build-cpp / cmkr

Modern build system based on CMake and TOML.
https://cmkr.build
MIT License
439 stars 27 forks

Add additional layer of verification in `CMKR_TAG` #43

Closed mrexodia closed 2 years ago

mrexodia commented 2 years ago

Currently you have to trust that the cmkr repository does not force-push the same tag with new untrusted code.

You can already (trivially) point cmkr.cmake to your own infrastructure, but it would be good to also (optionally) verify the tag.

Perhaps `v0.2.1:hash`. Another option is to `git checkout hash`, but tags have the advantage that they are human-readable and (more importantly) you can do a shallow clone, which speeds up configure times.

An additional feature should be that unpinned tags are immediately pinned (cmkr.cmake should modify itself). This will ensure that everyone benefits from this security.
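The `tag:hash` pin, the shallow clone and the self-pinning step proposed above, written out as an added CMake example. This is an illustration for this issue, not the cmkr project's own cmkr.cmake: the `tag[:commit]` convention, the `CMKR_REPO`/`CMKR_DIR` variables and the `cmkr_parse_pin`, `cmkr_fetch_verified` and `cmkr_pin_self` helpers are assumptions made for the example, and the `v0.2.1` default is a placeholder. Running it clones the upstream repository over the network.

```cmake
# Added example for build-cpp/cmkr issue #43; not the project's own cmkr.cmake.
# Assumed conventions: CMKR_TAG is "tag" or "tag:commit" (full 40-hex commit),
# and every helper name below is invented for this illustration.
cmake_minimum_required(VERSION 3.15)

set(CMKR_REPO "https://github.com/build-cpp/cmkr" CACHE STRING "cmkr git repository")
# Unpinned on first use (placeholder tag); cmkr_pin_self() rewrites this
# exact line to set(CMKR_TAG "v0.2.1:<commit>") after the first configure.
set(CMKR_TAG "v0.2.1")
set(CMKR_DIR "${CMAKE_CURRENT_BINARY_DIR}/_cmkr")

# Split "tag[:commit]" and validate the commit part.
function(cmkr_parse_pin spec out_tag out_commit)
  string(FIND "${spec}" ":" colon)
  if(colon EQUAL -1)
    set(${out_tag} "${spec}" PARENT_SCOPE)
    set(${out_commit} "" PARENT_SCOPE)
    return()
  endif()
  string(SUBSTRING "${spec}" 0 ${colon} tag)
  math(EXPR start "${colon} + 1")
  string(SUBSTRING "${spec}" ${start} -1 commit)
  string(TOLOWER "${commit}" commit)
  string(LENGTH "${commit}" len)
  # Require the full hash: an abbreviated prefix is cheap to collide by brute force.
  if(NOT len EQUAL 40 OR NOT commit MATCHES "^[0-9a-f]+$")
    message(FATAL_ERROR "CMKR_TAG: '${commit}' is not a full 40-hex commit hash")
  endif()
  set(${out_tag} "${tag}" PARENT_SCOPE)
  set(${out_commit} "${commit}" PARENT_SCOPE)
endfunction()

# Shallow-clone the tag, then check that HEAD is the pinned commit.
function(cmkr_fetch_verified repo spec dest out_commit)
  cmkr_parse_pin("${spec}" tag want)
  find_package(Git REQUIRED)

  if(NOT EXISTS "${dest}/.git")
    # --depth 1 keeps configure fast; --branch also accepts a tag name.
    execute_process(
      COMMAND "${GIT_EXECUTABLE}" clone --quiet --depth 1 --branch "${tag}" "${repo}" "${dest}"
      RESULT_VARIABLE rc)
    if(NOT rc EQUAL 0)
      message(FATAL_ERROR "cmkr: cloning ${repo} at ${tag} failed")
    endif()
  endif()

  # HEAD is the commit the tag points at (for an annotated tag, the tagged
  # commit rather than the tag object), so that is what gets pinned and compared.
  execute_process(
    COMMAND "${GIT_EXECUTABLE}" -C "${dest}" rev-parse --verify HEAD
    OUTPUT_VARIABLE got OUTPUT_STRIP_TRAILING_WHITESPACE RESULT_VARIABLE rc)
  if(NOT rc EQUAL 0)
    message(FATAL_ERROR "cmkr: cannot resolve HEAD in ${dest}")
  endif()

  if(NOT want STREQUAL "" AND NOT got STREQUAL want)
    # The tag no longer points where it did when it was pinned: drop the
    # checkout so nothing from it is built, and abort the configure.
    file(REMOVE_RECURSE "${dest}")
    message(FATAL_ERROR
      "cmkr: tag ${tag} resolves to ${got} but CMKR_TAG pins ${want}; "
      "the upstream tag was moved or the pin is stale")
  endif()
  set(${out_commit} "${got}" PARENT_SCOPE)
endfunction()

# First run with an unpinned tag: rewrite the set(CMKR_TAG ...) line in this
# file so every later configure, and everyone who clones the project, verifies
# the same commit.
function(cmkr_pin_self file tag commit)
  file(READ "${file}" contents)
  string(REPLACE "set(CMKR_TAG \"${tag}\")" "set(CMKR_TAG \"${tag}:${commit}\")"
         pinned "${contents}")
  if(pinned STREQUAL contents)
    message(WARNING "cmkr: no set(CMKR_TAG \"${tag}\") line in ${file}; not pinned")
    return()
  endif()
  file(WRITE "${file}" "${pinned}")
  message(STATUS "cmkr: pinned ${tag} to ${commit} in ${file}; commit this change")
endfunction()

cmkr_fetch_verified("${CMKR_REPO}" "${CMKR_TAG}" "${CMKR_DIR}" CMKR_COMMIT)
cmkr_parse_pin("${CMKR_TAG}" CMKR_TAG_NAME CMKR_TAG_PIN)
if(CMKR_TAG_PIN STREQUAL "")
  cmkr_pin_self("${CMAKE_CURRENT_LIST_FILE}" "${CMKR_TAG_NAME}" "${CMKR_COMMIT}")
endif()
```

Two points worth checking when adopting something like this: the pin is only as good as the first clone, so the commit written by `cmkr_pin_self` should be reviewed before it is committed, and a reused checkout in the build directory is compared against the pin as well, so a stale clone cannot silently bypass the check.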

mrexodia commented 2 years ago

Closed in 1f6e31e0ef8e289a80c267f4b1951107d715f79f