[Rd] Does (will) CRAN provide consistent integrity verification

Younce, Matt Matt_Younce at cinfin.com
Thu Apr 16 18:32:04 CEST 2015


Intended Audience:  CRAN administrators, maintainers and R Package Developers.
Does anyone know of consistent methods (or plans for near future) to verify integrity of downloaded R package binaries from CRAN?
The purpose is to foster a high degree of trust in the validity of downloaded binaries from CRAN.
For example Apache projects mostly provide something like MD5, SHA1, SHA256, or signing with GnuPG, etc., as in http://www.apache.org/dev/release-signing.
I have noticed that several R package zip files do contain MD5 strings, but not all do, and not as a separate download link.  Besides, MD5 is not the preferred method.
What role in the administration of CRAN would be best positioned to guide and assist R package developers (and/or repository administrators) to provide a simple reliable method?
Without such features, the alternatives for many risk-averse entities would be to resort to vendor releases of R, which can be cost prohibitive.
Several recent articles underscore that the need is here now, so I am hoping (and probably a growing number are also hoping) there is some way to currently or easily achieve this without resorting to a big-dollar vendor.
Thanks very much for your help,
Matt Younce
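The post contrasts the MD5 strings found inside some package archives with the separately published checksums or GnuPG signatures Apache projects offer. The example below is added here and is not code from the original post, from CRAN or from R itself. It builds a small in-memory .tar.gz with an embedded MD5 manifest in the `<hex> *<path>` line format that an R source package's MD5 file uses (that format, the package name `pkg_1.0.tar.gz` and the file contents are assumptions constructed for the demo; a Windows binary .zip would need the same treatment), then shows why the embedded file alone is not an integrity guarantee: whoever can alter the archive can regenerate the embedded MD5 file, so an internal check still passes, while a SHA-256 manifest published out of band by the repository still catches the change.

```python
"""Added example (not from the original post, CRAN, or R): compare the check an
embedded MD5 file gives you with the check an out-of-band SHA-256 manifest gives you."""
import hashlib
import io
import re
import tarfile

# Manifest line format assumed here: "<hex> *<path>" (R's MD5 file, md5sum -b)
# or "<hex>  <path>" (sha256sum text mode). Both are accepted.
_MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")


def parse_manifest(text):
    """Return {path: hex digest} from checksum-manifest text; reject malformed lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _MANIFEST_LINE.match(line)
        if not m:
            raise ValueError("malformed manifest line: %r" % line)
        entries[m.group(2)] = m.group(1).lower()
    return entries


def digest(data, algo):
    return hashlib.new(algo, data).hexdigest()


def build_package(files):
    """Build an in-memory pkg/*.tar.gz from {relative path: bytes}, adding an
    MD5 file that lists every other member, as an R source package carries."""
    md5_lines = "".join("%s *%s\n" % (digest(data, "md5"), path)
                        for path, data in sorted(files.items()))
    members = dict(files)
    members["MD5"] = md5_lines.encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(members.items()):
            info = tarfile.TarInfo("pkg/" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check_embedded_md5(archive):
    """Re-hash every member named in the archive's own MD5 file (the kind of
    check tools::checkMD5sums performs). Returns the list of mismatching or
    missing paths; an empty list means the archive is self-consistent."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        contents = {m.name.split("/", 1)[1]: tar.extractfile(m).read()
                    for m in tar.getmembers() if m.isfile()}
    expected = parse_manifest(contents["MD5"].decode())
    return sorted(p for p, h in expected.items()
                  if p not in contents or digest(contents[p], "md5") != h)


def check_external_manifest(archive_name, archive, manifest_text, algo="sha256"):
    """Compare the whole archive against a manifest published separately from it."""
    expected = parse_manifest(manifest_text)
    if archive_name not in expected:
        return "not listed"
    return "ok" if digest(archive, algo) == expected[archive_name] else "MISMATCH"


def demo():
    # Constructed sample package: a DESCRIPTION and one R source file.
    name = "pkg_1.0.tar.gz"
    original = build_package({
        "DESCRIPTION": b"Package: pkg\nVersion: 1.0\n",
        "R/zzz.R": b".onLoad <- function(libname, pkgname) invisible(NULL)\n",
    })
    # The repository publishes a SHA-256 manifest out of band (sha256sum format).
    manifest = "%s  %s\n" % (digest(original, "sha256"), name)

    # An attacker replaces R/zzz.R and regenerates the embedded MD5 file.
    tampered = build_package({
        "DESCRIPTION": b"Package: pkg\nVersion: 1.0\n",
        "R/zzz.R": b".onLoad <- function(libname, pkgname) system('id')\n",
    })
    return {
        "embedded_original": check_embedded_md5(original),
        "embedded_tampered": check_embedded_md5(tampered),
        "external_original": check_external_manifest(name, original, manifest),
        "external_tampered": check_external_manifest(name, tampered, manifest),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The embedded MD5 check passes for both archives, because the attacker rebuilt it; only the out-of-band SHA-256 manifest flags the tampered copy. A manifest is in turn only as trustworthy as the channel it arrived over, which is why a detached GnuPG signature over the manifest (as in the Apache release-signing process the post cites) is the step that closes the loop.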

