[CMake] Using find_package() portably?

[Konstantin Tokarev]

> Using ExternalProject and a dependency fetching script suffer from the
> same problem. It is very easy to implement these things insecurely,
> and it makes your software hard to package for Linux distributions.
> When I see a trendy new project that prominently features a "curl |
> sh" line on its webpage I shudder and, try as I might, I usually write
> it off in my mind. Besides those lines sometimes not having "https://"
> in them,

You should check sha256 of all downloaded files. It really guarantees that
files were not tampered, unlike that "s" letter in the URL after "http" which
only checks that peer's TLS certificate looks okay.


> installing software outside of your package manager will
> eventually lead to a slew of problems (developers that focus on one or
> two projects may never experience those problems, but that is almost
> entirely luck).

This is not the case if done carefully, and is not relevant at all if dependencies
are not installed into system location

-- 
Regards,
Konstantin