hi, at the setup-dlang repository (GitHub Action for installing D in their CI environment) we are having a discussion about downloading DMD over HTTP could lead to MITM attacks. However downloads.dlang.org doesn't seem to have HTTPS available at all.

Is there some possibility to add HTTPS support to downloads.dlang.org to make sure the downloads function properly? GnuPG isn't listed on the installed binaries in a GitHub Actions environment so it can't be called to check using the provided keyring (which would need to be updated every once in a while too)

See the discussion at https://github.com/mihails-strasuns/setup-dlang/issues/5

On Thursday, 26 September 2019 at 20:06:20 UTC, WebFreak001 wrote:
> hi, at the setup-dlang repository (GitHub Action for installing D in their CI environment) we are having a discussion about downloading DMD over HTTP could lead to MITM attacks. However downloads.dlang.org doesn't seem to have HTTPS available at all.

IIRC, the last time we looked into this, which admittedly was many years ago, was that SSL was an additional paid feature for the Amazon service we use to serve the downloads.

> Is there some possibility to add HTTPS support to downloads.dlang.org to make sure the downloads function properly? GnuPG isn't listed on the installed binaries in a GitHub Actions environment so it can't be called to check using the provided keyring (which would need to be updated every once in a while too)

The keyring is available over HTTPS, so the procedure we currently recommend is to download that and use it to verify the downloads. This is what e.g. the install.sh script does.

BTW, GnuPG is a dependency for many other software (e.g. attempting to remove it on Arch Linux pulls a long string of dependencies making this impossible). It's possible that there is an implied guarantee that GnuPG will be present on the CI systems even though it is not explicitly listed.

On Thursday, 26 September 2019 at 20:06:20 UTC, WebFreak001 wrote:
> hi, at the setup-dlang repository (GitHub Action for installing D in their CI environment) we are having a discussion about downloading DMD over HTTP could lead to MITM attacks. However downloads.dlang.org doesn't seem to have HTTPS available at all.
>
> Is there some possibility to add HTTPS support to downloads.dlang.org to make sure the downloads function properly? GnuPG isn't listed on the installed binaries in a GitHub Actions environment so it can't be called to check using the provided keyring (which would need to be updated every once in a while too)
>
> See the discussion at https://github.com/mihails-strasuns/setup-dlang/issues/5


It's possible to access it directly, e.g.

https://s3-us-west-2.amazonaws.com/downloads.dlang.org/releases/2.x/2.072.1/dmd_2.072.1-0_amd64.deb

Though this might break if the bucket gets moved to a different region or if there would ever be switch to a different platform.

On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir Panteleev wrote:
> [...]
>
> BTW, GnuPG is a dependency for many other software (e.g. attempting to remove it on Arch Linux pulls a long string of dependencies making this impossible). It's possible that there is an implied guarantee that GnuPG will be present on the CI systems even though it is not explicitly listed.

problem with not being listed is that it might not necessarily be installed on either Linux, OSX or Windows. (because it needs to work on all 3 and maybe even new ones when they become available like possibly FreeBSD)

On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir Panteleev wrote:

> IIRC, the last time we looked into this, which admittedly was many years ago, was that SSL was an additional paid feature for the Amazon service we use to serve the downloads.

It is possible to setup SSL yourself?

BTW, files attached to GitHub releases are over HTTPS.

--
/Jacob Carlborg

On Friday, 27 September 2019 at 07:50:58 UTC, Jacob Carlborg wrote:
> On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir Panteleev wrote:
>
>> IIRC, the last time we looked into this, which admittedly was many years ago, was that SSL was an additional paid feature for the Amazon service we use to serve the downloads.
>
> It is possible to setup SSL yourself?

That would mean downloading through a dlang.org server, but they've chosen to host the downloads in S3.

I'm guessing Vladimir is talking about using Cloudfront in front of the existing S3 bucket (though any CDN would do the job, Cloudfront is the AWS-integrated option).

Just check the hashes, it's not different from gnupg.

On Monday, 30 September 2019 at 08:26:26 UTC, Kagamin wrote:
> Just check the hashes, it's not different from gnupg.

where do I find the hashes for all past versions, all future versions, all pre-release versions and the nightly builds?

On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir Panteleev wrote:
> On Thursday, 26 September 2019 at 20:06:20 UTC, WebFreak001 wrote:
>> hi, at the setup-dlang repository (GitHub Action for installing D in their CI environment) we are having a discussion about downloading DMD over HTTP could lead to MITM attacks. However downloads.dlang.org doesn't seem to have HTTPS available at all.
>
> IIRC, the last time we looked into this, which admittedly was many years ago, was that SSL was an additional paid feature for the Amazon service we use to serve the downloads.
>
>> Is there some possibility to add HTTPS support to downloads.dlang.org to make sure the downloads function properly? GnuPG isn't listed on the installed binaries in a GitHub Actions environment so it can't be called to check using the provided keyring (which would need to be updated every once in a while too)
>
> The keyring is available over HTTPS, so the procedure we currently recommend is to download that and use it to verify the downloads. This is what e.g. the install.sh script does.
>
> BTW, GnuPG is a dependency for many other software (e.g. attempting to remove it on Arch Linux pulls a long string of dependencies making this impossible). It's possible that there is an implied guarantee that GnuPG will be present on the CI systems even though it is not explicitly listed.

I think now it would be possible to set it up for free? As far as I can read these amazon docs it looks like pricing doesn't change with HTTPS:
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html#CNAMEsAndHTTPS
- https://aws.amazon.com/cloudfront/custom-ssl-domains/

On Tuesday, 15 October 2019 at 15:56:43 UTC, WebFreak001 wrote:
> On Thursday, 26 September 2019 at 21:26:38 UTC, Vladimir Panteleev wrote:
>> On Thursday, 26 September 2019 at 20:06:20 UTC, WebFreak001 wrote:
>>> [...]
>>
>> IIRC, the last time we looked into this, which admittedly was many years ago, was that SSL was an additional paid feature for the Amazon service we use to serve the downloads.
>>
>>> [...]
>>
>> The keyring is available over HTTPS, so the procedure we currently recommend is to download that and use it to verify the downloads. This is what e.g. the install.sh script does.
>>
>> BTW, GnuPG is a dependency for many other software (e.g. attempting to remove it on Arch Linux pulls a long string of dependencies making this impossible). It's possible that there is an implied guarantee that GnuPG will be present on the CI systems even though it is not explicitly listed.
>
> I think now it would be possible to set it up for free? As far as I can read these amazon docs it looks like pricing doesn't change with HTTPS:
> - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html#CNAMEsAndHTTPS
> - https://aws.amazon.com/cloudfront/custom-ssl-domains/

You pay per GB - see e.g. https://aws.amazon.com/cloudfront/pricing. This is vastly more expensive than the public S3 bucket.

Anyhow, we could be sth. using GitHub releases like LDC or DUB. It's free and they even use S3 buckets under the hood as well.