[Rd] Package integrity check via SHA256 or OpenPGP possible?
Brian Ripley
ripley at stats.ox.ac.uk
Thu Oct 15 16:13:06 CEST 2015
> On 15 Oct 2015, at 08:11, Philip Gillißen <guerda at freenet.de> wrote:
>
> Dear list,
>
> I'm using R in a corporate environment and was interested how R checks integrity of packages during an installation.
> I saw (and verified my suspicion in the code[1]) that the verification purely relies on MD5.
> From an IT security perspective, this can be improved.
Maybe, but 'IT security' was not the point. MD5 sums were added first as a way to check for corrupted downloads/unpacking (which used to be common on Windows), and second to reinforce the version number of a package as sometimes the source package is altered without changing the version, and less rarely binary packages are re-built.
>
> My question is: Is it possible to force R to verify integrity via SHA256 or even OpenPGP signatures?
> If not are there any plans to support better hashes than MD5?
> As the source code looks, an extension to support other (optional) hash values would be quite easy.
>
> Thanks in advance!
>
> Kind regards,
> Philip
>
> [1] see from line 594 on in src/library/tools/R/install.R in R-latest.tar.gz
>
> ______________________________________________
> R-devel at r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
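As an added illustration (not code from this thread and not R's own install.R), here is the kind of check Philip describes, written in Python rather than R so it can be run on its own: a verifier that reads a manifest in the layout of an R package's MD5 file (hex digest, a space, an asterisk, then the relative path; that layout is taken here as an assumption about R's MD5 files) and checks every listed file with whatever hash the manifest was built with, so one routine serves both MD5 and SHA256. It also reports files that are missing or not listed in the manifest, which a per-file digest comparison alone does not catch. The package tree, the manifests and the tampering are all constructed inside the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Manifest layout assumed from R packages' MD5 files: "<hexdigest> *<relative path>".
SEPARATOR = " *"


def parse_manifest(text):
    """Return {relative_path: hexdigest} from manifest text; reject malformed lines."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        digest, sep, path = line.partition(SEPARATOR)
        if not sep or not path or not digest:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        entries[path] = digest.lower()
    return entries


def hash_file(path, algorithm):
    """Stream a file through hashlib (md5, sha256, ...) and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(root, manifest_name, algorithm, skip=()):
    """Write a manifest for every regular file under root, except the manifests themselves."""
    root = Path(root)
    skip = set(skip) | {manifest_name}
    lines = []
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in skip:
            lines.append(f"{hash_file(p, algorithm)}{SEPARATOR}{rel}")
    (root / manifest_name).write_text("\n".join(lines) + "\n")


def verify_tree(root, manifest_name, algorithm, ignore=()):
    """Check a tree against its manifest; report ok, mismatched, missing and unlisted files."""
    root = Path(root)
    entries = parse_manifest((root / manifest_name).read_text())
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for rel, expected in entries.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif hash_file(p, algorithm) != expected:
            report["mismatch"].append(rel)
        else:
            report["ok"].append(rel)
    # Files present on disk but absent from the manifest escape a digest-only check.
    listed = set(entries) | {manifest_name} | set(ignore)
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in listed:
            report["unlisted"].append(rel)
    return report


def demo():
    """Build a constructed package tree, verify it clean, then after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "R").mkdir()
        (root / "DESCRIPTION").write_text("Package: example\nVersion: 1.0\n")
        (root / "R" / "example.R").write_text("hello <- function() 'hi'\n")
        write_manifest(root, "MD5", "md5", skip=("SHA256",))
        write_manifest(root, "SHA256", "sha256", skip=("MD5",))
        clean_md5 = verify_tree(root, "MD5", "md5", ignore=("SHA256",))
        clean_sha = verify_tree(root, "SHA256", "sha256", ignore=("MD5",))
        # Tamper: modify one listed file and drop in one file the manifest never saw.
        (root / "R" / "example.R").write_text("hello <- function() 'changed'\n")
        (root / "R" / "extra.R").write_text("# not in any manifest\n")
        tampered = verify_tree(root, "SHA256", "sha256", ignore=("MD5",))
        return clean_md5, clean_sha, tampered


if __name__ == "__main__":
    for name, r in zip(("md5 clean", "sha256 clean", "sha256 tampered"), demo()):
        print(name, r)
```

Switching the hash is a one-word change because the manifest layout carries no algorithm name; in practice the algorithm is fixed by the manifest file's name (MD5 versus a hypothetical SHA256 file), which is the same convention R's MD5 file relies on. Note that a hash manifest shipped inside the package only detects corruption and accidental drift, Brian's two stated purposes; an attacker who can replace the package can regenerate the manifest, which is why Philip's OpenPGP question is a separate concern.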