[
https://issues.apache.org/jira/browse/ARROW-13787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kouhei Sutou updated ARROW-13787:
---------------------------------
Summary: [C++] Verify third-party downloads (was: Verify third-party
downloads)
> [C++] Verify third-party downloads
> ----------------------------------
>
> Key: ARROW-13787
> URL: https://issues.apache.org/jira/browse/ARROW-13787
> Project: Apache Arrow
> Issue Type: Improvement
> Components: C++, Packaging
> Affects Versions: 5.0.0
> Reporter: Karl Dunkle Werner
> Assignee: Karl Dunkle Werner
> Priority: Minor
> Labels: pull-request-available
> Time Spent: 20m
> Remaining Estimate: 0h
>
> I think it might be helpful to have cmake use an SHA256 hash to verify the
> third-party files it downloads. I can submit a PR for this.
> Upsides:
> - Downloads are further verified for integrity (in addition to the
> verification from https)
> - cmake stops complaining about missing verification (when
> {{ARROW_VERBOSE_THIRDPARTY_BUILD=ON}})
> Downside:
> - Slightly more work in the future to add or update a third-party dependency.
> The [cmake
> docs|https://cmake.org/cmake/help/latest/module/ExternalProject.html] note:
> {quote}Specifying [URL_HASH] is strongly recommended for URL downloads, as it
> ensures the integrity of the downloaded content. It is also used as a check
> for a previously downloaded file, allowing connection to the remote location
> to be avoided altogether if the local directory already has a file from an
> earlier download that matches the specified hash.
> {quote}
> SHA256 was introduced in [cmake
> 2.8.7|https://blog.kitware.com/cmake-2-8-7-now-available/], released in late
> 2011.
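An added illustration of the URL_HASH pinning proposed in the issue above, not code from the Arrow repository or from the reporter's pull request. The dependency name, the URL and the all-zero digest are placeholders.

```cmake
cmake_minimum_required(VERSION 3.10)
project(pinned_download_example NONE)
include(ExternalProject)

# Hypothetical dependency: name, URL and digest are placeholders, not Arrow's.
set(EXAMPLE_DEP_VERSION "1.2.3")
set(EXAMPLE_DEP_URL
    "https://example.invalid/example-dep-${EXAMPLE_DEP_VERSION}.tar.gz")
# Placeholder digest. Replace it with the output of
#   cmake -E sha256sum example-dep-1.2.3.tar.gz
# computed over an archive whose origin you have checked.
set(EXAMPLE_DEP_SHA256
    "0000000000000000000000000000000000000000000000000000000000000000")

# Reject a missing or malformed pin at configure time, so the build cannot
# quietly fall back to an unverified download.
string(LENGTH "${EXAMPLE_DEP_SHA256}" _pin_length)
if(NOT _pin_length EQUAL 64 OR NOT EXAMPLE_DEP_SHA256 MATCHES "^[0-9a-f]+$")
  message(FATAL_ERROR "EXAMPLE_DEP_SHA256 must be 64 lowercase hex characters")
endif()

# Before: integrity rests on HTTPS alone, and an existing local copy cannot
# be checked before it is reused.
#   ExternalProject_Add(example_dep_ep URL "${EXAMPLE_DEP_URL}" ...)

# After: the download step fails if the archive does not hash to the pinned
# value, and a local file that already matches is reused without contacting
# the remote location.
ExternalProject_Add(example_dep_ep
  URL "${EXAMPLE_DEP_URL}"
  URL_HASH "SHA256=${EXAMPLE_DEP_SHA256}"
  CONFIGURE_COMMAND ""
  BUILD_COMMAND ""
  INSTALL_COMMAND "")
```

Keeping the digest variable next to the version variable means a version bump that forgets the new digest fails the download step instead of building unverified content.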