[Rd] Does (will) CRAN provide consistent integrity verification

Dan Tenenbaum dtenenba at fredhutch.org
Fri Apr 17 00:23:45 CEST 2015



----- Original Message -----
> From: "Matt Younce" <Matt_Younce at cinfin.com>
> To: r-devel at r-project.org
> Sent: Thursday, April 16, 2015 9:32:04 AM
> Subject: [Rd] Does (will) CRAN provide consistent integrity verification
> 
> Intended Audience:  CRAN administrators, maintainers and R Package
> Developers.
> Does anyone know of consistent methods (or plans for near future) to
> verify integrity of downloaded R package binaries from CRAN?
> The purpose is to foster a high degree of trust in the validity of
> downloaded binaries from CRAN.
> For example Apache projects mostly provide something like MD5, SHA1,
> SHA256, or signing with GnuPG, etc., as in
> http://www.apache.org/dev/release-signing.

And all of this is probably irrelevant unless packages can be downloaded over HTTPS.

Dan


> I have noticed that several R package zip files do contain MD5
> strings, but not all do, and not as a separate download link.
>  Besides, MD5 is not the preferred method.
> What role in the administration of CRAN would be best positioned to
> guide and assist R package developers (and/or repository
> administrators) to provide a simple reliable method?
> Without such features, the alternatives for many risk-averse
> entities would be to resort to vendor releases of R which can be
> cost prohibitive.
> Several recent articles underscore the need is here now, so I am
> hoping (and probably a growing number are also hoping) there is some
> way to currently or easily achieve this without resorting to a big
> dollar vendor.
> Thanks very much for your help,
> Matt Younce

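As an added illustration (not code from the thread, from CRAN or from R's own tools), the Python script below shows the two checks the discussion distinguishes: verifying a download against a separately published sha256sum-style checksum, and verifying the MD5 manifest that ships inside an R source package tarball. The sample package and its contents are constructed inline, and all function names are hypothetical. The embedded manifest only catches accidental corruption, since whoever can alter the archive can rewrite the manifest too, which is why a checksum or signature published separately and fetched over HTTPS is the part that actually provides trust.

```python
import hashlib
import hmac
import io
import tarfile

def parse_checksum_file(text):
    """Parse md5sum/sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.lstrip(" *")] = digest.lower()
    return sums

def verify_download(data, expected_hex, algo="sha256"):
    """Compare the digest of downloaded bytes with the published one (constant time)."""
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), expected_hex.lower())

def check_r_package_md5(tarball_bytes):
    """Verify the MD5 manifest inside an R source package tarball.
    Returns (ok, names of files that are missing or whose digest differs)."""
    tf = tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:*")
    members = {m.name: m for m in tf.getmembers() if m.isfile()}
    md5_member = next(m for n, m in members.items() if n.endswith("/MD5"))
    pkgdir = md5_member.name.rsplit("/", 1)[0]
    manifest = tf.extractfile(md5_member).read().decode()
    mismatches = []
    for rel, expected in parse_checksum_file(manifest).items():
        m = members.get(pkgdir + "/" + rel)
        actual = hashlib.md5(tf.extractfile(m).read()).hexdigest() if m else ""
        if not hmac.compare_digest(actual, expected):
            mismatches.append(rel)
    return (not mismatches, mismatches)

def build_sample_pkg(tamper=False):
    """Constructed sample (not a real CRAN package): tiny 'mypkg' tarball with MD5 manifest."""
    files = {"DESCRIPTION": b"Package: mypkg\nVersion: 0.1\n",
             "R/hello.R": b"hello <- function() 'hi'\n"}
    manifest = "".join(f"{hashlib.md5(c).hexdigest()} *{n}\n" for n, c in files.items())
    if tamper:  # change a file after the manifest was written, as corruption would
        files["R/hello.R"] = b"hello <- function() 'bye'\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in list(files.items()) + [("MD5", manifest.encode())]:
            info = tarfile.TarInfo("mypkg/" + name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

Running `check_r_package_md5(build_sample_pkg())` reports a clean package, while the tampered variant names `R/hello.R` as the file whose digest no longer matches.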