summaryrefslogtreecommitdiffstats
path: root/Modules/FetchContent.cmake
diff options
context:
space:
mode:
authorHarmen Stoppels <harmenstoppels@gmail.com>2021-02-19 13:32:22 (GMT)
committerCraig Scott <craig.scott@crascit.com>2021-02-25 10:14:15 (GMT)
commit24b467c043a600c301f8e3037712fb18ed9a9ae4 (patch)
tree5ea99c01678f2099a717df42bb0fe99b39de613d /Modules/FetchContent.cmake
parentebcb8896e31abfeb37422bf0ac6501b2f26ee3d0 (diff)
downloadCMake-24b467c043a600c301f8e3037712fb18ed9a9ae4.zip
CMake-24b467c043a600c301f8e3037712fb18ed9a9ae4.tar.gz
CMake-24b467c043a600c301f8e3037712fb18ed9a9ae4.tar.bz2
Help: Prefer commit hashes in FetchContent examples for security reasons
Fixes: #21841 Co-Authored-By: Craig Scott <craig.scott@crascit.com>
Diffstat (limited to 'Modules/FetchContent.cmake')
-rw-r--r--Modules/FetchContent.cmake17
1 files changed, 11 insertions, 6 deletions
diff --git a/Modules/FetchContent.cmake b/Modules/FetchContent.cmake
index 7224900..297eec7 100644
--- a/Modules/FetchContent.cmake
+++ b/Modules/FetchContent.cmake
@@ -34,7 +34,7 @@ The following shows a typical example of declaring content details:
FetchContent_Declare(
googletest
GIT_REPOSITORY https://github.com/google/googletest.git
- GIT_TAG release-1.8.0
+ GIT_TAG 703bd9caab50b139428cea1aaff9974ebee5742e # release-1.10.0
)
For most typical cases, populating the content can then be done with a single
@@ -126,7 +126,7 @@ Declaring Content Details
FetchContent_Declare(
googletest
GIT_REPOSITORY https://github.com/google/googletest.git
- GIT_TAG release-1.8.0
+ GIT_TAG 703bd9caab50b139428cea1aaff9974ebee5742e # release-1.10.0
)
FetchContent_Declare(
@@ -141,6 +141,11 @@ Declaring Content Details
SVN_REVISION -r12345
)
+ Where contents are being fetched from a remote location and you do not
+ control that server, it is advisable to use a hash for ``GIT_TAG`` rather
+ than a branch or tag name. A commit hash is more secure and helps to
+ confirm that the downloaded contents are what you expected.
+
Populating The Content
""""""""""""""""""""""
@@ -456,12 +461,12 @@ frameworks are available to the main build:
FetchContent_Declare(
googletest
GIT_REPOSITORY https://github.com/google/googletest.git
- GIT_TAG release-1.8.0
+ GIT_TAG 703bd9caab50b139428cea1aaff9974ebee5742e # release-1.10.0
)
FetchContent_Declare(
Catch2
GIT_REPOSITORY https://github.com/catchorg/Catch2.git
- GIT_TAG v2.5.0
+ GIT_TAG de6fe184a9ac1a06895cdd1c9b437f0a0bdf14ad # v2.13.4
)
# After the following call, the CMake targets defined by googletest and
@@ -480,7 +485,7 @@ it into the main build:
FetchContent_Declare(
protobuf
GIT_REPOSITORY https://github.com/protocolbuffers/protobuf.git
- GIT_TAG v3.12.0
+ GIT_TAG ae50d9b9902526efd6c7a1907d09739f959c6297 # v3.15.0
SOURCE_SUBDIR cmake
)
set(protobuf_BUILD_TESTS OFF)
@@ -517,7 +522,7 @@ that all five projects are available on a company git server. The
FetchContent_Declare(
projE
GIT_REPOSITORY git@mycompany.com:git/projE.git
- GIT_TAG origin/release/2.3-rc1
+ GIT_TAG v2.3-rc1
)
# Order is important, see notes in the discussion further below