www.digitalmars.com         C & C++   DMDScript  

digitalmars.D.announce - Beta 2.100.2

reply Martin Nowak <code dawg.eu> writes:
Glad to announce the first beta for the 2.100.2 point release, ♥ 
to the 16 contributors.

http://dlang.org/download.html#dmd_beta
http://dlang.org/changelog/2.100.2.html

As usual please report any bugs at
https://issues.dlang.org

N.B.: We had some delays to clarify the expired EV certificate 
and the next releases will ship without signed Windows binaries 
due to the complications and cost of EV certificates.

-Martin
Aug 31
parent reply matheus <matheus gmail.com> writes:
On Wednesday, 31 August 2022 at 13:20:51 UTC, Martin Nowak wrote:
 Glad to announce the first beta for the 2.100.2 point release,
Thanks.
 N.B.: We had some delays to clarify the expired EV certificate 
 and the next releases will ship without signed Windows binaries 
 due to the complications and cost of EV certificates.
Is possible to share the costs for this? Matheus.
Aug 31
parent reply Iain Buclaw <ibuclaw gdcproject.org> writes:
On Wednesday, 31 August 2022 at 15:48:05 UTC, matheus wrote:
 On Wednesday, 31 August 2022 at 13:20:51 UTC, Martin Nowak 
 wrote:
 Glad to announce the first beta for the 2.100.2 point release,
Thanks.
 N.B.: We had some delays to clarify the expired EV certificate 
 and the next releases will ship without signed Windows 
 binaries due to the complications and cost of EV certificates.
Is possible to share the costs for this?
Anywhere in the ballpark of an $750 to $1300 annual fee. Can only give an estimate as on top of the eye-watering EV prices, there may be more equally high fees for attestation and cloud signing. To put that in context, the original certificate ordered in 2018 cost only $267 and was valid for **3 years**. That's a price inflation of over 150% year-on-year! The process has gotten more complex too, as it is now required to have some sort of [hardware token](https://cabforum.org/2022/04/06/ballot-csc-13-update-to-subscriber-key-prote tion-requirements/) in order to sign, not exactly CI pipeline friendly. Cloud-based HSM solutions exist, but at an opaque cost, and our current workflow will still be broken after getting it set-up anyway. All this for at most only 12 signed Windows binaries per year (maybe 36 if you include the beta and rc releases). It's getting hard to justify proceeding with this cost unless we are *really* confident with just exactly what we are doing. I've only come across one other language compiler that has an open issue for a lack of code signed release binaries. It seems that an agreement was made with the Mozilla foundation to use their [autograph service](https://github.com/mozilla-services/autograph), but they've made no progress on it for the last 7 years, and there are still no signed releases. No one has raised an issue so far for all DMD releases since that occurred in the last 12 months, so either lack of signing isn't an problem, or people are just ignoring/working around whatever warning messages you might get for running unsigned binaries (NB: haven't used Windows since 2003 so I have no clue what happens when you run an unsigned binary).
Aug 31
next sibling parent Guillaume Piolat <first.last spam.org> writes:
On Thursday, 1 September 2022 at 04:34:40 UTC, Iain Buclaw wrote:
 No one has raised an issue so far for all DMD releases since 
 that occurred in the last 12 months, so either lack of signing 
 isn't an problem, or people are just ignoring/working around 
 whatever warning messages you might get for running unsigned 
 binaries (NB: haven't used Windows since 2003 so I have no clue 
 what happens when you run an unsigned binary).
When running an unsigned binary you get a warning at opening, that you can ignore. OV certificate are less expensive than EV certificates, for example you can get one at https://www.ksoftware.net/code-signing-certificates/ that last 3 years.
Sep 01
prev sibling parent matheus <matheus gmail.com> writes:
On Thursday, 1 September 2022 at 04:34:40 UTC, Iain Buclaw wrote:
 ...

 Anywhere in the ballpark of an $750 to $1300 annual fee. Can 
 only give an estimate as on top of the eye-watering EV prices, 
 there may be more equally high fees for attestation and cloud 
 signing.

 To put that in context, the original certificate ordered in 
 2018 cost only $267 and was valid for **3 years**.  That's a 
 price inflation of over 150% year-on-year!

 ...
Wow I didn't know it was so expensive. I mean it was somewhat reasonable back in the day ($267 for 36 months ~ $ 7.41 per month), now it can be around ~ $ 62 to $ 108, too much expensive. I'm foreigner and if in need I can throw in $ 30.00 per month, but I think this must be paid upfront for a year. But since you said nobody is complaining maybe just let it be. Thanks for the info, Matheus.
Sep 01