cmake, msvc: Pin liblzma version

[hebasto]

This is an alternative to #137, which does not disable GUI for MSVC builds.

[hebasto]

Friendly ping @sipsorcery @TheCharlatan @pablomartin4btc @m3dwards :)

[fanquake]

Shouldn't any upstreams be fixed/not shipping compromised code by this point? It's not clear to me what we have to work around exactly.

[hebasto]

Shouldn't any upstreams be fixed/not shipping compromised code by this point?

The version 5.4.1 has no known exploits/backdoors for Windows, right?

It's not clear to me what we have to work around exactly.

The goal is to re-enabling building bitcoin-qt.exe using MSVC and vcpkg package manager.

[fanquake]

The version 5.4.1 has no known exploits/backdoors for Windows, right?

I don't know, but I also don't know why we need to override anything here, why 5.4.1 in particular is the right choice (given upstream is 5.4.4), or why we can't just use upstream.

[hebasto]

The version 5.4.1 has no known exploits/backdoors for Windows, right?

I don't know, but I also don't know why we need to override anything here, why 5.4.1 in particular is the right choice (given upstream is 5.4.4), or why we can't just use upstream.

5.4.1 is the latest version, which vcpkg fetch from the SourceForge repository. For newer versions, it switched to the GitHub's one, which is unavailable for now.

[fanquake]

Ok. I guess this is a special case, and I'd hope we don't have to micro-manage dependencies we don't actually use, going forward, with vcpkg.

[sipsorcery]

Is this change related to the liblzma pinning?

[hebasto]

After liblzma pinning, it is possible to use all default dependency features, which is the goal of the liblzma pinning.

This commit reverts changes introduced #137 as a quick response to xz backdoor and the following GitHub repo disabling.

[m3dwards]

ACK b2ccf9d

Tested with MSVC build.

I understand that xz/liblzma is compromised on version 5.6.0 and 5.6.1 and so 5.4.1 is ok.