I think it might be helpful to have cmake use an SHA256 hash to verify the third-party files it downloads. I can submit a PR for this.
- Downloads are further verified for integrity (in addition to the verification from https)
- cmake stops complaining about missing verification (when ARROW_VERBOSE_THIRDPARTY_BUILD=ON)
- Slightly more work in the future to add or update a third-party dependency.
The cmake docs note:
Specifying [URL_HASH] is strongly recommended for URL downloads, as it ensures the integrity of the downloaded content. It is also used as a check for a previously downloaded file, allowing connection to the remote location to be avoided altogether if the local directory already has a file from an earlier download that matches the specified hash.
SHA256 was introduced in cmake 2.8.7, released in late 2011.