC, Jacob Carlborg wrote:
> How do you deal with installers that are not scripts that you can not look at what they do? This includes package mangers.

They are a PITA and I use package mangers as little as possible (I'd rather grab from github where it makes sense).

I essentially split my coding platform in two:

1. Production use, here I only use the ones I really can't do without, e.g. macports, Google's stuff, and some npm (which unfortunately is needed to set up Angular, but I don't like that I have to trust it) and some pip (which I also am a bit weary about).

2. Fun stuff, I create a separate user account for this, but still try to read install scripts from smaller communities (larger communities have more eyeballs).

If I don't trust the install-script, or it breaks, then I look at what the script does and do it manually (like I did for building LDC the other day). Fortunately the D install script was well-structured (albeit a bit long).

On Wednesday, 20 November 2019 at 09:07:29 UTC, Ola Fosheim Grøstad wrote:

> If I don't trust the install-script, or it breaks, then I look at what the script does and do it manually (like I did for building LDC the other day). Fortunately the D install script was well-structured (albeit a bit long).

Neither DMD nor LDC need to be installed. Just download the archive, unpack and run the compiler.

--
/Jacob Carlborg

On Wednesday, 20 November 2019 at 12:17:26 UTC, Jacob Carlborg wrote:
> Neither DMD nor LDC need to be installed. Just download the archive, unpack and run the compiler.

Yes, but I ended up manually verifying the GPG signature.