cmake, msvc: Pin liblzma version #140
Conversation
This change avoids `liblzma` versions with known backdoors. It is equivalent to `liblzma` package as it was before microsoft/vcpkg@a487471.
This reverts commit 418b4f4.
|
Friendly ping @sipsorcery @TheCharlatan @pablomartin4btc @m3dwards :) |
|
Shouldn't any upstreams be fixed/not shipping compromised code by this point? It's not clear to me what we have to work around exactly. |
The version 5.4.1 has no known exploits/backdoors for Windows, right?
The goal is to re-enabling building |
I don't know, but I also don't know why we need to override anything here, why 5.4.1 in particular is the right choice (given upstream is 5.4.4), or why we can't just use upstream. |
5.4.1 is the latest version, which vcpkg fetch from the SourceForge repository. For newer versions, it switched to the GitHub's one, which is unavailable for now. |
|
Ok. I guess this is a special case, and I'd hope we don't have to micro-manage dependencies we don't actually use, going forward, with vcpkg. |
| @@ -458,8 +458,7 @@ jobs: | |||
|
|
|||
| - name: Generate build system | |||
| run: | | |||
| # TODO: Re-enable default features, once the liblzma package become available to build again. | |||
| cmake -B build --preset ${{ matrix.conf.preset }} -DWERROR=ON -DVCPKG_MANIFEST_NO_DEFAULT_FEATURES=ON -DVCPKG_MANIFEST_FEATURES="wallet;miniupnpc;zeromq;tests" | |||
| cmake -B build --preset ${{ matrix.conf.preset }} -DWERROR=ON | |||
|
|
|||
There was a problem hiding this comment.
Is this change related to the liblzma pinning?
There was a problem hiding this comment.
After liblzma pinning, it is possible to use all default dependency features, which is the goal of the liblzma pinning.
This commit reverts changes introduced #137 as a quick response to xz backdoor and the following GitHub repo disabling.
|
ACK b2ccf9d Tested with MSVC build. I understand that xz/liblzma is compromised on version |
hebasto
changed the title
This is an alternative to #137, which does not disable GUI for MSVC builds.