[CMake] How URL_MD5 is computed in ExternalProject_Add?

Cedric Doucet cedric.doucet at inria.fr
Tue May 19 09:38:49 EDT 2015


Hello David,

I understand exactly what you mean but the misunderstanding comes from your sentence:

>> > The point is to double check that it downloaded correctly and as expected.

That's NOT why I use the URL_MD5 variable in ExternalProject_Add.
I use it to avoid downloading libraries again after typing 'make clean'.

So, my feeling is that I shouldn't use the URL_MD5 variable to perform this checking.
Furthermore, I should check other steps (updating, configuration, building, installation).

Do you agree with this?
What is the correct way to do this with CMake?

Cédric


----- Original message -----
> From: "David Cole" <DLRdave at aol.com>
> To: "Marc CHEVRIER" <marc.chevrier at sap.com>
> Cc: "Cedric Doucet" <cedric.doucet at inria.fr>, cmake at cmake.org
> Sent: Tuesday 19 May 2015 15:04:58
> Subject: Re: [CMake] How URL_MD5 is computed in ExternalProject_Add?
> 
> The point of specifying URL_MD5 in ExternalProject_Add is so that it
> can check to see if it downloaded the file properly. If you don't tell
> it what the md5 sum should be, then what good is computing it after
> downloading it?
> 
> The point is to double check that it downloaded correctly and as
> expected. If you don't tell it what to expect, it's impossible. So...
> you can't download arbitrary content from the internet unless you can
> also download its corresponding md5 sum reliably.
> 
> But... you can't even do that: because if somebody is trying to spoof
> it and hacks the file on the internet, they can just as easily hack
> the md5 you'd get from the internet and fool you into using a hacked
> file.
> 
> So: it's up to you to verify that a package retrieved from the
> internet is use-able and un-hacked, and then compute its md5 sum (or
> even better, SHA-1 sum), and pass it to ExternalProject_Add so it can
> *fail* if the sum of the downloaded file does not match the expected
> sum.
> 
> Does this make sense?
> 
> 
> 
> On Tue, May 19, 2015 at 7:29 AM, CHEVRIER, Marc <marc.chevrier at sap.com>
> wrote:
> >
> > You can use FILE (MD5 <file> <variable>) command to compute MD5 value.
> >
> > From: CMake on behalf of Cedric Doucet
> > Date: Tuesday 19 May 2015 13:14
> > To: "cmake at cmake.org"
> > Subject: Re: [CMake] How URL_MD5 is computed in ExternalProject_Add?
> >
> >
> > I managed to obtain the same MD5 code by running the md5sum command on the
> > downloaded file.
> > However, I would like to write an automatic way of downloading third-party
> > libraries.
> > Is it possible to let CMake compute the MD5 of the downloaded file?
> >
> > Cédric
> >
> >
> >
> > ________________________________
> >
> > From: "Cedric Doucet" <cedric.doucet at inria.fr>
> > To: cmake at cmake.org
> > Sent: Tuesday 19 May 2015 12:37:03
> > Subject: [CMake] How URL_MD5 is computed in ExternalProject_Add?
> >
> > Hello,
> >
> > I use the URL_MD5 variable to avoid downloading a library more than once
> > with the ExternalProject_Add command.
> > However, I don't manage to get the same MD5 code as CMake when I try to get
> > one with generators available on the internet.
> >
> > How could I get the same one for a URL written in the form
> > http://www.mywebsite.myext/mypath/myfile?
> > I have already tried the MD5 of the URL and of myfile but I don't get the
> > same MD5 as CMake.
> >
> > Thanks!
> >
> > Cédric
> >
> > --
> >
> > Powered by www.kitware.com
> >
> > Please keep messages on-topic and check the CMake FAQ at:
> > http://www.cmake.org/Wiki/CMake_FAQ
> >
> > Kitware offers various services to support the CMake community. For more
> > information on each offering, please visit:
> >
> > CMake Support: http://cmake.org/cmake/help/support.html
> > CMake Consulting: http://cmake.org/cmake/help/consulting.html
> > CMake Training Courses: http://cmake.org/cmake/help/training.html
> >
> > Visit other Kitware open-source projects at
> > http://www.kitware.com/opensource/opensource.html
> >
> > Follow this link to subscribe/unsubscribe:
> > http://public.kitware.com/mailman/listinfo/cmake
> >
>
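
An added example, not part of the original thread: a CMake script showing how one pinned digest serves both purposes discussed above, reusing an already-downloaded file and rejecting content that differs from what was verified. The helper `fetch_pinned`, the `pinned_demo` directory and the sample file are hypothetical and constructed for the illustration; it uses SHA-256 rather than the MD5 of the thread and assumes a Unix-style absolute path for the `file://` URL.

```cmake
# pinned_fetch.cmake -- added example; run offline with: cmake -P pinned_fetch.cmake
# In a project the same pin is passed as ExternalProject_Add(... URL_HASH SHA256=<digest>).
cmake_minimum_required(VERSION 3.10)

# Hypothetical helper: sets <out> to "reused", "downloaded" or "rejected".
function(fetch_pinned url dest pin out)
  string(TOLOWER "${pin}" pin)              # file(SHA256) yields lowercase hex
  if(EXISTS "${dest}")
    file(SHA256 "${dest}" have)             # digest of the file's bytes, not of the URL
    if("${have}" STREQUAL "${pin}")
      set(${out} "reused" PARENT_SCOPE)     # cache hit: nothing is fetched again
      return()
    endif()
    file(REMOVE "${dest}")                  # stale or modified cache entry
  endif()
  file(DOWNLOAD "${url}" "${dest}.part")
  file(SHA256 "${dest}.part" got)
  if(NOT "${got}" STREQUAL "${pin}")
    file(REMOVE "${dest}.part")             # never keep unverified content
    set(${out} "rejected" PARENT_SCOPE)
    return()
  endif()
  file(RENAME "${dest}.part" "${dest}")
  set(${out} "downloaded" PARENT_SCOPE)
endfunction()

# Constructed sample data: the "origin" is a local file served through a file://
# URL; its content "abc" has the well-known SHA-256 test-vector digest below.
set(work "${CMAKE_CURRENT_LIST_DIR}/pinned_demo")
set(pin  "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
file(REMOVE_RECURSE "${work}")
file(MAKE_DIRECTORY "${work}/cache")
file(WRITE "${work}/origin/myfile" "abc")
set(url "file://${work}/origin/myfile")

fetch_pinned("${url}" "${work}/cache/myfile" "${pin}" r1)  # first fetch
fetch_pinned("${url}" "${work}/cache/myfile" "${pin}" r2)  # cached copy still matches
file(WRITE "${work}/origin/myfile" "abd")                  # origin content changes
file(REMOVE "${work}/cache/myfile")
fetch_pinned("${url}" "${work}/cache/myfile" "${pin}" r3)  # digest no longer matches
message(STATUS "${r1}, ${r2}, ${r3}")
if(NOT "${r1};${r2};${r3}" STREQUAL "downloaded;reused;rejected")
  message(FATAL_ERROR "unexpected result")
endif()
```

The pin is a literal committed with the build files; computing it from the file that was just downloaded would make the comparison always succeed.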

