[Rd] Package integrity check via SHA256 or OpenPGP possible?

Philip Gillißen guerda at freenet.de
Thu Oct 15 09:11:07 CEST 2015

Dear list,

I'm using R in a corporate environment and was interested how R checks integrity of packages during an installation.
I saw (and verified my suspicion in the code[1]) that the verification purely relies on MD5.
>From an IT security perspective, this can be improved.

My question is: Is is possible to force R to verify integrity via SHA256 or even OpenPGP signatures?
If not are there any plans to support better hashes than MD5?
As the source code looks, an extension to support other (optional) hash values would be quite easy.

Thanks in advance!

Kind regards,

[1] see from line 594 on in src/library/tools/R/install.R in R-latest.tar.gz

Alle Postfächer an einem Ort. Jetzt wechseln und E-Mail-Adresse mitnehmen! http://email.freenet.de/basic/Informationen

More information about the R-devel mailing list