[R-pkg-devel] checksums change after publication on CRAN?

Tue May 1 18:24:04 CEST 2018

Dear all,

1. CRAN indeed adds the checksum, as CRAN re-packages a package as it 
changes at least the DESCRIPTION file and maybe cleans up some line 
endings and permissions etc.

2. For recommdended packages, we publish in the contrib repository, but 
also for the release tarballs in subdirs on different days, then the 
package gets a different checksum, as the punlication day may be 
different then.

3. In this case we had a quick same version update that added a space in 
a Makevars file that should not change functionality at all, but makes 
compilation work on some OS where it would not work without the added 
space. This was some hotfix during the R-3.5.0 release cycle and 
carefully reviewed by the CRAN team.

CRAN generally does not accept new submissions without increased version 
number.

Best,
Uwe Ligges

On 30.04.2018 18:09, Joris Meys wrote:
> I wrongfully stated that CRAN added a line. The line was not added but
> changed (and not in the SVN repo). A diff between both downloads is
> available here:
> 
> https://gist.github.com/boegel/2ea28647f00ddd9b18f9b1a0ac6dd2b4
> 
> Cheers
> Joris
> 
> On Mon, Apr 30, 2018 at 6:03 PM, Joris Meys <Joris.Meys at ugent.be> wrote:
> 
>> In a discussion of twitter it was pointed out that the checksums of
>> packages change after publication on CRAN. One example is the Matrix
>> package version 1.2-12, which was available on CRAN already on nov 17, 2017
>> but got a different checksum on nov 20, 2017. This caused issues in eg
>> easybuilders.
>>
>> (see reference here : https://github.com/easybuilders/easybuild-
>> easyconfigs/pull/6118 )
>>
>> I went through the Matrix SVN repo, and there is no commit whatsoever that
>> adds the last line in the DESCRIPTION file. This line reads:
>>
>> Date/Publication: 2017-11-20 18:57:47 UTC
>>
>> I wondered how this happens, and it looks like CRAN adds this
>> automatically days after the source is available for download.
>>
>> This is suboptimal imho as it would technically mean that you can have two
>> files of the same package version with different checksums. It leads people
>> to believe packages on CRAN can be changed without bumping the version
>> number, and technically that's what it boils down to.
>>
>> Anyone who knows what's going on there?
>>
>> Reference to twitter discussion with Kenneth Hoste about this :
>> https://twitter.com/kehoste/status/990484417721389056
>>
>> Kind regards
>> Joris
>>
>> --
>> Joris Meys
>> Statistical consultant
>>
>> Department of Data Analysis and Mathematical Modelling
>> Ghent University
>> Coupure Links 653, B-9000 Gent (Belgium)
>>
>> <https://maps.google.com/?q=Coupure+links+653,%C2%A0B-9000+Gent,%C2%A0Belgium&entry=gmail&source=g>
>>
>> tel: +32 (0)9 264 61 79
>> -----------
>> Biowiskundedagen 2017-2018
>> http://www.biowiskundedagen.ugent.be/
>>
>> -------------------------------
>> Disclaimer : http://helpdesk.ugent.be/e-maildisclaimer.php
>>
> 
> 
>