[R-pkg-devel] [Learning] the secret of Win[dows C-backed packages]

Bob Rudis bob at rud.is
Sat Aug 13 20:19:22 CEST 2016


Aye. I rly need to get back to my security & privacy "R" post. The
slipstreaming in of these binaries is somewhat frightening. Almost as
frightening as being stuck on Windows
On Sat, Aug 13, 2016 at 13:09 Dirk Eddelbuettel <edd at debian.org> wrote:

>
> I don't think there is a good "generally applicable" solution.  We have a
> bunch of hacks. Below are three quickly picked examples from packages of
> mine:
>
> RQuantLib relies on environment variables and a 'library that needs to just
> be there' on the build host:
>
>    ## The environment variable QUANTLIB_ROOT has to point to an existing build of QuantLib
>    ## With R 2.12.0 and later, we also support 32 and 64 bit builds and need to differentiate
>    PKG_CPPFLAGS=-I$(QUANTLIB_ROOT) -I../inst/include -I. -I$(BOOSTLIB)
>    PKG_CXXFLAGS=$(SHLIB_OPENMP_CFLAGS) -fpermissive
>    PKG_LIBS=-L$(QUANTLIB_ROOT)/lib${R_ARCH} -lQuantLib $(SHLIB_OPENMP_CFLAGS)
>
> RcppGSL does the same
>
>    ## This assumes that the LIB_GSL variable points to working GSL libraries
>    PKG_CPPFLAGS=-I$(LIB_GSL)/include -I../inst/include
>    PKG_LIBS=-L$(LIB_GSL)/lib -lgsl -lgslcblas
>
> Rblpapi copies a library (for which we have 'free' binaries but no source)
> in from GitHub:
>
>    ## target to ensure tar.gz files get unpacked
>    ## the opening '@' ensures operations are executed 'quietly'
>    ## in order to see commands as they happen add a 'v' to the tar and cp commands
>    ## curl has '-k' flag to suppress certificate warnings
>    blpLibrary:
>                 @if [ ! -d ../inst ]; then mkdir -p ../inst; fi
>                 @if [ ! -d ../blp/win/${FLV} ]; then mkdir -p ../blp/win/${FLV}; fi
>                 @if [ ! -f ../blp/win/${FLV}/blpHeaders.tar.gz ]; then curl -s -k -L -O https://github.com/Rblp/blp/raw/master/headers/windows/blpHeaders.tar.gz; mv blpHeaders.tar.gz ../blp/win/${FLV}; tar xfz ../blp/win/${FLV}/blpHeaders.tar.gz -C ../inst; fi
>                 @if [ ! -f ../blp/win/${FLV}/blpLibrary.tar.gz ]; then curl -s -k -L -O https://github.com/Rblp/blp/raw/master/win${WIN}/blpLibrary.tar.gz; mv blpLibrary.tar.gz ../blp/win/${FLV}; tar xfz ../blp/win/${FLV}/blpLibrary.tar.gz; fi
>                 @if [ ! -d ${FLV} ]; then mkdir -p ${FLV}; fi
>                 @cp blpapi3_${WIN}.dll ${FLV}
>                 @if [ ! -d ../inst/libs/${FLV} ]; then mkdir -p ../inst/libs/${FLV}; fi
>                 @cp blpapi3_${WIN}.dll ../inst/libs/${FLV}
>
>
> None of that really generalizes well.  The last bit, much like the so-called
> anticonf pattern, is more or less a non-standard practice exposing a security
> risk by copying in code from a semi-random location which could be hijacked
> or man-in-the-middle'd.
>
> Really all this is just pretending that Windows is an environment on which
> you can deploy proper build systems -- similar to what we are used to from the
> likes of dpkg/apt/yum or brew.  But in all honesty you just can't.
>
> So I would not try to aim for something overly general.  It is Windows
> after all.
>
> Dirk
>
> --
> http://dirk.eddelbuettel.com | @eddelbuettel | edd at debian.org
>
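
The Rblpapi recipe quoted above downloads archives with `curl -k` and unpacks them without any integrity check, which is the hijack and man-in-the-middle exposure Dirk describes. The following is an added sketch, not code from the thread or from Rblpapi, of the same fetch step with certificate verification left on and a pinned SHA-256 checked before anything is unpacked. The function names are hypothetical, and the pinned digest is assumed to be recorded by the maintainer when the binary is vetted.

```sh
# Added example, not Rblpapi's code. Function names are hypothetical.
# The caller supplies the pinned digest, recorded when the binary was vetted.

sha256_of() {                      # print the hex SHA-256 of FILE
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_sha256() {                  # FILE EXPECTED_HEX; 0 only on exact match
    [ -f "$1" ] || return 2
    actual=$(sha256_of "$1") || return 2
    [ "$actual" = "$2" ]
}

install_verified() {               # TMPFILE EXPECTED_HEX DEST_ARCHIVE UNPACK_DIR
    if ! verify_sha256 "$1" "$2"; then
        echo "digest mismatch for $3, refusing to unpack" >&2
        rm -f "$1"                 # never leave an unverified archive behind
        return 1
    fi
    mv "$1" "$3" && mkdir -p "$4" && tar xzf "$3" -C "$4"
}

fetch_pinned() {                   # URL EXPECTED_HEX DEST_ARCHIVE UNPACK_DIR
    tmp=$(mktemp "$3.XXXXXX") || return 1
    # No -k: TLS certificate verification stays on. HTTPS only, redirects included.
    if ! curl --fail --silent --show-error --location \
              --proto '=https' --proto-redir '=https' \
              --output "$tmp" "$1"; then
        rm -f "$tmp"
        return 1
    fi
    install_verified "$tmp" "$2" "$3" "$4"
}
```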
