field | value | date |
---|---|---|
author | Harmen Stoppels <harmenstoppels@gmail.com> | 2021-02-19 13:32:22 (GMT) |
committer | Craig Scott <craig.scott@crascit.com> | 2021-02-25 10:14:15 (GMT) |
commit | 24b467c043a600c301f8e3037712fb18ed9a9ae4 | |
tree | 5ea99c01678f2099a717df42bb0fe99b39de613d /Modules | |
parent | ebcb8896e31abfeb37422bf0ac6501b2f26ee3d0 | |
Help: Prefer commit hashes in FetchContent examples for security reasons
Fixes: #21841
Co-Authored-By: Craig Scott <craig.scott@crascit.com>
Diffstat (limited to 'Modules')
-rw-r--r-- | Modules/FetchContent.cmake | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/Modules/FetchContent.cmake b/Modules/FetchContent.cmake index 7224900..297eec7 100644 --- a/Modules/FetchContent.cmake +++ b/Modules/FetchContent.cmake @@ -34,7 +34,7 @@ The following shows a typical example of declaring content details: FetchContent_Declare( googletest GIT_REPOSITORY https://github.com/google/googletest.git - GIT_TAG release-1.8.0 + GIT_TAG 703bd9caab50b139428cea1aaff9974ebee5742e # release-1.10.0 ) For most typical cases, populating the content can then be done with a single @@ -126,7 +126,7 @@ Declaring Content Details FetchContent_Declare( googletest GIT_REPOSITORY https://github.com/google/googletest.git - GIT_TAG release-1.8.0 + GIT_TAG 703bd9caab50b139428cea1aaff9974ebee5742e # release-1.10.0 ) FetchContent_Declare( @@ -141,6 +141,11 @@ Declaring Content Details SVN_REVISION -r12345 ) + Where contents are being fetched from a remote location and you do not + control that server, it is advisable to use a hash for ``GIT_TAG`` rather + than a branch or tag name. A commit hash is more secure and helps to + confirm that the downloaded contents are what you expected. + Populating The Content """""""""""""""""""""" @@ -456,12 +461,12 @@ frameworks are available to the main build: FetchContent_Declare( googletest GIT_REPOSITORY https://github.com/google/googletest.git - GIT_TAG release-1.8.0 + GIT_TAG 703bd9caab50b139428cea1aaff9974ebee5742e # release-1.10.0 ) FetchContent_Declare( Catch2 GIT_REPOSITORY https://github.com/catchorg/Catch2.git - GIT_TAG v2.5.0 + GIT_TAG de6fe184a9ac1a06895cdd1c9b437f0a0bdf14ad # v2.13.4 ) # After the following call, the CMake targets defined by googletest and @@ -480,7 +485,7 @@ it into the main build: FetchContent_Declare( protobuf GIT_REPOSITORY https://github.com/protocolbuffers/protobuf.git - GIT_TAG v3.12.0 + GIT_TAG ae50d9b9902526efd6c7a1907d09739f959c6297 # v3.15.0 SOURCE_SUBDIR cmake ) set(protobuf_BUILD_TESTS OFF) 
@@ -517,7 +522,7 @@ that all five projects are available on a company git server. The FetchContent_Declare( projE GIT_REPOSITORY git@mycompany.com:git/projE.git - GIT_TAG origin/release/2.3-rc1 + GIT_TAG v2.3-rc1 ) # Order is important, see notes in the discussion further below |
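
Review bot: the commit message should say that the examples are bumped to newer releases as well as pinned. In the first hunk (@@ -34,7 +34,7 @@) `GIT_TAG release-1.8.0` becomes a hash commented `# release-1.10.0`, and the later hunks do the same for Catch2 (`v2.5.0` to `# v2.13.4`) and protobuf (`v3.12.0` to `# v3.15.0`). The trailing comment is the only thing tying each hash to a release and nothing in the patch lets a reader confirm the pairing, so each hash should be checked against the upstream tag before this is merged.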
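
Review bot: the paragraph added at @@ -141,6 +141,11 @@ should say "full commit hash" rather than "a hash", and should give the reason a name is weaker. A branch or tag name can be pointed at different content later by whoever controls the remote, while a full commit hash identifies one specific commit, and an abbreviated hash can be ambiguous. It would also help to recommend the convention the examples now use, keeping the release name in a trailing comment such as `# release-1.10.0`, so readers can still tell which release a hash refers to.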
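
Review bot: the last hunk (@@ -517,7 +522,7 @@) still pins projE by name, and it swaps a remote branch ref for a tag (`GIT_TAG origin/release/2.3-rc1` becomes `GIT_TAG v2.3-rc1`), which changes what the example fetches without any mention in the commit message. The context line says these projects are on a company git server, so a name is consistent with the new advice about servers you do not control, but a reader comparing this with the other examples will not see why it differs. Either state that reason in the surrounding text or use a hash with the tag in a trailing comment like the other declarations.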