-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cmake, msvc: Pin liblzma version #140
Conversation
This change avoids `liblzma` versions with known backdoors. It is equivalent to `liblzma` package as it was before microsoft/vcpkg@a487471.
This reverts commit 418b4f4.
Friendly ping @sipsorcery @TheCharlatan @pablomartin4btc @m3dwards :) |
Shouldn't any upstreams be fixed/not shipping compromised code by this point? It's not clear to me what we have to work around exactly. |
The version 5.4.1 has no known exploits/backdoors for Windows, right?
The goal is to re-enabling building |
I don't know, but I also don't know why we need to override anything here, why 5.4.1 in particular is the right choice (given upstream is 5.4.4), or why we can't just use upstream. |
5.4.1 is the latest version, which vcpkg fetch from the SourceForge repository. For newer versions, it switched to the GitHub's one, which is unavailable for now. |
Ok. I guess this is a special case, and I'd hope we don't have to micro-manage dependencies we don't actually use, going forward, with vcpkg. |
@@ -458,8 +458,7 @@ jobs: | |||
|
|||
- name: Generate build system | |||
run: | | |||
# TODO: Re-enable default features, once the liblzma package become available to build again. | |||
cmake -B build --preset ${{ matrix.conf.preset }} -DWERROR=ON -DVCPKG_MANIFEST_NO_DEFAULT_FEATURES=ON -DVCPKG_MANIFEST_FEATURES="wallet;miniupnpc;zeromq;tests" | |||
cmake -B build --preset ${{ matrix.conf.preset }} -DWERROR=ON | |||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this change related to the liblzma pinning?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After liblzma pinning, it is possible to use all default dependency features, which is the goal of the liblzma pinning.
This commit reverts changes introduced #137 as a quick response to xz backdoor and the following GitHub repo disabling.
ACK b2ccf9d Tested with MSVC build. I understand that xz/liblzma is compromised on version |
This is an alternative to #137, which does not disable GUI for MSVC builds.