Karl Dunkle Werner created ARROW-13787:
------------------------------------------
Summary: Verify third-party downloads
Key: ARROW-13787
URL: https://issues.apache.org/jira/browse/ARROW-13787
Project: Apache Arrow
Issue Type: Improvement
Components: C++, Packaging
Affects Versions: 5.0.0
Reporter: Karl Dunkle Werner
Assignee: Karl Dunkle Werner
I think it might be helpful to have cmake use an SHA256 hash to verify the
third-party files it downloads. I can submit a PR for this.
Upsides:
- Downloads are further verified for integrity (in addition to the
verification from https)
- cmake stops complaining about missing verification (when
{{ARROW_VERBOSE_THIRDPARTY_BUILD=ON}})
Downside:
- Slightly more work in the future to add or update a third-party dependency.
The [cmake docs|https://cmake.org/cmake/help/latest/module/ExternalProject.html] note:
{quote}Specifying [URL_HASH] is strongly recommended for URL downloads, as it
ensures the integrity of the downloaded content. It is also used as a check for
a previously downloaded file, allowing connection to the remote location to be
avoided altogether if the local directory already has a file from an earlier
download that matches the specified hash.
{quote}
SHA256 was introduced in [cmake 2.8.7|https://blog.kitware.com/cmake-2-8-7-now-available/], released in late 2011.
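The two behaviours the quoted CMake documentation attributes to URL_HASH (rejecting a download whose SHA256 does not match the pinned value, and reusing an earlier download that already matches), shown in Python as an added example. It is not code from this issue, from Arrow or from CMake; `sha256_of`, `fetch_verified`, `demo` and the file names are hypothetical, and the "upstream" is a constructed local file so the example runs offline.

```python
import hashlib
import os
import tempfile
import urllib.request
from pathlib import Path


def sha256_of(path):
    """Stream the file through SHA-256 so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fetch_verified(url, dest, expected_sha256):
    """Return "cached" or "downloaded"; raise ValueError on a hash mismatch."""
    dest = Path(dest)
    expected = expected_sha256.lower()
    # A previously downloaded file that matches the pin is reused: no network access.
    if dest.is_file() and sha256_of(dest) == expected:
        return "cached"
    # Download under a temporary name so an unverified file never sits at dest.
    dest.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=dest.parent, suffix=".part")
    try:
        with os.fdopen(fd, "wb") as out, urllib.request.urlopen(url) as resp:
            for chunk in iter(lambda: resp.read(1 << 20), b""):
                out.write(chunk)
        actual = sha256_of(tmp)
        if actual != expected:
            raise ValueError(f"SHA256 mismatch for {url}: expected {expected}, got {actual}")
        os.replace(tmp, dest)  # atomic move into place only after verification
        return "downloaded"
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


def demo():
    """Constructed sample: fetch once, delete the upstream, fetch again from cache."""
    work = Path(tempfile.mkdtemp())
    upstream = work / "upstream.tar.gz"  # hypothetical archive, constructed bytes
    upstream.write_bytes(b"constructed archive bytes")
    pin = sha256_of(upstream)
    dest = work / "cache" / "dep.tar.gz"
    first = fetch_verified(upstream.as_uri(), dest, pin)
    upstream.unlink()  # upstream is gone; the verified cache must suffice
    return first, fetch_verified(upstream.as_uri(), dest, pin)
```

In a real build the pinned hash is recorded next to the dependency's URL and version, which is the extra maintenance step the issue lists as the downside.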