On Sun, May 26, 2024 at 8:47 PM Kan-Ru Chen <ka...@kanru.info> wrote: > > On Mon, May 27, 2024, at 9:22 AM, Byoungchan Lee via devel wrote: > > In well-maintained Fedora packages, the use of the FetchContent module > > is generally discouraged because dependencies are already available in > > the Fedora repositories. > > > > While it's uncertain if build workers in Fedora have internet access, > > to improve security, I believe it is recommended to entirely disallow > > the use of the FetchContent module. To achieve this, I propose adding a > > flag in the cmake-rpm-macros to disable the FetchContent module. > > > > According to the CMake manual > > (https://cmake.org/cmake/help/latest/module/FetchContent.html), > > FETCHCONTENT_FULLY_DISCONNECTED=ON seems the flag that disables the use > > of the FetchContent module. > > Homebrew recently implemented a similar restriction > https://github.com/Homebrew/brew/pull/17310 which follows a recommendation > from a CMake maintainer https://github.com/Homebrew/brew/pull/17075. > > In summary FETCHCONTENT_FULLY_DISCONNECTED should not be used to disable > FetchContent, instead a trap macro is recommended. > > However, I think the Homebrew implementation is not correct either. It is > documented that FIND_PACKAGE_ARGS argument in FetchContent_Declare should > instruct it to find system packages first. It will break packages that follow > this pattern if we trap all FetchContent usage. > > It would be better if we can set FindPackage the only dependency provider > https://cmake.org/cmake/help/latest/command/cmake_language.html#dependency-providers > > > Do I need a formal process to propose this change? Or can I just submit > > a pull request to the cmake (https://src.fedoraproject.org/rpms/cmake) > > repository? > > This is probably going to break packages. I think a change proposal would be > good. >
It's probably not necessary for a Change document, since FetchContent already fails inside the build system since there's no internet access there. -- 真実はいつも一つ!/ Always, there's only one truth! -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
