Currently you have to trust that the cmkr repository does not force push the same tag with new untrusted code.
You can already (trivially) point cmkr.cmake to your own infrastructure, but it would be good to also (optionally) verify the tag.
Perhaps `v0.2.1:hash`. Another option is to `git checkout hash`, but tags have the advantage that they are human-readable and (more importantly) you can do a shallow clone, which speeds up configure times.
An additional feature should be that unpinned tags are immediately pinned (cmkr.cmake should modify itself). This will ensure that everyone benefits from this security.
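One way the proposal could look in a CMake script, as an added example that is not cmkr's own code: a pin of the form `tag:hash`, a shallow clone of the tag, a check that the checked-out commit equals the pinned hash, and self-pinning of an unpinned tag by rewriting the script's own pin line. `CMKR_REPO`, `CMKR_SRC` and the variable names are assumptions; the repository URL is a placeholder.

```cmake
# Added example, not part of cmkr.cmake. CMKR_REPO is a placeholder URL.
set(CMKR_REPO "https://example.invalid/cmkr.git")
# Pin spec: "tag" (unpinned) or "tag:commit-hash". Keep this line in exactly
# this shape, because the self-pinning step below rewrites it textually.
set(CMKR_PIN "v0.2.1")

# Split "tag[:hash]" into CMKR_TAG and CMKR_HASH (empty when unpinned).
string(REPLACE ":" ";" _pin_parts "${CMKR_PIN}")
list(GET _pin_parts 0 CMKR_TAG)
list(LENGTH _pin_parts _pin_len)
set(CMKR_HASH "")
if(_pin_len EQUAL 2)
    list(GET _pin_parts 1 CMKR_HASH)
endif()

find_package(Git REQUIRED)
set(CMKR_SRC "${CMAKE_BINARY_DIR}/_cmkr/src")
if(NOT EXISTS "${CMKR_SRC}/.git")
    # Shallow clone keeps configure fast; --branch also accepts a tag name.
    execute_process(
        COMMAND "${GIT_EXECUTABLE}" clone --depth 1 --branch "${CMKR_TAG}"
                "${CMKR_REPO}" "${CMKR_SRC}"
        RESULT_VARIABLE _clone_rc)
    if(NOT _clone_rc EQUAL 0)
        message(FATAL_ERROR "cmkr: failed to clone tag ${CMKR_TAG}")
    endif()
endif()

# The commit the tag actually pointed to at clone time (full 40-hex hash).
execute_process(
    COMMAND "${GIT_EXECUTABLE}" -C "${CMKR_SRC}" rev-parse HEAD
    OUTPUT_VARIABLE _actual_hash OUTPUT_STRIP_TRAILING_WHITESPACE
    RESULT_VARIABLE _rp_rc)
if(NOT _rp_rc EQUAL 0)
    message(FATAL_ERROR "cmkr: could not resolve HEAD in ${CMKR_SRC}")
endif()

if(CMKR_HASH STREQUAL "")
    # Unpinned: rewrite this file so every later configure verifies the hash.
    file(READ "${CMAKE_CURRENT_LIST_FILE}" _self)
    string(REPLACE "set(CMKR_PIN \"${CMKR_TAG}\")"
                   "set(CMKR_PIN \"${CMKR_TAG}:${_actual_hash}\")" _self "${_self}")
    file(WRITE "${CMAKE_CURRENT_LIST_FILE}" "${_self}")
    message(STATUS "cmkr: pinned ${CMKR_TAG} to ${_actual_hash}")
elseif(NOT _actual_hash STREQUAL CMKR_HASH)
    # A force-pushed tag shows up here as a hash mismatch and stops configure.
    message(FATAL_ERROR "cmkr: ${CMKR_TAG} is ${_actual_hash}, expected ${CMKR_HASH}")
endif()
```

The first configure records the full commit hash next to the tag; every later configure, including one with a fresh shallow clone, fails if the tag no longer resolves to that commit.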