> Using ExternalProject and a dependency fetching script suffer from the
> same problem. It is very easy to implement these things insecurely,
> and it makes your software hard to package for Linux distributions.
> When I see a trendy new project that prominently features a "curl |
> sh" line on its webpage I shudder and, try as I might, I usually write
> it off in my mind. Besides those lines sometimes not having "https://";
> in them,

You should check the sha256 of all downloaded files. It really guarantees that
the files were not tampered with, unlike that "s" letter in the URL after "http", which
only checks that the peer's TLS certificate looks okay.


> installing software outside of your package manager will
> eventually lead to a slew of problems (developers that focus on one or
> two projects may never experience those problems, but that is almost
> entirely luck).

This is not the case if done carefully, and is not relevant at all if dependencies
are not installed into a system location.

-- 
Regards,
Konstantin
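The two points raised in this message, pin the SHA-256 of every fetched archive rather than trusting the "https" alone, and keep fetched dependencies out of system locations, map directly onto options that CMake's ExternalProject and file(DOWNLOAD) already provide. The following is an added example, not code from the thread or from CMake's own documentation; the URL and the two 64-hex digests are placeholders that must be replaced with the real archive address and with hashes obtained through a trusted channel (a signed release announcement, a checksum file fetched separately), never copied from the same unverified download.

```cmake
cmake_minimum_required(VERSION 3.14)
project(pinned_deps LANGUAGES NONE)

include(ExternalProject)

# Placeholders (assumptions for this example, not values from the thread).
# Replace DEP_URL with the real archive and DEP_SHA256 with the digest you
# computed from a copy obtained through a trusted channel.
set(DEP_URL    "https://example.invalid/dependency-1.2.3.tar.gz")
set(DEP_SHA256 "0000000000000000000000000000000000000000000000000000000000000000")  # PLACEHOLDER

# ExternalProject checks the archive against URL_HASH before extracting it.
# A mismatch (a tampered mirror, a silently re-uploaded tarball, a truncated
# download) stops the build instead of compiling the wrong code.
# TLS_VERIFY ON rejects hosts whose certificate does not validate, but that is
# only a transport check; URL_HASH is what pins the content itself.
# PREFIX/INSTALL_DIR keep everything under the build tree, so nothing touches
# /usr or /usr/local and the system package manager is left alone.
ExternalProject_Add(dependency
  URL          "${DEP_URL}"
  URL_HASH     SHA256=${DEP_SHA256}
  TLS_VERIFY   ON
  PREFIX       "${CMAKE_BINARY_DIR}/_deps/dependency"
  INSTALL_DIR  "${CMAKE_BINARY_DIR}/_deps/dependency-install"
  CMAKE_ARGS   -DCMAKE_INSTALL_PREFIX:PATH=<INSTALL_DIR>
)

# The same rule for a single file fetched from a script: file(DOWNLOAD) will
# not keep a file whose digest differs from EXPECTED_HASH, which is the part
# a bare "curl | sh" line never does.
set(SCRIPT_SHA256 "1111111111111111111111111111111111111111111111111111111111111111")  # PLACEHOLDER
file(DOWNLOAD
  "https://example.invalid/helper-script.sh"
  "${CMAKE_BINARY_DIR}/helper-script.sh"
  EXPECTED_HASH SHA256=${SCRIPT_SHA256}
  TLS_VERIFY ON
  STATUS download_status
)
# STATUS captures transport failures (DNS, TLS, HTTP errors) so the script
# stops here rather than continuing with a missing file.
list(GET download_status 0 download_code)
if(NOT download_code EQUAL 0)
  message(FATAL_ERROR "helper-script.sh download failed: ${download_status}")
endif()
```

When the digest is wrong, CMake reports the expected and actual hashes and refuses to extract or keep the file, so a changed upstream artifact shows up as a hard configure failure rather than as a quietly different binary. Updating the dependency is then a deliberate, reviewable change to the pinned hash in the CMakeLists.txt.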
-- 

Powered by www.kitware.com


Follow this link to subscribe/unsubscribe:
http://public.kitware.com/mailman/listinfo/cmake
