
[C++] Verify third-party downloads

Details

    • Improvement
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • 5.0.0
    • 6.0.0
    • C++

    Description

      I think it might be helpful to have cmake use an SHA256 hash to verify the third-party files it downloads. I can submit a PR for this.

      Upsides:

      • Downloads are further verified for integrity (in addition to the verification from https)
      • cmake stops complaining about missing verification (when ARROW_VERBOSE_THIRDPARTY_BUILD=ON)

      Downside:

      • Slightly more work in the future to add or update a third-party dependency.

      The cmake docs note:

      Specifying [URL_HASH] is strongly recommended for URL downloads, as it ensures the integrity of the downloaded content. It is also used as a check for a previously downloaded file, allowing connection to the remote location to be avoided altogether if the local directory already has a file from an earlier download that matches the specified hash.

      SHA256 was introduced in cmake 2.8.7, released in late 2011.
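
      The idea described above, sketched as an added example (not part of the original issue and not Apache Arrow's build code): a `CMakeLists.txt` whose helper refuses to declare a download without a well-formed SHA256 and passes it to `ExternalProject_Add` through `URL_HASH`. The helper name `add_verified_download` and the `EXAMPLE_DEP_URL` / `EXAMPLE_DEP_SHA256` variables are hypothetical placeholders.

```cmake
cmake_minimum_required(VERSION 3.5)
project(verified_download_example NONE)

include(ExternalProject)

# Hypothetical helper: fail at configure time unless a well-formed SHA256 is
# supplied, so a dependency cannot be added or updated without a checksum.
function(add_verified_download name url sha256)
  # CMake regexes have no {n} quantifier, so check the length separately.
  string(LENGTH "${sha256}" digest_length)
  if(NOT digest_length EQUAL 64 OR NOT sha256 MATCHES "^[0-9A-Fa-f]+$")
    message(FATAL_ERROR
      "${name}: expected a 64-character hex SHA256, got '${sha256}'")
  endif()

  ExternalProject_Add(${name}
    URL "${url}"
    # The archive is hashed after download; a mismatch fails the build step.
    # A previously downloaded file with a matching hash is reused as-is.
    URL_HASH "SHA256=${sha256}"
    # Download and verify only: empty commands skip configure/build/install.
    CONFIGURE_COMMAND ""
    BUILD_COMMAND ""
    INSTALL_COMMAND "")
endfunction()

# Placeholder inputs (assumptions of this example). Supply real values with
#   cmake -DEXAMPLE_DEP_URL=<archive url> -DEXAMPLE_DEP_SHA256=<hex digest> ..
set(EXAMPLE_DEP_URL "" CACHE STRING "Archive URL (placeholder)")
set(EXAMPLE_DEP_SHA256 "" CACHE STRING "Expected SHA256 (placeholder)")

if(EXAMPLE_DEP_URL STREQUAL "")
  message(FATAL_ERROR "Set EXAMPLE_DEP_URL and EXAMPLE_DEP_SHA256")
endif()

add_verified_download(example_dep "${EXAMPLE_DEP_URL}" "${EXAMPLE_DEP_SHA256}")
```

      The pinned digest should be recorded from a copy of the archive that has been checked independently, since `URL_HASH` only proves that later downloads match whatever was pinned.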

            People

              karldw Karl Dunkle Werner