# B17 — cmake/importFreetype2.cmake: direct savannah download with no URL_HASH

Bug ref      : always.md B.17 ; pharo.md §7
Severity     : HIGH (downloaded freetype source is unverified)
File         : cmake/importFreetype2.cmake
Lines (HEAD) : ~47-49 (`download_project URL …`)

## Problem

```cmake
download_project(PROJ                freetype
             URL      https://download.savannah.gnu.org/releases/freetype/freetype-2.10.0.tar.gz
             ${UPDATE_DISCONNECTED_IF_AVAILABLE}
)
```

Freetype 2.10.0 is downloaded over HTTPS from savannah, but with no
URL_HASH. If the upstream tarball is ever overwritten (savannah does
not enforce immutability of published release files) or tampered with
in transit, the bundled freetype source changes silently and nothing in
the build notices.

## Fix

Add a URL_HASH; pin to the SHA-256 of the upstream tarball as
published by the Freetype project.

```diff
diff --git a/cmake/importFreetype2.cmake b/cmake/importFreetype2.cmake
index e1f58f0b7..fbbf8b9ae 100644
--- a/cmake/importFreetype2.cmake
+++ b/cmake/importFreetype2.cmake
@@ -44,8 +44,12 @@ function(build_Freetype)
 
   include(cmake/DownloadProject.cmake)
 
+  # FIXME: pin URL_HASH to upstream-published SHA-256 for freetype-2.10.0
+  # before merging. The placeholder below is intentionally invalid so cmake
+  # aborts at download time until a real hash is supplied.
   download_project(PROJ                freetype
                URL      https://download.savannah.gnu.org/releases/freetype/freetype-2.10.0.tar.gz
+               URL_HASH SHA256=FILL_IN_UPSTREAM_SHA256_FOR_FREETYPE_2_10_0
                ${UPDATE_DISCONNECTED_IF_AVAILABLE}
   )

```
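Review bot: the FIXME comment at the top of the hunk says cmake "aborts at download time", but CMake checks that a URL_HASH has the form `ALGO=<hex>` when the download step is defined and stops with a FATAL_ERROR if it does not, so with `URL_HASH SHA256=FILL_IN_UPSTREAM_SHA256_FOR_FREETYPE_2_10_0` the configure step fails before any download is attempted; reword the comment to "at configure time". More importantly, the hunk is not mergeable as posted: a placeholder that fails every build verifies nothing, so the real upstream SHA-256 for freetype-2.10.0 needs to be on the `URL_HASH` line itself, and the FIXME block dropped, before this lands. The `download_project(PROJ freetype` header, the `URL` line and the `${UPDATE_DISCONNECTED_IF_AVAILABLE}` context are otherwise unchanged and fine.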

(The SHA-256 in the diff is a placeholder, not the upstream value.
Replace it with the SHA-256 the Freetype project publishes for 2.10.0,
verified against https://savannah.nongnu.org/news/?group=freetype,
before merging.)

## Test plan

- With the real hash in place, build the VM: freetype downloads, the
  hash validates, and the build proceeds.
- Replace the hash with a wrong value: cmake aborts with
  `URL_HASH mismatch`.
- Replace the URL with a different tarball: same outcome.
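As a companion to this test plan, an added example that is not part of the report or of the VM build: a small Python audit that scans CMake sources for `download_project` / `ExternalProject_Add` calls whose `URL` has no `URL_HASH`, or whose hash is malformed like the placeholder in the diff above. The sample CMake text and the 64-hex digest in it are constructed for the run; the regexes assume no `)` inside a call's argument list and no `#` inside a URL.

```python
import re

# Added audit script (not part of the report or the Pharo VM build): finds
# CMake download calls that fetch a URL without a usable URL_HASH pin.
CALL_RE = re.compile(r"\b(download_project|ExternalProject_Add)\s*\(([^)]*)\)", re.I)
URL_RE = re.compile(r"\bURL\s+(\S+)", re.I)       # plain URL, never URL_HASH
HASH_RE = re.compile(r"\bURL_HASH\s+(\S+)", re.I)
# Hex digest length CMake expects for each ALGO in URL_HASH ALGO=<hex>.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA224": 56, "SHA256": 64, "SHA384": 96, "SHA512": 128}

def classify_hash(spec):
    """'ok', 'weak' (MD5/SHA1) or 'malformed' for a URL_HASH value."""
    algo, sep, digest = spec.partition("=")
    algo = algo.upper()
    if not sep or algo not in HEX_LEN:
        return "malformed"
    if len(digest) != HEX_LEN[algo] or not re.fullmatch(r"[0-9A-Fa-f]+", digest):
        return "malformed"         # e.g. a FILL_IN_... placeholder left behind
    return "weak" if algo in ("MD5", "SHA1") else "ok"

def audit_cmake(text):
    """(call, url, status) per URL download; assumes no ')' in args, no '#' in URLs."""
    text = re.sub(r"#[^\n]*", "", text)     # strip comments first
    findings = []
    for m in CALL_RE.finditer(text):
        call, args = m.group(1), m.group(2)
        url = URL_RE.search(args)
        if url is None:                     # GIT_REPOSITORY etc.: out of scope
            continue
        pin = HASH_RE.search(args)
        status = "unpinned" if pin is None else classify_hash(pin.group(1))
        findings.append((call, url.group(1), status))
    return findings

# Constructed sample: the unpinned call from the report, the placeholder from
# the proposed diff, and a well-formed pin with a made-up (not real) digest.
SAMPLE = """
download_project(PROJ                freetype
             URL      https://download.savannah.gnu.org/releases/freetype/freetype-2.10.0.tar.gz
)
download_project(PROJ freetype
             URL      https://download.savannah.gnu.org/releases/freetype/freetype-2.10.0.tar.gz
             URL_HASH SHA256=FILL_IN_UPSTREAM_SHA256_FOR_FREETYPE_2_10_0
)
ExternalProject_Add(pinned_dep
             URL      https://example.invalid/dep-1.0.tar.gz
             URL_HASH SHA256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
)
"""
```

Running `audit_cmake` over a repository's `*.cmake` files reports every `unpinned` or `malformed` entry, which is the same class of defect sibling B16 addresses for the files.pharo.org downloads.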

## Risk notes

- If the upstream tarball is ever re-spun without a version bump
  (rare but possible for security re-releases), the build will
  break. That is the desired property; a human must look at the
  new artifact.
- Sibling B16 handles the files.pharo.org third-party downloads
  with a similar but indexed approach.
