[Rd] Package integrity check via SHA256 or OpenPGP possible?

Brian Ripley ripley at stats.ox.ac.uk
Thu Oct 15 16:13:06 CEST 2015



> On 15 Oct 2015, at 08:11, Philip Gillißen <guerda at freenet.de> wrote:
> 
> Dear list,
> 
> I'm using R in a corporate environment and was interested how R checks integrity of packages during an installation.
> I saw (and verified my suspicion in the code[1]) that the verification purely relies on MD5.
> From an IT security perspective, this can be improved.

Maybe, but 'IT security' was not the point.  MD5 sums were added first as a way to check for corrupted downloads/unpacking (which used to be common on Windows), and second to reinforce the version number of a package as sometimes the source package is altered without changing the version, and less rarely binary packages are re-built.


> 
> My question is: Is it possible to force R to verify integrity via SHA256 or even OpenPGP signatures?
> If not are there any plans to support better hashes than MD5?
> As the source code looks, an extension to support other (optional) hash values would be quite easy.
> 
> Thanks in advance!
> 
> Kind regards,
> Philip
> 
> [1] see from line 594 on in src/library/tools/R/install.R in R-latest.tar.gz
> 
> ______________________________________________
> R-devel at r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
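As an added illustration of the manifest check the thread is about (this is not R's own install.R code, nor code from either poster): a stand-alone Python script that parses the `MD5` file format of an R source package (one `<hexdigest> *<relative path>` per line), verifies the unpacked files against it, and writes a SHA256 manifest in the same format, the kind of optional extension Philip suggests. The package layout, file contents and the post-packaging alteration are constructed for the demo.

```python
import hashlib
import os
import tempfile

def parse_manifest(text):
    """Parse R's manifest format: one '<hexdigest> *<relative path>' per line."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, _, path = line.strip().partition(" *")
            entries[path] = digest.lower()
    return entries

def file_digest(path, algo):
    return hashlib.new(algo, open(path, "rb").read()).hexdigest()

def write_manifest(pkg_dir, manifest_name, algo):
    """Hash every file except the manifest itself, in the same line format R uses."""
    lines = []
    for root, _, files in os.walk(pkg_dir):
        for name in sorted(files):
            rel = os.path.relpath(os.path.join(root, name), pkg_dir).replace(os.sep, "/")
            if rel != manifest_name:
                lines.append(f"{file_digest(os.path.join(root, name), algo)} *{rel}")
    with open(os.path.join(pkg_dir, manifest_name), "w") as f:
        f.write("\n".join(lines) + "\n")

def verify_manifest(pkg_dir, manifest_name="MD5", algo="md5"):
    """Map each manifest path to 'ok', 'mismatch' or 'missing'."""
    with open(os.path.join(pkg_dir, manifest_name)) as f:
        expected = parse_manifest(f.read())
    status = {}
    for rel, digest in expected.items():
        full = os.path.join(pkg_dir, rel)
        status[rel] = ("missing" if not os.path.isfile(full)
                       else "ok" if file_digest(full, algo) == digest else "mismatch")
    return status

def demo():
    """Constructed sample package: write MD5 and SHA256 manifests, then alter one file."""
    pkg = tempfile.mkdtemp(prefix="pkgdemo")
    os.makedirs(os.path.join(pkg, "R"))
    files = {"DESCRIPTION": "Package: demo\nVersion: 1.0\n", "R/hello.R": "hello <- function() 'hi'\n"}
    for rel, text in files.items():
        with open(os.path.join(pkg, rel), "w") as f:
            f.write(text)
    write_manifest(pkg, "MD5", "md5")
    write_manifest(pkg, "SHA256", "sha256")
    with open(os.path.join(pkg, "R", "hello.R"), "a") as f:
        f.write("# altered after packaging\n")
    return verify_manifest(pkg, "MD5", "md5"), verify_manifest(pkg, "SHA256", "sha256")
```

Either manifest catches the altered file; the difference Philip raises is that an attacker who can change a file can also forge a matching MD5 far more cheaply than a SHA256, and neither catches a manifest rewritten along with the files, which is what a signature would add.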