[Rd] Proposal to limit Internet access during package load
Tomas Kalibera
tom@@@k@||ber@ @end|ng |rom gm@||@com
Tue Sep 27 20:18:12 CEST 2022
On 9/27/22 18:42, Blätte, Andreas wrote:
> Dear all,
>
> my apologies for a dull question. I think I do understand that unnoticed Internet access requires scrutiny and a more explicit approach.
>
> But I am not sure how this would impact on the practice on many Windows machines to download static libraries from one of the rwinlib repositories? See https://github.com/rwinlib, an approach taken by quite a few packages (src/Makevars.win triggers tools/winlibs.R for downloading a static library).
>
> I am asking because a package I maintain (RcppCWB) uses the approach, and am not sure whether and how the discussion has addressed this scenario. It may not be covered by Iñakis initial three scenario?
Dear Andreas,
please let me clarify for others that your package only downloads
pre-compiled static libraries for R 4.1 and earlier on Windows, what is
already now the "old release" and will not be checked against by CRAN
once R 4.3 is released. For R 4.2 ("release") and R-devel, your package
includes the source code of the library and links it, which is in
compliance with the CRAN policy. So if any new possible restriction in
downloading along the lines Inaki raised was set, it probably won't
affect you.
Downloading pre-compiled static libraries is only possible as very last
resort and only with agreement of the CRAN team - see the CRAN policy
for details (https://cran.r-project.org/web/packages/policies.html, look
for "external"). In other words, unless those special conditions are
met, it is already banned now.
More explanation for why it is a bad thing can be found in
https://cran.r-project.org/bin/windows/base/howto-R-4.2.html:
"For transparency, source packages should contain source (not executable
code). Using pre-compiled libraries may lead to that after few years the
information on how they were built gets lost or significantly outdated
and no longer working. Using older binary code may provide insufficient
performance (newer compilers tend to optimize better). Also, the CRAN
(and Bioconductor) repositories are used as a unique test suite not only
for R itself but also the toolchain, and by re-using pre-compiled
libraries, some parts will not be tested. Compiler bugs are found and
when fixed, the code needs to be re-compiled. Finally, object files (and
hence static libraries, particularly when using C++) on Windows tend to
become incompatible when even the same toolchain is upgraded. Going from
MSVCRT to UCRT is an extreme case when all such code becomes
incompatible, and adding support to 64-bit ARM would be another extreme
case, but smaller updates of different parts of the toolchain or even
some libraries in it lead to incompatibilities. The issues mentioned
here are based on experience with the transition to UCRT and Rtools42;
all of these things have happened and dealing with the downloads and
re-use of static libraries was one of the biggest challenges."
With respect to any possible restriction on downloading in principle,
this is no different from downloading external source code (both is
needed when the native code of packages is being built, so during "R CMD
INSTALL"), and that has already been mentioned in this thread. So it
doesn't have to be discussed specially I think.
Best
Tomas
>
> Kind regards, Andreas
>
>
>
>
>
> Am 27.09.22, 10:15 schrieb "R-devel im Auftrag von Iñaki Ucar" <r-devel-bounces using r-project.org im Auftrag von iucar using fedoraproject.org>:
>
> El mar., 27 sept. 2022 4:22, Dirk Eddelbuettel <edd using debian.org> escribió:
>
> >
> > Regarding 'system' libraries: Packages like stringi and nloptr download the
> > source of, respectively, libicu or libnlopt and build a library _if_ the
> > library is not found locally. If we outlaw this, more users may hit a
> > brick
> > wall because they cannot install system libraries (for lack of
> > permissions),
> > or don't know how to, or ... These facilities were not added to run afoul
> > of
> > best practices -- they were added to help actual users. Something to keep
> > in
> > mind.
>
>
> Yes, but then IMO Internet access should be explicitly enabled by the user
> with a flag. By default, it should be disabled and packages on CRAN should
> install as is.
>
> Iñaki
>
> [[alternative HTML version deleted]]
>
> ______________________________________________
> R-devel using r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
>
> ______________________________________________
> R-devel using r-project.org mailing list
> https://stat.ethz.ch/mailman/listinfo/r-devel
More information about the R-devel
mailing list