pkg/58113: cmake depends on curl and may use build-time network access

[campbell+netbsd%mumble.net@localhost]

>Number:         58113
>Category:       pkg
>Synopsis:       cmake depends on curl and may use build-time network access
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Apr 04 18:25:00 +0000 2024
>Originator:     Taylor R Campbell
>Release:        current
>Organization:
The NetBS CMake Featurecreepyation
>Environment:
>Description:
cmake pulls in a curl dependency, which there is no reason for any build tool to ever have:

# $NetBSD: Makefile,v 1.215 2023/11/19 17:16:27 adam Exp $
...
.include "../../www/curl/buildlink3.mk"

The commit message on devel/cmake/Makefile rev. 1.27 claims:

Author: wiz <wiz%pkgsrc.org@localhost>
Date:   Fri Feb 23 11:48:18 2007 +0000

    Update to 2.4.6:
    ...
    * Allow installed zlib, curl, expat, xmlrpc to be used.

It's not clear whether this is the _only_ reason cmake brings in a curl dependency.  Apparently cmake also by design does network access at build time:

https://cmake.org/cmake/help/latest/module/FetchContent.html

We should fix cmake to disable this design mistake so it

(a) doesn't bring in a curl dependency, and
(b) never even thinks about attempting network access.
>How-To-Repeat:
1. code inspection
2. build curl with brotli option
>Fix:
throw out cmake and start over