Verifying Scala distribution downloads


Juha Heljoranta

Jun 16, 2016, 10:58:24 PM
to scala-user
Was there any way to verify the authenticity of Scala downloads from
http://www.scala-lang.org/download/ ?

The scala-lang.org domain doesn't support https, nor are there any pgp signatures.

I remember this was discussed years ago somewhere but my google-fu yielded
None.

Cheers,
Juha

Simon Ochsenreither

Jun 18, 2016, 2:06:11 PM
to scala-user, juha.he...@iki.fi
I would recommend not downloading anything from scala-lang.org as the Scala distribution offered there is not something anyone actually uses.

I would try to download sbt through your package manager and let it handle all required dependencies (including Scala). That way you benefit from the authenticity that applies to all downloads through package managers.

rtm...@googlemail.com

Jun 20, 2016, 9:35:09 AM
to scala-user, juha.he...@iki.fi
Hi,


On Saturday, June 18, 2016 at 7:06:11 PM UTC+1, Simon Ochsenreither wrote:
> I would recommend not downloading anything from scala-lang.org as the Scala distribution offered there is not something anyone actually uses.

I did. I'm a Windows user so no package manager, also new to Scala and no experience with SBT yet. Plz think of us n00bz!

cheers

jan
 

Naftoli Gugenheim

Jun 20, 2016, 9:42:11 AM
to rtm...@googlemail.com, scala-user, juha.he...@iki.fi

You can download the msi from scala-sbt.org


--
You received this message because you are subscribed to the Google Groups "scala-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to scala-user+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

rtm...@googlemail.com

Jun 20, 2016, 9:53:27 AM
to scala-user, rtm...@googlemail.com, juha.he...@iki.fi
OK, but how would I know that it's there, and that it's the better place? Think of someone coming new to Scala; perhaps modify <http://www.scala-lang.org/download/> to point or redirect to it instead?

cheers

jan

Simon Ochsenreither

Jun 20, 2016, 10:35:43 AM
to scala-user, rtm...@googlemail.com, juha.he...@iki.fi

> OK, but how would I know that it's there, and that it's the better place? Think of someone coming new to Scala; perhaps modify <http://www.scala-lang.org/download/> to point or redirect to it instead?

Hahaha, that would be too easy! :-)

Seriously, we have been trying to have this discussion for a few years already and roughly nothing ever happened. I forked the whole website in the meantime, but haven't redone that part yet.
After some talks at ScalaDays I'm slightly optimistic whether we can move scala-lang.org forward again, but actions speak louder than words, so I reserve my judgment here.

Naftoli Gugenheim

Jun 20, 2016, 10:40:40 AM
to rtm...@googlemail.com, scala-user, juha.he...@iki.fi


On Mon, Jun 20, 2016, 9:53 AM rtm443x via scala-user <scala...@googlegroups.com> wrote:
> OK, but how would I know that it's there, and that it's the better place? Think of someone coming new to Scala; perhaps modify <http://www.scala-lang.org/download/> to point or redirect to it instead?

+100

Oliver Ruebenacker

Jun 20, 2016, 10:48:41 AM
to Simon Ochsenreither, scala-user, Juha Heljoranta

     Hello,

  Actually, I have been using downloads from scala-lang.org, both the MSI for Windows and the RPM for Fedora Linux. Are you saying there are other, better versions of these downloads somewhere else?

  I often find, for example, that the Fedora repository does not have the latest version of various things.

     Best, Oliver


On Sat, Jun 18, 2016 at 2:06 PM, Simon Ochsenreither <simon.och...@gmail.com> wrote:
> I would recommend not downloading anything from scala-lang.org as the Scala distribution offered there is not something anyone actually uses.
>
> I would try to download sbt through your package manager and let it handle all required dependencies (including Scala). That way you benefit from the authenticity that applies to all downloads through package managers.




--
Oliver Ruebenacker
Senior Software Engineer, Diabetes Portal, Broad Institute

Simon Ochsenreither

Jun 20, 2016, 10:55:44 AM
to scala-user, simon.och...@gmail.com, juha.he...@iki.fi

> Actually, I have been using downloads from scala-lang.org, both the MSI for Windows and the RPM for Fedora Linux. Are you saying there are other, better versions of these downloads somewhere else?

Those MSIs/RPMs are still the Scala distribution, which is kind of useless for any task outside playing with the language for the first 5 minutes.

Rex Kerr

Jun 20, 2016, 6:43:12 PM
to Simon Ochsenreither, scala-user, Juha Heljoranta
This is a little overstated.  What is true (and weird) is that the downloads of Scala from scala-lang.org do not give you an idiomatic Scala development environment.  It is idiomatic to use SBT, and SBT downloads its own copy/copies of Scala from a Maven repository.

On the other hand, it is possible to use a build system other than SBT, and in that case you will probably want a REPL, and in that case the standard distribution is perfectly fine.  You may want a REPL of the latest version anyway (as SBT clutters up every directory in which you run it), in which case the downloads from scala-lang.org are fine.

So there's nothing _wrong_ with the version you get from scala-lang.org.  It's just that you probably want to start using SBT sooner rather than later, and once you have SBT it handles fetching its own copies, so you may as well save yourself the trouble of an extra installation.

  --Rex


On Mon, Jun 20, 2016 at 7:55 AM, Simon Ochsenreither <simon.och...@gmail.com> wrote:

> > Actually, I have been using downloads from scala-lang.org, both the MSI for Windows and the RPM for Fedora Linux. Are you saying there are other, better versions of these downloads somewhere else?
>
> Those MSIs/RPMs are still the Scala distribution, which is kind of useless for any task outside playing with the language for the first 5 minutes.

Juha Heljoranta

Jun 21, 2016, 12:56:22 AM
to scala...@googlegroups.com, Rex Kerr, Simon Ochsenreither
On Monday, June 20, 2016 03:43:07 PM Rex Kerr wrote:
> So there's nothing _wrong_ with the version you get from scala-lang.org.
> It's just that you probably want to start using SBT sooner rather than
> later, and once you have SBT it handles fetching its own copies, so you may
> as well save yourself the trouble of an extra installation.

There are no guarantees if the download has something wrong: I cannot verify
its authenticity (e.g. MITM attack).

From a security point of view: https would be good, pgp signatures better and
https+pgp excellent.

scala-sbt.org doesn't supply a CA-verified https certificate, although the
download links themselves seem to point to https resources.

Perhaps this is something the recently established Scala Center could help
with?

Cheers,
Juha
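
Added example (not part of the thread and not Scala project tooling): it illustrates the MITM concern in the post above, using a SHA-256 digest as a stand-in for the pgp signature check the post asks for. It shows that a checksum served over the same plain-HTTP channel as the file proves nothing, while a digest obtained over a separate trusted channel detects the swap. The file name, byte strings and the "trusted channel" are constructed assumptions.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex):
    """True only if the file's SHA-256 equals the expected hex digest."""
    expected = expected_hex.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected value is not a SHA-256 hex digest")
    return hmac.compare_digest(sha256_file(path), expected)


def demo():
    """Constructed scenario: a MITM on plain HTTP rewrites file and checksum."""
    genuine = b"constructed bytes standing in for the real installer"
    tampered = genuine + b" plus modified content"
    # Assumption: this digest reached the user over a channel the attacker
    # does not control (an HTTPS page, a signed release announcement).
    pinned = hashlib.sha256(genuine).hexdigest()
    # Digest served next to the file over the same HTTP connection: whoever
    # swapped the file can recompute it, so it always matches.
    same_channel = hashlib.sha256(tampered).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "installer.bin")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(tampered)
        return {
            "same_channel_checksum_accepts": verify_download(path, same_channel),
            "pinned_checksum_accepts": verify_download(path, pinned),
        }


if __name__ == "__main__":
    print(demo())
```

A pgp signature improves on the pinned digest because only the signer's public key has to be obtained once over a trusted channel, not a new digest for every release.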

Rex Kerr

Jun 21, 2016, 1:14:16 AM
to Juha Heljoranta, scala-user, Simon Ochsenreither
From a security standpoint, I agree.  I was responding specifically to Simon's characterization of the utility of the Scala distribution.

  --Rex

Jasper-M

Jun 21, 2016, 4:56:18 AM
to scala-user, simon.och...@gmail.com, juha.he...@iki.fi
Sbt should have an option like `sbt repl` that launches a repl of the latest stable Scala version without generating any files or folders. Then `sbt repl 2.10.5` does the same but with the specified version.
The icing on the cake would be the ability to add dependencies at runtime.

I'm gonna hazard a guess that a more accurate name for that option would be `sbt ammonite`...

On Monday, June 20, 2016 at 16:55:44 UTC+2, Simon Ochsenreither wrote:

Naftoli Gugenheim

Jun 21, 2016, 5:26:11 AM
to Jasper-M, scala-user, simon.och...@gmail.com, juha.he...@iki.fi

You should be able to do sbt "++2.10.5 consoleQuick"

