Thread overview: Release D 2.100.2

- Sep 11, 2022: Martin Nowak
- Sep 22, 2022: Iain Buclaw
- Nov 01, 2022: JN
- Nov 01, 2022: Ruby The Roobster
- Nov 04, 2022: Iain Buclaw
- Nov 04, 2022: Guillaume Piolat
- Nov 04, 2022: Iain Buclaw
- Nov 04, 2022: Guillaume Piolat
- Nov 04, 2022: Guillaume Piolat
September 11, 2022

Glad to announce D 2.100.2, ♥ to the 18 contributors.

http://dlang.org/download.html

This point release fixes a few issues over 2.100.2, see the changelog for more details.

http://dlang.org/changelog/2.100.2.html

-Martin

September 22, 2022

On Sunday, 11 September 2022 at 08:34:40 UTC, Martin Nowak wrote:

> Glad to announce D 2.100.2, ♥ to the 18 contributors.
>
> http://dlang.org/download.html
>
> This point release fixes a few issues over 2.100.2, see the changelog for more details.
>
> http://dlang.org/changelog/2.100.2.html
>
> -Martin

Thanks for your hard work and effort doing this! Not nearly enough praise has been given for you keeping this up for many years.

Wish you all the best!

November 01, 2022

On Sunday, 11 September 2022 at 08:34:40 UTC, Martin Nowak wrote:

> Glad to announce D 2.100.2, ♥ to the 18 contributors.
>
> http://dlang.org/download.html
>
> This point release fixes a few issues over 2.100.2, see the changelog for more details.
>
> http://dlang.org/changelog/2.100.2.html
>
> -Martin

Windows is showing SmartScreen warnings when trying to run the Windows installer. Also, the installed version reports as v2.100.2-dirty.
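An added check, not from the thread, that a user or release engineer can run in PowerShell before launching a downloaded installer: it reports the Authenticode status, signer and certificate validity that SmartScreen reacts to, plus the file's SHA-256 for comparison with the published checksum. The installer path is an assumed placeholder.

```powershell
# Added example, not from the thread: inspect the Authenticode state of a downloaded
# installer before running it. The path used below is an assumed placeholder.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $result = [ordered]@{
        Path      = $Path
        Status    = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Message   = $sig.StatusMessage
        Signer    = $null
        Issuer    = $null
        NotAfter  = $null
        Timestamp = $null
        Sha256    = $hash
    }

    if ($sig.SignerCertificate) {
        # The certificate is still reported when Status is NotTrusted
        # (for example an expired or self-signed signing certificate).
        $result.Signer   = $sig.SignerCertificate.Subject
        $result.Issuer   = $sig.SignerCertificate.Issuer
        $result.NotAfter = $sig.SignerCertificate.NotAfter
    }
    if ($sig.TimeStamperCertificate) {
        # A countersignature timestamp keeps a valid signature verifiable
        # after the signing certificate itself expires.
        $result.Timestamp = $sig.TimeStamperCertificate.Subject
    }

    [pscustomobject]$result
}

# Usage with a placeholder path. An unsigned installer reports Status = NotSigned,
# the case where SmartScreen judges the file by its hash reputation alone.
$r = Test-InstallerSignature -Path 'C:\Downloads\d-installer.exe'
$r | Format-List
if ($r.Status -ne 'Valid') {
    Write-Warning "No valid signature: compare Sha256 with the checksum published for the release."
}
```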

November 01, 2022

On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:

> On Sunday, 11 September 2022 at 08:34:40 UTC, Martin Nowak wrote:
>
>> Glad to announce D 2.100.2, ♥ to the 18 contributors.
>>
>> http://dlang.org/download.html
>>
>> This point release fixes a few issues over 2.100.2, see the changelog for more details.
>>
>> http://dlang.org/changelog/2.100.2.html
>>
>> -Martin
>
> Windows is showing SmartScreen warnings when trying to run the Windows installer. Also, the installed version reports as v2.100.2-dirty.

The next few releases are unsigned as those with the keys cannot be contacted (or, that's from what I've heard.)

November 04, 2022

On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster wrote:

> On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
>
>> Windows is showing SmartScreen warnings when trying to run the Windows installer. Also, the installed version reports as v2.100.2-dirty.
>
> The next few releases are unsigned as those with the keys cannot be contacted (or, that's from what I've heard.)

Code signing certs have been expired for nearly two years now, and are no longer functional. It is not yet decided what this should be replaced with, granted that buying a cert now is both eye-wateringly more expensive compared to 2016, and appears to force you to have some form of 2FA - be it hardware token or cloud signing platform.

November 04, 2022

On Friday, 4 November 2022 at 02:44:57 UTC, Iain Buclaw wrote:

> On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster wrote:
>
>> On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
>>
>>> Windows is showing SmartScreen warnings when trying to run the Windows installer. Also, the installed version reports as v2.100.2-dirty.
>>
>> The next few releases are unsigned as those with the keys cannot be contacted (or, that's from what I've heard.)
>
> Code signing certs have been expired for nearly two years now, and are no longer functional. It is not yet decided what this should be replaced with, granted that buying a cert now is both eye-wateringly more expensive compared to 2016, and appears to force you to have some form of 2FA - be it hardware token or cloud signing platform.

Last time I had to do this:

Basically you have Certum.pl, which provides cloud signing; this company responds quickly, and getting an individual OV certificate takes about 2-3 days.
"Cloud" signing needs a phone token, a phone app (SimplySign), that lasts 15 minutes or so.

On the other hand, .p12/.pfx vendors are almost entirely COMODO/Sectigo now, it works offline, getting a certificate is more painful with them and will require a hardware token even for OV beginning this month.

  1. It's less hassle not to do anything, but well we could have a supply-chain attack one day.
  2. If cloud/simplysign workflow is OK, Certum may be less hassle.
  3. Possibly safer / less problems in build to just get the EV from Sectigo in a hardware token. Especially if you commit the secret in CI.

Since November signing will require hardware token or private key in cloud (2FA).

November 04, 2022

On Friday, 4 November 2022 at 12:39:04 UTC, Guillaume Piolat wrote:

> On Friday, 4 November 2022 at 02:44:57 UTC, Iain Buclaw wrote:
>
>> On Tuesday, 1 November 2022 at 21:56:39 UTC, Ruby The Roobster wrote:
>>
>>> On Tuesday, 1 November 2022 at 19:57:11 UTC, JN wrote:
>>>
>>>> Windows is showing SmartScreen warnings when trying to run the Windows installer. Also, the installed version reports as v2.100.2-dirty.
>>>
>>> The next few releases are unsigned as those with the keys cannot be contacted (or, that's from what I've heard.)
>>
>> Code signing certs have been expired for nearly two years now, and are no longer functional. It is not yet decided what this should be replaced with, granted that buying a cert now is both eye-wateringly more expensive compared to 2016, and appears to force you to have some form of 2FA - be it hardware token or cloud signing platform.
>
> Last time I had to do this:
>
> Basically you have Certum.pl, which provides cloud signing; this company responds quickly, and getting an individual OV certificate takes about 2-3 days.
> "Cloud" signing needs a phone token, a phone app (SimplySign), that lasts 15 minutes or so.

If this can be distributed between a group of people - let's say six or more - that might be OK, but not exactly as seamless as, say, just triggering a GitHub runner pipeline and walking away.

> On the other hand, .p12/.pfx vendors are almost entirely COMODO/Sectigo now, it works offline, getting a certificate is more painful with them and will require a hardware token even for OV beginning this month.
>
>   1. It's less hassle not to do anything, but well we could have a supply-chain attack one day.
>   2. If cloud/simplysign workflow is OK, Certum may be less hassle.
>   3. Possibly safer / less problems in build to just get the EV from Sectigo in a hardware token. Especially if you commit the secret in CI.
>
> Since November signing will require hardware token or private key in cloud (2FA).

What does "in a hardware token" mean for us? Is it required to have it to hand every time we have to sign a beta, rc, final release binary? Does it bind us to a specific OS because of locked-in proprietary tools? In what way would it hamper the ability to sign built binaries on a virtual machine, in a remote server, behind a read-only console UI?

November 04, 2022

On Friday, 4 November 2022 at 13:01:09 UTC, Iain Buclaw wrote:

> What does "in a hardware token" mean for us? Is it required to have it to hand every time we have to sign a beta, rc, final release binary? Does it bind us to a specific OS because of locked-in proprietary tools?

Unfortunately I don't know.

> In what way would it hamper the ability to sign built binaries on a virtual machine, in a remote server, behind a read-only console UI?

Probably in a big way.

Previously, I would just commit the .pfx/.p12; this will soon be impossible (granted, committing the cert lowers security). This won't be possible, perhaps already isn't.

The Certum "cloud" solution needs a desktop app AND a phone app (Android/iPhone), and is unsuitable for CI.

All this just for Windows code signing.

My prediction is that in a few years Microsoft will stop this nightmare and do like Apple and you will just cloud-sign stuff with a microsoft.com account. This will be a lot better.

---- THAT SAID ----

Now, code-signing certificates do not provide automatic warning removal. Every Windows program has an Authenticode score; having an EV just gets you a high score from the get-go, but you still have reputation. So the only thing you buy is freedom from the warning pop-up, and the user gets some safety. An OV gets no initial reputation, and the word on the street is that when you change cert every 3 years you must regain that reputation.

One could perhaps use a self-signed certificate that will allow to reuse that Authenticode reputation, I'm not sure.

November 04, 2022

On Friday, 4 November 2022 at 14:14:43 UTC, Guillaume Piolat wrote:

> One could perhaps use a self-signed certificate that will allow to reuse that Authenticode reputation, I'm not sure.

Now, to be very clear: there is a chance that even a non-CA certificate would accumulate trust, since according to MS:

> Application reputation for unsigned software is based on fingerprints while publisher reputation is based on signed software associated with a code signing certificate.

It's not entirely clear that you absolutely require a real trusted CA to get that reputation.