On Mon, May 27, 2024, at 9:22 AM, Byoungchan Lee via devel wrote:
> In well-maintained Fedora packages, the use of the FetchContent module 
> is generally discouraged because dependencies are already available in 
> the Fedora repositories.
>
> While it's uncertain if build workers in Fedora have internet access, 
> to improve security, I believe it is recommended to entirely disallow 
> the use of the FetchContent module. To achieve this, I propose adding a 
> flag in the cmake-rpm-macros to disable the FetchContent module.
>
> According to the CMake manual 
> (https://cmake.org/cmake/help/latest/module/FetchContent.html), 
> FETCHCONTENT_FULLY_DISCONNECTED=ON seems to be the flag that disables 
> the use of the FetchContent module.

Homebrew recently implemented a similar restriction 
(https://github.com/Homebrew/brew/pull/17310), which follows a recommendation 
from a CMake maintainer (https://github.com/Homebrew/brew/pull/17075).

In summary, FETCHCONTENT_FULLY_DISCONNECTED should not be used to disable 
FetchContent; instead, a trap macro is recommended.

However, I think the Homebrew implementation is not correct either. It is 
documented that the FIND_PACKAGE_ARGS argument in FetchContent_Declare should 
instruct it to find system packages first. It will break packages that follow 
this pattern if we trap all FetchContent usage.

It would be better if we could set FindPackage as the only dependency provider: 
https://cmake.org/cmake/help/latest/command/cmake_language.html#dependency-providers

> Do I need a formal process to propose this change? Or can I just submit 
> a pull request to the cmake (https://src.fedoraproject.org/rpms/cmake) 
> repository?

This is probably going to break packages. I think a change proposal would be 
good.

Kan-ru
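
One possible reading of the dependency-provider idea in the message above, as an added example that is not part of the original post and is not code from CMake, Fedora or Homebrew. The file name and the macro name are hypothetical, and the sketch assumes CMake 3.24 or newer.

```cmake
# fedora-system-deps-only.cmake (hypothetical file name)
#
# Loaded without patching the project, for example:
#   cmake -S . -B build \
#     -DCMAKE_PROJECT_TOP_LEVEL_INCLUDES=/path/to/fedora-system-deps-only.cmake
# A dependency provider can only be set from a file listed in
# CMAKE_PROJECT_TOP_LEVEL_INCLUDES, while the first project() call runs.

# A macro rather than a function, so that variables set by find_package()
# stay visible in the scope that called FetchContent_MakeAvailable().
macro(system_only_provide_dependency method dep_name)
  if("${method}" STREQUAL "FETCHCONTENT_MAKEAVAILABLE_SERIAL")
    # Try an installed (system) package with the declared name.
    # Limitation of this sketch: it looks the package up by the FetchContent
    # name only and does not forward the project's FIND_PACKAGE_ARGS
    # (for example NAMES), so a declaration whose name differs from the
    # installed package name will not be found.
    find_package(${dep_name} QUIET BYPASS_PROVIDER)

    if(${dep_name}_FOUND)
      # Report the request as fulfilled so FetchContent does not populate it.
      FetchContent_SetPopulated(${dep_name})
    else()
      # Returning without fulfilling the request would hand control back to
      # the built-in implementation, which may download. Stop the configure
      # step instead so the missing BuildRequires is visible in the build log.
      message(FATAL_ERROR
        "FetchContent dependency '${dep_name}' is not installed on the "
        "build host and downloading is not allowed in this build.")
    endif()
  endif()
endmacro()

# Intercept FetchContent_MakeAvailable() only. Plain find_package() calls in
# the project are not routed through the provider and behave as usual.
cmake_language(
  SET_DEPENDENCY_PROVIDER system_only_provide_dependency
  SUPPORTED_METHODS FETCHCONTENT_MAKEAVAILABLE_SERIAL
)
```

Projects that call FetchContent_Populate() directly are not covered, because the provider is consulted only by FetchContent_MakeAvailable().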