[security problem] ExternalProject_Add downloads files without checking the hash
ExternalProject_Add(URL ...) and ExternalProject_Add(GIT_REPOSITORY ...) download files without generally checking their hash to verify the authenticity of the download. Such a download process is prone to various MITM attacks, when the attacker controls the network or DNS and substitutes the file with a malicious copy.
This is fundamentally different from the situation when the user downloads the project itself since it is the user's responsibility to verify the authenticity of downloads and to check hashes of downloaded files. ExternalProject_Add downloads files in an ad hoc fashion without
Please make URL_HASH required, and work for all downloads, not just URL ones.
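
Until such a requirement exists, a project can audit its own CMake files. The script below is an added example, not part of the original report or of CMake: it lists ExternalProject_Add calls that use URL without URL_HASH, or GIT_REPOSITORY without GIT_TAG set to a full 40-hex commit hash. Treating a pinned commit as the git counterpart of URL_HASH is this example's assumption, and the sample CMake text with its example.invalid URLs is constructed.

```python
import re

CALL = re.compile(r"ExternalProject_Add\s*\(", re.IGNORECASE)  # CMake commands ignore case
FULL_SHA = re.compile(r"^[0-9a-fA-F]{40}$")                    # full SHA-1 commit id
NO_HASH = "URL without URL_HASH"
NO_PIN = "GIT_REPOSITORY without GIT_TAG set to a full commit hash"

def call_args(text):
    """Yield the argument tokens of each ExternalProject_Add(...) call."""
    # Drop comments; '#' must start a line or follow whitespace so URL fragments survive.
    text = re.sub(r"(?m)(^|\s)#[^\n]*", "", text)
    for m in CALL.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:          # walk to the matching ')'
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        yield [t.strip('"') for t in text[m.end():i - 1].split()]

def audit(text):
    """Return (project_name, problem) for every download with no integrity pin."""
    findings = []
    for tokens in call_args(text):
        if not tokens:
            continue
        name, opts = tokens[0], tokens[1:]
        tag = opts[opts.index("GIT_TAG") + 1] if "GIT_TAG" in opts[:-1] else ""
        if "URL" in opts and "URL_HASH" not in opts:
            findings.append((name, NO_HASH))
        if "GIT_REPOSITORY" in opts and not FULL_SHA.match(tag):
            findings.append((name, NO_PIN))     # branch/tag names can be moved
    return findings

# Constructed sample input: hosts, names and hash values are made up.
SAMPLE = f"""
include(ExternalProject)
ExternalProject_Add(dep_a            # archive, no hash
  URL https://example.invalid/a.tar.gz)
ExternalProject_Add(dep_b            # archive, hash given
  URL https://example.invalid/b.tar.gz
  URL_HASH SHA256={'ab' * 32})
ExternalProject_Add(dep_c            # git, moving branch
  GIT_REPOSITORY https://example.invalid/c.git
  GIT_TAG main)
ExternalProject_Add(dep_d            # git, pinned commit
  GIT_REPOSITORY https://example.invalid/d.git
  GIT_TAG {'1f' * 20})
"""

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```

The tokenizer is whitespace-based, so option values that contain spaces or CMake variables that expand to a hash are not resolved; such calls need a manual look.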