# B15 — cmake/import*.cmake: dependencies pinned to mutable git tags

Bug ref      : always.md B.15 ; pharo.md §7
Severity     : HIGH (one upstream re-tag silently changes the bundled library)
Files        : cmake/importLibFFI.cmake, cmake/importLibGit2.cmake, cmake/importSDL2.cmake
Lines        : varies (every `GIT_TAG "<name>"` block)

## Problem

```cmake
# importLibFFI.cmake
download_project(PROJ   libffi
    GIT_REPOSITORY      https://github.com/pharo-project/libffi.git
    GIT_TAG             "v3.3-cmake"
    ${UPDATE_DISCONNECTED_IF_AVAILABLE}
)
```

`GIT_TAG "v3.3-cmake"` fetches whatever commit currently bears the
`v3.3-cmake` tag. Git tags are mutable references: anyone with push
access upstream (the maintainer, or an attacker who briefly gains it)
can move the tag to a different commit with `git tag -f` and a forced
push, and the next clean build bundles that commit with no diff in this
repository. `${UPDATE_DISCONNECTED_IF_AVAILABLE}` does not help:
`UPDATE_DISCONNECTED` only skips the update step in a build tree that
already holds a checkout, so every fresh build (CI in particular)
re-resolves the tag through the `ExternalProject_Add` call that
`download_project` wraps. The CMake `ExternalProject` documentation
itself recommends a commit hash over a branch or tag name for
`GIT_TAG` for exactly this reason.

The same pattern is used in `importLibGit2.cmake` and
`importSDL2.cmake`.

## Fix

Pin to the full 40-character SHA of the commit the tag currently points
at. For an annotated tag that is the commit the tag object refers to,
not the tag object itself: `git ls-remote --tags` lists both, the tag
object under `refs/tags/<name>` and the commit under
`refs/tags/<name>^{}`, and the second one is the value to pin. Keep the
tag name as a comment for readability.

```diff
diff --git a/cmake/importLibFFI.cmake b/cmake/importLibFFI.cmake
index 757016f4c..88e1f174f 100644
--- a/cmake/importLibFFI.cmake
+++ b/cmake/importLibFFI.cmake
@@ -15,7 +15,10 @@ function(build_ffi)
 
 	download_project(PROJ   libffi
 		GIT_REPOSITORY      https://github.com/pharo-project/libffi.git
-        GIT_TAG             "v3.3-cmake"
+        # GIT_TAG was "v3.3-cmake"; pin to the full SHA of the commit that
+        # tag points at so a future re-tag cannot silently change the bundled
+        # library. Operator: replace <FILL_IN_COMMIT_SHA> with the actual SHA.
+        GIT_TAG             "<FILL_IN_COMMIT_SHA>"
         ${UPDATE_DISCONNECTED_IF_AVAILABLE}
 	)
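Review bot: as written the hunk swaps a resolvable tag for the literal placeholder `GIT_TAG "<FILL_IN_COMMIT_SHA>"`, so the download step fails on every build until an operator edits the file; resolve the SHA before landing instead of shipping a placeholder, and pin the commit the tag points at (the `refs/tags/v3.3-cmake^{}` entry from `git ls-remote --tags`, if the tag is annotated), not the tag object. The new comment should also carry the date of the pin alongside the tag name, since the risk notes below ask for both. Minor: the replaced line keeps 8-space indentation while `download_project(` and `GIT_REPOSITORY` above it are tab-indented.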
```

Apply the same pattern to:

  - `cmake/importLibGit2.cmake`  (every `GIT_TAG` line)
  - `cmake/importSDL2.cmake`     (every `GIT_TAG` line)

## Test plan

- Build from a clean build tree with the new pinned SHAs: succeeds, and
  the checked-out commit of each dependency (`git rev-parse HEAD` in its
  source directory) equals the SHA in the `.cmake` file.
- In a scratch clone of one dependency, move its tag to a different
  commit (`git tag -f`, force-push to a test remote), point
  `GIT_REPOSITORY` at that remote and rebuild from a clean tree: the
  build still checks out the pinned commit because the tag is no longer
  consulted.
- Grep `cmake/import*.cmake` for `GIT_TAG`: every value is 40 lowercase
  hex characters; no tag names or placeholders remain.

## Risk notes

- Upgrading a dependency now requires editing this file with the
  new commit SHA. That is the desired property.
- The SHA must be the **full** 40-character hash; short hashes
  could collide.
- Pin the commit, not the tag object: for an annotated tag the two
  hashes differ, and only the peeled commit (`refs/tags/<name>^{}` in
  `git ls-remote` output) identifies the tree that gets built.
- A pin freezes whatever the tag points at today, so review the commit
  being pinned (at least diff it against the previously built tree)
  before landing; the pin protects against future moves, not against a
  tag that was already wrong.
- Whoever updates the SHA should also update the comment naming
  the upstream tag and the date.
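An added check, written for this note and not part of the pharo-vm build: a POSIX sh script that lints `cmake/import*.cmake` for `GIT_TAG` values that are not a full 40-hex commit SHA, so CI can enforce the pin from the Fix section and the full-hash rule above, plus a helper that resolves an upstream tag to the commit it should be pinned to with `git ls-remote`. The `cmake/` tree the script builds for its offline demo is constructed sample input, and the 40-hex value in it is made up.

```shell
#!/bin/sh
# Added example, not code from the pharo-vm repository.

# Lint: every line of the form `GIT_TAG "<value>"` (leading tabs or
# spaces allowed, commented-out lines ignored) must carry a 40-character
# lowercase hex commit SHA. Offenders go to stderr as file:line:value;
# the function returns non-zero if any were found.
check_git_tags_pinned() {
    awk '
        /^[[:space:]]*GIT_TAG[[:space:]]/ {
            v = $2; gsub(/"/, "", v)
            if (length(v) != 40 || v !~ /^[0-9a-f]+$/) {
                printf "unpinned GIT_TAG: %s:%d: %s\n", FILENAME, FNR, v > "/dev/stderr"
                bad++
            }
        }
        END { exit (bad > 0) }' "$@"
}

# Resolve an upstream tag to the commit it points at, which is the value
# to pin. git ls-remote lists an annotated tag twice: the tag object under
# refs/tags/<name> and the commit under refs/tags/<name>^{}; a lightweight
# tag appears once and is already a commit. The peeled entry wins.
# Needs network access, so the offline demo below does not call it.
tag_commit() {
    repo=$1
    tag=$2
    git ls-remote --tags "$repo" "refs/tags/$tag" "refs/tags/$tag^{}" \
    | awk -v peeled="refs/tags/$tag^{}" -v plain="refs/tags/$tag" '
        $2 == peeled { print $1; found = 1; exit }
        $2 == plain  { c = $1 }
        END { if (!found && c != "") print c }'
}

# Constructed sample tree for the offline demo: one file still on the
# mutable tag, one pinned to a made-up full SHA (tab-indented, with the
# tag kept as a comment), one with a short hash. Prints the directory.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/cmake"
    printf 'download_project(PROJ   libffi\n    GIT_REPOSITORY      https://github.com/pharo-project/libffi.git\n    GIT_TAG             "v3.3-cmake"\n)\n' \
        > "$d/cmake/importLibFFI.cmake"
    printf '\tdownload_project(PROJ   libgit2\n\t\t# GIT_TAG was "v1.0.0"; pinned 2024-01-01 (sample date)\n\t\tGIT_TAG             "%s"\n\t)\n' \
        0123456789abcdef0123456789abcdef01234567 > "$d/cmake/importLibGit2.cmake"
    printf '    GIT_TAG             "0123456"\n' > "$d/cmake/importSDL2.cmake"
    echo "$d"
}

# Demo: the whole tree fails the lint (libffi on a tag, SDL2 on a short
# hash); the libgit2 file alone passes.
demo_dir=$(make_demo_tree)
if check_git_tags_pinned "$demo_dir"/cmake/import*.cmake; then
    echo "all GIT_TAGs pinned"
else
    echo "unpinned GIT_TAGs found (expected for the demo tree)"
fi
if check_git_tags_pinned "$demo_dir/cmake/importLibGit2.cmake"; then
    echo "importLibGit2.cmake: pinned"
fi
rm -rf "$demo_dir"
```

In CI, run `check_git_tags_pinned cmake/import*.cmake` as a gate; to produce the value for a new pin, `tag_commit https://github.com/pharo-project/libffi.git v3.3-cmake` prints the peeled commit, which is what goes into `GIT_TAG` together with the tag name and date in the comment.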
