[cmake-developers] file(DOWNLOAD) + EXPECTED_HASH security issue
David Cole
dlrdave at aol.com
Thu Nov 21 10:46:30 EST 2013
> Once a command reports an error CMake will not generate the project
> so it is not worth allowing the configuration to do much after that.
> Failure of file(DOWNLOAD) should either be a cmake::FATAL_ERROR or
> just a STATUS setting with no CMake Error. The signature needs a
> way for CMake to know which one to do.
>
> I'm fine with changing the current non-fatal error to a fatal error
> in the next release.
Would this be:
(1) an unconditional, always-in-effect change?
(2) a policy with a NEW behavior?
(3) a change activated only by use of a new keyword argument to
file(DOWNLOAD ?
File download errors are quite common for many different reasons....
I'm not sure I like the idea of triggering a CMake fatal error for a
corrupt download.
File download should mostly be a build-time step in my opinion.
Configure should be as fast as possible, meaning: only do the minimum
try_compiles necessary, and defer until build time things that take a
long time, like download over a network.
D
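
As an added illustration for readers of this thread (not code from the message above or from the CMake project): a script that checks the `STATUS` result and the file's SHA-256 itself, so a corrupt download is never used regardless of how `file(DOWNLOAD)` reports the failure. The URL, the digest and the variable names are placeholders chosen for this sketch.

```cmake
# Added example: explicit download verification, runnable with `cmake -P`.
cmake_minimum_required(VERSION 3.5)

# Placeholders (assumptions): substitute the real URL and pinned digest.
set(pkg_url    "https://example.invalid/pkg-1.0.tar.gz")
set(pkg_sha256 "<expected-sha256-hex>")
set(pkg_file   "${CMAKE_CURRENT_BINARY_DIR}/pkg-1.0.tar.gz")

# STATUS receives a two-element list: numeric code and error string.
file(DOWNLOAD "${pkg_url}" "${pkg_file}" STATUS dl_status)
list(GET dl_status 0 dl_code)
list(GET dl_status 1 dl_text)

if(NOT dl_code EQUAL 0)
  # Transport failure: remove any partial file before stopping.
  file(REMOVE "${pkg_file}")
  message(FATAL_ERROR "Download of ${pkg_url} failed (${dl_code}): ${dl_text}")
endif()

# Hash the file on disk and compare against the pinned value.
file(SHA256 "${pkg_file}" actual_sha256)
string(TOLOWER "${pkg_sha256}" expected_sha256)

if(NOT "${actual_sha256}" STREQUAL "${expected_sha256}")
  # Never leave an unverified file where later steps could pick it up.
  file(REMOVE "${pkg_file}")
  message(FATAL_ERROR
    "Hash mismatch for ${pkg_file}\n"
    "  expected: ${expected_sha256}\n"
    "  actual:   ${actual_sha256}")
endif()

message(STATUS "Verified ${pkg_file}")
```

To make a failure non-fatal instead, replace `FATAL_ERROR` with `WARNING` and set a result variable that later steps test before touching the file.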