www.digitalmars.com         C & C++   DMDScript  

digitalmars.D - Installation failures and https

reply Ola Fosheim =?UTF-8?B?R3LDuHN0YWQ=?= <ola.fosheim.grostad gmail.com> writes:
I think one should try to test the installation procedures of 
downloads on dlang.org. The installation script fails on Os-X 
because GPG is not available, please consider using SHA instead 
with the fingerprint available from a https url, or use more than 
one method.

Also, the download.dlang.org subset is not available as https, 
dlang.org itself uses https, but not the 
http://downloads.dlang.org/releases/2.x/2.089.0/ .  traceroute 
lists a looooong list of servers, so this could be a potential 
issue.

Roadbumps like these are enough to loose new users before they 
even got started.

In comparison rust installs flawlessly using: curl --proto 
'=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
Nov 18 2019
parent reply Ola Fosheim =?UTF-8?B?R3LDuHN0YWQ=?= <ola.fosheim.grostad gmail.com> writes:
On Monday, 18 November 2019 at 10:11:11 UTC, Ola Fosheim Grøstad 
wrote:
 Roadbumps like these are enough to loose new users before they 
 even got started.
Another issue is that OS-X Catalina requires programs to be notarized with Apple, otherwise you have to go into preferences/security and make an exception for dmd... That this also applies to command line programs is new in the latest version of OS-X AFAIK. Maybe look at what rust does?
Nov 18 2019
parent reply Jacob Carlborg <doob me.com> writes:
On Monday, 18 November 2019 at 13:26:54 UTC, Ola Fosheim Grøstad 
wrote:
 Another issue is that OS-X Catalina requires programs to be 
 notarized with Apple, otherwise you have to go into 
 preferences/security and make an exception for dmd... That this 
 also applies to command line programs is new in the latest 
 version of OS-X AFAIK. Maybe look at what rust does?
This has already been reported [1]. It doesn’t apply to all ways of downloading. It applies if the executable was downloaded using a web browser but not curl. It basically applies to executables with the quarantine bit set. Downloading using a browser will set that bit. It can also be manually removed with the `xattr` command. IIRC, notarizing requires a paid developer account. [1] https://issues.dlang.org/show_bug.cgi?id=20124 — /Jacob Carlborg
Nov 18 2019
parent reply Ola Fosheim Gr <ola.fosheim.grostad gmail.com> writes:
On Monday, 18 November 2019 at 15:45:31 UTC, Jacob Carlborg wrote:
 This has already been reported [1]. It doesn’t apply to all 
 ways of downloading. It applies if the executable was 
 downloaded using a web browser but not curl. It basically 
 applies to executables with the quarantine bit set. Downloading 
 using a browser will set that bit. It can also be manually 
 removed with the `xattr` command.
Hm. I thought I downloaded that tar file with curl... but maybe I didn't.
 IIRC, notarizing requires a paid developer account.
I wonder though, is it possible to distribute compilers with App Store, or are those apps always sandboxed?
Nov 18 2019
next sibling parent reply Ola Fosheim =?UTF-8?B?R3LDuHN0YWQ=?= <ola.fosheim.grostad gmail.com> writes:
On Monday, 18 November 2019 at 16:30:02 UTC, Ola Fosheim Gr wrote:
 On Monday, 18 November 2019 at 15:45:31 UTC, Jacob Carlborg 
 wrote:
 This has already been reported [1]. It doesn’t apply to all 
 ways of downloading. It applies if the executable was 
 downloaded using a web browser but not curl. It basically 
 applies to executables with the quarantine bit set. 
 Downloading using a browser will set that bit. It can also be 
 manually removed with the `xattr` command.
Hm. I thought I downloaded that tar file with curl... but maybe I didn't.
Yep, you are right. I downloaded the tar-archive with the browser. Interesting that they track files unpacked from the archive. I personally dislike long installation scripts. It is kinda clever to support all compilers with one script, but it takes time to go over it to ensure that it does not mess up the file system... I rarely download scripts and execute them without looking at them first.
Nov 19 2019
parent reply Jacob Carlborg <doob me.com> writes:
On Tuesday, 19 November 2019 at 08:29:23 UTC, Ola Fosheim Grøstad 
wrote:

 I personally dislike long installation scripts. It is kinda 
 clever to support all compilers with one script, but it takes 
 time to go over it to ensure that it does not mess up the file 
 system...  I rarely download scripts and execute them without 
 looking at them first.
How do you deal with installers that are not scripts that you can not look at what they do? This includes package mangers. -- /Jacob Carlborg
Nov 20 2019
parent reply Ola Fosheim =?UTF-8?B?R3LDuHN0YWQ=?= <ola.fosheim.grostad gmail.com> writes:
On Wednesday, 20 November 2019 at 08:57:43 UTC, Jacob Carlborg 
wrote:
 How do you deal with installers that are not scripts that you 
 can not look at what they do? This includes package mangers.
They are a PITA and I use package mangers as little as possible (I'd rather grab from github where it makes sense). I essentially split my coding platform in two: 1. Production use, here I only use the ones I really can't do without, e.g. macports, Google's stuff, and some npm (which unfortunately is needed to set up Angular, but I don't like that I have to trust it) and some pip (which I also am a bit weary about). 2. Fun stuff, I create a separate user account for this, but still try to read install scripts from smaller communities (larger communities have more eyeballs). If I don't trust the install-script, or it breaks, then I look at what the script does and do it manually (like I did for building LDC the other day). Fortunately the D install script was well-structured (albeit a bit long).
Nov 20 2019
parent reply Jacob Carlborg <doob me.com> writes:
On Wednesday, 20 November 2019 at 09:07:29 UTC, Ola Fosheim 
Grøstad wrote:

 If I don't trust the install-script, or it breaks, then I look 
 at what the script does and do it manually (like I did for 
 building LDC the other day). Fortunately the D install script 
 was well-structured (albeit a bit long).
Neither DMD nor LDC need to be installed. Just download the archive, unpack and run the compiler. -- /Jacob Carlborg
Nov 20 2019
parent Ola Fosheim =?UTF-8?B?R3LDuHN0YWQ=?= <ola.fosheim.grostad gmail.com> writes:
On Wednesday, 20 November 2019 at 12:17:26 UTC, Jacob Carlborg 
wrote:
 Neither DMD nor LDC need to be installed. Just download the 
 archive, unpack and run the compiler.
Yes, but I ended up manually verifying the GPG signature.
Nov 20 2019
prev sibling parent Jacob Carlborg <doob me.com> writes:
On Monday, 18 November 2019 at 16:30:02 UTC, Ola Fosheim Gr wrote:

 I wonder though, is it possible to distribute compilers with 
 App Store,
Yes. Xcode is distributed through the App Store. The compiler (and other command line tools) are bundled deep inside the Xcode.app bundled. The commands that you can access directly in the terminal are installed by default and just act as wrappers/forwarders to the tools inside the Xcode bundle. So Apple is cheating a bit.
 or are those apps always sandboxed?
Yes. -- /Jacob Carlborg
Nov 20 2019