pkgsrc-Bugs archive


Re: pkg/58113: cmake depends on curl and may use build-time network access



> Date: Thu,  4 Apr 2024 21:25:01 +0000 (UTC)
> From: Thomas Klausner <wiz%NetBSD.org@localhost>
> 
> On Thu, Apr 04, 2024 at 06:25:00PM +0000, campbell+netbsd%mumble.net@localhost wrote:
> > We should fix cmake to disable this design mistake so it
> > 
> > (a) doesn't bring in a curl dependency, and
> > (b) never even thinks about attempting network access.
>  
> It's an upstream feature that people might expect to have.
> 
> I have no problem with an option that you can turn off if you want,
> and pkgsrc disabling it at build time, but we shouldn't limit what
> people use cmake (installed by pkgsrc) for outside of pkgsrc.

Maybe it's useful for users to run outside of pkgsrc (seems extremely
dubious to me, like a feature for decompressing an exploit payload in
configure), but for use inside pkgsrc it violates policy about network
access during builds.

So we should either:

(a) have an alternate package, say devel/cmake-local or
    devel/cmake-no-stupid-network-in-builds or whatever, and use that
    in pkgsrc for packages that are built with cmake (or rename the
    current one to devel/cmake-with-network-misfeatures); or

(b) if not that, then find some way to disable any use of the network
    features when we invoke cmake in pkgsrc, like we do with meson
    (--wrap-mode=download).  (I thought we also did this with pip
    (PIP_ISOLATED=1, PIP_NO_DEPS=1, PIP_NO_INDEX=1, PIP_PROXY=0.0.0.0,
    &c.) and flit (FLIT_NO_NETWORK=1), but I can't find those now.)

(Obviously it would also be ideal to block network access in the bulk
build environment, too, but that serves more for detecting abuse of
the build system than for configuring the build system to behave.)
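
An added illustration of the detection side of this discussion, not part of the original message and not pkgsrc code: a heuristic Python scan that flags CMake commands in a package's build scripts that can reach the network. The function names, the sample script and the example.invalid URLs are constructed for this example; the commands matched (file(DOWNLOAD/UPLOAD), FetchContent, ExternalProject) are upstream CMake's.

```python
import re

# Constructed CMakeLists.txt sample; not taken from any real package.
SAMPLE = '''\
cmake_minimum_required(VERSION 3.20)
project(demo C)
# file(DOWNLOAD https://example.invalid/old.tar.gz old.tar.gz)
include(FetchContent)
FetchContent_Declare(dep
  GIT_REPOSITORY https://example.invalid/dep.git
  GIT_TAG        v1.0)
FILE(DOWNLOAD "https://example.invalid/blob.bin" "${CMAKE_BINARY_DIR}/blob.bin")
ExternalProject_Add(vendored URL ${CMAKE_SOURCE_DIR}/third_party/lib.tar.gz)
ExternalProject_Add(remote URL "https://example.invalid/lib.tar.gz")
'''

# CMake command names are case-insensitive; keyword arguments are not.
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(([^()]*)\)", re.S)
FETCHERS = {"externalproject_add", "fetchcontent_declare", "fetchcontent_populate"}
VCS = re.compile(r"\b(?:GIT|SVN|HG|CVS)_REPOSITORY\b")
REMOTE_URL = re.compile(r'\bURL\s+"?[A-Za-z][A-Za-z0-9+.-]*://')

def strip_comments(text):
    # Heuristic: removes '#' line comments and keeps newlines so line numbers
    # stay valid; bracket comments and '#' inside quoted strings are not handled.
    return re.sub(r"#[^\n]*", "", text)

def find_network_use(text):
    """Return (line, command, keyword) for each call that can fetch remotely."""
    findings = []
    clean = strip_comments(text)
    for m in CALL.finditer(clean):
        name, args = m.group(1).lower(), m.group(2)
        line = clean.count("\n", 0, m.start()) + 1
        if name == "file":
            sub = re.match(r"\s*(DOWNLOAD|UPLOAD)\b", args)
            if sub:
                findings.append((line, name, sub.group(1)))
        elif name in FETCHERS:
            hit = VCS.search(args) or REMOTE_URL.search(args)
            if hit:
                findings.append((line, name, hit.group(0).split()[0]))
    return findings

if __name__ == "__main__":
    for line, command, keyword in find_network_use(SAMPLE):
        print(f"line {line}: {command} uses {keyword}")
```

A URL or repository supplied through a variable is not resolved by this scan, so it complements rather than replaces blocking network access in the build environment.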

