feat: git cloning should verify the cryptograhic hash

[yurivict]

Feature Description

The cloning operation here just clones the latest revision.

Git is not a secure protocol and resulting download can be easily substituted by a malicious party who might control network connections.

Such git clone should be always for a particular repository tag or revision, and should always verify the cryptographic hash of the downloaded content.

In fact there is no need for clone. You can just download a desired tarball.

The Solution

Verify cryptographic hash.

Considered Alternatives

Alternatives are not secure.

Additional Context

No response

Related Features to This Feature Request

• Metal support
• CUDA support
• Vulkan support
• Grammar
• Function calling

Are you willing to resolve this issue by submitting a Pull Request?

Yes, I have the time, and I know how to start.

[giladgd]

@yurivict The git clone always clones from https://github.com thus using TLS, and when you don't specify any parameters (such as a specific GitHub repo or release) it then defaults to using the default repo (ggml-org/llama.cpp) with the llama.cpp release version that the specific node-llama-cpp version was shipped with.
For the default GitHub repo and the builtin llama.cpp version that node-llama-cpp is shipped with it uses the local llama.cpp repo bundle that's shipped with the module itself by default so that cloning works offline and no network request is needed for the build process.

Because of the above, I don't see any security issue that should be solved.
If I missed anything then please let me know, otherwise this issue can be closed.